WyzGuys Tech Talk

A quick Saturday digest of cybersecurity news articles from other sources.

Teacher’s Guide to Cybersecurity – Everything You Need to Know in 2024

The days of handwritten homework assignments, heavy printed textbooks, and mailed paper report cards are slipping away. Learning is digital in the 21st century. Students often complete their homework, communicate with classmates, check their grades, and conduct research for assignments online.

The internet speeds up students’ ability to study and instantly connects them with more information than a printed school library could possibly hold. However, the cyber world of modern education can be dangerous, both to your students and to you as a teacher.

Your Risks as a Teacher

Your students are more tech-savvy than you can possibly imagine. While many adults rely on the occasional tutorial to learn how to use a new program or application, students are digital natives. They intuitively know how to use apps, mobile devices, and online platforms, since they’ve been using them their whole lives.

This means that, with the right motivation, your students could probably figure out how to hack into your accounts. For example, if a student wasn’t satisfied with her grade, she might be able to figure out your password and change a grade or two. Similarly, a student who wanted to play a joke on you could change all the images in your PowerPoint presentation.

You need to know how to protect both yourself and your students from cyber attacks.

Cyber Safety for Students

In some cases, students might be the culprits of cybersecurity issues in your classroom, but in others, they might be the victims.

While many young people are able to easily learn digital programs and might even have some hacking skills, they still have a lot to learn about the world. They may not be savvy enough to spot every cybersecurity risk that they encounter.

As a teacher, you can both directly protect your students and teach them about cybersecurity so they can better safeguard themselves online.  More…

Articles from Bruce Schneier

European Court of Human Rights Rejects Encryption Backdoors

[2024.02.19] The European Court of Human Rights has ruled that breaking end-to-end encryption by adding backdoors violates human rights:

Seemingly most critically, the [Russian] government told the ECHR that any intrusion on private lives resulting from decrypting messages was “necessary” to combat terrorism in a democratic society. To back up this claim, the government pointed to a 2017 terrorist attack that was “coordinated from abroad through secret chats via Telegram.” The government claimed that a second terrorist attack that year was prevented after the government discovered it was being coordinated through Telegram chats.

However, privacy advocates backed up Telegram’s claims that the messaging services couldn’t technically build a backdoor for governments without impacting all its users. They also argued that the threat of mass surveillance could be enough to infringe on human rights. The European Information Society Institute (EISI) and Privacy International told the ECHR that even if governments never used required disclosures to mass surveil citizens, it could have a chilling effect on users’ speech or prompt service providers to issue radical software updates weakening encryption for all users.

In the end, the ECHR concluded that the Telegram user’s rights had been violated, partly due to privacy advocates and international reports that corroborated Telegram’s position that complying with the FSB’s disclosure order would force changes impacting all its users.

The “confidentiality of communications is an essential element of the right to respect for private life and correspondence,” the ECHR’s ruling said. Thus, requiring messages to be decrypted by law enforcement “cannot be regarded as necessary in a democratic society.”

Microsoft Is Spying on Users of Its AI Tools

[2024.02.20] Microsoft announced that it caught Chinese, Russian, and Iranian hackers using its AI tools — presumably coding tools — to improve their hacking abilities.

From their report:

In collaboration with OpenAI, we are sharing threat intelligence showing detected state affiliated adversaries — tracked as Forest Blizzard, Emerald Sleet, Crimson Sandstorm, Charcoal Typhoon, and Salmon Typhoon — using LLMs to augment cyberoperations.

The only way Microsoft or OpenAI would know this would be to spy on chatbot sessions. I’m sure the terms of service — if I bothered to read them — gives them that permission. And of course it’s no surprise that Microsoft and OpenAI (and, presumably, everyone else) are spying on our usage of AI, but this confirms it.

EDITED TO ADD (2/22): Commentary on my use of the word “spying.”

Details of a Phone Scam

[2024.02.21] First-person account of someone who fell for a scam, that started as a fake Amazon service rep and ended with a fake CIA agent, and lost $50,000 cash. And this is not a naive or stupid person.

The details are fascinating. And if you think it couldn’t happen to you, think again. Given the right set of circumstances, it can.

It happened to Cory Doctorow.

EDITED TO ADD (2/23): More scams, these involving timeshares.

AIs Hacking Websites

[2024.02.23] New research:

LLM Agents can Autonomously Hack Websites

Abstract: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents.

In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs.

NIST Cybersecurity Framework 2.0

[2024.03.01] NIST has released version 2.0 of the Cybersecurity Framework:

The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

[…]

The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.

This is a big deal. The CSF is widely used, and has been in need of an update. And NIST is exactly the sort of respected organization to do this correctly.

Some news articles.