Roku users are revolting after their TVs are bricked by the company, we learn how to make money through conspiracy videos on TikTok, and just how much is your car snooping on your driving? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dave Bittner from "The Cyberwire" podcast.

Americans lost a record $10 billion to scams last year — and scams are getting more sophisticated.

Related: Google battles AI fakers

Recently used to impersonate Joe Biden and Taylor Swift, AI voice cloning scams are gaining momentum — and one in three adults confess they aren’t confident they’d identify the cloned voice from the real thing.

Google searches for ‘AI voice scams’ soared by more than 200 percent in the course of a few months. Here are a few tips on how to avoid falling prey to voice cloning scams.

•Laugh. AI has a hard time recognizing laughter, so crack a joke and gauge the person’s reaction. If their laugh sounds authentic, chances are there’s a human on the other end of the line, at least.

•Test their reactions. Say something that a real person wouldn’t expect to hear. For instance, if scammers are using artificial intelligence to imitate an emergency call from your relative, say something inappropriate, such as “Honey, I love you.” Whereas a real person would react with panic or confusion, AI would simply reply “I love you too.”


•Listen for anomalies. While voice cloning technology can be convincing, it isn’t yet perfect. Listen out for unusual background noises and unexpected changes in tone, which may be a result of the variety of data used to train the AI model. Unusual pauses and speech that sounds like it was generated by ChatGPT are also a clear giveaway that you’re chatting to a machine.

•Verify their identity. Don’t take a familiar voice as proof that a caller is who they say they are, especially when discussing sensitive subjects or financial transactions. Ask them to provide as many details as possible: the name of their organization, the city they’re calling from, and any information that only you and the real caller would know.

•Don’t overshare. Avoid sharing unnecessary personal information online or over the phone. According to Alexander, scammers often phish for private information they can use to impersonate you by pretending to be from a bank or government agency. If the person on the other end seems to be prying, hang up, find a number on the organization’s official website, and call back to confirm their legitimacy.

•Treat urgency with skepticism. Scammers often use urgency to their advantage, pressuring victims into acting before they have time to spot the red flags. If you’re urged to download a file, send money, or hand over information without carrying out due diligence, proceed with caution. Take your time to verify any claims (even if they insist there’s no time).

About the essayist: Alexander Konovalov is the Co-Founder & Co-CEO of vidby AG, a Swiss SaaS company focused on Technologies of Understanding and AI-powered voice translation solutions. A Ukrainian-born serial tech entrepreneur, and inventor, he holds patents in voice technologies, e-commerce, and security. He is also a co-founder of YouGiver.me, a service that offers easy and secure communication through real gifts, catering to individual users and e-commerce businesses.

Is there any truth behind the alleged data breach at Fortnite maker Epic Games? Who launched the ransomware attack that caused a fallout at pharmacies? And what’s the latest on the heart-breaking hack of Finnish therapy clinic Vastaamo? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast, episode #362: "Ransomware fraud, pharmacy chaos, and suicide".

The Washington Post is reporting on the FBI’s increasing use of push notification data—”push tokens”—to identify people. The police can request this data from companies like Apple and Google without a warrant.

The investigative technique goes back years. Court orders that were issued in 2019 to Apple and Google demanded that the companies hand over information on accounts identified by push tokens linked to alleged supporters of the Islamic State terrorist group.

But the practice was not widely understood until December, when Sen. Ron Wyden (D-Ore.), in a letter to Attorney General Merrick Garland, said an investigation had revealed that the Justice Department had prohibited Apple and Google from discussing the technique.

[…]

Unlike normal app notifications, push alerts, as their name suggests, have the power to jolt a phone awake—a feature that makes them useful for the urgent pings of everyday use. Many apps offer push-alert functionality because it gives users a fast, battery-saving way to stay updated, and few users think twice before turning them on.

But to send that notification, Apple and Google require the apps to first create a token that tells the company how to find a user’s device. Those tokens are then saved on Apple’s and Google’s servers, out of the users’ reach.

The article discusses their use by the FBI, primarily in child sexual abuse cases. But we all know how the story goes:

“This is how any new surveillance method starts out: The government says we’re only going to use this in the most extreme cases, to stop terrorists and child predators, and everyone can get behind that,” said Cooper Quintin, a technologist at the advocacy group Electronic Frontier Foundation.

“But these things always end up rolling downhill. Maybe a state attorney general one day decides, hey, maybe I can use this to catch people having an abortion,” Quintin added. “Even if you trust the U.S. right now to use this, you might not trust a new administration to use it in a way you deem ethical.”

Your smartphone may be toast – if you use a hacked wireless charger, we take a closer look at the latest developments in the unfolding LockBit ransomware drama, and Carole dips her toe into online AI romance apps. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast, episode #361: "Wireless charging woe, AI romance apps, and ransomware revisited".

Achieving “digital trust” is not going terribly well globally.

Related: How decentralized IoT boosts decarbonization

Yet, more so than ever, infusing trustworthiness into modern-day digital services has become mission critical for most businesses. Now come survey findings that could perhaps help to move things in the right direction.

According to DigiCert’s 2024 State of Digital Trust Survey results, released today, companies proactively pursuing digital trust are seeing boosts in revenue, innovation and productivity. Conversely, organizations lagging may be flirting with disaster.

“The gap between the leaders and the laggards is growing,” says Brian Trzupek, DigiCert’s senior vice president of product. “If you factor in where we are in the world today with things like IoT, quantum computing and generative AI, we could be heading for a huge trust crisis.”

DigiCert polled some 300 IT, cybersecurity and DevOps professionals across North America, Europe and APAC. I sat down with Trzupek and Mike Nelson, DigiCert’s Global Vice President of Digital Trust, to discuss the wider implications of the survey findings. My takeaways:

Bungled innovation

Digital trust refers to companies meeting the reasonable expectation that the digital services they offer not only protect users, but also uphold societal expectations and values. The tech sector has been preaching this for several years, acknowledging the fact that preserving trust, as digital services advance, is proving to be extremely difficult — yet crucial nonetheless.

“Trust has become absolutely paramount in the world,” Nelson observes. “Trust can be lost when you introduce digital connectivity — and digital connectivity is everywhere.”

DigiCert’s survey presents hard evidence that trust can be the basis of a winning business model. The top 33 percent of digital ‘trust leaders’ identified in DigiCert’s poll said they can respond more effectively to outages and incidents and found themselves to be in a much better position to effectively leverage innovation. Meanwhile, the bottom 33 percent found it increasingly difficult to tap into innovation.

This tug-and-pull is happening in an operating environment where digital innovation, from a global perspective, is being bungled. That’s the assessment of the 2024 Edelman Trust Barometer, a study highlighting the rapid erosion of digital trust, to the point of exacerbating polarized political views.


In such an environment, companies have a terrific opportunity to set themselves apart as being trustworthy, Trzupek argues. “The companies we view as the most trustworthy on the planet are able to provide very reliable digital services in consistent ways,” he says. “They’re able to connect people through trusted experiences.”

Emerging standards

Indeed, advanced technologies, new protocols and emerging best practices are at hand to help companies build and sustain trust.

And supply chain participants and individual consumers are eager recipients, naturally gravitating to trusted services, Nelson observes. Digital trust has, in fact, become a crucial factor in consumer purchasing decisions and corporate procurement strategies, he says.

This dynamic is highlighted by support of the Matter smart home devices standard. Matter is part of a fresh slate of technical standards that must take hold to enable massively interconnected, highly interoperable digital systems.

Since it was introduced two years ago, Matter has been embraced by some 400 manufacturers of IoT devices and close to one million Matter certificates have been issued, Nelson told me. “It’s not just in smart homes,” he says. “We’re building trust into devices in automotive and we’re seeing it in healthcare, as well.”

For its part, DigiCert has continued to advance its DigiCert ONE platform of tools and services to help companies manage their digital certificates and Public Key Infrastructure (PKI). DigiCert’s clients and prospects are steadily modernizing the way digital connections get authenticated and sensitive assets get encrypted, Trzupek told me.

“In visiting our customers over the past 18 months, I’ve seen a newfound energy for closely examining and more effectively managing PKI infrastructure, both internally and externally,” he says. “Companies are moving to update decades-old PKI systems because they realize how pivotal this is to digital trust and everything they do.”

DigiCert has also been a leader in championing the concept of “crypto agility” —the capacity to update and adapt cryptographic routines swiftly—something Trzupek and Nelson argued is rapidly becoming a business imperative.

A starting point


Leveraging advanced tools and embracing emerging best practices is all well and good for the trust leaders. But what about the laggards? For the organizations just starting down the path towards achieving and sustaining digital trust, Nelson outlined this framework:

•Knowledge and inventory: Begin with taking inventory of cryptographic assets and understanding how they’re utilized within the organization.

•Policies and enforcement: Next, establish organizational policies that outline appropriate and inappropriate behaviors regarding digital assets. Ensure that these policies are enforceable.

•Centralized security: Streamline control over various business units that may have disparate practices, thereby improving visibility and the ability to mitigate risks.

•Factor in business impact: Finally, prioritize security efforts based on the potential business impact. Evaluate the consequences should certain assets go offline; focus on protecting the most critical areas first.
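To make the four steps concrete, here is an added example (my own illustration, not DigiCert's tooling or anything Nelson described) of a small crypto-asset triage script. It takes a constructed inventory export of certificates and keys (step 1), checks each record against a written policy (step 2), gives a single view across business units (step 3), and ranks the findings by a business-impact score assigned by the asset owner (step 4). The hostnames, owners, dates and the policy thresholds are all assumptions chosen for the example.

```python
"""Crypto-asset inventory triage.

Added example of the inventory -> policy -> central view -> impact-ranking
framework. Every record and every threshold below is a constructed assumption,
not a real host and not a standard body's rule.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class CryptoAsset:
    name: str        # hostname or service the certificate/key protects
    owner: str       # business unit (lets one central view span several units)
    key_algo: str    # e.g. "RSA", "ECDSA"
    key_bits: int
    sig_hash: str    # signature hash, e.g. "sha256", "sha1"
    not_after: date  # certificate expiry
    impact: int      # business impact 1 (low) .. 5 (critical), set by the owner


# Policy thresholds (constructed for this example).
POLICY = {
    "min_key_bits": {"RSA": 2048, "ECDSA": 256},
    "banned_hashes": {"sha1", "md5"},
    "renew_within_days": 30,
}


def findings(asset, today, policy=POLICY):
    """Return the list of policy violations for one asset (empty if compliant)."""
    out = []
    min_bits = policy["min_key_bits"].get(asset.key_algo)
    if min_bits is None:
        out.append(f"unknown key algorithm {asset.key_algo}")
    elif asset.key_bits < min_bits:
        out.append(f"{asset.key_algo}-{asset.key_bits} below minimum {min_bits}")
    if asset.sig_hash.lower() in policy["banned_hashes"]:
        out.append(f"signature hash {asset.sig_hash} is banned")
    days_left = (asset.not_after - today).days
    if days_left < 0:
        out.append(f"expired {-days_left} days ago")
    elif days_left <= policy["renew_within_days"]:
        out.append(f"expires in {days_left} days")
    return out


def triage(inventory, today, policy=POLICY):
    """Central view: every non-compliant asset, highest business impact first,
    then soonest expiry, so the critical areas are worked first."""
    rows = [(a, findings(a, today, policy)) for a in inventory]
    rows = [(a, f) for a, f in rows if f]
    rows.sort(key=lambda r: (-r[0].impact, r[0].not_after))
    return rows


def parse_inventory(lines):
    """Parse a constructed CSV-style export: name,owner,algo,bits,hash,YYYY-MM-DD,impact."""
    assets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, owner, algo, bits, h, exp, impact = [p.strip() for p in line.split(",")]
        assets.append(CryptoAsset(name, owner, algo, int(bits), h,
                                  date.fromisoformat(exp), int(impact)))
    return assets


# Constructed sample export; the hosts and units do not exist.
SAMPLE_EXPORT = """\
# name,owner,algo,bits,hash,not_after,impact
payments.example.internal,Finance,RSA,2048,sha256,2024-03-20,5
legacy-vpn.example.internal,IT,RSA,1024,sha1,2025-01-01,4
shop.example.com,Retail,ECDSA,256,sha256,2024-12-31,5
devbox.example.internal,Engineering,RSA,4096,sha256,2024-02-01,1
"""


def demo_triage(today=date(2024, 3, 1)):
    """Run the triage over the sample export; returns (name, findings) pairs."""
    assets = parse_inventory(SAMPLE_EXPORT.splitlines())
    return [(a.name, f) for a, f in triage(assets, today)]


if __name__ == "__main__":
    for name, f in demo_triage():
        print(f"{name}: " + "; ".join(f))
```

Run as written, the payments host is listed first (critical impact, certificate due within the renewal window), the legacy VPN second (RSA-1024 and a SHA-1 signature, both against policy), and the expired low-impact dev box last; the compliant shop certificate does not appear at all. Swapping the thresholds in `POLICY` is the "crypto agility" lever: tightening the minimum key size or banning another hash re-ranks the whole estate without touching the inventory.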

Lagging really is no longer an option. Geo-political conflict, remote work exposures, unpredictable usage of generative AI; these all stand to further undermine digital trust for months and years to come.

Will the laggards follow the trust leaders? I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)