This is an excerpt from a longer paper. You can read the whole thing (complete with sidebars and illustrations) here.

Our message is simple: it is possible to get the best of both worlds. We can and should get the benefits of the cloud while taking security back into our own hands. Here we outline a strategy for doing that.

What Is Decoupling?

In the last few years, a slew of ideas old and new have converged to reveal a path out of this morass, but they haven’t been widely recognized, combined, or used. These ideas, which we’ll refer to in the aggregate as “decoupling,” allow us to rethink both security and privacy.

Here’s the gist. The less someone knows, the less they can put you and your data at risk. In security this is called Least Privilege. The decoupling principle applies that idea to cloud services by making sure systems know as little as possible while doing their jobs. It states that we gain security and privacy by separating private data that today is unnecessarily concentrated.

To unpack that a bit, consider the three primary modes for working with our data as we use cloud services: data in motion, data at rest, and data in use. We should decouple them all.

Our data is in motion as we exchange traffic with cloud services such as videoconferencing servers, remote file-storage systems, and other content-delivery networks. Our data at rest, while sometimes on individual devices, is usually stored or backed up in the cloud, governed by cloud provider services and policies. And many services use the cloud to do extensive processing on our data, sometimes without our consent or knowledge. Most services involve more than one of these modes.

To ensure that cloud services do not learn more than they should, and that a breach of one does not pose a fundamental threat to our data, we need two types of decoupling. The first is organizational decoupling: dividing private information among organizations such that none knows the totality of what is going on. The second is functional decoupling: splitting information among layers of software. Identifiers used to authenticate users, for example, should be kept separate from identifiers used to connect their devices to the network.

In designing decoupled systems, cloud providers should be considered potential threats, whether due to malice, negligence, or greed. To verify that decoupling has been done right, we can learn from how we think about encryption: you’ve encrypted properly if you’re comfortable sending your message with your adversary’s communications system. Similarly, you’ve decoupled properly if you’re comfortable using cloud services that have been split across a noncolluding group of adversaries.

Read the full essay

This essay was written with Barath Raghavan, and previously appeared in IEEE Spectrum.

Read More

A proposed amendment of eIDAS could “weaken the security of the Internet as a whole”, said a letter signed by over 500 individuals and organizations

Read More

Want to crash someone’s iPhone or iPad? Turns out it’s not that tricky, if you have a Flipper Zero.

Read More

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In an era where technology advances at breakneck speed, the corporate world finds itself facing an evolving and insidious threat: deepfakes. These synthetic media creations, powered by artificial intelligence (AI) algorithms, can convincingly manipulate audio, video, and even text – posing significant risks to businesses, their reputation, and their security. To safeguard against this emerging menace, a forensic approach is essential.

Understanding deepfakes

“Deepfake” is a term used to describe a type of synthetic media that is created or manipulated using artificial intelligence (AI) and deep learning algorithms. The term “deepfake” is a combination of “deep learning” and “fake.” Deep learning is a subset of machine learning that involves training artificial neural networks to perform specific tasks, such as image or speech recognition.

Deepfake technology is primarily associated with the manipulation of audio and video content, although it can also be applied to text. It allows for the creation of highly convincing and often indistinguishable fake content by superimposing one person’s likeness and voice onto another person’s image or video. Deepfake technology has been used in various real-world scenarios, raising concerns about its potential for misinformation and deception.

For instance, a deepfake video of former President Barack Obama was manipulated to make it seem like he was delivering a speech using synthetic audio and video. In the entertainment industry, deepfake technology has been used to recreate deceased actors for film or commercial purposes. For example, a deepfake version of actor James Dean was used in a Vietnamese commercial. Deepfake content has been circulated on social media and news platforms, contributing to the spread of fake news and disinformation. This can include fabricated speeches, interviews, or events involving public figures. Deepfake technology has been exploited to create explicit content featuring individuals without their consent. This content is often used for harassment, revenge, or extortion.

These examples illustrate the versatility of deepfake technology and the potential risks associated with its misuse. As a result, there is growing concern about the need for effective detection and countermeasures to address the potential negative consequences of deepfake manipulation in various contexts.

Here are some key aspects of deepfake technology:

Face swapping: Deepfake algorithms can replace the face of a person in a video with the face of another individual, making it appear as though the second person is speaking or acting in the video.

Voice cloning: Deepfake technology can replicate a person’s voice by analyzing their speech patterns and using AI to generate new audio recordings in that person’s voice.

Realistic visuals: Deepfake videos are known for their high degree of realism, with facial expressions, movements, and lip-syncing that closely resemble the original subject.

Manipulated text: While less common, deepfake technology can also be used to generate fake text content that mimics an individual’s writing style or produces fictional narratives.

Misinformation and deception: Deepfakes have the potential to spread misinformation, deceive people, and create convincing fake content for various purposes, both benign and malicious.

Implications for corporations

Reputation damage: Corporations invest years in building their brand and reputation. Deepfake videos or audio recordings featuring corporate leaders making controversial statements can have devastating consequences.

Financial fraud: Deepfakes can be used to impersonate executives, leading to fraudulent requests for funds, confidential information, or financial transactions.

Misleading stakeholders: Shareholders, employees, and customers can be misled by deepfake communications, potentially affecting stock prices and trust in the organization.

Industrial espionage: Competitors or malicious actors may use deepfakes to obtain confidential information or trade secrets.

Mitigating deepfake threats: A forensic approach

Awareness and education: The first line of defense against deepfakes is to educate employees, executives, and stakeholders about the existence and potential risks associated with deepfake technology. Training programs should include guidance on recognizing deepfake content.

Digital forensics expertise: Corporations should invest in digital forensics experts who specialize in deepfake detection and investigation. These professionals can conduct in-depth analyses of suspicious media to identify inconsistencies, artifacts, or signs of manipulation.

Advanced detection tools: Employ state-of-the-art deepfake detection tools and software. These solutions utilize machine learning algorithms to identify patterns and anomalies indicative of deepfake content.

Metadata analysis: Digital forensics experts can examine metadata and file properties to trace the origin of deepfake content. This can help identify potential sources of threats.

Secure communication channels: Encourage the use of secure communication channels, such as encrypted video conferencing and messaging platforms, to reduce the risk of deepfake attacks during virtual meetings.

Authentication protocols: Implement strong authentication protocols for sensitive financial transactions and communications, ensuring that only authorized personnel can initiate such actions.

Incident response plan: Develop a comprehensive incident response plan that outlines steps to take in case of a deepfake incident. Timely action can minimize damage.

Legal recourse: Be prepared to pursue legal action against those responsible for creating and disseminating deepfake content with malicious intent. Consult with legal experts experienced in cybercrimes.

Conclusion

Deepfake threats in the corporate world are a reality that cannot be ignored. As AI technology continues to advance, so too will the sophistication of deepfake attacks. A proactive and forensic approach to mitigating these threats is essential for corporations to protect their reputation, assets, and stakeholders.

By raising awareness, investing in digital forensics expertise, utilizing advanced detection tools, and implementing security measures, corporations can significantly reduce their vulnerability to deepfake attacks. Furthermore, a robust incident response plan and the ability to pursue legal action when necessary, can serve as a deterrent to potential threat actors. In this digital age, corporate resilience against deepfake threats is a vital component of modern cybersecurity.

Read More

Government campaign aims to promote cyber-resilience

Read More

A ransomware attack impacting five hospitals in southwestern Ontario, Canada, has seen hackers gain access to a database containing 5.6 million patient visits, and the social insurance numbers of over 1400 employees.

Read more in my article on the Hot for Security blog.

Read More

Sophos claims more victims are taking longer to recover

Read More

Group-IB lifts the lid on prolific cyber-criminal

Read More

Keeping your child safe online is a growing concern for many parents. Instagram, a popular social media platform among tweens and teens, is no exception. Despite privacy settings that can effectively limit who sees your child’s posts, their Instagram bio nonetheless remains public by default. This leaves an opening through which those with ill intentions can glean personal information about your child. However, there are ways you can help safeguard your child’s Instagram bio and enhance their online safety. Here are 5 tips to consider:

1. Approve Your Child’s Profile Picture

The first step towards protecting your child’s online identity on Instagram starts with their profile picture. This image is the face your child presents to the world, and unfortunately, it can sometimes attract unwanted attention. As such, it’s crucial that you approve your child’s profile picture. Make sure that the photo does not in any way make your child look older than their age. For instance, if your child is 13, their photos should reflect their age and not make them look 20.

Moreover, it’s important to ensure that their chosen profile picture is not suggestive or revealing. It’s worth noting that what may seem normal to your child might come off as suggestive to others. As a parent, you need to hold your ground and make the final decision on what constitutes an appropriate profile picture.

→ Dig Deeper: McAfee Survey: Parents Share Pictures of Their Kids Online, Despite Understanding the Risks Involved

2. Edit Bio or Omit Entirely

Another critical step to safeguarding your child’s Instagram bio is to carefully oversee its contents. While it’s tempting for your child to share personal information such as their age, hometown, school, favorite sports team, etc., these can potentially serve as breadcrumbs for predators. By piecing together these nuggets of data, it’s easy for individuals with ill intentions to form a complete picture of your child’s life. Therefore, it’s best to either completely omit these details or edit the bio in a way that it does not divulge any personal information.

Teach your child about digital privacy and the dangers of sharing too much online. Explain that while it may seem like sharing a tidbit about their favorite band or TV show is harmless when combined with other pieces of information, it can end up providing a clear window into their personal life.

→ Dig Deeper: Oversharing: Are You Ignoring Your Child’s Privacy When You Post Online?

3. Do not Allow Links in Bio

Often, Instagram users will add a link to their bio that directs to another social media platform, an email address, or some other online platform. While this might seem like a simple way of connecting different aspects of their online presence, it can, unfortunately, also provide potential predators with additional ways to access your child’s personal information.

Therefore, do not allow your child to include any links in their Instagram bio. By limiting the information available about your child online, you make it harder for anyone to trace or track them, thereby enhancing their online safety.

4. Turn off Geo-Tagging/Location-based Services for Instagram

The Geo-Tagging feature on Instagram allows users to add their exact location to their posts. While this might seem like a fun and harmless feature to your child, it can unfortunately put them at risk. Predators can use this feature to track your child’s routines, activities, and even their real-world location. This is why it’s crucial to turn off Geo-Tagging/Location-based services on your child’s Instagram account.

→ Dig Deeper: What Are the Risks of Geo-Location?

Teach your child that it’s not safe to share their location online. Make sure they understand that leaving the location feature enabled can potentially allow strangers to figure out where they live, go to school, or hang out. You can turn off this feature by going to the settings in the Instagram app and turning off the location services. Remind your child not to manually add their location to posts. If they need to share their location, they should do it privately and only with trusted friends or family.

5. Let Them See You Monitoring

One of the most effective ways to ensure your child’s online safety is to stay involved and keep a close eye on their online activity. While this might seem like an invasion of your child’s privacy, it’s crucial to remember that as a parent, your number one priority is keeping your child safe. Let them know that you’ll be checking their Instagram account regularly, and make sure they’re aware of the potential risks they face online.

Studies show that about 50% of teens would change their online behavior knowing their parents are watching. Digital safeguards are an essential part of maintaining online safety. Make it a regular habit to browse your child’s Instagram and monitor their posts, their followers, and the people they follow. This can help you to quickly pick up on anything suspicious and take necessary action.

McAfee Pro Tip: Although parental controls can play a significant role in nurturing positive online behaviors, it’s vital for these tools to work in tandem with a devoted and actively involved parent who is enthusiastic about guiding their children through the digital world. Explore how parental controls can contribute to the development of healthy habits.

Final Thoughts

Ensuring your child’s online safety requires a combination of education, open discussion, and vigilant monitoring. Profile pictures should be age-appropriate, and their bio free from personal details or links. Location services should be switched off for Instagram to avoid sharing real-world locations. Finally, a regular check of their Instagram account helps to keep a tab on their online activity. Remember, safeguarding your child’s Instagram bio is not about controlling them but rather, it’s about protecting them from potential online threats.

By taking these steps to safeguard your child’s Instagram bio, you not only protect them but also teach them the importance of online safety and the steps they can take themselves. In the age of growing digital threats, it is crucial to stay vigilant and proactive in protecting our children online.

The post 5 Ways to Safeguard Your Child’s Instagram Bio appeared first on McAfee Blog.

Read More