Futurecast | BH-USA Recap, Evil Strawberries, Sad Trombones for SMShers, and Banking on Non-Banks

#0012 Trust And Cyber Online 🌮

hello world [what’s up]

Mālō e lelei Cartomancers! 

So I’ve had a newsletter sitting in draft for 6 weeks now, and fellow perfectionist procrastinators can relate: the longer you put something off, the more perfect you feel it needs to be. So I’m just going to stick that draft in a drawer and give you a couple of thoughts as I get back into the swing of things after Hacker Summer Camp, aka Cyberpalooza, aka my annual trek to Las Vegas.

Let’s get into it:

  • Noodle from the Lab: Basically just a recap of my BH-USA

  • Nuggety News-ish Updates:

    • Artificial Intelligence in the Natural World - That’s Not a Wild Strawberry: What’s worse than medical misinformation? Well, maybe (undisclosed) AI-generated reference-material fanfic about what’s poisonous and what’s safe to imbibe.

    • Sad Trombone for SMShers: Follow one researcher’s deep dive into the “lost package” USPS-themed text-based phishing scam

    • Banking on “banks”: A cautionary tale from the smart folks at Planet Money - it’s worth it to check the nutrition label on your money movement and “banking” apps

a noodle from the lab [what we’re working on]

I attended Black Hat USA and the CISO Summit this summer in Las Vegas (early August). As a member of the review board (selection committee) for both events, it was fantastic to see and hear from so many innovators as they shared their experiences and research. I got to introduce a couple of great talks, and also got to have my own (on camera) discussion with Jeff Man - it was streamed live, but if you weren’t able to catch the stream you can catch the replay here:

Jeff and I discussed increasing concerns around fraud, scams, and especially deepfake-driven scams. We started off by discussing some of the differences between fraud and cyber teams (problem sets, technology, philosophies, and metrics), and we were also able to talk a bit about some of the research I’ve been doing in my role with IANS - how to adapt defenses given the shift in threats across cyber and fraud (and of course, the rise of deepfakes!).

I am on the Black Hat USA Review Board - this year I reviewed proposals submitted to four tracks (AI, ML, & Data Science; Human Factors; Policy; and Community & Career), and was delighted to introduce the speakers on a few very excellent talks:

  • Narayana Pappu - Unmasking Privacy Risks in Post-Cookie Adtech Solutions

    • Unfortunately this talk needed to be rescheduled at the last minute, but fortunately the reschedule means that Narayana’s talk will be recorded and made available online.

    • With his team at Zendata, Nara’s already been working on issues around privacy observability and related data protection capabilities. This presentation will talk through the privacy “attack” cycle, how it manifests within adtech, and lessons learned from privacy breaches.

    • Stay tuned for when this talk becomes available online!

  • Julien Voisin - Modern Anti-Abuse Mechanisms in Competitive Video Games

    • Having worked on game “cheating” several times in my career, I know well that cheating can be both obnoxious and difficult to define. So I appreciated that one of the first things Julien did was to differentiate between cheating and other forms of in-game abuse.

    • Julien’s talk went deep on the tech associated with cheating and with detecting cheating, and on what platforms should consider when setting and enforcing policies on bad behavior on multi-user (and competitive) platforms.

    • You don’t have to be a gamer to find this talk interesting, but I do think gamers will find it especially entertaining. Catch it on the replay!

  • Peleus Uhley - Tracing Origins: Navigating Content Authenticity in the Deepfake Era

    • Peleus, in his time at Adobe conducting security research and driving security strategy, gave an outstanding talk on a particular set of mechanisms being considered in the fight against deepfakes.

    • Specifically, Peleus is working with the folks at c2pa.org to build out standards for managing content provenance. Yo, if you’ve tried your hand at software provenance, this is a pretty wild ride, but Peleus explained how the (open) standards are being built out, and how the ecosystem of content creation is building on these capabilities - from software to hardware through to content sharing/dissemination networks.

    • While the current form of the standard addresses use cases associated with “big” media (for example, a photo taken and distributed by a large media outlet like the AP or the Wall Street Journal), it will be interesting to see how this standard evolves (and how the ecosystem productizes the capabilities to meet the use cases of other folks who want to share…but without seeing their pics, vids, and audio manipulated downstream).

    • (pssst, check out the C2PA GitHub for what’s current on the project, and consider contributing if you wanna get in on the authenticity movement)

training data [what’s news]

šŸ—Øļø Artificial Intelligence in the Natural World - Thatā€™s Not a Wild Strawberry: A thing you might not know about me is although Iā€™m a city person that never leaves my house, I actually really love the outdoors. Birds, trees, and wild plants - love ā€˜em.

And I really love watching the content of Instagram’s @blackforager, aka Alexis Nicole, one of my favorite Ohioans, who shares her knowledge about foraging wild plants (even better, IMO, foraging wild plants in urban areas).

As risk-minded cartomancers such as yourself might guess, when foraging it’s pretty important to have accurate information when you’re trying to learn how to identify edible plants. [Alicia Silverstone please take note]

We know that AI-generated content is…at best…*roughly* accurate - but generally not data we’d want to bet the farm on (so to speak). Consider this another object lesson in not just doing your own research, but in qualifying the data sources from which you pull your research. Information quality matters.

šŸ—Øļø Your package cannot be delivered unlessā€¦sad trombone: People really are clicking on these sketchy SMS messages showing-up in their inboxes - if they werenā€™t the scams would probably drop off.

Most savvy phone users just tiredly mark them as spam and move on, but at least one enterprising recipient (Grant Smith) decided to take a moment to reach back through the ether and map out the supply chain / operation behind the campaign.

What he found led to a standout talk at DEF CON, and a better sense of what defenders are up against when it comes to these sophisticated financial crime operations. Matt J of VulnU breaks it down quick (below), or check out the Wired story for more details, and Grant’s blog for the full run-down.

šŸ—Øļø Banking on ā€œbanksā€: A hot topic between me and some of my fintech nerd friends has been the rise of the sponsor bank, and other financial institutions that sit behind fintech services and companies.

At Cartomancy Labs, we talked about some of the sponsor bank risk issues briefly a few posts ago when Green Dot was in the news for their FRB consent order (TL;DR KYC / AML before you move those dolla dolla bills y’all). [Note: the latest I have on that is that GD was fined $44M for their violations].

As I was scrolling through my podcast feed, it was cool to see that Planet Money dedicated an episode to the topic - although the story itself was heartbreaking - talking about the impact on thousands of consumers after Synapse filed for Chapter 11 bankruptcy in April, discrepancies with Evolve Bank & Trust (who later experienced a data breach), and how that turned into a nightmare for users of the Yotta app/system, among others. Enjoy!

find more cartomancy [what’s out there]

coming soon

ā–¶ļø Iā€™m hoping to catch a few talks at the Datos Insights sponsored Financial Crime and Cybersecurity Forum happening August 27-28, 2024 in Charlotte, NC. If youā€™re also in the Queen City next week, let me know.

on demand

ā–¶ļø I had so much fun with my talk (entitled ā€œWatching the Detectives: Scam Artistry, Deep Fakery, Fraudsters, Frame-ups & Other Highlights of the High Speed Card Chaseā€œ) at BSides Knoxvilleā€™s 2024 event (their 10 year anniversary!). The discussion focused on parallels and differences between the evolution of detection technology in fraud/T&S versus cyber, and how Maturity Frameworks might apply to fraud programs. Hereā€™s video (below) of the full talk:

I was delighted to spend some time discussing cybersecurity career paths, leadership development, and industry trends while reconnecting with my friend and colleague Sandra Liu (if you haven't seen what she's working on over on YouTube, I encourage you to check out her projects). In this interview, we cover cybersecurity career and industry topics including:

  • šŸ¤ What do hiring managers look for when hiring candidates for a job?

  • 💻 What cybersecurity skills are most relevant?

  • 💭 What are the biggest challenges facing organizations today?

A bit of a throwback, but it was so much fun chatting with Andy Ellis, and so much in here is true even a couple of years later.

ttyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

If you’ve read to the end and you find this content helpful, I’d love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It’s also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle