Tech Friday with Dave Hatter - May 14th 2021 - SPONSORED BY INTRUST IT


Cyberattack shuts down largest pipeline in the US:

  • Experts have been warning about cyberattacks on critical infrastructure for some time
  • Cybersecurity company Dragos has said that a group of hackers is probing the power grid in the US and elsewhere
  • The hacking group is believed to be behind a 2017 attack that installed malware on the industrial control systems (ICS) of a petrochemical plant in Saudi Arabia
  • The malware targeted emergency shutdown capabilities which could cause physical damage to the plant and beyond
  • Some security experts warned that the activity is consistent with a government preparing for an attack
  • Security company FireEye linked the malware to a Russian government-owned lab
  • Dragos warned that Xenotime, the group behind the malware, has been probing US and Asia-Pacific power networks
  • "Starting in late 2018, Xenotime began probing the networks of electric utility organizations in the US and elsewhere using similar tactics to the group's operations against oil and gas companies" Dragos said
  • Dragos said that they spotted attempts to gather information associated with electric utilities starting in February of 2019
  • They said that so far, there have been no successful intrusions, but the probing is "a cause for deep concern given this adversary's willingness to compromise process safety"
  • Dragos said organizations using ICS should prepare for potential breach and disruption scenarios. "ICS operators must address such concerns in advance, rather than trying to figure out such sensitive, complex items mid- or post-intrusion," Dragos warned
  • For example, Russian cyberattacks crippled the electrical grid in Ukraine back in 2015 and 2016
  • Colonial Pipeline halted operations because of a ransomware attack
  • The FBI has linked the attack to a criminal gang known as DarkSide
  • DarkSide, linked to Russia, is one of many gangs that have cost Western nations tens of billions of dollars in losses over the past 3 years
  • Reports have said the attackers also stole data from the company, which can be used as additional leverage
  • The New York Times reported "The operator of a critical fuel pipeline on the East Coast paid extortionists roughly 75 Bitcoin — or nearly $5 million — to recover its stolen data, according to people briefed on the transaction, clearing the way for gas to begin flowing again but complicating President Biden’s efforts to deter future attacks."
  • Security experts said this is yet another clarion call for operators of critical infrastructure. Lack of investment in security puts them, and in some cases society, at risk of catastrophe
  • David Kennedy from TrustedSec said that once a ransomware attack is discovered, companies have little recourse but to completely rebuild their infrastructure, or pay the ransom if they don't have reliable backups
  • "Ransomware is absolutely out of control and one of the biggest threats we face as a nation" - David Kennedy
  • Kennedy also said "The problem we face is most companies are grossly underprepared to face these threats."
  • You can expect these attacks to continue, to become more complex and to become more difficult to stop

Synthetic text may be the most terrifying Deepfake:

  • Advances in computer power and machine learning have led to technology known as Deepfakes, which is making it hard to believe your own eyes and ears
  • New algorithms can take a single photo of someone and create a video that is completely fabricated but very, very realistic and that shows them saying and doing things that they did not actually do
  • MIT recently released a deepfake video as part of a project known as "In Event of Moon Disaster" to demonstrate the disturbing power of these videos
  • The video mixes actual NASA footage with President Nixon delivering the news that NASA failed and astronauts died on the moon
  • It took MIT AI experts 6 months to create the very convincing 7-minute video, watch it here: https://www.youtube.com/watch?v=LWLadJFI8Pk&feature=youtu.be
  • Pinscreen is a Los Angeles start-up that has created the technology; they believe these renderings will become so realistic that it will be virtually impossible to determine what is real
  • FakeApp is one of several new AI-powered synthesizing tools that don't require specialized hardware or skilled experts to create convincing fake videos
  • Software such as FakeApp can be used for fraud, forgery, and propaganda. FakeApp has been downloaded more than 100,000 times and has been used to create many fake pornographic videos featuring celebrities and politicians
  • FakeApp is relatively easy to use: a user "trains" it with hundreds of photos of source and target faces. It relies on deep-learning algorithms to find patterns and similarities between the two faces
  • "Ten years ago, if you wanted to fake something, you could, but you had to go to a VFX studio or people who could do computer graphics and possibly spend millions of dollars," says Dr. Tom Haines, lecturer in machine learning at University of Bath. "However, you couldn't keep it a secret, because you'd have to involve many people in the process"
  • There are many possible applications for this technology and many of them are malicious. Imagine the capability to use fake videos for blackmail, revenge or propaganda
  • There are also concerns about the possible impact of deepfakes on the upcoming election because the videos are fake, easy to make, and can be shared easily and quickly on social media
  • "Deepfakes can be made by anyone with a computer, internet access, and interest in influencing an election" - John Villasenor, a professor at UCLA focusing on artificial intelligence and cybersecurity
  • Paul Barrett, adjunct professor of law at New York University, said, "a skillfully made deepfake video could persuade voters that a particular candidate said or did something she didn’t say or do."
  • It currently is not a crime in the US to create fake videos. But "using a fake video to commit another crime — such as extortion or fraud or harassment — would be illegal under the laws covering the other crimes" - Barrett.
  • The legality of deepfakes could change in the future; there are bills in Congress to limit their use, and some states have taken action
  • California and Texas enacted laws that make deepfakes illegal when they’re used to interfere with elections
  • The Malicious Deep Fake Prohibition Act was introduced in Congress in December 2018
  • The DEEPFAKES Accountability Act, short for “Defending Each and Every Person from False Appearances by Keeping Exploitation Subject to Accountability Act,” was introduced in 2020. It would require creators to label false videos or face up to five years in prison
  • There is work being done on technology to identify deepfakes
  • Hany Farid, a digital forensics expert at Dartmouth College, said watching for blood flow in the face can sometimes determine whether footage is real. He also said slight imperfections at the pixel level may reveal fake video
  • TheFakening is a YouTube channel dedicated to deepfakes: https://www.youtube.com/channel/UC5D-8hVVwLB0DNrcSBqoVxgver
  • Deepfake video and audio is bad enough. Synthetic writing, undetectable, will be far worse
  • Synthetic text is easy to produce in high volume and very difficult to detect
  • GPT-3 is an AI tool that produces very real sounding sentences
  • It's possible to imagine a future in which much of the written content on the internet is machine generated and it is impossible to tell that it's not real
  • There would be original material that could be used to fact-check it
  • Machine generated content might be processed and amplified by machines, leading to a feedback loop that would significantly alter our information ecosystem.

iOS 14.5 allows you to block tracking. Do it now:

  • For many years, "free" apps and services have meant that if you're not paying with money, you're paying with data, you are the product, NOT the customer
  • Apple’s mandatory new privacy consent requirements threaten to completely upend the surveillance capitalism model that powers much of the Internet
  • Apple wrote "The App Store is designed to be a safe and trusted place for users to discover apps created by talented developers around the world. Apps on the App Store are held to a high standard for privacy, security, and content because nothing is
  • App Tracking Transparency (ATT) essentially has two phases. In the first, app developers must provide Apple with accurate information that tells a potential user how the app tracks user data across properties owned by other companies as well as what their information is potentially linked to. The mandatory labels that are displayed prior to app download allow users to make an informed choice about the app
  • Phase one has recently been implemented and while app developers don't love it, the coming second phase has caused quite an uproar and is set to launch soon in iOS 14.5
  • Apple will require apps to display a mandatory privacy consent notice that allows users to opt out of the use of the unique device ID to track them
  • There are some exceptions: apps are allowed to track a user without notice if the data is anonymized before leaving the device, or if it is used solely for security purposes that protect the end user
  • Apple also explicitly banned the implementation of workarounds for tracking based on device fingerprinting
  • Developers are permitted to explain why permission to track is being sought, but can't use dark patterns or incentives to con the user into allowing tracking. Such actions could get the app banned
  • Many social media platforms, like Facebook and Google, make a substantial amount of their revenue from your data
  • With iOS 14.5 or higher, all of your apps must ask in a pop-up: "Do you want to allow this app to track your activity across other companies' apps and websites?"
  • Jason Kint, CEO of Digital Content Next: “The digital advertising business has been mostly built off of micro-targeting audiences. Facebook, as an example, has code embedded in millions of apps to collect data to target audiences wherever it wants as promptly as possible—and this cuts that off.”
  • "We believe tracking should always be transparent and under your control" - Katie Skinner, an Apple user privacy software manager
  • The popups are not required if a developer tracks you across its own services; Apple wants to give users the option to opt out of tracking across different services
  • Choose “Ask App not to Track” for all apps
  • This is yet another reason to switch to Apple if you haven't already
  • Good news! Recent analytics data suggests that US users are now opting out of tracking 96% of the time thanks to iOS 14.5. See the data here: https://www.flurry.com/blog/ios-14-5-opt-in-rate-att-restricted-app-tracking-transparency-worldwide-us-daily-latest-update/