Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy-to-click "unsubscribe" button.
Happy holidays everyone! The world of cybersecurity keeps bringing new and interesting presents our way, so let’s unwrap some of the best cybersecurity nuggets from the last month and see how they can help us make better decisions about what is Secure Enough for us, the companies we work for, and our families.
Deepfakes, kidnapping and you.
Deepfakes have been around for years. These are pictures, videos or audio recordings that are based on a real person, but are a computer-generated replica of that person instead of an actual recording. They are used on social media frequently, often to make a political figure look bad or to fan the flames of pre-existing feelings among certain groups of people. Most deepfakes are relatively easy to spot if you look closely, but that’s hard to do on a small smartphone screen or while scrolling through an endless stream of 5-second clips on TikTok. The most nefarious use of deepfakes that I’m aware of is this: A cybercriminal picks a victim. Using a social media recording of the voice of the victim’s child or spouse, they make a computer-generated audio recording that sounds like that person. The recording makes the person sound very frightened/upset, and the words they say are something to the effect that they have been kidnapped and are scared. The cybercriminal then calls the victim, plays the deepfake recording, and begins negotiating a ransom payment from the victim. There is a great story about this on the podcast Darknet Diaries. The takeaway here is simple: Don’t believe a panicked phone call from anyone. Ever. Call the person back on a number you know to be theirs, ask them a question that only that person would know, and then decide whether or not to “declare an emergency” if there is a real emergency to deal with.
Deepfake videos still have a long way to go from a believability standpoint. In fact, a recent news article caught my eye because several celebrities had videos they were paid to create using a service called Cameo. These videos were then cut up into bits/pieces, and rearranged to make the celebrities sound like they were in favor of Russia in the Russia-Ukraine war. What surprised me is that deepfake technology was not used to make computer-generated renditions of these celebrities. Instead, they were paid to make a real recording that was then chopped up to give a false narrative. If deepfakes were hard to detect, why go to the trouble of paying celebrities to make a video using specific words you want them to say?
“LogoFail” is more of a molehill than a mountain.
There was a lot of noise the last few weeks about a new (and very clever) attack vector into the motherboards of many computers. The idea is this: Most computers display a manufacturer’s logo on the screen when you first turn them on. The picture of that logo is stored in a part of the computer called the firmware, and researchers figured out that they could manipulate the logo image to inject malicious software into the computer before the operating system starts up. That means that antivirus software cannot defend against this, nor can the traditional protections built into modern operating systems such as Windows 11 or macOS Sonoma; the practical defense is to install whatever firmware (BIOS/UEFI) update your computer maker provides. This is bad. That being said, I found articles such as this and this that make it sound like this vulnerability is the next Log4j, and it’s not. Some very large computer makers such as Dell and Apple hard-code their logo files, so they are immune. Seeing headlines such as “LogoFAIL vulnerabilities may affect 95% of computers” is very misleading: Dell and Apple have a combined share of almost 50% of the consumer computer market. Regrettably, overblown media coverage in cybersecurity is no different from any other industry, so be careful how much alarm you take from a single news source.
Last month’s newsletter outlined the 23andMe breach and the lack of a requirement that their users implement Multi-Factor Authentication, or MFA. More recently, it has come to light that TWO DAYS BEFORE 23ANDME DISCLOSED THEIR BREACH, they changed the Terms and Conditions of their website to make it harder for their customers to enter group arbitration. Apparently their previous Terms and Conditions already made it hard to sue them in court, but that wasn’t good enough. I’m at a bit of a loss for words here… If you are really interested in learning more about your genetic details, I’d recommend going with one of 23andMe’s competitors.
Until next month, stay safe!
Upcoming Speaking Events
Here is a list of the cities that I will be in over the next few months. Please reach out if you have an event in mind!
December 28-30, Rockford, IL
February 27-29, 2024, Clearwater, FL
March 7-10, 2024, Albuquerque, AZ
April 8-9, Des Moines, IA
May 27-31, Las Vegas, NV
August 3-6, Denver, CO
I have multiple clients being actively hit with QR code phishing emails. It is important to incorporate this into your cybersecurity awareness training program.
"Despite its multifaceted capabilities, the Flipper Zero seems best known in recent weeks for its iPhone Denial-of-Servicing capabilities. The way Bluetooth works on iPhones and iPads makes them especially susceptible."
"The study also highlights the critical need for comprehensive testing of AI models. It’s not just the aligned, user-facing model that requires scrutiny; the foundational base model and the entire system, including API interactions, demand rigorous examination."
Cybersecurity Tip of the Month
How To Stay on Top of Cybersecurity Ahead of the Holidays
It may seem like these are common sense, but you’d be surprised how a simple reminder of cybersecurity best practices can make a big difference and go a long way this holiday season.
1) Ditch the gift cards. They’re just too easy to hack and scam. Stick to cold hard cash if your creative juices have run out (or if that’s all they really want).
2) Make sure you have Multi-Factor Authentication (MFA) on all accounts you care about, especially any financial institutions you use. Any fraud involving your bank accounts, emails, and social media accounts this time of year could really put a damper on your holiday plans and add undue stress.
3) Consider a gift for your family and friends of a premium plan on a password manager. There are a lot of good choices out there (Dashlane, LastPass, 1Password, etc.). $60 a year for a family to stay password protected? Now that’s a great gift.
4) The start of a new year is a wonderful time to re-evaluate all passwords, practices, security measures and patches. Both for yourself personally and for your business, determine that you won’t go into 2024 vulnerable to cyberattacks.