Riverbank Ruminations
Observations from the banks of the technology river
Multiple Choice
As part of Security Awareness training I conduct for Ashton Technology Solutions, I include a quiz to help end-users understand the concepts clearly. Let’s see what you know.
- Line trapping is ___?
  - A. Setting out several muskrat traps to increase your chances of success
  - B. A style of dancing made popular by the family in the movie “Sound of Music”
  - C. A technology that lets a caller stay connected to your phone line after you hang up
- AI is ____?
  - A. The sound you make when you hit your finger with a hammer
  - B. Artificial intelligence
  - C. The main word in the chorus of songs sung by mariachi bands in old westerns
- Deepfakes are ___?
  - A. Putting one person’s face on another person’s body in video or altering a video to make it seem the person said (or did) something they never said (or did).
  - B. Really well-made knock offs of high-end products
  - C. Artificial fish used to lure other fish into a specific location
The answers are C, B, and A. But what do these things have to do with each other and security? The bad guys use technology in some inventive ways, so let’s look at how combining these has led to some difficulty defending against attacks.
Always Wanted to Be In “The Movies”?
A basic understanding of the process of creating deepfakes can be found in this video from Bloomberg. Originally, people put famous faces on the bodies of actors in pornographic films by using artificial intelligence (AI) to make the facial features of one face mimic those of a dissimilar one. Today, detecting the fakes has become very difficult. The tools are available to anyone and don’t require enterprise-grade software. Unless you do a lot of business via video call, this does not present a significant security risk.
Can You Trust Your “Colleagues”?
AI can also obtain samples of someone’s voice and then create entire speeches using that voice. Imagine that you work for a company that regularly uses wire transfers to move money. A policy is in place stating these transfers can only be initiated by two or three people, and you know them all well. You get a phone call from one of them telling you to initiate a transfer to a new company. This is not the usual scam email that says the sender is in a meeting and can’t be disturbed. This is a live phone call. Do you do it? How do you know it really is the person it sounds like? If you don’t already, have a policy in place that requires more than one form of authorization to move money, as this deepfake voice problem will only get worse.
Can You Trust Anybody???
Basically, line trapping occurs when the bad guy calls, tells a story, then says you should call someone (your bank, police, FBI, etc.) to verify the details. They are still connected to you after you hang up. If you call for confirmation (as we are supposed to do) before the line trap times out, you may dial the police, but you are connected back to the bad guys. How widespread this has become has yet to be seen. The takeaway here is: when calling to verify something, wait a few minutes or use a different line to make the call.
I haven’t heard of this next combination yet but it seems inevitable. You get a deepfake call to get you to do something, and the caller performs a line trap. Now you have a voice that you supposedly know telling you to do something that seems strange, but it really sounds like them. Ever cautious, you hang up and then decide to call the person back to make sure it really was them. The line trap connects you back to the bad guys, so the deepfake voice calms your worries.
Take Precautions Now to Prevent Big Losses
You may think that your business or personal account is not worth the time for someone to invoke the above schemes, since they do seem like a lot of work. Unfortunately, technology is putting these techniques in the hands of almost anyone. In the cyber underworld, technical services are now available for a fee to those without the skills. Ransomware is offered this way. Spam is offered as a service. Even DDoS attacks to knock a website off the internet are offered as a service. Deepfakes as a service can’t be too far behind.
The evolution of the attacks we are seeing requires the evolution of company policies. Bad guys have multiple choices when it comes to attacks. Companies need to help employees protect assets, and take extra care if something seems suspicious. You just might be right.