FFT news digest April 14 2023

AI; hype and reality

Amid all the AI-related news around at the moment, there are some important stories...and then there are those that, not to put too fine a point on it, are mostly bollocks. News of a "terrifying" AI-powered tool that can crack passwords in seconds fits neatly into the second category. That story came from an outfit called Home Security Heroes. It said PassGAN was able to compromise half the passwords from a leaked dataset in under a minute. In reality, PassGAN is based on an approach first published in 2017, so whatever else it is, it isn't new. ArsTechnica has a sober evaluation of the tool, how it works and some corrective analysis from industry experts.

To compound their errors, Home Security Heroes told people to change their passwords every three to six months. NO! That advice is dead. Changing - or forcing people to change - their passwords only makes them less safe. There are some potentially alarming ways that AI could be used to guess a password, for example by gathering all the open source data about a particular person and using it to generate a list of likely passwords. But for the moment, it's much more important to focus on the basics: using a password manager, never reusing passwords, and ensuring that when people leave an organisation they don't retain access to their accounts. This week, according to a survey, 58% of respondents said they retained access to their old accounts - and 47% admitted to using it.

In other news...

Ads: A very real threat comes from the flood of ads on social media seeking to exploit the upsurge in interest in all things AI, but particularly in ChatGPT. Don't be tempted. The maker of ChatGPT doesn't advertise and the genuine ChatGPT assistants are overloaded and can barely handle the users they have. Veriti

Trust: A reminder that despite (or because of) being hugely impressive, ChatGPT is not to be trusted. As OpenAI says, "It does know a lot, but the danger is that it is confident and wrong a significant fraction of the time."

Bing: A new version of Microsoft's search tool includes the addition of ChatGPT responses to search queries. In some cases, users will see Bing AI answers to their queries, with prompts to continue conversations with the chatbot. Bleeping Computer

Threats

Charging: The FBI (or at least its Denver office) says free phone charging stations are dangerous and shouldn't be used. To say this is simplistic would be an understatement. There was a time when this was a risk but devices are now much harder to compromise through a charging port. That said, it's better to use your own charger if you can. And definitely unplug your device if you see a message asking you to "Trust this Computer!"

Help: A very real issue highlighted by the FBI concerns companies that offer to help the victims of "sextortion" scams in return for "exorbitant" fees. This is a truly vile fraud, often targeting young people.

Browser extension: A new malicious software strain is focussed on browsers built on the Chromium platform (e.g. Chrome, Edge, Brave and Opera). It masquerades as a Google Drive extension and it can trick people into disclosing 2-factor authentication details. Trustwave SpiderLabs

Chrome: There's a steady stream of updates for Google's web browser, so it's not surprising criminals try to exploit them. They're currently compromising websites to make them display fake auto-update error messages. Bleeping Computer

Stolen: Online attacks are an obvious threat but it's important to keep in mind the risk of someone stealing your phone while you're using it. Last year, a phone was reported stolen in London every six minutes, according to figures obtained by the BBC. Less than 2% of them were recovered.

Chrome: Research by Kaspersky suggests the price of getting a malicious app into the official Google Play store is about $20,000. Google is getting better at spotting these intruders but it's a reminder to be careful what you install - even from the Play store.

Zelle: Criminals are impersonating the popular money-transfer service to defraud users. Avanan says they're using "meticulously designed" fake emails.

Spyware

Another week, another spyware company finds itself in the unwelcome glare of publicity. Citizen Lab and Microsoft say QuaDream's tool was used to compromise the iPhones of journalists, opposition figures and an NGO worker. Citizen Lab said the spyware appeared to work by exploiting a zero-day (previously unknown) vulnerability that enabled it to send weaponised iCloud calendar invitations which were invisible to the user. Citizen Lab identified QuaDream servers in Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, United Arab Emirates and Uzbekistan. Apple says there's no evidence the vulnerability was exploited after it was fixed in March 2021. That will be a huge comfort to the victims whose phones were compromised to access phone calls, steal files and track their precise location.

Privacy

Least surprising news of the week was the arrest of a 21-year-old Air National Guardsman on suspicion of being behind a massive leak of US government secrets. The arrest came after multiple news outlets - let alone US law enforcement - were able to use public information to identify the alleged leaker. This culminated in a New York Times report which identified an online profile that led to an Instagram account with photos of the exact location where one of the leaked documents was photographed: a kitchen counter in his childhood home. The Intercept has excellent advice on "what to do before sharing classified documents with your friends online." The Intercept is talking from experience. It admitted making mistakes in handling a document leaked to it by National Security Agency employee Reality Winner, which led to her spending four years in jail. The mistake was that, in trying to verify its authenticity, The Intercept gave the NSA a copy of the original document. Although there's also the fact that Winner leaked the document from a work computer. So pretty poor performance all round.

In brief

PsyOps: A 1984 interview with a KGB defector examines the four stages identified by Soviet intelligence as the necessary steps to cause the psychological implosion of American society. To say it's relevant in today's social media landscape would be an understatement. Benjamin Carlson

Browsers: Chief Information Security Officers are more worried about web browsing than anything else, according to research by RedAccess. It also found that 72% of those surveyed thought hybrid and remote working had had a negative impact on security.

Facial: The New York Times has a harrowing example of a Black man living in Georgia who spent a week in jail because of an erroneous facial recognition match. He was arrested because of accusations relating to a state which he had never visited.

Garages: Last week we reported on the Nexx garage opener that could be compromised over the internet. Nexx has fixed the problem...by disabling internet access. Not so smart after all. Motherboard

The hack that wasn't: Along with everyone else, back in 2021 we reported that hackers infiltrated a Florida water company and tried to poison its supplies. We're careful about what we include in this newsletter and the report was sourced to law enforcement and seemed genuine. Not so much, it turns out. As the Tampa Bay Times explains, the FBI has found no evidence of a "targeted cyber intrusion."

Thought for the week: "I'm the cybersecurity director at NSA and you could absolutely craft a phishing message that would get me to click a link. You’ve got to design your architecture to assume the humans are humans and bad things will happen." @RGB_Lights
