Main

From Disinformation to AI - Pt 2 | Security Confidential

#SecurityConfidential #DarkRhinoSecurity George Kamide was once an anthropologist, a rock climbing instructor, a wedding photographer, and a creative writer. He’s the host of the cybersecurity podcast First Watch and the podcast Bare Knuckles and Brass Tacks. As an advocate for greater representation in information security, he sits on the advisory board for Vision & Voice, a community dedicated to lifting women into cyber leadership positions. He has briefed US Cyber Command and the Congressional Cyber Caucus. 00:10 Changing the vulnerability landscape 01:48 Voice Cloning and email chat hacking 05:55 How does a machine generate context? 07:58 Social Media bots 10:06 What jobs will go away with AI? 15:40 Whose fault is it? 20:40 Can you 100% trust something? 23:03 Work from Home 26:11 Connecting with George ---------------------------------------------------------------------- To learn more about George visit https://www.linkedin.com/in/george-kamide/ To learn more about Dark Rhino Security visit https://www.darkrhinosecurity.com ---------------------------------------------------------------------- SOCIAL MEDIA: Stay connected with us on our social media pages where we'll give you snippets, alerts for new podcasts, and even behind the scenes of our studio! Instagram: @securityconfidential and @OfficialDarkRhinoSecurity Facebook: @Dark-Rhino-Security-Inc Twitter: @darkrhinosec LinkedIn: @dark-rhino-security Youtube: @Dark Rhino Security ​ ---------------------------------------------------------------------- https://www.zdnet.com/article/watch-out-for-this-phishing-attack-that-hijacks-your-email-chats-to-spread-malware/ https://www.wsj.com/articles/i-cloned-myself-with-ai-she-fooled-my-bank-and-my-family-356bd1a3 https://www.washingtonpost.com/technology/2023/03/05/ai-voice-scam/ https://abcnews.go.com/GMA/Family/mom-warns-hoax-ai-clone-daughters-voice/story?id=98551351 ---------------------------------------------------------------------- #darkrhinosecurity #securityconfidential #twitterbot #cybersecurity #cyberpodcast #ai #artificialintelligence #marketingusingai #securitypodcast #firstwatchpodcast #bareknucklesandbasstackspodcast #cybernews #technews #pepsi #cocacola #emailabuse #voicecloning

Dark Rhiino Security

9 months ago
foreign [Music] language models are getting very very Advanced yes uh and they're going to continue to get more and more advanced and you mentioned something about using them for processing I guess before we get there how do they change the vulnerability landscape this is a fantastic question I think it pulls together a lot of things that we've talked about so the Anthropologist in me is going to say right language is the underpinning of culture democracy Society it is not overstating that right
like we are primates who transmit culture and knowledge to the Next Generation through language through written text through and that is rather unique to us that we can sustain that level of transfer over Generations so when you get to a place where you can synthesize the language in what is largely plausible right because I mean an llm is designed to predict with very good accuracy the next possible word in a permutation of words you enter this age of synthetic reality right we have voice clon
ing software we have uh text generation software we you know very soon have more realistic video generation software and um in the words of uh uh colleague and friend David Mahdi the risks become the volume the velocity and the variety of attacks so you know a Wall Street Journal uh reporter just cloned her voice and got past her own Banks Voice verification right so basically we have like all content verification out the window we have a compounding of existing vulnerabilities so I don't know i
f anyone remembers but last year we had what were called like thread hijacking or conversation hijacking email attacks where someone sort of gets in and sits inside of a conversation and watches the back and forth and then jumps in as a participant in that conversation right so it it it's not like a single inbound phishing email they look like a legitimate person within that conversation look how easy that is if you are a foreign language adversary to mimic native English usage like you could ju
mp in right away right you could also process the information in that conversation for intelligence gathering at at massive scale um so I think it it really changes the landscape but I'm also hopeful that it changes for Defenders too because when you look at what Microsoft is doing with copilot when you look at what Google is trying to do with the cyber security workbench ideally the tool set is also moving in the direction of natural language commands what if we could reduce the time to build q
ueries to run scripts and you could simply ask your environment like can you reverse engineer this file can you you know that could save us a lot of time on the on the defender end so I think it brings great risks but I'm hoping it brings a lot of utility as well well yeah I mean just like you described with the bank she got past the controls I could think of a whole bunch of controls you could get past if you're really good with natural language and and you could I mean everything that someone
has set up you could just walk right past it pretty much and yeah yeah I mean you know very recently uh there was this terrible story uh in the state of Washington about some and it's not a threat actor it's just cyber criminal calling parents and basically being able to mimic their children's voice in a panicked State using a voice clone I did not hear about that yeah it's a voice cloner trained off of social media videos which is like the ultimate ocent resource right like you and I we have no
hope we have recorded so much that so far well you know I my identity has been stolen that people have created accounts and I'm sure they've used my voice and and everything else because it's all out there yeah and to date it's been like maybe spoofed email addresses maybe posing as you and people have that like fishy feeling like oh why did he misspell that or why is he asking for Amazon gift cards right but now they could call up Emily our producer and say in your voice that you need somethin
g and the human mind is evolutionary hardwired for collaboration for trust and that that is the fabric at which we are talking about the vulnerability not just systems but like the actual human trust and I think that is where things get very tricky very quickly and the processes inside of Defenders systems not just like the technological processes but how they talk to one another how they verify is going to have to change pretty radically I am so glad you said that because you know we've uh ofte
n on this show proposed that cyber security is not necessarily a technology problem it's a business problem it's a people problem and if if we build the awareness properly if people get involved which the people are the biggest cyber security asset then we could probably make a big dent in the number of successful compromises that take place out there absolutely right that's um it's interesting to think of where this is all going I guess one thing would be how does a machine generate context you
know because that is that is such a human thing that I know you George I you and I spoke and I now have context like if I was going to reach out to you on LinkedIn I know how I would have a way of reaching out to you a machine may not have that same context um I don't think they've gotten there yet I don't know what your experience is wow yeah that's a good I mean so on the one hand we have I guess context lists attacks if you want to call it right meaning you have like you know North Korea has
been like the OG fishers on LinkedIn right they find somebody who's been in a job for three years and offered them the next step up and you know they've been running that fake recruiting scam for a long time and the context is your professional life your self-worth your you know your financial compensation um but in terms of when we're looking at these new AI systems AI is a process and sort of a means not an end right it's a way to get to something the thing that scares me more than a chat gbt
which is again it's sitting there and it's a tool and it can be used for good or for ill but it has to wait for the input the thing that scares me more is the auto gpts these agents that can run tasks create their own task lists so they can actually do that in an automated fashion you could set up a series of Auto GPT agents to one run ocean reconnaissance on this target two you know scrape everything that they've said or they write so you can mimic it I mean you could send out essentially an a
rmy of robots to go and do these things for you to bring that context to the human operator or they could also conceivably launch it in an automated fashion now you on the other side of it on the defender side do you think thread Intel is catching up and saying you know we know the sources of these Bots or we know you know that is a good question you know the way that Bots have been created in the past vis-a-vis influence operations on social media is I think somewhat different than the way that
these agents are being created and I I don't know if those Technologies are watermarking or there's an indicator yet and so that is what remains to be seen in terms of how they can be detected yeah I mean we we would have to because that you know when this whole thing went down with Twitter and Elon Musk uh and the whole bot uh issue that they wouldn't declare I you know one thing might be is why was it so hard to to know how many Bots are out there yeah I mean what there should be some indicat
ion even if you just look at the volume of posts a real human may not post that much I would think there might be some metrics that that would lead you to believe that this is pretty much a bot of some kind yeah I mean you know posting at all hours or like an inhuman number of times in a certain you know like you physically could not type messages fast and you know yes it seemed like there should have been indicators that were fairly easy I can't speak to the back end Twitter architecture or why
that may have been difficult but we have seen Troll and bought Farms right where they've got these Banks of iPhones or Android devices and they're all plugged in and they're running scripts against those and they're doing that now imagine that you don't actually need the hardware right that you can just run agents essentially through the internet that are that are doing that that becomes a a much more magnified problem that was uh a little understated but you are yeah [Laughter] you're absolute
ly correct so you know go looking again at AI just putting your future Vision cap on what what do you think will become redundant what job functions do you think are going to go away yeah I mean I have my list but I'm seriously you're yours I'm I'm very I want to be very careful here because we've we've lived through a few hype Cycles I mean I'm sure anyone listening will remember that the uh the breathless hype around blockchain was like in the future we won't have Banks yeah well and we'll we'
ll know the origin of every single uh component in every single product that we ever buy that was also a big promise of blocks yeah so I think there are a few things to consider one there is an assumption that all the AI systems will be incredibly accurate right they'll be so accurate that you won't need the humans oh we've seen repeatedly that that's not the case right like with uh skin cancer detection algorithms that were really accurate until we discovered what are they looking for they're l
ooking for the ruler in the photo like that's what they optimized for and that's how they identified skin cancer okay that that was a problem so let's are the models accurate the other is that despite what would seem like Space Age leaps in technology like I mentioned a 386 right if we were talking in 1990 and I said you will have this black Square in your pocket that is a super computer attached to all human knowledge you would have been like we'll never work again everything will be so easy bu
t like actual economic productivity levels have been very level so I'm I'm very cautious about any promise that that would just replace wholesale Technologies but I will say I'm more comfortable saying that job functions will change dramatically right so we currently or we don't but poor Med students certainly pay a ton of money to become yes diagnostic computers right they go to lots of school take in the information provide the diagnosis if we can take any of that off of their shoulders and no
t just doctors think of sock analysts if we can take any of like just log data analysis off that we can then free those humans up to do more important work in the case of doctors maybe it's actually engaging with patients in care plans and things like that in the case of Security Professionals as you said maybe it's taking that data and understanding how better to get through the business and manage the risk across different departments rather than just hours and hours of analysis and running Sc
ripts I mean that would be the game changer for us I think so I think it's I think it's the work functions that ideally become redundant and not necessarily the roles I mean we've seen repeatedly promises to like replace entire uh groups of people and and even in like the most automated thing like car manufacturing we still have robots in cages working alongside humans sure I mean there's things there that a robot would find difficult to do or would be very expensive to do but you mentioned a gr
eat example with medicine in the field of radiology this changes already started right you look at that's generally a group of Physicians that doesn't interact with patients not as much as somebody else and they're in a back room looking at scans and telling you what this is you could probably train a pretty accurate data model to recognize yes we should reckon with as we said inertia and culture right so currently you know insurance companies get paid when the radiologist looks at it they don't
get right if software looks at it right so how much is that have to change before this job function has to change well who says that one radiologist now doesn't look at a hundred thousand scans right yeah yeah but that I will say medicine is very tricky because it calls into all sorts of questions about the training data and whether it's representative of you know all different kinds of phenotypes diagnoses Etc and that that is where trust becomes really big I think that's really the frontier I
think trust means a lot to a lot of people but I want to think you know as we rush into employing and deploying AI things like the nist AI risk management framework will become extremely important because providers of those technologies will want to show that they have some kind of stamp of approval we don't have any baselines or Norms yet but they will want to stand out like we've put these things through its Paces we've audited it here's the report here's where it may be biased or whatever an
d then the companies who take on those Technologies this is New Territory we don't really understand the transference of risk if I if I take on like a new HR technology because I'm like IBM and I want to just get rid of all these back office operations right and those algorithms make choices that are risky to you know who owns that risk I think that becomes a very important question well we're well and and you know we're already there so if you look at driverless vehicles if they run over a cat
whose fault is it right I don't have anything against cats but I don't want to think about humans getting hurt here um if a drone decides that it's going to shoot down or shoot at a building and and it's the wrong target a bunch of people die whose fault is it yeah you know we're already there with a lot of these things and and these questions are going to have to they will get answered in due time and and I guess would like with everything else I hate to say the term but as as humans uh you kno
w acceptable losses has generally applied throughout history yeah when you think about like our first contact with machine learning when you think about like the algorithms that were used to drive engagement you know there was there was no conniving mustache twirling person in the back room that was like this will divide Society this will you know push extremism you know unintended consequences of objective-driven machine learning so I think that learning curve was very steep for us the problem
is that now these new technologies one if they're generative it's sort of completely different than just processing data and optimizing for something and then the other part is arms and legs you know it's apis it's connecting the processes into other things right it's one thing to have a drone it's another thing if an autonomous decision-making algorithm can connect to that drone right it becomes about the connections between systems that is the the most risky yeah and uh I I think we'll we'll g
et there it's just oh yeah that Genie the genie is out of the bottle yes uh it's just a matter of time uh hopefully uh you know these functions as you as you mentioned the role may not go away there's an oversight function that is a real human in all these instances yes I I know there's like uh I'll take autonomous lawnmowers you know we've uh they're they're yeah that's a big industry that's coming up but there it's fraught with issues when you look at these self-mowing devices if that thing hi
ts a rock and it shoots out and it hits a kid yep there's a liability if you if you are mowing the highway and again you you cause some kind of an obstruction or something gets onto that Highway and a motorcyclist dies unfortunately I mean there's some real ramifications to these things so you would you would really hope that there's an OverWatch function that is uncompromising and and we don't let AI just uh say well it's a pattern recognition engine and it's recognized this pattern so it must
be right yeah and I think those again to go back to the idea that jobs change you know when we were dealing with the Fallout of de-industrialization people are like oh we'll just have these programs that teach coal miners how to be coders well I mean now we actually don't need that many coders because unfortunately the generative AI will do it for us but there will be a need at some point for humans in the loop whether it is uh OverWatch functions that can transmit into an autonomous semi you kn
ow going down the highway when it detects things um if there are security functions that need to be built around the software for those um for those systems I think the jobs change I don't know that they all vanish I mean certainly some will because that that just happens but I don't think it's like this Mass die off of of work that we're that we're looking at but yeah you bring no it won't be a it'll be everything look to me this is just cyclical it's if you look at human history and you're a s
tudent of it um these changes have happened since time immemorial whether it was the invention of fire it was the invention of the wheel or if we go back to the early 1900s the Boilermakers unions were some of the largest unions how many Boilermakers do we have today yeah and all and also like I mean I like to point out that in Victorian England they also had these dreams of like steam-powered robots that would replace workers still talking about there's a couple I forget there's a there's a cou
ple science fiction books on that topic yeah but yeah very ripe for uh yeah for steampunk novels yeah yeah yeah you know that's that's been out there so it'll be a gradual change to me this is going to be no different than any other maybe it's accelerated because technology is accelerating but it's still going to be the same cyclical process which brings us to trust you know we've had to confront these issues with trust before there I don't think do you think we can really 100 trust in something
that there's always that trust but verify yeah but yeah I would hope not and I think that you know it's one thing when you sort of live in your own age group but I think we are seeing you know we came of age before the internet and also before social media but the digital natives who are growing up I think you're seeing a lot of contention with things that we took for granted like the data brokerages the algorithms you know Snapchat rolls out this you know my AI app into Theirs to make it stick
ier they think that it's gonna make their younger user base more engaged and they just got this tidal wave of rejection I don't want this in my feed I you didn't ask me if you could pin this at the top of my chats I don't want this like robot you didn't I I just thought that was really Illuminating that we took for granted that like oh people are going to want to talk with a robot and we'll impose these features on them and we're getting a lot of pushback we also see uh kids buying flip phones b
ecause they're just Reckoning with the level of distraction that they have in their lives they don't like how they feel um I I think that we are of the generation that are more or less in power and we've got to actually keep an eye on the ones coming up behind us because they have a different understanding of how to use the technology and what that trust entails and I think we could stand to learn maybe from them and have them involved in the in the process as stakeholders that's uh that's a ver
y Illuminating response I think that that's that's interesting I I haven't had anyone that's posed it that way that There's an opportunity to learn from them and you're absolutely right because you know my generation or our generation did not grow up in that era and so we have a totally different context versus where these guys are coming from um yeah that's how about that so for all the the millennial crowd listening in there it is you know we got it got involved Generation Z and and the ones a
fter them absolutely and I guess uh before we run out of time here I wanted to touch on work from home how much you we've talked about culture human interaction here quite a bit on this episode but what what do you think the ramifications there are uh for sure so I I worked in an office pre-pandemic and then we all went home and I remember July 2020 I still had the laptop balanced on books and whatever and then I had the Revelation I was like we're never going back like why don't I just make thi
s setup more comfortable um and I think work from home is like any technological or socio-technical change it is what we make of it so you know commercial real estate brokers yeah they hate it but oh yeah yeah but if if you talk to or you see on LinkedIn especially the level of accessibility that work from home has allowed for employees who either identify as neurodivergent or they have disabilities being able to customize their setup has been life-changing um I I never thought that I'd be able
to work from home I missed the water cooler moments I do get the zoom fatigue but I will also say I probably wouldn't have met as many people as I have all over the world uh you know there are people in England that I sort of go back and forth with sharing ideas there's a group of people that I text regularly and I never would have been able to connect with them had it not been online and I do have the joy and the privilege of being able to go to conferences sometimes and meet these people in pe
rson and I think that's been really additive to to both my career but also the conversations uh and the ideas that I can engage with yeah and and I would imagine that some of these changes are going to be permanent as you mentioned people have gone back to the flip phones I'm thinking that maybe this work from home is going to take us back a little bit to a more human interactive time because we'll have more chances to spend time with our loved ones spend time doing things that don't involve an
electronic Gadget or a commute like a three-hour commute yeah a three-hour commute depending on what city you live in so and I think people have gotten a taste of that a little bit of the good life maybe they don't want to go back to the way things were yeah it'll it'll be hard I mean I remember when the big Banks like I want to say 2021 were saying like oh yeah we're going back to the office and then you'd have these little rival Banks say like well we'll pay you 10 more and you can work from h
ome I was like I I don't know how you win that argument right no you don't and there's a huge facilities is a huge cost in any business right and I'm sure that Google and uh Microsoft they're all going to have to they've probably adjusted algorithms as well because this has a huge change in the way you Market to people yeah and what you display to them so we're we're here at the hour I wanted to give you a chance to plug anything you'd like uh you know the floor is yours you can oh yeah thank yo
u for that audience know about so um in terms of the vendor customer divide um Danny Wolfe of audience first and I are doing a pretty exciting Gap analysis so we have issued surveys out to the buyer side so everyone from like director of infosec up to see so what do you want out of events what messaging resonates with you what attracts you and then we also analyzed all the booth messaging at RSA and we are looking at the contrast between those two samples to try and get at the data that shows th
at Divergence in hopes that doing so will give people the data that they need to make the case that the approach has to change because again as we say if the marketers are going in One Direction and the buyers are going in another I mean that doesn't that doesn't leave anyone safer and it doesn't leave anything on the table in terms of economic activity so when do you plan on are you going to be publishing all these results and is this yes perform or how blog how is it going to be out there for
people to access uh we are in talks with a couple media organizations that are interested in it um but it is we are in the final throws of it and hope to have something soon but people will be able to download it they'll be able to there's a whole appendix you'll be able to see what the survey questions were and um you know I don't think that it's perfect this was a good learning uh the first time out but we were trying to make it as systematic as possible that's fantastic well shoot us a note w
hen you're ready to launch and we'll put a note out to all our listeners that and in a link let people know all right sounds great available yeah I think it's that's a great project if if you can help uh shut down junk calls and junk emails hey man I'll take that that's definitely worth the lunch not just a cup of coffee so there you go all right all right hey George it's been a pleasure thank you so much for taking the time out of your busy day to do yeah it's been a blast thank you for having
me take care [Music]

Related articles

Comments