{"id":33984,"date":"2023-01-13T15:12:29","date_gmt":"2023-01-13T20:12:29","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=521733"},"modified":"2023-01-16T09:38:28","modified_gmt":"2023-01-16T14:38:28","slug":"cyber-security-today-week-in-review-for-friday-january-13-2023","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-january-13-2023\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, January 13, 2023"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition of the podcast for Friday, January 13th, 2023. From Toronto, I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.<\/p>\n<p data-ar-index=\"3\">Joining me in a few minutes will be Jim Love, IT World Canada\u2019s chief information officer, to discuss recent cybersecurity news. But first a look back at some of the headlines from the past seven days:<\/p>\n<p data-ar-index=\"4\"><a href=\"https:\/\/techcrunch.com\/2023\/01\/10\/app-store-and-play-store-are-flooded-with-dubious-chatgpt-apps\/\" rel=\"noopener\">Fake ChatGPT applications<\/a> temporarily appeared in the Apple and Google app stores. This comes after news reports touting the usefulness of the artificial intelligence app spread around the world. Jim will have some thoughts. We\u2019ll also discuss a survey suggesting ransomware attacks are decreasing, a report on the vulnerabilities found in the apps created by major car manufacturers and a suggestion by an American regulator that telecommunications companies notify customers faster about data breaches.<\/p>\n<p data-ar-index=\"5\">The Guardian news service <a href=\"https:\/\/www.theguardian.com\/media\/2023\/jan\/11\/guardian-confirms-it-was-hit-by-ransomware-attack\" rel=\"noopener\">has confirmed<\/a> the December cyber attack that forced all editorial and office staff in the U.K. to work from home was ransomware. Not only that, the crooks copied personal data of British employees \u2014 but not subscribers. The organization doesn\u2019t think it was targeted because it is a news service.<\/p>\n<p data-ar-index=\"6\">Also in the U.K.
<a href=\"https:\/\/www.theguardian.com\/business\/2023\/jan\/11\/royal-mail-services-suffer-severe-disruption-after-cyber-incident\" rel=\"noopener\">a cyber attack affected operations<\/a> at the Royal Mail service so much that it asked people to stop sending letters and parcels to international destinations. Mail within Great Britain was not affected. <a href=\"https:\/\/www.telegraph.co.uk\/business\/2023\/01\/12\/russia-linked-hackers-behind-royal-mail-cyber-attack\/\" rel=\"noopener\">The Telegraph newspaper says<\/a> the LockBit ransomware gang is responsible.<\/p>\n<p data-ar-index=\"7\">Hackers could have exploited a web page vulnerability to see personal information held by Experian, one of the biggest credit rating agencies in the world. <a href=\"https:\/\/krebsonsecurity.com\/2023\/01\/identity-thieves-bypassed-experian-security-to-view-credit-reports\/\" rel=\"noopener\">Security reporter Brian Krebs wrote about the hole this week<\/a>, describing how, by altering the Experian URL, crooks could have gotten around a security feature that was supposed to allow people to see only their own data held by the company. The hole was patched in December. We asked Experian for comment. No answer was received.<\/p>\n<p data-ar-index=\"8\">SugarCRM administrators <a href=\"https:\/\/sugarclub.sugarcrm.com\/engage\/b\/sugar-news\/posts\/jan-5-2023-security-vulnerability-updat\" rel=\"noopener\">have been warned<\/a> some products may need to have two hotfix patches installed. They close a serious vulnerability in systems that don\u2019t have SugarIdentity enabled. The applications that are affected include Sugar Sell, Enterprise, Professional and Ultimate.<\/p>\n<p data-ar-index=\"9\">Do you have an end-of-life Cisco Systems small business RV-series router?
<a href=\"https:\/\/www.securityweek.com\/cisco-warns-critical-vulnerability-eol-small-business-routers\" rel=\"noopener\">Cisco says<\/a> they won\u2019t be getting patches for a newly discovered critical vulnerability. The best way to mitigate the problem is to disable remote management for the devices and block certain ports. Or buy new routers.<\/p>\n<p data-ar-index=\"10\">Finally, <a href=\"https:\/\/therecord.media\/supreme-court-dismisses-spyware-company-nso-groups-claim-of-immunity\/\" rel=\"noopener\">the U.S. Supreme Court dismissed<\/a> an attempt by the Israeli spyware manufacturer NSO Group to claim immunity in the United States from being sued. It is being sued by WhatsApp over the alleged use of the NSO Pegasus hacking tool to target WhatsApp\u2019s IT infrastructure and users.<\/p>\n<p data-ar-index=\"11\"><em>(The following transcript has been edited for length and clarity)<\/em><\/p>\n<p data-ar-index=\"12\"><strong>Howard:<\/strong> We\u2019ll start with ChatGPT. It\u2019s a text creator run by artificial intelligence that has captured tech headlines. You ask it to create a letter, a speech, a book chapter or correct your software code and poof! Like magic, a solution appears.<\/p>\n<p data-ar-index=\"13\">But as so often happens on the internet, when an application becomes popular someone creates a phony version to cash in. According to news reports, fake ChatGPT mobile apps have appeared in the Google Play store and the Apple App store. However, no mobile app has been released by the developers. These fake apps have been removed by Google and Apple, but there are lots of other places on the internet where they might pop up. We shouldn\u2019t be surprised.<\/p>\n<p data-ar-index=\"14\"><strong>Jim Love:<\/strong> We shouldn\u2019t be surprised. And as a matter of fact, if you try to download the app it tells you all sessions are full. Right now it can\u2019t deal with the download request.
So we shouldn\u2019t be surprised that people are taking something with that much excitement behind it and trying to make a few bucks. But there are a couple of things that people need to know: One is that ChatGPT does not have an official API so there\u2019s nothing these people [creators of fake apps] can hook into. Second, if you get the real one, the amount of cycles that it takes to run this type of AI is expensive \u2026 No little firm that doesn\u2019t have Microsoft throwing $10,000,000,000 into them is going to be able to afford to have the type of AI that ChatGPT has. I did a check on some of the fake apps that had been reported, and a lot of them have been taken down. There\u2019s one up [on an app store] that\u2019s got a 5-star review from one person.<\/p>\n<p data-ar-index=\"15\"><strong>Howard:<\/strong> And the thing is, if you come across an app that\u2019s supposedly ChatGPT that you have to pay for, that\u2019s one of the reasons to flee, because the real application is free.<\/p>\n<p data-ar-index=\"16\"><strong>Jim:<\/strong> Right, because when there is a paid version it\u2019s going to come from ChatGPT itself.<\/p>\n<p data-ar-index=\"17\"><strong>Howard:<\/strong> This speaks to the care you have to take when you\u2019re downloading mobile apps, even if they\u2019re in the Google or Apple stores. You\u2019ve got to check the reputation of the app, the source of the app. You just can\u2019t automatically trust something just because it\u2019s in one of those big stores.<\/p>\n<p data-ar-index=\"18\"><strong>Jim:<\/strong> Absolutely. I\u2019m not 100 per cent certain because I haven\u2019t tested these [fake] apps to see if there\u2019s any hidden malicious code in them, but I think they\u2019re just scams. But I think we can reasonably depend on these app stores to look for obvious hacks.
However, a scam where I give you something that doesn\u2019t really work and you download it and it shoves ads at you or anything like that, I think you\u2019re on your own on that. But when an app has one person [review] with five stars, lights should go on.<\/p>\n<p data-ar-index=\"19\"><strong>Howard:<\/strong> The other thing users need to know about the real ChatGPT is that not all of the text it generates is necessarily accurate. It\u2019s not perfect. It pulls what it thinks is relevant text from the internet. You need to check everything that it produces for accuracy, which of course can take time.<\/p>\n<p data-ar-index=\"20\"><strong>Jim:<\/strong> It is surprisingly accurate, but I don\u2019t disagree with you. You must check it [the results]. But I\u2019ve gone on to it and done all kinds of things. When we were talking [at IT World Canada] about running a version of ChatGPT code on our own servers I asked it, \u2018How would I run chat gpt on my own server?\u2019 It came back with the instructions. I\u2019ve done a lot of things with it. I think where it really fails is answers that may not necessarily be great in the context. It has been reported that if you tell it, \u2018I\u2019m feeling awful. My life is terrible. Should I commit suicide?\u2019 it will say, \u2018Yes.\u2019 So it\u2019s not intelligent. It\u2019s not sentient, but within the confines of what it can do it\u2019s pretty darn good \u2014 and it\u2019ll get better and better. The reason why I say that is because I hear a lot of people saying it\u2019s going to be inaccurate, it\u2019s going to be this \u2026 It\u2019s the alpha version. It\u2019s not even in beta yet. But it\u2019s moving at an incredible rate. It will become very, very accurate over time.<\/p>\n<p data-ar-index=\"21\"><strong>Howard:<\/strong> News item number two: A survey of 300 U.S.-based IT decision-makers done by a security company called Delinea suggests that the incidence of ransomware is dropping.
Only 25 per cent of respondents said their organization was victimized in 2022 by ransomware. By comparison, 64 per cent of respondents in 2021 said their firm was a ransomware victim. That suggests that ransomware is dropping. What do you hear from your IT colleagues?<\/p>\n<p data-ar-index=\"22\"><strong>Jim:<\/strong> I hear noises that it\u2019s going down. And because people won\u2019t speak publicly about whether they\u2019ve been hit by ransomware I believe that the occurrences of ransomware are going down. That doesn\u2019t mean that the damage is any less. But the sense I get is that the [cybersecurity] tools are better and there\u2019s a lot more prevention. There\u2019s been a lot more [employee] education. I\u2019m not going to jump behind these [particular] numbers because I\u2019m not sure I believe them. But I do believe that there is a downward trend.<\/p>\n<p data-ar-index=\"23\"><strong>Howard:<\/strong> Maybe the work being done by international law enforcement is having some effect on ransomware gangs?<\/p>\n<p data-ar-index=\"24\"><strong>Jim:<\/strong> I think some of the groups are being broken up by law enforcement. I think some of the messaging [to CEOs] saying don\u2019t pay is getting through. Overall, I think there\u2019s a shift happening. I\u2019m not sure quite what it is, but I think there\u2019s a lull. It could be a lull that things are moving down. Or it could be a lull before the storm. I don\u2019t know.<\/p>\n<p data-ar-index=\"25\"><strong>Howard:<\/strong> Thing is, in that survey there was quite a drop. In 2021, 64 per cent of respondents said they were victimized by ransomware. It dropped to 25 per cent last year. That\u2019s quite a plunge.
So was one of these surveys a rogue poll \u2014 you know, every once in a while a poll is wildly wrong?<\/p>\n<p data-ar-index=\"26\"><strong>Jim:<\/strong> I went back and compared this <a href=\"https:\/\/www.itworldcanada.com\/article\/making-ransom-payment-no-assurance-of-getting-data-back-telus\/477202\" rel=\"noopener\">to a Telus poll<\/a> [last year of Canadian IT leaders] that totally conflicts with this in terms of the number of companies that paid a ransom. So I\u2019m wondering, should we believe these studies? I don\u2019t think you should take the numbers and claim they\u2019re accurate. I just don\u2019t believe they are, and I question the survey logic in this. We [IT World Canada] do a lot of research and I\u2019m not sure that these things would stand up under any real research. So let\u2019s look at the trend, and I think we can believe that the trend has gone down. And I think that\u2019s all we can take away from any of these surveys. I wouldn\u2019t believe the numbers. But if you aggregate them there is a downward trend.<\/p>\n<p data-ar-index=\"27\"><strong>Howard:<\/strong> This [Delinea] was a survey of IT people, and they were asked if things had changed in their firm over the past year. There\u2019s another way, and that\u2019s by counting the number of reported ransomware attacks. <a href=\"https:\/\/www.itworldcanada.com\/article\/are-ransomware-attacks-in-u-s-up-or-down-why-its-hard-to-say\/519855\" rel=\"noopener\">Emsisoft recently did a report<\/a> saying they tried to find a number for ransomware attacks in the U.S. and said it\u2019s impossible because so many attacks aren\u2019t publicly reported \u2014 and counting victims listed by ransomware gangs on their data leak sites doesn\u2019t work because, well, crooks aren\u2019t necessarily trustworthy. So what do we do?<\/p>\n<p data-ar-index=\"28\"><strong>Jim:<\/strong> You don\u2019t worry about precision.
You worry about accuracy \u2026 The best way is to get aggregate polls, and if they are all moving in the same direction that tells you something.<\/p>\n<p data-ar-index=\"29\">\u2026 Does it matter in terms of prevention whether it\u2019s 88 per cent or 72 per cent or 60 per cent? The trend is what matters \u2026 If you hear a number and it doesn\u2019t help you take an action, that is something. The number that frightens me in [the Delinea survey] is 93 per cent said in 2021 they were allocating budget to protect against ransomware, but in 2022 it was 68 per cent \u2026 Are we getting comfortable? Are we relaxing? I don\u2019t think we should. Look at what the consequences of a breach are. The Telus report says the average ransom paid was $140,000. IBM said the average cost of a data breach is $4.4 million. Look at the Rackspace ransomware attack. They had a service for hosted Exchange that was less than one per cent of their revenue. But 27 of their customers got hit with ransomware that knocked them out and the share price of Rackspace dropped 30 per cent. So we can\u2019t get complacent. That\u2019s my message: No matter what the polls say, keep doing the things you\u2019re doing to fight ransomware. Do the fundamentals.<\/p>\n<p data-ar-index=\"30\"><strong>Howard:<\/strong> You mentioned the Delinea numbers suggest that firms spent less on ransomware [protection] last year than they did in 2021. Is that a reasonable question to ask? Do companies spend specifically to defend against ransomware, or do they spend in general on cybersecurity defence?<\/p>\n<p data-ar-index=\"31\"><strong>Jim:<\/strong> I was talking to Greg Young at Trend Micro the other day about the same question, and he said a lot of these things have been rolled into regular software. So it\u2019s really hard to distinguish between what you\u2019re spending to protect against ransomware versus what you\u2019re spending on overall cybersecurity.
But if anybody tells you the number of ransomware attacks is going down and that caused them to relax, that\u2019s malpractice.<\/p>\n<p class=\"western\" data-ar-index=\"32\"><strong>Howard:<\/strong> News item number three: Your new Honda, Ford, BMW, Porsche, Mercedes Benz or Ferrari may come with a gift: a bad remote access app or an insecure customer portal. Security researchers looked at apps from a wide number of car manufacturers and they found a lot of bugs, and I\u2019m not talking about bugs on the windshield but in their mobile and remote access apps. In some cases the researchers could remotely unlock vehicles, start engines or access the personal information that vehicle owners had registered with a car maker. Now, this isn\u2019t new, but it keeps happening. Is the car industry less vigilant than others?<\/p>\n<p class=\"western\" data-ar-index=\"33\"><strong>Jim:<\/strong> I don\u2019t think they are less vigilant. But I think things are moving so fast. You\u2019re old enough to remember stories about people getting into the wrong car because their key would fit [in the door]. Or someone with a remote garage door opener could drive along a street and open your garage door. We were less secure in those days; we\u2019re more secure now, with some exceptions. What these people [researchers] are talking about is playing with the exposure that you have in the APIs that are out there. There are some real weaknesses in APIs. I read one story about a 19-year-old German kid who\u2019d been able to hack 25 Teslas through a third-party app. The car industry has to be careful: What you ask for, you might get it. The cars have become sophisticated computers, but they have the same vulnerabilities at the API level on third-party apps. And, like people have had to do with the internet of things and remote devices, they have to play catch up.
I think they are, but there are still significant vulnerabilities.<\/p>\n<p class=\"western\" data-ar-index=\"34\"><strong>Howard:<\/strong> One final item, <a href=\"https:\/\/www.fcc.gov\/document\/fcc-proposes-updated-data-breach-reporting-requirements\" rel=\"noopener\">and that\u2019s the proposal by the American telecom regulator, the Federal Communications Commission<\/a> to eliminate the seven-day delay that communications carriers in the U.S. can take before notifying customers of a data breach. I think the delay is intended to give carriers time to gather as much information as they can in a short time before notifying victims. But it can also be argued that what it does is give crooks a seven-day advantage to exploit stolen data. Generally speaking, how fast do you think companies should notify victims when the company knows that there\u2019s been a data breach?<\/p>\n<p class=\"western\" data-ar-index=\"35\"><strong>Jim:<\/strong> I\u2019m not going to answer this one as a tech professional. I\u2019m going to answer it as a business owner. I\u2019m glad I live in Canada because this is ridiculous. You can\u2019t put a day on it. It\u2019s not possible. Seven days in a large organization to get back to people? It may seem like everybody should say do it right away. But if that was in place do you tell all of your customers every day because there was maybe an issue? These [telcos] are large companies. It\u2019s not easy. I saw one government example where it was months before they actually got back to people [about a data breach]. That\u2019s wrong. But Ireland\u2019s data protection commission fined Twitter 450,000 euros or US$600,000 for not reporting in two days. We [Canada] might not be thought of as being at the world level here. But I\u2019m glad Canadian legislation uses the principle of reasonability: You should get back [to victims] as fast as a reasonable company can, and judge it by is there a real risk of harm [to victims]. 
That\u2019s the type of legislation you need. In some cases you should tell people the minute you\u2019re breached; in other cases you have to do some real work [before notifying]. This [U.S. proposal] is another case of legislators who know nothing about technology, let alone business, putting together legislation. If we were hacked tomorrow \u2026 I\u2019ve got to find a way to determine what got exfiltrated from our site. Do people know how hard that is? You don\u2019t know [what\u2019s been copied] in a lot of cases. It takes time. There are other places where you know if they got into a data set and there\u2019s just too big a risk, but that\u2019s the reasonability factor and that\u2019s what we need in the legislation in my less than humble opinion.<\/p>\n<p data-ar-index=\"36\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-january-13-2023\/521733\">Cyber Security Today, Week in Review for Friday, January 13, 2023<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion on fake ChatGPT apps, whether successful ransomware attacks are decreasing, vulnerabilities found in the apps created by major car manufacturers and how fast firms should notify customers about
data<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[762,389],"class_list":["post-33984","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-chatgpt","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33984","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=33984"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33984\/revisions"}],"predecessor-version":[{"id":34077,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33984\/revisions\/34077"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=33984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=33984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=33984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}