Top Tips to Spot Deepfakes

Plus: Hackers steal 33 million phone numbers from Twilio

Will we have to choose between AI advancements and protecting the environment? Google’s carbon footprint has expanded by 48% since 2019, with most of the energy coming from data center usage. It’s unsurprising, given that all of these AI models require a ton of computing power to create them, let alone run them.

In the meantime, police are pulling over Waymo cars for driving on the opposite side of the road, which makes for amazing body camera footage.

Today in the cyber world, we’re covering:

  • Top tips to spot deepfakes

  • How hackers stole 33 million phone numbers

  • An evil twin goes to jail

-Jason

P.S. this is the first newsletter that will reach over 1,000 people! Thanks to everyone for joining me on this journey! If you know someone who would benefit from these byte-sized knowledge nuggets, have them subscribe here.

AI Spotlight
Tips to Spot a Deepfake

Someone pinged me a few newsletters back and asked if I had any good tips for spotting deepfakes. I didn’t have a great answer outside of what felt like overly obvious things. Let’s change that.

Having had more time to think about it and do more research, I’ve compiled some tips for you.

Step 1: Assess the Context

Your first step in detecting deepfakes is to assess the context of what you’re seeing. This requires you to slow down and not instantly react to what you read, see, or hear in media. Easier said than done.

Let’s be honest too. It’s unrealistic that you will slow down and scrutinize every piece of information you consume. It’s just too much.

Instead, create pre-made triggers to catch yourself in the moment, especially before you share it with someone else. These triggers may include:

  • Media that seems overly sensational

  • Something feels too good to be true…or false

  • It just doesn’t feel right

If you’re feeling any of the above, take a second and cross-reference what you’re seeing with another source or two…preferably a legitimate source that isn’t rooted in social media. Step outside of your typical echo chambers.

Step 2: Inspect the Media

Great job, you’ve paused long enough to take a second look at the media. Here are some tips I compiled from Axios, the Guardian, and even the DHS to help you spot deepfakes:

  • Object distortion: Are any objects pointing in weird directions or not obeying the laws of physics? Does anything not feel like it’s in the right place?

  • Body Distortion: Are human limbs acting in ways that aren’t possible or seem odd? Are the body parts proportional in size, or are there extra limbs?

  • Textures: Do things feel “airbrushed” or overly smooth? Does it feel "fake?” Is there inconsistency in textures or material in an image (e.g., does a carpet have different designs in different areas of the image, or is the background varied in different areas?)

  • Text: Is there any text in the media that is unreadable, misspelled, or just looks like gibberish? This is probably one of the easiest giveaways with current GenAI tech.

  • Lighting: Do the shadows in the image appear correct or is the lighting different in different areas of the media?

  • Mouth movement: Do the lips match the movements of the audio? Is there less detail around the mouth, or does the chin look blurry or smudged?

  • Audio: Does the timing feel weird or off? Does it sound choppy, or have an edited “feel” to it?

You’ll notice that all of these are tips for you to suss out whether the media is fake. While technology is emerging to detect deepfakes, the fact of the matter is that it’s your responsibility to catch them. No detection is built into existing workflows that will proactively flag media as a deepfake when you consume the information. That may change in the future, but until then, equip yourself to have a fighting chance.

💡 If you want to test yourself on your ability to spot deepfakes, I found a new site to test out your internal deepfake detector. It’s a good resource for anyone interested in learning more about deepfakes.

Security Deep Dive
How to Steal Millions of Phone #’s

Like a hungry raccoon, ShinyHunters posted on a hacking forum on June 27, 2024, that they not so casually walked away with 33 million phone numbers associated with Twilio Authy users. Authy is a free two-factor authentication service that is provided through a mobile app.

You might be thinking, “big deal, it’s just a phone number.” And you might be right. But attackers knowing phone numbers specifically for Authy users can pose an increased risk of targeted phishing or smishing to those users in the future.

After learning of the posting, Twilio responded with a security alert on their website that gave some background on how the attack happened. They stated:

Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

Ummm, cool story. So wtf is an endpoint and how does a raccoon hacker use it to steal my phone number? To understand this, we need to step back a second and talk about APIs. An Application Programming Interface (API) is a way for two applications to communicate with each other. Like understanding your partner’s love language, it establishes known communication protocols between a client and a server so they know how to talk with each other and transfer information.

In the case of Authy, the mobile application on your phone needs to know how to talk with the Twilio servers to send requests or execute certain functions. Without it, the mobile application would just be ghosted by the server.

This brings us to an API endpoint. An API endpoint is just a URL that acts as the point of contact between the client (your Twilio mobile app) and the API server (Twilio’s servers). It’s like knowing what restaurant you’re meeting someone at.

Okay, cool but what about that “unauthenticated” comment? If you leave your garbage open with lots of delicious leftovers, your garbage can is unauthenticated. Any old trash panda can meander on over to it and pick their favorite snacks.

For Twilio, instead of it being a garbage can, they left an API exposed to the Internet that could validate phone numbers of legitimate users. The attackers just needed to figure out how to communicate with it and interact with it. Depending on the level of public documentation or the availability of the source code for the application, this can be either relatively easy or very difficult if you’re just making best guesses.

So there you have it. An API endpoint is just a side door to access your application. And like any door, if you don’t have a lock on it, random people can walk in and steal your things.

Authentication is key for any API security strategy, especially if you’re dealing with sensitive data (or, even better, any data). This helps prevent some random stranger on the Internet from connecting to it and doing funky things…like stealing 33 million phone numbers. Here are some best practices for locking down your APIs:

  1. Authentication: only allow authorized users to access the API

  2. Validate Input: ensure that users are requesting data in the right format

  3. Rate limit: don’t allow someone to send 33 million requests for phone numbers…

  4. API gateways: this can help centralize your security controls and monitoring

  5. Log and monitoring: if you aren’t looking for bad things you won’t find them…unless someone posts your data on a hacking forum…then you’d find it.

All of this is why security is hard…

Security News
What Else is Happening?

👊 An absolutely crazy story about how thugs took to violent break-ins, threats of violence and torture, and physical assault to force their victims to provide credentials to crypto exchanges to drain their accounts. Not all cyber crime stays in the confines of the Internet.

🛫 An Australian man was charged with having an evil twin conducting an evil twin attack on airplanes. An evil twin attack creates a new wi-fi network that mimics a legitimate one, in this case, the in-air wifi. The man used this technique to trick users into entering their login credentials to fake web pages.

🌋 A new ransomware group called Volcano Demon isn’t winning the award for the coolest hacking group name, but it is kicking tradition to the curb. In lieu of a leak site, they’re just calling the victims’ leadership teams on the phone to let them know they’re being extorted. This is a technique that other groups have tried in the past. It’s both creepy and annoying.

🚓 Europol teamed up with the private sector last week to give hosting providers across 27 countries 690 IP addresses associated with malicious Cobalt Strike servers. Cobalt Strike is a post-exploitation framework that can help attackers move around environments once they break in. By the end of last week, 593 of those Cobalt Strike servers had been taken down.

🏥 LockBit has claimed to have attacked the largest hospital in Croatia. In the process, they stole patient information and employee data. Why is LockBit still a thing

🤝 An honest hacker? How refreshing. Brian Krebs reached out via email to the alleged real identity of x999xx, an access broker. He wasted no time admitting that was his real identity. In his role as an access broker, he hacks into companies and then sells access or stolen data to others. Oh, and he’s also mentoring students now too. What a good chap.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!

Reply

or to participate.