Cybersecurity Monthly Newsletter June 2024

In this issue:

• Microsoft Recall Feature Raising Security Concerns

• Cybersecurity Shorts

• Software Updates

Microsoft’s Recall Feature Raising Security Concerns

Microsoft’s new AI-powered feature, Recall designed for Copilot+ PCs running Windows 11, has sparked debate within the cybersecurity community. Marketed as a productivity hack by Microsoft through the ability to create searchable visual timelines of users’ screen activity, security experts have raised significant red flags about its potential risks.

Recall works by periodically capturing screenshots of everything a user does on their Copilot+ PC—creating a visual history that users can then search using natural language queries. Microsoft boasts that this will improve productivity as you can quickly pull up past searches and work you have completed in a matter of seconds. Microsoft emphasizes that all processing and storage occur locally on the device, with snapshots encrypted and stored on the user’s PC. The company stresses user control, allowing individuals to disable, pause, or filter snapshots at any time.

Security experts sound the alarm

However, many security experts have expressed cybersecurity concerns over the new software program. Many experts call the software an invasion of privacy due to the continuous screen capture. The feature lacks content moderation, potentially capturing and storing sensitive information like credit card numbers and trade secrets which makes it an attractive target for hackers and cybercriminals. In fact, some experts have noted the similarities between Recall and keylogger software used by hackers to capture activity on victims’ devices.

Recall delayed

In light of these criticisms, Microsoft has delayed the broad release of Recall. The company plans to first make it available as a preview in the Windows Insider Program before rolling it out to all Copilot+ PCs. Microsoft is implementing additional security measures, such as making Recall an opt-in feature by default.

However, some security experts argue that these changes may be insufficient to address the core privacy and security concerns.

The Road Ahead

As Microsoft works to balance Recall’s productivity benefits with critical security considerations, the cybersecurity community remains vigilant. The controversy surrounding Recall highlights the ongoing tension between innovative AI features and the need to protect user privacy and data security.

For now, the future of Recall remains uncertain. Its eventual release and adoption will likely depend on Microsoft’s ability to address the serious security concerns raised by experts and convince users that the benefits outweigh the potential risks.

Cybersecurity shorts

Snowflake customers targeted in widespread identity-based attacks. Snowflake, a cloud-based data warehouse vendor, has confirmed that at least 100 of its customers have been impacted by a wave of identity-based attacks over the past two months, with approximately 165 businesses potentially exposed. The attacks, which began as early as April 14, were facilitated by stolen credentials obtained from infostealer malware infections on non-Snowflake systems, according to Mandiant, the incident response firm assisting with the ongoing investigation. While Snowflake and Mandiant have provided guidance to help customers detect and prevent malicious activity, the full extent of the damage, including data theft, extortion demands, and the sale of allegedly stolen data on the dark web, remains unclear. You can read more about these attacks here.

Microsoft takes responsibility for Storm-0558 hack, pledges enhanced cybersecurity measures. During testimony before the House Homeland Security Committee, Microsoft’s vice chair and president, Brad Smith, accepted responsibility for the cybersecurity lapses that led to the Storm-0558 hack, which compromised Microsoft email accounts, including those of U.S. federal agencies. Smith pledged to implement the recommendations made by the Cyber Safety Review Board (CSRB) and go beyond them through the company’s Secure Future Initiative, which aims to ensure products and services are secure by design and continuously monitored to meet future threats. Additionally, Smith called on the U.S. government to improve cyber defense by imposing stronger punishments against nation-states behind attacks and adopting the CSRB’s recommendation for a victim notification alert system.

GAO report highlights increasing cybersecurity risks for U.S. federal agencies. A new report from the U.S. Government Accountability Office (GAO) reveals that cybersecurity risks targeting federal agencies’ technology systems are on the rise, with 30,659 information security incidents reported to the Department of Homeland Security in fiscal year 2022. The GAO has made over 1,600 recommendations to improve cybersecurity protections since 2010, but more than 500 of these recommendations remain unimplemented, hindering the federal government’s ability to ensure the security of critical infrastructure and sensitive data. The report emphasizes the need for federal agencies to adopt outcome-based performance measures, share information more effectively, and take a proactive approach to address the ever-evolving threat landscape.

State and local government associations urge Congress to preserve cybersecurity grant funding. A group of seven professional associations representing state and local governments has sent a letter to congressional leaders, urging them to maintain the $100 million in upcoming cybersecurity funding approved through the State and Local Cyber Security Grant Program. The program, established by the Infrastructure Investment and Jobs Act of 2021, has been crucial in helping state and local governments implement stronger cybersecurity protocols and address vulnerabilities. Despite some challenges, such as matching requirements and the need for clearer guidance on allowable uses of the funding, the associations stress that redirecting these vital funds would seriously hinder efforts to secure the nation’s networks at the state and local levels. You can read more about state and local governments’ urges to Congress on this topic here.

FCC approves $200 million pilot program to bolster cybersecurity in schools and libraries. The Federal Communications Commission has voted to approve the Schools and Libraries Cybersecurity Pilot Program, a three-year initiative that will provide up to $200 million to strengthen cybersecurity defenses in educational institutions and libraries. The program, funded through the Universal Service Fund, will allocate budgets based on a per-student and per-library location model, with schools receiving $13.60 per student and libraries receiving $15,000 per location. The pilot aims to address the significant cybersecurity threats faced by schools and libraries, which often lack the necessary expertise and resources to protect sensitive information and maintain secure access to digital learning tools.

Strengthening healthcare cybersecurity: key changes needed. Cybersecurity experts recommend three critical changes to improve the healthcare industry’s defense against increasingly sophisticated cyberattacks. First, all healthcare employees should receive ongoing, comprehensive cybersecurity training to recognize risks and properly handle sensitive information. Second, the government must establish and enforce minimum cybersecurity standards specific to the healthcare sector, providing incentives and resources to help organizations meet these requirements. Finally, healthcare providers should collaborate more effectively to address shared vulnerabilities, share details of cyberattacks and work together to proactively identify and mitigate emerging risks. You can read more about the key changes that are needed to strengthen the healthcare system’s cybersecurity initiatives here.

Software updates

Adobe: Adobe released 10 updates this month for programs such as Photoshop and Creative Cloud Desktop. You should update these programs as soon as you can. Learn more about the updates here.

Microsoft: Patches closing over 50 security vulnerabilities in Windows programs were released this month. This update also turns off the automatic enabling of, Recall, which automatically takes screenshots of what a user is doing on their computer after security experts criticized the software. Your devices should prompt you to update automatically. You can learn more here.