As we approach the first anniversary of ChatGPT’s launch, many of us are continuing to explore the potential of this incredible tool. Including hackers.
Our lead story this month highlights the growing concern among experts that AI tools will be increasingly weaponised by criminals in the months and years ahead.
We’ll keep you up to date on emerging AI threats as and when we hear about them.
We’ll also continue to ensure our newsletter subscribers are among the first to know about preventative technologies that can shore up your defences.
Hackers could use Chat GPT to bring down NHS and MOD
An Oxford professor of computer science has warned that ChatGPT could be used by cyber criminals to shut down government websites including those of the NHS and Ministry of Defence.
Michael Wooldridge said that ChatGPT and other AI tools are similar to an “extremely capable computer programmer” that has no “ethical principles whatsoever.” He thinks that this would eliminate the need for hackers to either personally code or hire programmers.
The UK government has promised to tackle concerns around the use of AI “head-on” and is hosting a global safety summit on the issue in November.
Still not using a password manager?
81% of cyber security breaches are down to compromised, weak or reused passwords. Quora, Facebook and Yahoo have all been hacked due to poor password policies.
But many individuals and businesses are simply overwhelmed by the idea of managing passwords for multiple online accounts.
We strongly recommend using a password management system that removes the need to remember multiple passwords. Such tools generate unique and random passwords and store them securely using Zero Trust security architecture.
Keeper is a highly trusted password management platform for SMEs and enterprise organisations. This piece of software can literally let you forget your password and still stay safe online.
Says Richard Geyman, Technical Director, Intersys, “Having unique passwords for every site and service are crucial in the fight against cybercriminals, and password managers make this an incredibly simple task. We highly recommend Keeper for businesses, due to its robust security credentials, and extensive centralised management features”.
Controversial online safety bill becomes law — and here’s what we think
It’s been a contentious topic for many years and, finally, the government’s Online Safety Bill has become law. It aims to make the internet safer for children – and no one’s going to argue with the virtues of that.
However, it may also require messaging services to examine the contents of encrypted messages for harmful material. That, according to many in the cyber security industry – including our MD Matthew Geyman – is deeply problematic.
He says, ‘There are some ambiguities in the law that threaten the security of legitimate end-to-end encryption and may pose a threat to encryption use – so crucial for cyber security.’
There’s a lot more to discuss here and we’ll be getting more of Matthew’s thoughts on this subject in the next newsletter.
Beware of scammy links from LinkedIn
A new type of phishing scam is growing in popularity and if your business uses LinkedIn Sales Navigator or Enterprise plans, you need to be vigilant. Hackers have found a way to harvest Microsoft Office logins using smart links on LinkedIn.
These smart links are often used by business accounts on LinkedIn to track marketing engagement metrics. They are also considered ideal attack surfaces because emails with smart links embedded in them can bypass security controls. (They are less likely to be flagged as suspicious because they come from a trusted domain such as LinkedIn.)
Unsuspecting users are lured into clicking on links that redirect them to phishing pages that steal their data. Security experts say that the finance and manufacturing sectors have been particularly targeted.
Pay close attention to ANY external email with embedded LinkedIn smart links that claims to need financial/HR information.
Genetic data of super rich – HACKED
A hacker has boasted on an online forum of stealing millions of users’ data from genetic testing company 23andMe. According to the claims, millions of individuals’ private data, including genetic information, has been leaked in the cyber underworld.
The hacker bragged that the data includes information on “the wealthiest people living in the US and Western Europe”.
This leak comes close on the heels of an earlier hack this month by the same individual. In this instance, 23andMe revealed that criminals had stolen data using credential stuffing, a hacker ploy where emails, usernames and passwords already public from previous breaches are tried in various combinations to gain access to user accounts.
Thousands of businesses using Cisco IOS XE software attacked
Cisco has revealed that hackers have exploited vulnerabilities in the Web User Interface (Web UI) feature of their IOS XE software for business.
These flaws are being tracked as CVE-2023 – 20198 and CVE-2023 – 20273. They affect both virtual and physical devices when exposed to the internet or insecure networks.
Attackers have used these weaknesses to gain privileged access to devices, create local user logins and run arbitrary commands on devices.
Cisco has recommended that users disable the HTTP Server feature on all internet-facing systems or confine access to trusted addresses only. They have also released updates to fix the issue here.
It’s believed that a whopping 34.5 thousand Cisco IOS XE IPs have been compromised.
The strange and unsettling growth of ‘…ishing’ scams
Phishing is the cyber world’s term for email scams. Smishing is the text-based version. Now we have two more ‘…ishings’ to look out for that complete an unholy quartet – Qishing and vishing. Qishing is the term used to describe a phishing scam that uses a malicious QR code to gain access to its victims’ logins.
We have seen several of these attacks recently and our in-depth blog post sheds more light on prevention and safety tips.
There is also vishing – a frighteningly successful cyber threat that tries to steal information or money over the phone.
The MGM Resorts casino hack being a recent case in point (see next story). Our Vishing blog post is full of tips and security advice.
How a 10-minute phone call cost MGM resorts $100 million
Last month, we revealed how it took hackers just a 10-minute phone call to gain access to MGM Resorts systems and bring the gambling giant to its knees. The cost of that devastating attack is now estimated at $100 million.
The casino shutdown led to guests being locked out of rooms, websites crashing and slot machines falling eerily silent. MGM Resorts were lauded by security experts for refusing to pay the ransom demanded by the hackers.
While customers’ bank details seem to be safe, other personal data such as names, drivers’ licenses and social security numbers have been stolen.
Other vulnerabilities to watch out for:
- VMware has disclosed an out-of-bounds write CVE-2023 – 34048 and a partial information disclosure CVE-2023 – 34056 which they describe as critical. Fixes are available here.
- A new malware attack is targeting Jupyter Notebooks.
- Don’t miss this critical patch update from Oracle.