Using AI to Draw My Name

Quote

I decided to give a few AI drawing tools a try, just to see what all the fuss was about. Out of curiosity, I just typed in my name, without an image or description, and clicked generate. Here’s what I got…

Site: craiyon.com
Generation term: Adora Myers

Site: craiyon.com
Generation term: Adora

Site: starryai.com
Generation term: Adora Myers
Art style: Pop Art

Site: starryai.com
Generation term: Adora
Art style: In the style of Banksy

It’s About the Rush

Quote

Watters had spent his entire career working for money. Hackers, McManus explained, aren’t in it for money. At least, not in the beginning. They are in it for the rush, the one that comes with accessing information never meant to be seen. Some do it for power, knowledge, free speech, anarchy, human rights, “the lulz,” privacy, piracy, the puzzle, belonging, connection, or chemistry, but most do it out of pure curiosity. The common thread is that they just can’t help themselves. At their core, hackers are just natural tinkerers. They can’t see a system and not want to break it down to its very last bit, see where it takes them, and then build it back up for some alternate use. Where Watters saw a computer, a machine, a tool, McManus saw a portal.

This is How They Tell Me The World Ends: The Cyberweapons Arms Race, Nicole Perlroth

World’s Largest Attack Surface

Quote

What had saved Ukraine is precisely what made the United States the most vulnerable nation on earth. Ukraine wasn’t fully automated. In the race to plug everything into the internet, the country was far behind. The tsunami known as the Internet of Things, which had consumed Americans for the better part of the past decade, had still not washed up in Ukraine. The nation’s nuclear stations, hospitals, chemical plants, oil refineries, gas and oil pipelines, factories, farms, cities, cars, traffic lights, homes, thermostats, lightbulbs, refrigerators, stoves, baby monitors, pacemakers, and insulin pumps were not yet “web-enabled.”

In the United States, though, convenience was everything; it still is. We were plugging anything we could into the internet, at a rate of 127 devices a second. We had bought into Silicon Valley’s promise of a frictionless society. There wasn’t a single area of our lives that wasn’t touched by the web. We could now control our entire lives, economy, and grid via a remote web control. And we had never paused to think that, along the way, we were creating the world’s largest attack surface.

This is How They Tell Me The World Ends: The Cyberweapons Arms Race, Nicole Perlroth

Cyberwar Power Move

Quote

There was no financial profit to be gleaned from turning off the power. It was a political hit job. In the months that followed, security researchers confirmed as much. They traced the attack back to a well-known Russian intelligence unit and made their motives known. The attack was designed to remind Ukrainians that their government was weak, that Russia was strong that Putin’s digital forces were so deep into Ukraine’s every digital nook and cranny that Russia could turn the lights off at will. And just in case that message wasn’t clear, the same Russian hackers followed up one year later, turning off Ukraine’s power again in December 2016. Only this time they shut off heat and power to the nation’s heart—Kyiv—in a display of nerve and skill that made even Russia’s counterparts at the National Security Agency headquarters in Fort Meade, Maryland, wince.

This is How They Tell Me The World Ends: The Cyberweapons Arms Race, Nicole Perlroth

Security Breach Notification Laws

The National Conference of State Legislatures (NCSL) has provided a complete list of security breach notification laws implemented at the state level (USA):

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

This link provides links to each and every law: Security Breach Notification Laws

 

GDPR: Search Engines and Privacy

Quote 1:

The European Court of Justice set out the general rule for these decisions in 2014: the search engine which lists results leading to information about a person must balance the individual’s right to privacy against Google’s (and the greater public’s) right to display / read publicly available information.

Quote 2:

The bigger issue though is the – almost deliberate – lack of clarity. Each person’s details need to be considered on their own merit, and a decision made based on this balance between the rights of the individual and the rights of the wider society, based on a subjective consideration of the original crime, the persons actions since and the benefit to society as a whole. This is further complicated by the fact that different rules will apply in different countries, even within the EU, as case law diverges. The result: Google is likely to face challenges if it takes anything other than a very obedient approach to those requests to be forgotten which it receives.

Google or Gone: UK Court Rules on ‘Right to be Forgotten,’ Data Protection Representatives (DPR), by Tim Bell, April 16, 2018

Phishing: Setting Traps

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy. When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder. That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked, too!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

After Epsilon: Avoiding Phishing Scams & Malware, Krebs on Security, by Brian Krebs, 04/06/2011

Unintentional Insider Threat (UIT)

An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network system, or data and who, (3) through action or inaction without malicious intent, (4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability.

Unintentional Insider Threat and Social Engineering, Insider Threat Blog, Carnegie Mellon University (CMU) Security Engineering Institute (SEI), by David Mundie, 03/31/2014

Spear Phishing: Effective Because it’s Believable

Quote 1:

Spear phishing is targeted. The attackers did their research, usually through social engineering. They might already know your name or your hometown, your bank, or your place of employment—information easily accessed via social media profiles and postings. That bit of personalized information adds a lot of credibility to the email.

Spear-phishing emails work because they’re believable.

Quote 2:

Spear-phishing attacks are not trivial or conducted by random hackers. They are targeted at a specific person, often times by a specific group. Many publicly documented advanced persistent threat (APT) attack groups, including Operation Aurora and the recently publicized FIN4 group, used spear-phishing attacks to achieve their goals.

-Best Defense Against Spear Phishing, FIreEye

Quote 1:

Phishing emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information (PII) or network access credentials. These attacks open the door for further infiltration into any network the victim can access. Phishing typically involves both social engineering and technical trickery to deceive victims into opening attached files, clicking on embedded links and revealing sensitive information.

Spear phishing is more targeted. Cyber criminals who use spear-phishing tactics segment their victims, personalize the emails and impersonate specific senders. Their goal is to trick targets into clicking a link, opening an attachment or taking an unauthorized action. A phishing campaign may blanket an entire database of email addresses, but spear phishing targets specific individuals within specific organizations with a specific mission. By mining social networks for personal information about targets, an attacker can write emails that are extremely accurate and compelling. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their illicit mission.

Quote 2:

A spear-phishing attack can display one or more of the following characteristics:

  • Blended or multi-vector threat. Spear phishing uses a blend of email spoofing, dynamic URLs and drive-by downloads to bypass traditional defenses.
  • Use of zero-day vulnerabilities. Advanced spearphishing attacks leverage zero-day vulnerabilities in browsers, plug-ins and desktop applications to compromise systems.
  • Multi-stage attack. The spear-phishing email is the first stage of a blended attack that involves further stages of malware outbound communications, binary downloads and data exfiltration.
  • Well-crafted email forgeries. Spear-phishing email threats usually target individuals, so they don’t bear much resemblance to the high-volume, broadcast spam that floods the Internet.

White Paper: Spear-Phishing Attacks, FIreEye

GDPR: Search Engines and The Right to Be Forgotten

The “right to be forgotten” rule has caused a great deal of outrage over the past four years, since the EU’s top court ruled that it applied to search engines. It states that people should be able to ask for information about them to be removed from search results, if it is “inaccurate, inadequate, irrelevant or excessive.”…The right to be forgotten, which stems from EU privacy law, is not an absolute right. It is supposed to be balanced against the public interest and other factors.

Google Occupies an Odd Role in Enforcing Privacy Laws. A Businessman’s Landmark ‘Right To Be Forgotten’ Win Just Revealed It., Fortune, by David Meyer, April 16, 2018.