Many years ago, when I was working in IT for a government agency, I was helping a colleague with a deputy director’s email account, which had run out of storage space (back when that was a common issue). We needed his credentials to log in, and my colleague explained that he already knew: It was “Password.” Without the period. Why would someone so important have such a hideously insecure password, I asked, only to be told that he was important enough to get the exemption and not to ask questions.
Speaking of which, did you hear that the password to the security system at the Louvre was “Louvre”?
Human factors like bad passwords are often the weakest links when it comes to cybersecurity, as we’ll see when we get to this week's news roundup, but before that, I encourage you to turn your attention to our reporting on how humans are using AI, and how your search terms and results are big business for marketers, governments, and anyone else with the money to buy your data. And as we’ve mentioned before, that includes even your most personal details.
Even if you do your best to avoid voluntarily giving out your private information, scammers are still eager to trick you into giving it away instead. For example, this week we reported on a new attack that mimics a Windows Update screen to trick users into visiting a site that’s actually a thin veil for ClickFix, a hack that we’ve covered in the past (and is easy to avoid, thankfully).
And speaking of scammers, if you’ve received any of those “E-ZPass toll warning” or “USPS package undeliverable” text messages in the past few years, you’ll be happy to hear that Google has identified the fraudsters involved and is suing them to force them to stop. Meanwhile, across the Atlantic, Europol is taking action against multiple organizations behind several strains of malware that can remotely control compromised computers, capture their screens and keystrokes, and use them in DDoS attacks. Anyway, if all this talk of scams has you worried as you start thinking about holiday shopping, we have some tips to ensure your money and identity are both protected.
Meanwhile, new reporting revealed that Meta, the company behind Facebook, Instagram, and WhatsApp, has been generating billions of dollars by serving up malicious ads to users, in some cases over 15 billion “higher risk” ads per day. Advertising is big money and powers much of the web, so Meta isn’t alone here. In September, X staff were offered bribes to unban scam accounts, and Google shut down over 39 million ad accounts suspected of fraudulent behavior last year. The significant difference here is that Meta appears to be taking no action on the issue, at least not yet.
65% of Leading AI Companies Found With Verified Secret Leaks
I know we’ve discussed the security issues with companies rushing to implement AI several times, but as long as the threat is clear, present, and real, it’s worth sounding the alarm over. For example, research from Wiz, a cloud security provider, reveals that 65% of the most popular AI companies are accidentally leaking highly sensitive data, such as API keys, tokens, and hardcoded credentials, in their public GitHub repositories.
So how does something like this happen? Simple: it’s human error, and the coding equivalent of clicking “remember password” so you don’t have to type it every time you log in to something. Developers will simply include credentials, tokens, or API keys in their code, allowing the software they’re building to work seamlessly without requiring authentication or reconnection every time a part of the program runs. Then they upload the finished product to GitHub or some other public repository so they can continue to work on it (and get input from other developers). So far, so good, until someone decides to dig through that code for those keys and use them for their own purposes. This kind of thing happens all the time, but the stakes are higher for AI, considering how much money businesses are spending to embrace it and how quickly (and sometimes without the appropriate security oversight) they are integrating it into their products.
Luckily, both the Wiz report and a similar report from cybersecurity provider Fortra, which led me to the story, offer several recommendations for AI companies to address this issue.
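To make the failure concrete, here is an added example (not code from the Wiz or Fortra reports) of the kind of secret scanner that catches a hardcoded key before it is committed, shown beside the hardened way of loading the key from the environment; the variable and sample values are constructed, apart from the "AKIA" prefix, which is the real AWS access key ID format.

```python
import os
import re
# Added example (not code from the Wiz or Fortra reports): a minimal pre-commit-style
# secret scanner beside the hardened way to load a key.
# Signal 1: a credential-like variable name assigned a string literal of realistic length.
NAMED_SECRET = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*["']([^"']{8,})["']"""
)
# Signal 2: known key formats (AWS access key IDs start with "AKIA"); "sk-" is a looser heuristic.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk_prefixed_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}
ENV_READ = re.compile(r"os\.environ|os\.getenv|getenv\(")  # the safe pattern; skip it

def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]  # never echo a suspected secret in full

def scan_source(text: str) -> list:
    """Return (line_no, kind, redacted_value) for each suspected hardcoded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if ENV_READ.search(line):
            continue
        m = NAMED_SECRET.search(line)
        if m:
            findings.append((no, "named_credential", redact(m.group(2))))
            continue
        for kind, pattern in KNOWN_FORMATS.items():
            m = pattern.search(line)
            if m:
                findings.append((no, kind, redact(m.group(0))))
    return findings

def load_api_key(var: str = "AI_SERVICE_API_KEY", env=None) -> str:
    """Hardened form: the key comes from the environment (or a secrets manager), not the repo."""
    env = os.environ if env is None else env
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to run with an empty credential")
    return key

# Constructed sample of a file about to be committed (the AKIA value is AWS's documentation placeholder).
SAMPLE = '''\
OPENAI_KEY = "sk-constructedexamplevalue0123456789"
aws_id = "AKIAIOSFODNN7EXAMPLE"
password = "hunter2hunter2"
api_key = os.environ["AI_SERVICE_API_KEY"]
'''
```

Running `scan_source(SAMPLE)` flags the first three lines and leaves the environment read alone; a hook that rejects the commit on any finding is the cheap version of the controls the reports recommend.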
How Credentials Get Stolen in Seconds, Even With a Script-Kiddie-Level Phish
You likely already know that phishing attacks are designed to steal your passwords so hackers can use them to breach your accounts. But what you may not know is exactly how those attacks work behind the scenes, and how quickly they can ruin your life, and that’s where this recent report from Malwarebytes comes in. It may look technical, but trust me, it’s worth reading. It walks you through exactly what happens when someone clicks on a phishing email, how those messages encourage you to believe that the page you’re looking at is legitimate, and what happens after you open it and fill in your credentials. The worst part is that phishing attacks are so common now that very little social engineering goes into convincing a user that the message is actually legitimate: all you need is a few people to fall for it out of the tens of thousands of emails you fire off, and you still get the credentials you’re looking for.
The one thing that surprised me is that captured passwords are no longer stored in databases to be retrieved later; instead, they are sent directly to the attacker (or attacking group) via Telegram, allowing them to be used immediately while they’re still fresh. In some cases, like spear phishing attacks, where a person or group is being specifically targeted, that’s the whole point. In other, broader phishing attacks, the data can either be used immediately or packaged up with other passwords and sold on the dark web.
That also means now is a good time to review our guide on what to do if your data has been lost in a breach, and consider using a password manager that only autofills passwords on valid, legitimate sites, so you don’t have to worry about entering them manually.
New UK Laws To Strengthen Critical Infrastructure Cyber Defenses
It’s rare that I get to highlight potentially good news on the cybersecurity front, but new legislation proposed in the United Kingdom may be just that. Introduced in Parliament on November 12, the Cyber Security and Resilience Bill would designate infrastructure like water supply systems, hospitals, energy systems, and transportation networks as essential services, and require operators to harden them against attacks like ransomware. As we’ve discussed, such attacks can render these systems inoperable, as we saw in the massive Land Rover hack, which required a $2 billion infusion from the government to address, or, worse, shut them down entirely, as in the KNP Logistics Group hack.
The bill will also require technical support providers and cybersecurity companies in those critical fields to uphold basic cybersecurity standards and empower government regulators to audit those companies, requiring them to improve their security if they’re found lacking. It also seems to have some teeth, since it outlines penalties and fines for serious breaches and lapses in security. The news isn’t all great, though, as the UK is considering a potential ban on VPN use, which would be a step backward in terms of security and privacy.