Welcome to Cyber Security Today. This is the Week in Review edition of the podcast for Friday, January 13th, 2023. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Joining me in a few minutes will be Jim Love, IT World Canada’s chief information officer, to discuss recent cybersecurity news. But first a look back at some of the headlines from the past seven days:
Fake ChatGPT applications temporarily appeared in the Apple and Google app stores. This comes after news reports touting the usefulness of the artificial intelligence app spread around the world. Jim will have some thoughts. We’ll also discuss a survey suggesting ransomware attacks are decreasing, a report on the vulnerabilities found in the apps created by major car manufacturers, and a suggestion by an American regulator that telecommunications companies notify customers faster about data breaches.
The Guardian news service has confirmed the December cyber attack that forced all editorial and office staff in the U.K. to work from home was ransomware. Not only that, the crooks copied personal data of British employees — but not subscribers. The organization doesn’t think it was targeted because it is a news service.
Also in the U.K. a cyber attack affected operations at the Royal Mail service so much that it asked people to stop sending letters and parcels to international destinations. Mail within Great Britain was not affected. The Telegraph newspaper says the LockBit ransomware gang is responsible.
Hackers could have exploited a web page vulnerability to see personal information held by Experian, one of the biggest credit rating agencies in the world. Security reporter Brian Krebs wrote about the hole this week, describing how, by altering the Experian URL, crooks could have gotten around a security feature that was supposed to allow people to see only their own data held by the company. The hole was patched in December. We asked Experian for comment. No answer was received.
SugarCRM administrators have been warned some products may need to have two hotfix patches installed. They close a serious vulnerability in systems that don’t have SugarIdentity enabled. The applications that are affected include Sugar Sell, Enterprise, Professional and Ultimate.
Do you have an end-of-life Cisco Systems small business RV-series router? Cisco says they won’t be getting patches for a newly-discovered critical vulnerability. The best way to mitigate the problem is to disable remote management for the devices and block certain ports. Or buy new routers.
Finally, the U.S. Supreme Court dismissed an attempt by the Israeli spyware manufacturer NSO Group to claim immunity in the United States from being sued. It is being sued by WhatsApp over the alleged use of the NSO Pegasus hacking tool to target WhatsApp’s IT infrastructure and users.
(The following transcript has been edited for length and clarity)
Howard: We’ll start with ChatGPT. It’s a text creator run by artificial intelligence that has captured tech headlines. You ask it to create a letter, a speech, a book chapter or correct your software code and poof! Like magic, a solution appears.
But as so often happens on the internet, when an application becomes popular someone creates a phony version to cash in. According to news reports, fake ChatGPT mobile apps have appeared in the Google Play store and the Apple App store. However, no mobile app has been released by the developers. These fake apps have been removed by Google and Apple, but there are lots of other places on the internet where they might pop up. We shouldn’t be surprised.
Jim Love: We shouldn’t be surprised. And as a matter of fact, if you try to download the app it tells you all sessions are full. Right now it can’t deal with the download request. So we shouldn’t be surprised that people are taking something with that much excitement behind it and trying to make a few bucks. But there are a couple of things that people need to know: One is that ChatGPT does not have an official API so there’s nothing these people [creators of fake apps] can hook into. Second, if you get the real one the amount of cycles that it takes to run this type of AI is expensive … No little firm that doesn’t have Microsoft throwing $10,000,000,000 into them is going to be able to afford to have the type of AI that ChatGPT has. I did a check on some of the fake apps that had been reported, and a lot of them have been taken down. There’s one up [on an app store] that’s got a 5-star review from one person.
Howard: And the thing is if you come across an app that’s supposedly ChatGPT that you have to pay for that’s one of the reasons to flee, because the real application is free.
Jim: Right, because when there is a paid version it’s going to come from ChatGPT itself.
Howard: This speaks to the care you have to take when you’re downloading mobile apps, even if they’re in the Google or Apple stores. You’ve got to check the reputation of the app, the source of the app. You just can’t automatically trust something just because it’s in one of those big stores.
Jim: Absolutely. I’m not 100 per cent certain because I haven’t tested these [fake] apps to see if there’s any hidden malicious code in them, but I think they’re just scams. But I think we can reasonably depend on these app stores to look for obvious hacks. However, a scam where I give you something that doesn’t really work and you download it and it shoves ads at you or anything like that, I think you’re on your own on that. But when an app has one person [review] with five stars, lights should go on.
Howard: The other thing about the real ChatGPT users need to know is not all of the text that it generates is necessarily accurate. It’s not perfect. It pulls what it thinks is relevant text from the internet. You need to check everything that it produces for accuracy, which of course can take time.
Jim: It is surprisingly accurate, but I don’t disagree with you. You must check it [the results]. But I’ve gone on to it and done all kinds of things. When we were talking [at IT World Canada] about running a version of ChatGPT code on our own servers I asked it, ‘How would I run chat gpt on my own server?’ It came back with the instructions. I’ve done a lot of things with it. I think where it really fails is answers that may not necessarily be great in the context. It has been reported too that if you tell it, ‘I’m feeling awful. My life is terrible. Should I commit suicide?’ it will say, ‘Yes.’ So it’s not intelligent. It’s not sentient, but within the confines of what it can do it’s pretty darn good — and it’ll get better and better. The reason why I say that is because I hear a lot of people saying it’s going to be inaccurate, it’s going to be this … It’s the alpha version. It’s not even in beta yet. But it’s moving at an incredible rate. It will become very, very accurate over time.
Howard: News item number two: A survey of 300 U.S.-based IT decision-makers done by a security company called Delinea suggests that the incidence of ransomware is dropping. Only 25 per cent of respondents said their organization was victimized in 2022 by ransomware. By comparison 64 per cent of respondents in 2021 said their firm was a ransomware victim. That suggests that ransomware is dropping. What do you hear from your IT colleagues?
Jim: I hear noises that it’s going down. And because people won’t speak publicly about whether they’ve been hit by ransomware I believe that the occurrences of ransomware are going down. That doesn’t mean that the damage is any less. But the sense I get is that the [cybersecurity] tools are better and there’s a lot more prevention. There’s been a lot more [employee] education. I’m not going to jump behind these [particular] numbers because I’m not sure I believe them. But I do believe that there is a downward trend.
Howard: Maybe the work being done by international law enforcement is having some effect on ransomware gangs?
Jim: I think some of the groups are being broken up by law enforcement. I think some of the messaging [to CEOs] saying don’t pay is getting through. Overall, I think there’s a shift happening. I’m not sure quite what it is, but I think there’s a lull. It could be a lull that things are moving down. Or could be a lull before the storm. I don’t know.
Howard: Thing is, in that survey there was quite a drop. In 2021, 64 per cent of respondents said they were victimized by ransomware. It dropped to 25 per cent last year. That’s quite a plunge. So was one of these surveys a rogue poll? You know, every once in a while a poll is wildly wrong.
Jim: I went back and compared this to a Telus poll [last year of Canadian IT leaders] that totally conflicts with this in terms of the number of companies that paid a ransom. So I’m wondering should we believe these studies? I don’t think you should take the numbers and claim they’re accurate. I just don’t believe they are, and I question the survey logic in this. We [IT World Canada] do a lot of research and I’m not sure that these things would stand up under any real research. So let’s look at the trend, and I think we can believe that the trend has gone down. And I think that’s all we can take away from any of these surveys. I wouldn’t believe the numbers. But if you aggregate them there is a downward trend.
Howard: This [Delinea] was a survey of IT people and it asked them if things had changed in their firm over the past year. There’s another way, and that’s by counting the number of reported ransomware attacks. Emsisoft recently did a report saying they tried to find a number for ransomware attacks in the U.S. and said it’s impossible because so many attacks aren’t publicly reported — and counting victims listed by ransomware gangs on their data leak sites doesn’t work because, well, crooks aren’t necessarily trustworthy. So what do we do?
Jim: You don’t worry about precision. You worry about accuracy … The best way is to get aggregate polls and if they are all moving in the same direction that tells you something.
… Does it matter in terms of prevention whether it’s 88 per cent or 72 per cent or 60 per cent? The trend is what matters … If you hear a number and it doesn’t help you take an action that is something. The number that frightens me in [the Delinea survey] is 93 per cent said in 2021 they were allocating budget to protect against ransomware but in 2022 it was 68 per cent … Are we getting comfortable? Are we relaxing? I don’t think we should. Look at what the consequences of a breach are. The Telus report says the average ransom paid was $140,000. IBM said the average cost of a data breach is $4.4 million. Look at the Rackspace ransomware attack. They had a service for hosted Exchange that was less than one per cent of their revenue. But 27 of their customers got hit with ransomware that knocked them out and the share price of Rackspace dropped 30 per cent. So we can’t get complacent. That’s my message: No matter what the polls say keep doing the things you’re doing to fight ransomware. Do the fundamentals.
Howard: You mentioned the Delinea numbers suggest that firms were spending less on ransomware [protection] last year than they did in 2021. Is that a reasonable question to ask? Do companies spend specifically to defend against ransomware, or do they spend in general on cybersecurity defence?
Jim: I was talking to Greg Young at Trend Micro the other day about the same question, and he said a lot of these things have been rolled into regular software. So it’s really hard to distinguish between what you’re spending to protect against ransomware versus what you’re spending on overall cybersecurity. But if anybody tells you the number of ransomware attacks are going down and that caused them to relax, that’s malpractice.
Howard: News item number three: Your new Honda, Ford, BMW, Porsche, Mercedes Benz or Ferrari may come with a gift: a bad remote access app or insecure customer portal. Security researchers looked at apps from a wide number of car manufacturers and they found a lot of bugs, and I’m not talking about bugs on the windshield but in their mobile and remote access apps. In some cases the researchers could remotely unlock vehicles, start engines or access the personal information of vehicle owners that they had registered with a car maker. Now, this isn’t new but it keeps happening. Is the car industry less vigilant than others?
Jim: I don’t think they are less vigilant. But I think things are moving so fast. You’re old enough to remember stories about people getting into the wrong car because their key would fit [in the door]. Or someone with a remote garage door opener could drive along a street and open your garage door. We were less secure in those days; we’re more secure now, with some exceptions. What these people [researchers] are talking about is playing with the exposure that you have in the APIs that are out there. There are some real weaknesses in APIs. I read one story about a 19-year-old German kid who’d been able to hack 25 Teslas through a third-party app. The car industry has to be careful: What you ask for, you might get. The cars have become sophisticated computers, but they have the same vulnerabilities at the API level on third-party apps. And, like people have had to do with the internet of things and remote devices, they have to play catch up. I think they are, but there are still significant vulnerabilities.
Howard: One final item, and that’s the proposal by the American telecom regulator, the Federal Communications Commission, to eliminate the seven-day delay that communications carriers in the U.S. can take before notifying customers of a data breach. I think the delay is intended to give carriers time to gather as much information as they can in a short time before notifying victims. But it can also be argued that what it does is give crooks a seven-day advantage to exploit stolen data. Generally speaking, how fast do you think companies should notify victims when the company knows that there’s been a data breach?
Jim: I’m not going to answer this one as a tech professional. I’m going to answer it as a business owner. I’m glad I live in Canada because this is ridiculous. You can’t put a day on it. It’s not possible. Seven days in a large organization to get back to people? It may seem like everybody should say do it right away. But if that was in place do you tell all of your customers every day because there was maybe an issue? These [telcos] are large companies. It’s not easy. I saw one government example where it was months before they actually got back to people [about a data breach]. That’s wrong. But Ireland’s data protection commission fined Twitter 450,000 euros or US$600,000 for not reporting in two days. We [Canada] might not be thought of as being at the world level here. But I’m glad Canadian legislation uses the principle of reasonability: You should get back [to victims] as fast as a reasonable company can, and judge it by is there a real risk of harm [to victims]. That’s the type of legislation you need. In some cases you should tell people the minute you’re breached, in other cases you have to do some real work [before notifying]. This [U.S. proposal] is another case of legislators who know nothing about technology, let alone business, putting together legislation. If we were hacked tomorrow … I’ve got to find a way to determine what got exfiltrated from our site. Do people know how hard that is? You don’t know [what’s been copied] in a lot of cases. It takes time. There are other places where you know if they got into a data set and there’s just too big a risk, but that’s the reasonability factor and that’s what we need in the legislation in my less than humble opinion.