Intercast April 2024 – AI Governance Committees

Welcome to the April 2024 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed.

Client Insight: AI governance committees

Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month we’ve noted an ongoing debate about AI governance committees. It’s a way for a business to have a dedicated group of staff to think about how it uses AI, what limitations it places on the technology, and what counts as responsible or irresponsible use. Our feedback suggests the most effective committees include people from a range of departments and roles to get the broadest possible view of the topic. In some cases, a lack of technical familiarity with AI isn’t a bad thing and can bring a fresh perspective on the opportunities and risks.

Fake Obituary Sites Exploit Grief

Despite fears of AI writing new and devastating malware code, the real danger could be that it makes old-fashioned techniques more powerful. We’ve already seen evidence of generative AI creating thousands of targeted phishing emails ready to test at scale. Now scammers are using the technology for a particularly despicable tactic.

They are scraping news sites for recent deaths, then using AI to create supposed obituaries. Some questionable SEO tactics get them to the top of the rankings and attract grieving visitors to the scam obituary site. Not all the obituaries are on the money – one came as a particular surprise to a very much alive subject – but it’s a simple numbers game.

From here, the victims are either redirected to adult sites or shown bogus malware warnings leading to legitimate antivirus software sites. In both cases the goal is to earn the scammers commission, either from page views or software downloads. Secureworks, which highlighted the problem, fears the current setup may be a proof of concept before escalating to direct malware delivery.

IT Helpdesks Targeted By Cybercriminals

We’ve all seen scams where fake IT support staff call victims and try to get remote access. Now the process is reversed with scammers trying to fool helpdesks.

It’s a sneaky tactic that unfortunately makes sense when you think about it. The idea is to pose as an employee with a bogus problem and try to trick support staff into a fix that involves changing access controls, for example to “regain” account access and “get back to work”.

Making IT support staff aware of the problem is probably the best way to combat the tactic. Red Canary, a security company that highlighted the problem, suggests some other solutions. One is using a specific passphrase to identify legitimate staff, though that could be a tricky solution to scale. Another possibility is getting staff to verify their work device by giving a serial number that’s only accessible with physical access.

Links On X A Security Threat

Since Elon Musk took over, much of the discourse about X (formerly Twitter) has been on the thorny topic of free speech and moderation. Unfortunately X has also had technical problems that have now extended to a significant security failing.

The site no longer shows posted links in full but instead displays an image; hovering over the image shows the destination site rather than a URL. The problem is that scammers realised the site shown is the intended final destination, not necessarily where the initial link actually points. (Even worse, mobile users can’t always see any details of the destination.)

The scammers used the simple tactic of setting links to behave differently depending on who or what clicks them. Humans are sent on a redirect chain that winds up at a bogus website, either for malware or phishing. Meanwhile automated tools – including Twitter’s own bots – are taken to the supposed legitimate destination.

It’s an issue that could theoretically be fixed with a policy change, but in the short term it effectively meant clicking any link on the site was a security risk.

Microsoft Ditches 1024-Bit RSA Keys

Microsoft’s Transport Layer Security (TLS) implementation will soon support only RSA keys with a minimum length of 2048 bits. It’s the first such update since 1024 bits was made the minimum in 2012.

It’s arguably a long overdue security boost given that certificate authorities recommended ditching 1024 bits as far back as 2013. Bleeping Computer notes that a 2048-bit key is theoretically four billion times more secure than a 1024-bit equivalent.

The switch will likely mean headaches for some system admins dealing with older software installations or older devices. In particular, businesses using some network-attached printers may need a rethink to avoid staff frustration.
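A practical first step before the change lands is an inventory of which RSA keys fall under the new 2048-bit floor. The following is an added example, not code from the newsletter or from Microsoft: a standard-library-only audit that reads the modulus size out of a PEM "PUBLIC KEY" block (the SubjectPublicKeyInfo structure that also sits inside every X.509 certificate). The keys it tests against are constructed placeholders with a fixed modulus size, not real RSA keys.

```python
import base64

MIN_RSA_BITS = 2048                                  # the new TLS floor described above
RSA_OID = bytes.fromhex("2a864886f70d010101")      # rsaEncryption 1.2.840.113549.1.1.1

def _der_tlv(data, i):
    """Decode one DER element at data[i]: return (tag, content, index after it)."""
    tag, first = data[i], data[i + 1]
    if first < 0x80:                               # short-form length
        length, start = first, i + 2
    else:                                          # long form: 0x8N, then N length bytes
        n = first & 0x7F
        length, start = int.from_bytes(data[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, data[start:start + length], start + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo; ValueError if not RSA."""
    _, spki, _ = _der_tlv(spki_der, 0)             # outer SEQUENCE
    _, alg, i = _der_tlv(spki, 0)                  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_tlv(alg, 0)                   # algorithm OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _der_tlv(spki, i)               # BIT STRING; byte 0 = unused-bit count
    _, rsa_pub, _ = _der_tlv(bitstr[1:], 0)        # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_tlv(rsa_pub, 0)           # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()

def audit_pem(pem_text):
    """Return (modulus_bits, meets_minimum) for a PEM 'PUBLIC KEY' block."""
    body = "".join(ln for ln in pem_text.splitlines() if not ln.startswith("-----"))
    bits = rsa_modulus_bits(base64.b64decode(body))
    return bits, bits >= MIN_RSA_BITS

# Fixture builder: CONSTRUCTED placeholder keys for exercising the audit, not real RSA keys.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(value):
    # (bit_length + 8) // 8 bytes keeps the sign bit clear, as DER requires for positives
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def constructed_pem(bits):
    """PEM SubjectPublicKeyInfo whose modulus is exactly `bits` long (placeholder, not a key)."""
    n = (1 << (bits - 1)) | 1                      # top bit set; not a product of two primes
    rsa_pub = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")   # rsaEncryption + NULL parameters
    der = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + b64 + "-----END PUBLIC KEY-----\n"
```

Pointing `audit_pem` at real public keys exported from a certificate store flags any 1024-bit leftovers, which is where the printer and legacy-device headaches mentioned above will surface.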

University of South Florida to launch AI and Cybersecurity College

Cybersecurity is still growing as a university subject, but it will be firmly on the map at the University of South Florida. It plans to create a dedicated college covering cybersecurity and AI subjects.

USF says it wants to be a global leader in the topic and will bring together staff from across its 13 existing colleges. Full academic details are still being worked out, but the plan is for “a range of disciplinary and interdisciplinary undergraduate, graduate, and professional programs, in addition to certificate and continuing education options.”

The idea isn’t simply to launch new courses, but to integrate the specialist teaching with research and industry. The University notes it already has 200 faculty members researching relevant subjects and has strong partnerships with tech and defense companies in the Tampa Bay area.

Best of the Rest

Here’s our round-up of what else you need to know: