Stay one step ahead of cyber criminals with our regular news and tips
How worried should you be about AI and cyber security?
It certainly is a concern, but it’s worth getting this into context. Every new tech tool you introduce to your organisation should be properly assessed from a security point of view.
Look at it this way. Would you allow open access to your internet connection to all and sundry? Of course not. And, just as you use firewalls, intrusion detection and prevention systems and other controls to protect your network, so you should introduce appropriate controls for AI.
Our Head of Security, Jake Ives, looks at some of those safeguards in this newsletter.
Also, this month, a massive data breach that could affect us all, why you should exercise caution around Chrome extensions and a massive cyber crime bust involving 270 arrests.
How to respond to the ‘biggest data breach in history’
Security researchers at Cybernews have uncovered a whopping 16 billion exposed online login credentials that could potentially give hackers access to a host of services, from email and social media to government platforms.
Researchers say that most of the leaked data comes from a mix of infostealers (malware designed to infect computers and steal sensitive information), credential stuffing sets and recycled old leaks. It’s still unclear who put all this leaked information together.
Some security experts are calling it the biggest data breach in history, with the stolen data spread across 30 different databases on the dark web.
In the wake of this mass breach, do this now:
1. Monitor your email address for breaches using a dark web monitoring service such as haveibeenpwned.com or a password manager.
2. Immediately change your passwords if you have been breached.
3. Stop reusing passwords across accounts. Instead, start using a password management tool to securely generate strong, unique passwords for different accounts.
4. Enable MFA (multi-factor authentication) where possible.
5. Contact your online service’s customer support if you suspect any foul play.
6. Scan your computer for viruses often and ensure your primary account does not have local administrator privileges.
7. Avoid downloading illicit software or software from questionable sources as these are commonly packed with malicious payloads.
8. Sign up for identity theft protection / insurance from services such as Clearscore or Experian.
9. If you feel you have become a victim of identity theft, sign up for the CIFAS protection Protective Registration | Identity Protection Service | Cifas.
The good news is that passwordless authentication – a far more robust security model – is already being rolled out by big tech companies and is imminent across the UK government’s digital services.
The AI cyber risk and how to stay safe
A new government report has warned of the coming ‘digital divide’ between organisations that can keep up with AI-enabled threats and those that can’t. The report predicts this divide will likely increase the UK’s overall cyber risk.
AI-enabled cyber security threats include sophisticated phishing attacks, ‘data poisoning’ (when the data used to train the AI model is maliciously manipulated), creation of toxic content and ‘AI hallucination’, where AI simply gets things wrong and presents made up information as facts (something we covered in detail in this post).
The National Cyber Security Centre provides a range of resources to help organisations get their cyber security AI-ready. This includes the Cyber Assessment Framework and 10 Steps to Cyber Security, as well as the new AI Cyber Security Code of Practice.
Our Head of Security, Jake Ives, also offers the following tips, which closely reflect our internal security best practices for using AI.
Where possible:
Use only company-approved AI platforms. And don’t connect AI services to third-party apps such as OneDrive.
Create secure logins. Use your company email, ensure MFA is enabled and use a unique password stored in a reputable password manager.
Redact company names, sensitive information and private company data from AI input fields before submitting queries or prompts to AI systems.
Avoid uploading documents to any non-approved or third-party AI service. In other words, avoid uploading content to browser-based services not integrated into reputable platforms such as Microsoft 365 Copilot (and ensure your organisation has configured it correctly).
Use a ‘Work’ AI system – one your organisation has approved for sensitive information. For example, Microsoft 365 Copilot’s enterprise architecture configured correctly, will not expose sensitive organisational information. Copilot’s AI Prompt Orchestrator separates sensitive information to process elements of it separately, using M365’s security and compliance features (e.g. sensitivity labels and data access controls). This ensure that users only access information they are authorised to see and that prompts don’t expose sensitive information either to users who do not have the necessary permissions, or to the wider internet. More details here.
Be careful when using an AI service to generate scripts or write code – it may introduce errors.
Images generated by AI may infringe copyright – exercise caution.
Turn off the ‘Improve the model for everyone’ option in ChatGPT.
Finally, look out for the Intersys AI Safety Guide, coming to our website soon. It will include 10 Commandments for AI Use in the Workplace and a free AI Governance Policy template.
Be wary of those shiny Chrome extensions
We’ve explored the security loopholes in browser extensions before, and now it appears that even more gaps have been found in some very popular Chrome ones.
Browser extensions allow users to customise their browsing by installing features that add more functionality. Think handy grammar tools, or ad blockers for ad-free browsing.
But a recent investigation by Symantec found that popular Chrome extensions were accidentally exposing sensitive data over simple HTTP. The types of data included browsing domains, operating system details, usage analytics, machine IDs and more.
Security experts warn that data transmitted when it’s unencrypted via a public Wi-Fi or insecure network could attract hackers. In particular, it could arouse interest from Man-in-the-Middle attackers – criminals who place their fraudulent website between a user and an application, often to steal login details.
The extensions that have been found to expose data include SEMrush Rank (a popular website visibility checker), MSN New Tab/Homepage (a customisable page in the Microsoft Edge browser) and Browsec VPN (a private browsing tool), to name a few.
Users of these extensions have been asked to remove them from their browsers until the flaws have been fixed. As general advice, it’s also recommended to install a reliable Endpoint Protection tool to secure your device and data, avoid downloading extensions from unfamiliar sites, regularly backup important data and thoroughly read the permissions that each extension is requesting.
And finally… some good news
European and American law enforcement agencies have coordinated a major crackdown on dark web vendors and buyers. Police have arrested 270 cyber criminals, seized over EUR 184 million in cash and cryptocurrencies as well as tonnes of drugs, firearms and counterfeit products.
Operation RapTor has been credited with breaking up hard-to-reach dark net networks where criminals use encryption and anonymity to ply their illegal trade.
Police were also able to identify suspects from earlier raids on dark web marketplaces such as Nemesis, Bohemia and Tor2Door.
Other vulnerabilities and updates
Citrix patches for NetScaler ADC and Gateway
Apple multiple product vulnerabilities
Microsoft Windows External Control of File Name or Path Vulnerability
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability