Some lessons learned as the Paris Olympics gets pro-active in tackling threats, Elon Musk’s Grok offers convincing fakes without guard rails, and a new open source deep fake video software forces us to confront this new threat.
Welcome to Cyber Security Today for Friday August 16th. I’m your host, Jim Love
In the 2024 Paris Olympics, cybercriminals predictably siezed the opportunity to exploit the event’s popularity. But as we covered in other stories, there was are real emphasis on being proactive in these games with the authorities in France trying to head off attackers before they could exploit an opportunity.
A report from a company called BforeAI crossed my virtual desk and although it’s a commercial piece aimed at highlighting their solution, it had some interesting findings from the lead up to the games.
Key findings from the report include:
1. Domain abuse: Researchers identified 166 unique domains using tactics like keyword stuffing and typosquatting to mimic official Olympic sites. These domains often use suspicious top-level domains like .xyz, .win, and .store.
2. Counterfeit shops and ticket scams: Fake online stores and ticketing websites are proliferating, aiming to steal personal and financial information from unsuspecting fans.
3. Unauthorized live streaming: Illicit streaming sites pose a significant threat to official broadcasters and Olympic revenue streams. Like illicit software, this is a new attack vector we should be thinking about.
4. Cryptocurrency scams: Fraudulent Olympic-themed cryptocurrencies are being marketed, potentially leading to substantial financial losses for investors.
5. Betting fraud: Some domains are attempting to collect financial information through fake Olympic betting platforms.
The report emphasizes the importance of proactive measures in combating these threats. As the report states:
‘Disrupting or taking malicious infrastructure down completely before it becomes live can halt the campaign in its foundational stage, before it has a wider impact on the general public.’
The advice is the same that we should be giving about any significant event, viewers and fans should rely solely on official websites and authorized platforms for tickets, merchandise, and streaming. We need to be wary of unfamiliar top-level domains and avoid event themed cryptocurrency investments.
I’m sure that there will be some post-Olympic analysis, but it does seem that the games avoided any major disasters, and perhaps the proactive approach made some contribution in this regard.
There’s a link in the show notes and you can read the summary without registering for anything.
Sources include: Bfore
A demonstration at Def Con this week showed how easy it is to make and use deep fakes. A number of commercial companies have launched new offerings that are free or cheap in price that can generate convincing deep fakes. Software like Hey Gen offers a free option. And Elon Musk’s Grok without video, but it’s creation of photo realistic fakes was particularly concerning because unlike any of the other foundation models, Musk’s Grok has no guard rails at all.
One writer from the publication the Verge who used the software was able to successfully generating images such as:
– Donald Trump wearing a Nazi uniform
– A figure resembling Bill Gates using cocaine off a Microsoft-logoed surface
– Barack Obama appearing to threaten Joe Biden with a knife
– Sexually suggestive images of celebrities like Taylor Swift
It should be emphasized that while these examples deal with well-known individuals, the potential for embarrassment and manufactured “revenge porn” create a real and present threat – it’s only a matter of time before some cyber-crook finds a way to leverage this in a corporate setting:
And another potential offering of deep fakes without guard rails comes from the open source community:
“A new open-source software called Deep-Live-Cam is causing a stir in the tech world, raising serious concerns about the potential for digital impersonation and fraud. This tool allows users to create real-time deepfakes using just a single photo, effectively becoming a digital doppelganger of anyone during video chats.
Key points about Deep-Live-Cam:
1. It can apply a face from a single photo to a live webcam feed, matching pose, lighting, and expressions in real-time.
2. The project has gone viral, briefly becoming the top trending repository on GitHub.
3. While not perfect, the results are convincing enough to potentially fool people who aren’t intimately familiar with the person being impersonated.
4. The software combines existing AI models for face detection, swapping, and quality enhancement.
5. It’s part of a larger trend of deepfake technology becoming more accessible and user-friendly.
This development raises significant concerns about identity fraud and digital security. We’ve already seen instances of deepfake technology being used for financial scams, including a $25 million heist earlier this year.
As this technology becomes more widespread and sophisticated, it’s crucial for individuals and organizations to develop new strategies for verifying identity in digital communications. Some are even suggesting the use of ‘safe words’ among friends and family to confirm identity in video calls.
While Deep-Live-Cam is just one of many similar projects, it represents a significant step in making this technology more accessible to the average user. As we move forward, we’ll need to grapple with the ethical implications and potential misuse of such powerful tools.”
Sources include: ArsTechnica
That’s our show for today. Our Week In Review Panel will cover some stories from this week with an in depth discussion on deep fakes. Week in Review will drop just after midnight ready for your Saturday morning coffee.
I’m you host Jim Love. Thanks for listening.
