Futurecast | Fakes on a Zoom, Cyber-Busts, & Your Risk Philosophy Brain on AI
#0003 Trust And Cyber Online
hello world [what's up]
Hey there Cartomancers, hope you are doing well. A few days ago, Punxsutawney Phil predicted an early spring after not seeing his shadow in the morning at Gobbler's Knob. For those of you who are Gophermancy devotees, let's take that as good news that some of us will be getting some spring sunshine soon.
Regardless, here we are back for another issue of the Futurecast - I have to admit that there is so much happening in our space that I just decided to call time on the process and shift the analysis of all of the Rest Of All The Things to next time.
Noodling in the Lab
Gearing up to go full throttle on card fraud - which is a bit of a rabbit hole, so let's enjoy the journey
New Training Data aka News
More deepfakery shenanigans...And you may tell yourself, this is not my beautiful team meeting
A round-up of some of the interesting takedowns and cyber-busts happening
Dire warnings about unprotected state of critical infrastructure giving us all the wiggins
Relationship between AI and risk modeling getting interesting
a noodle from the lab [what we're working on]
Techniques of credit card fraud management have set the stage for everything that has come after, including the layering of device "security" mechanisms, authentication, and applying stats/ML/AI (i.e. all the data things) to the problem in real-time. So we're going to go on a deep dive...but, this is going to take me a while to write - one, because I have so many strong opinions, and two, because the...beauty? majesty? core lessons?...of card fraud kind of require a prerequisite understanding of how card payments work, and the players and incentives in the system.
Thus I'm thinking we should take a bit of a different approach here. I'm going to:
Publish a half-baked article (sometime soon-ish), and refer to it in this newsletter as I add to it over time. It will essentially be living lab notes, and you can peek at it as it develops, or I come back and add things.
Ask you for any questions you have on the topic, so I can be sure to answer them and to frame them up in the Living Lab Notes. If you have any questions off the bat, lmk by hitting "reply" to this newsletter and listing them out. Here are some questions that might inspire your thinking:
Are credit cards safer than debit cards?
What happens if I experience fraud on my company card?
Why didn't the US market adopt chip + PIN faster?
I work for a company, and the billing department keeps asking me about 3D Secure - what is it and why do we need it?
training data [what's news]
New Deepfake Horrorshow - Can't Trust Internal Meetings, Either: So I thought we might be able to go a week without highlighting deepfakes, after last week's TayCeption, and discussion of imminent availability of real-time voice deepfake software, but no, we find ourselves instead in "that escalated quickly" territory, as over the weekend a Hong Kong firm lost over $25mn after employee's video call with deepfake "chief financial officer", others.
After receiving a phishy-sounding email, an initially suspicious finance employee was pulled onto a videocon with the CFO and a bunch of other teammates - and was then convinced to initiate transfers that resulted in a $25M loss for the multinational firm.
According to CNN, "(In the) multi-person video conference, it turns out that everyone [he saw] was fake," senior superintendent Baron Chan Shun-ching told the city's public broadcaster RTHK. Repeat: Everyone was FAKE. Can you imagine?
The good news (such as there is good news here) is that the deepfake apparently wasn't done ALL in real-time, but that the videos were probably created from past videocons, with deepfaked audio added on top. This was also not a quick phish, but an elaborate scam laid out over time, involving WhatsApp, email, and multiple video meetings with staff members.
Cyber Consequences, Maybe?: Ransomware, breaches, and cybercrime schemes tend to make a big impact and then disappear into the ether. For those who have been tracking some of these situations, here are some of the arrests, takedowns, call-outs, and indictments we're watching:
Myanmar Hands Over Mob Bosses in Cyber-Fraud Bust: For the past few weeks we've been talking about the human trafficking pipeline into scam sweatshops/camps. In one notable case, Myanmar is putting additional pressure on a set of "pig-butchering" scam camps by arresting and extraditing a few of the ring-leaders, although at least 4 suspects on China's most-wanted list are still at large.
Interpol's 'Synergia' Op Nabs Dozens of Cybercriminals, Zaps Global C2s: Interpol worked with ~60 law enforcement agencies and outside cybersecurity firms (including Group-IB, Kaspersky, ShadowServer, Team Cymru, and TrendMicro) on a coordinated takedown effort which took out a slew of command-and-control (C2) servers globally. The operation was designed and executed to address a surge of phishing, banking malware, and ransomware attacks.
Three people indicted in $400 million FTX crypto hack conspiracy: Not that FTX needed help imploding, but three people were indicted for conspiracy (identity theft; the hack - powered by SIM-swapping - drained funds directly out of wallets) that allegedly included the $400 million hack from FTX on the day that the firm filed for bankruptcy protection in 2022.
FTC orders Blackbaud to boost security after massive data breach: FTC complaints regarding the Blackbaud data breach and subsequent response have resulted in a settlement requiring Blackbaud to improve security and delete unneeded customer data. This FTC complaint is in addition to a very annoyed SEC (Blackbaud left out details of the breach and risk in their 8-K) and very, very annoyed customers/stakeholders (6 months after the breach, there were already 23 proposed class-action lawsuits on the docket).
Fingerprint photo led investigators to therapy centre hacking suspect: In a long line of Oopsie Selfies that lead to locating suspects, here's a new one: don't take palm-pics, because that sci-fi "enhance" function we've gotten used to in movies now works. Investigators were able to examine fingerprints from a social media pic, and help connect the virtual dots that led to the suspect's arrest.
Infrastructure gets the Hax: Now for a string of bad news - as much time as we spend talking about the human factor of cybersecurity, and how ordinary people are tricked and hacked, it turns out major infrastructure is similarly vulnerable to attack. Which means we're all vulnerable. On the one hand, we see the U.S. government able to identify and sanction (via OFAC) 6 Iranian Officials for Critical Infrastructure Cyber Attacks (noting that sanctions aren't a preventative measure for cyber operations); on the other hand, we hear leaders also issuing Warnings of Chinese Attacks on Critical Infrastructure (various sectors, including water and power). The sectors themselves are feeling the pressure:
Fulton County Suffers Power Outages as Cyberattack Continues: Fulton County in Georgia's recent cyberattack (and a power outage) has taken government systems down, and now - after a week offline - only some of the systems are back online. As an example of a direct impact, authorities in Georgia were looking for a murder suspect, mistakenly released after a hearing in Clayton County - and apparently, 5 days after releasing the suspect, are still looking.
New Summits Aim to Strengthen Cybersecurity for U.S. Courts: Court systems have their own resiliency and data protection considerations, and the National Center for State Courts and Joint Technology Committee is partnering with CIS to hold summits across the country to provide awareness and facilitate planning. This initiative is funded by a State Justice Institute grant.
Not one, but two Chicago hospitals impacted by cybersecurity incidents in the last week. Chicago pediatric hospital Lurie Children's forced to take its network offline as experts warn of rising cyber threats, and over on the West Side, Saint Anthony Hospital reported hackers accessed their systems and stole data. It is unclear if there is a connection between the two incidents.
FBI joins investigation into City of Germantown, Tennessee cyberattack. On Friday morning, Germantown leaders learned that bad actors accessed the city's servers, but impacts were relatively "minimal", with public services unaffected (phone lines and went down at city facilities, wi-fi was still unavailable as of Monday morning).
We see attacks incoming, including municipalities and hospitals, but where are the plans? CyberScoop reports that when it comes to national cybersecurity plans, the GAO is seeing "neither the strategy nor the implementation plan included outcome-oriented performance measures for the initiatives or for the overall objectives of the strategy to gauge success." Take a look at the implementation plan for yourself, but perhaps you could predict the response of the ONCD staff - who agreed outcome-oriented performance measures are preferred, but that "such measures do not currently exist in the cybersecurity field in general".
Ouch - but it's a common sentiment. It's far easier to quantify impact after the worst has happened. Our infrastructure is such an obvious target, even the Onion is poking fun: China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems
Speaking of Measuring Risk, Would You Like Your Existential Risk with a Side of AI? Risk nerds are having a mid-AI crisis. For years we've been leveraging Machine Learning in our models, with various frameworks and algorithms coming in and out of vogue - we've been balancing complexity and accuracy, and the burden of supervised techniques with the need for explainability, gently nudging and training and generally juicing the tech for all it's worth: from search to finance and back again. But how do we model the risk of AI itself?
We've got lots of opinions on how it can be used in cybersecurity (for example The pros and cons for AI in financial sector cybersecurity), but keep your eyes on the big-AIs in the room - A New Cause for Concern: Alphabet Inc. Class A Adds a New Technology Risk. Google and Microsoft will likely have some of the more sophisticated approaches to factoring AI-risk into their enterprise risk programs - and how they report to the street - because they've had a lot of practice in the arena already, thanks to Search, Ads, & Cloud.
I think this is an interesting place to look - financial statements - because the market is trying to weigh the risks and the opportunities simultaneously, a la the Motley Fool's comments in Measuring CrowdStrike's Meteoric Rise as Its Artificial Intelligence (AI) Revolutionizes Cybersecurity. MF's understanding of how CS is using AI might not match the depth of a cyber analyst's view, but going forward look to AI not just gracing every marketing pitch you receive this year, but also influencing valuation in a bigger way.
And if using AI to model AI risk/opportunity isn't your speed - maybe it's time to bring back...prediction markets? Because crypto(currency) startups are trying to make (or quash) Prediction Markets as a Mechanism to Hedge Crypto Startups' Regulatory Risk. Coindesk goes on to report that Bitwise Asset Management has predicted (actually, Coindesk said that Bitwise had used the term "forecasted", but I think "predicted" is more poetic here) that "more than $100 million will be staked in prediction markets, which will emerge as a new 'killer app' for crypto."
find more cartomancy [what's happening]
coming soon
On Feb 22, Join me at InfoSec Compliance Now, a free virtual event hosted by AuditBoard from 8:30 AM - 12 PM PT. I'm kicking off the event on a panel with presenters from Fannie Mae, Saviynt, and Cartomancy Labs (that's me!), where we'll discuss what 2023 taught us about AI and the ways it's reshaping the compliance landscape. Reserve your spot today!
on demand
ttyl [what's next]
Thanks for reading to the end of this set of lab notes. I'm thrilled to have some fellow travelers mapping out where we've been, philosophizing about where we want to be, and building the paths to get us where we're going.
If you've read to the end and you find this content helpful, I'd love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It's also a good way to find me if you are interested in working with me or with Cartomancy Labs).
See you next time on the Futurecast!
Allison
@selenakyle