- The Weekend Byte
Deepfake Character Assassination
Plus, proving MFA is effective with math. How fun.
It’s the time of year when allergies are insane, and the weather alerts include a frost advisory and a heat warning…in the same week. How fun.
At least we have some cool cyber stories to keep us entertained while we blow our noses and silently cry in agony because of sinus pressure. No? Just me? Awkward…errm…well this week we’re covering:
Deepfakes take center stage in revenge plots.
Math sucks, until it proves that MFA is more secure. Yay math!
Ransomware helps Sweden practice dry January…in April.
-Jason
Spotlight
Deepfake Revenge
Last month, I wrote about the impact of deepfakes in a world that reacts to the face value of content rather than the truth. The scary part is that this empowers anyone to create a fake “reality” that can significantly impact other people’s lives.
We have another real-world example of this. In December 2023, the principal of a Baltimore County Public School began investigating their athletic director under suspicion (and later confirmation) that they were embezzling money from the high school. In retaliation for the investigation, the athletic director took what can only be described as a drastic response.
Using school computers, the athletic director began researching GenAI tools. In mid-January, they then presumably used existing audio recordings of the principal’s voice and GenAI software to create a deepfake audio clip of the principal giving a racist and anti-semitic rant.
The athletic director then created a Gmail account that mimicked a random person, which they used to send the deepfake audio clip to the athletic director’s school email address and two other high school employees. One of those employees then sent the deepfake audio clip to news organizations and the NAACP. That same employee forwarded the deepfake audio to a student who “she knew would rapidly spread the message around various social media outlets throughout the school.” Shortly after, the deepfake clip was posted on Instagram.
A purported recording of the deepfake is available on YouTube. Again, this recording is a deepfake, and the content is disturbing. I include this only for educational purposes.
An investigation later determined that the audio had been manipulated and edited, but the damage was already done. The principal immediately denied the allegations and was, rightly, placed on administrative leave while the investigation was conducted. Both the principal and the school began receiving hateful messages and even threats of violence.
Of course, this deepfake was an attempt to smear the principal’s reputation, and it likely worked. There will always be a subset of people who think it was a real audio recording, regardless of the evidence against it. Even though he is innocent, that principal will always have this on his permanent record. This is also the reality that we live in today.
Deep Dive
MFA is More Secure…Because Math
Someone always refuses to rely on expert judgment or common sense. Instead, they require math to solve a problem. Ughhh nerds. And in security, it can sometimes be challenging to use math to help support a point because the data isn’t readily available.
Take MFA, for instance. It’s not a big leap to say that MFA makes your accounts more secure. It’s just something we intrinsically know. Or that weaker forms of MFA are less secure…I’m looking at you SMS.
Just follow the logic. MFA is something you have that the attacker doesn’t. They can’t log into your accounts without it, even if they steal your password! Ignore the edge cases of MFA bypass attacks and session cookie theft. I’m trying to make a point here, jeez. We can’t solve every problem with one solution.
But leave any problem out there for too long, and some nerd will solve it. This time, it’s from a team of nerds at Microsoft. I just stumbled on a research paper they published last year that set out to prove, with math, how effective MFA is at deterring cyber attacks.
Their research focused on Microsoft Azure Active Directory users whose accounts were reviewed due to suspicious activity between April 22, 2022, and September 22, 2022. It included a mix of accounts that had MFA configured and some that did not. Then, they did math…this math:
Don’t ask me what it means. If you’re a math nerd, I’m down for a math lesson. In the interim, I will trust the judgment of people better at math than I am and roll with it. Or do I need math to trust them? Now I’m confused…
I digress. Let’s look at their findings. Regarding the effectiveness of MFA, the researchers found:
99.9% of MFA-enabled accounts remained secure
MFA reduced the risk of compromise by 99.22%
Taking their research one step further, the researchers were curious how credential leaks impacted the security of the accounts with MFA.
So, how did different forms of MFA perform when credentials were stolen? I’m so glad you asked because with stolen credentials, the strength of the second factor is all that stands between the attacker and your account.
The researchers obtained a sample of 128,000 accounts with passwords that leaked during their monitoring. They then retroactively reviewed those accounts for 30 days before the date of the leaked credentials.
They found that 7,861 of the accounts had MFA enabled, and they could confirm that attackers used passwords to attempt to log into the accounts. Of those accounts, MFA prevented 98.6% of the login attempts.
Of the MFA failures, the researchers found that SMS was 40.8% less effective than Microsoft Authenticator in protecting the accounts. Here are their findings.
MFA Type | Failure Rate
---|---
Authenticator One-Time Password (OTP) | 0.99%
Authenticator Push Notifications | 0.97%
SMS | 1.66%
Total | 1.44%
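As an added illustration (my code, not from the newsletter or the Microsoft paper), here is how figures like the ones in the table are derived: count, per MFA method, how many sign-in attempts made with a valid leaked password still got through, then express one method's compromise rate relative to another's. The log format, column names and sample rows are constructed.

```python
import csv
from io import StringIO

# Constructed sample (not the study's data): one sign-in attempt made with a
# valid leaked password per row. "success" = the sign-in completed, i.e. the
# account was compromised; "blocked" = the second factor stopped it.
SAMPLE_LOG = """\
account,mfa_method,outcome
u01,none,success
u02,none,success
u03,sms,success
u04,sms,blocked
u05,sms,blocked
u06,push,blocked
u07,push,blocked
u08,push,blocked
u09,otp,blocked
u10,otp,blocked
u11,otp,success
"""

def tally(log_text):
    """Return {mfa_method: [compromised, attempts]} from the CSV log."""
    counts = {}
    for row in csv.DictReader(StringIO(log_text)):
        c = counts.setdefault(row["mfa_method"], [0, 0])
        c[1] += 1
        if row["outcome"] == "success":
            c[0] += 1
    return counts

def rate(counts, *methods):
    """Pooled compromise rate over the given methods (not a mean of rates)."""
    compromised = sum(counts[m][0] for m in methods)
    attempts = sum(counts[m][1] for m in methods)
    return compromised / attempts

def relative_reduction(rate_a, rate_b):
    """Share of baseline risk rate_b removed by rate_a: 1 - a/b. The 99.22%
    and 40.8% figures quoted above are comparisons of this shape."""
    return 1.0 - rate_a / rate_b

def report(log_text):
    c = tally(log_text)
    mfa = [m for m in c if m != "none"]
    return {
        "per_method": {m: rate(c, m) for m in c},
        "mfa_vs_none": relative_reduction(rate(c, *mfa), rate(c, "none")),
        "authenticator_vs_sms": relative_reduction(rate(c, "push", "otp"), rate(c, "sms")),
    }
```

Feeding the table's own OTP and SMS rows in, `relative_reduction(0.99, 1.66)` comes out at roughly 40%, in the neighborhood of the 40.8% the researchers report for SMS versus Authenticator as a whole.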
So, I guess math is pretty cool then…but it still isn’t invited to my birthday party. Their loss, because it’s going to be Lord of the Rings themed 🧙.
News
What Else is Happening?
📉 Mandiant’s annual M-Trends report is out. Dwell time, the time between initial unauthorized access and the discovery of the attack, continues to trend downward to a median of ten days in 2023. This suggests that defenders are improving their detection capabilities, though we can take that with a grain of salt, as the observation is based only on Mandiant’s own investigations and is biased toward their larger customers.
🍾 GitHub, a developer platform that allows users and organizations to store, manage, and share their code, spent an entire year researching how to mandate MFA for their developers. During a year-long rollout, they saw 95% adoption, with 1.4 million passkeys registered! It’s a significant step forward in raising the bar of security.
🍺 Did you know that in Sweden, only one retail chain, Systembolaget, can legally sell alcohol above 3.5% ABV? The retailer relies on Skanlog to ship them the booze on time. Well, Skanlog was hit with a ransomware attack that impacted their ability to do what they do best…distribute alcohol. As a result, the liquor shelves are expected to go dry this week. Cheers?
❤️🩹 Change Healthcare confirmed to Bleeping Computer that they paid a second ransom “as part of the company’s commitment to do all it could to protect patient data from disclosure.” It’s unclear how much the second ransom payment was, but Bleeping Computer confirmed that CHC’s data was removed from RansomHub’s data leak site.
🏥 Kaiser Permanente notified 13.4 million current and former members and patients that third-party tracking software installed on its websites for legitimate purposes may have transmitted patient information to third-party vendors, including Microsoft and Google. This software is often used to track website analytics or deliver ads. But when that software runs on medical practices’ sites, the information can get linked to a specific user, and the big tech companies can then see it.
💳️ Brian Krebs and The Record reported that a Russian FSB counterintelligence chief was sentenced to nine years in a Russian penal colony for accepting a $1.7 million bribe from hackers who targeted credit card data (presumably so Russia can pretend it doesn’t shelter Russian hackers). The bribe was meant to protect the hackers from prosecution, which the chief failed to do. When that happened, the hackers turned on him. Russian authorities seized $154,000 in cash, 100 gold bars, real estate, and expensive cars.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week!