
Rich
From the CISO Series, it's Cybersecurity Headlines. Apple pulls iCloud end-to-end encryption in the UK, Anagram takes a gamified approach to employee cybersecurity training, and US employee screening firm confirms breach. These are some of the stories that our guest, my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, some opinion and definitely some expertise from our returning guest. Coming out for the third time, Andrew Wilder, CISO at VetCore. Of course we have to bring on the three stars for the third time. Andrew, though, as happy as I am to see you again, I have to ask, how are you mourning the death of Skype today?
Andrew Wilder
Well, thank you for asking. I've given a lot of thought to this, Rich. My idea is that I'm going to set my status to away forever. How about you? How are you mourning Skype's death?
Rich
I'm going to say Goodnight sweet prince on May 5th when it finally goes dark. I'll still keep it installed and looking for updates at all times. I think that'll be the most appropriate way to celebrate it. Another thing we have to celebrate though today is our sponsor, Conveyor. From security questionnaires to SOC2 sharing, Sue handles all of that plus every step in between. We'll hear more about Sue at the break. Remember, you can join us on YouTube live. To do so, go to CISOseries.com, hit the events dropdown and look for the Cybersecurity Headlines Week in Review image. Be sure to click on to join us. You can join in with some comments. I do have to remind the chat though that we do have a very strong no pun policy in the chat. We had to issue some warnings already, but we're thrilled to have Kevin Farrell, CCL and a bunch of our regulars in the chat already making it lively and a welcome place. Just kidding. All puns are welcome. Before we get into the news, we got a loaded week of news today to cover. Just a quick reminder that all of Andrew's opinions are his own. Not necessarily those of his employer, staff, affiliates, friends, family or pets. So let's, without further ado, jump into the news. First up here, Apple pulls iCloud end-to-end encryption in the UK. This move stems from the UK government's request for encryption backdoor access under its Investigatory Powers Act, or I guess known as the Least Delicious IPA. End-to-end encryption is an optional setting for most iCloud data, including iCloud backup, photos and notes, ensuring only users can access their data, even in the event of a cloud breach. The Washington Post said the British government's mandate has no known precedent in major democracies. Always a statement that gives you the warm and fuzzies. Apple said they are gravely disappointed that these data protections will not be available to UK customers given the continued rise of data breaches and privacy threats.
So Andrew, the issue of concern, pretty obvious here of course, could represent the thin end of the government surveillance wedge. What's your take on this?
Andrew Wilder
So I'm a big proponent of Apple's encryption and in fact I recommend it to other people. I use it myself. I think it's a great thing to protect yourself because there's a lot of cases of people getting access to other people's private data. You know, Apple, many years ago when the privacy debate heated up was saying when everyone was asking them, the FBI and everybody else was asking them to create these backdoors, they said no, because if we create a backdoor, guess who else is going to get access to that backdoor? Bad people. And they're going to use that in bad ways. And so they intentionally didn't do that. I think this is really a negative thing. I would say, why, why an undelicious IPA? Why would you do this? It's a horrible thing. So I'm, you know, it's news, it's exciting, but it's a, it's going in the wrong direction in my opinion.
Rich
We've, we've had kind of two pieces of news with backdoors because Sweden is also, you know, considering a law to require backdoors and like mess things like messaging apps and stuff like that. In that case, we've seen Signal and some other more privacy focused apps. Just saying we would fully withdraw from the market. In this case, it's Apple taking away a fe.
Andrew Wilder
It.
Rich
It's interesting to see that Apple will continue to do business. Obviously, you know, the UK, pretty big market I'm sure for them, but just essentially saying, hey, you would now have one less privacy feature for your users.
Andrew Wilder
Yeah. I would venture to say that not too many people are using the advanced data protection. It's not a big thing. Right. Apple's not going to lose a lot of business over this. But the kind of the message that it sends and the, and you talked about the precedent that it might send, that that's really a negative thing.
Rich
All right, next up here, Anagram takes a gamified approach to employee cybersecurity training. Anagram, formerly known as Cypher, is revamping employee cybersecurity training with a gamified approach. Instead of annual lengthy sessions, Anagram is offering more frequent interactive lessons, including phishing simulations. The startup pivoted in 2024 after realizing non security employees were the weakest link. I hope they didn't spend a lot of money on that research and has since landed major clients like Disney and Thomson Reuters. So, Andrew, it's a known fact that people can't remember most of what they're taught in any topic. It's actually an exponentially downward curve called the Ebbinghaus curve that demonstrates this. I'm curious, do you think gamification will work better?
Andrew Wilder
So my answer is cybersecurity training as we know it today is broken. Okay? Everybody is doing the click through as fast as they can to get to the end of the training so they can skip it and go to the questions and pass the test. Hopefully pass the test. Phishing training is broken because people are feeling attacked. You know, you get punished if you click on an internal phishing test. There's all these things, I, I like Anagram's approach to this. Right. Because what they are doing in this gamification approach is they're teaching people to get into the mind of the attacker. And if you can experience that, it's kind of like when you do a tabletop exercise, right? Because in a tabletop exercise you understand what it's like to be in the middle of a cyber attack. And in this case they're helping people to understand what it's like to be an attacker. And as you think in that mindset, then you can think from the other side as well and realize, hey, if I'm getting attacked, these are some of the tactics that they might want to use. And especially with generative AI and all of these new tools that are out there, all of the things we've been telling people for years about how to spot a phishing email, those things are going away, right? Misspellings and different fonts and weird from addresses, all of that stuff is going to stop. So I am a big fan of anything that's going to take this in a different direction. And I think Anagram has done that.
Rich
Yeah, I have to. Like a lot of traditional security awareness is like the pain will resume until you get the percentage that we're looking for here when we're talking about, you know, boring regular quarterly or yearly classes or something like that. Yeah, any way you can tie like a dopamine hit, no matter how small or hey, I got a badge for, for doing this. That kind of stuff. Like, you're still always fighting that, that Ebbinghaus curve, but I, I feel like you have a better chance of, of at least motivating your staff to go through with it if it's, if it's less punishment and more, hey, good job. Right? Right.
Andrew Wilder
Yeah. The carrot versus the stick. And I like what CCL is saying. You know, it doesn't have to be the answer, but the more options that you have. And it also really depends on company culture. You know, there's companies out there that do these kind of funny videos. I worked in companies where funny videos would never work. Right. No one is going to do that. But there's some companies where that might be fine. So it's really having more options to train people and using more things to do it. I think that's a great approach. Let's. Let's get more options. Let's have more things out there that can help people.
Rich
Yeah. Yes. And is probably the name of the game there. All right, next up here, US employee screening firm confirms breach. DISA Global Solutions provides employment screenings and background checks to a third of Fortune 500 companies. This week, it submitted a filing with Maine's attorney general confirming it detected a cyber incident on April 22, 2024. After investigation, it was found that the illicit network access began back on February 9th. In a filing with the Massachusetts Attorney General, it was confirmed that attackers obtained Social Security numbers, credit cards, and other financial information, as well as scanned ID documents from some screened individuals. Big week for disclosing things to New England attorneys general. The filing also states that the company did not definitively conclude the specific data procured. So it can't name specific victims. Like, it doesn't. It doesn't have the ability to do so. No word on who orchestrated the attack or why the company waited almost a year to disclose it. Andrew, I need to ask a question. Should there be a category for, like, vilifying companies that make money obtaining and selling data about people and then seem careless about it when it comes to background screeners, data brokers, that kind of stuff, you know, we don't, we can't say what exactly or who exactly had stuff stolen from them. They don't tell anybody about it for almost a year. Am I wrong in having a little umbrage here?
Andrew Wilder
I think your umbrage is validated. So a couple of things that are, that are bothersome about this. The first is how long it took to, to report it. If you look at the SEC's requiring, you know, rules, there's you know, a number of days since you're aware of the incident, right? I think it's four days since you become aware of it. This is way too long to wait. The second thing is, this really grinds my gears in these things, is these words that they use to minimize the attack. It would be amazing if one time somebody just went out there and said, you know what, we've been attacked. They got access to all of our data. It was really bad. We're doing things to fix it. But every time you see these very kind of lawyered words of, oh, it's the sum of our network and we can't identify exactly how bad it was, and, and that bothers me as well. The third thing that bugs me about it is we couldn't figure out which data they took. How's your data security program going there? Do you know about all of your data? Do you know who has access to your data? Do you know where your sensitive data is? So if you can't answer any of those questions, you should probably be spinning up a data security program because that's what we do. That's how we know where all of our data is. If any attacker says we stole all your data, we're like, well, we know what data it is and so we know what data you took. And then we can make a better decision instead of just going, well, we trust you. Whatever. Whatever you say, attacker.
Rich
Anyway, the silver lining is it should be easy to improve their security program if they could start tracking what we have and if someone accesses it, I think that would be a good first step. Okay, I'm glad I'm not alone in feeling like this is, this is like a trifecta of all things I have a big problem with when it comes to a data breach. Okay, all right. I'm feeling better in our camaraderie over this. All right. Before we move on to our next story though, have to spend a few moments with our sponsor for today, Conveyor. Let me guess, another security questionnaire just landed in your inbox. Which means all the follow up tasks you don't have time for are close behind. What are you going to do? Here's a better question. What would Sue do? Sue is Conveyor's new AI agent for customer trust. She handles the entire security review process, like answering every customer request for a SOC2 from sales, completing every questionnaire, or executing every communications and coordination task in between. No more manual work, just a quick review when she's done. Ready to let Sue take the reins? Learn more at conveyor.com. That's C-O-N-V-E-Y-O-R.com. All right, next up here, firing of 130 CISA staff worries cybersecurity industry. The dismissal of over 130 cybersecurity professionals from the agency is a major blow to the U.S. and allied security, warns expert David Shipley, CEO of Beauceron Security. He criticizes the cuts as reckless, likening them to accelerating towards an iceberg. The move orchestrated by the Department of Government Efficiency, or DOGE, as we've all seen in the headlines, may strain international alliances and reduce trusted information sharing. We've heard rumblings about the US and Five Eyes as of late. Shipley notes that while security personnel have maintained stability despite political turmoil, these layoffs threaten that continuity. Frank Dixon of IDC also highlights the lack of transparency regarding the impact on national security and CISA's operations.
So, Andrew, it seems that the current administration is, is, you know, doing its best in firing people without regard to work that they actually do, without getting necessarily into the politics of this. What does this do? How do you react to this as a CISO, I guess, like, how do you, how do you take this kind of information which we know is going to have some kind of impact?
Andrew Wilder
So CISA, or CISA, I'm not sure how you're pronouncing it this time, Rich. I call them CISA. So, you know, they are a partnership between the government and CISOs today. And I, you know, I know, I very well know my local CISA rep. We've done tabletop exercises with CISA, which they do for free for any company that asks them to. Jen Easterly, their former director, is, is, is a kind of a hero in the cybersecurity community and what they've done in terms of simplifying things and helping, and they also have all of these things that you can subscribe to to tell you about the biggest breaches that are happening. So a lot of times before any of my vendors say, oh, this is bad, or whatever, I'll say, well, I already got that from CISA earlier today and we're already working on it. So it's, it's a, it's a really negative thing again, from a, from a cybersecurity, from a CISO perspective, from these relationships that we've built. And I feel bad for the people that have been laid off here. These are great cybersecurity professionals. So I saw Jen posting something on LinkedIn about trying to help those people out. So totally supporting that as well. And you know, what's, what's next for us if we keep getting rid of all of these, again, staying out of the politics of it, but if we keep getting rid of all these people who are great partners with us in the government.
Rich
Yeah, it, you know, the, the mandate from the new administration is to, to tighten the focus of CISA to, to get them, you know, take them to a more essential. We usually read as less election misinformation and stuff like that, but there had been a real feeling going back into the first Trump administration of CISA, whatever you want to call it, moving the cybersecurity poverty line in a really meaningful way. Right. Like I mean you mentioned about the tabletop stuff, but also just in terms of like free tooling for SMBs, like, like working with private industry to provide access to you know, kind of entry level tools, but one, that could make a big difference for smaller businesses and stuff like that. And you know, I, I hope however they come out of it, that if, I hope that mandate can still be one part of CISA's mission and two, that they'll have the staff and the resources to keep delivering on it. Because as Max Tronic says in the chat, CISA, they do great work.
Andrew Wilder
Yeah, I'm glad you brought up small and medium sized businesses there too, Rich, because you know they're really the, the victim here because they really rely on CISA. It's, you know, if you've ever worked in small and medium sized businesses in the cybersecurity space, you know that they're really lacking in, in expertise and so to have a government organization like CISA that they can partner with, that they can do tabletops, that they can get learnings, they can get these kind of announcements that are coming in, that's really helpful for them. Now if you're a Fortune 1000 cyber, you know, maybe it's not as much of a blow to you but for those small and medium sized businesses this is a big thing.
Rich
And Jen, if you ever want to come on the Week in Review, you are more, more than welcome.
Andrew Wilder
Just I think she has more free time now so we can get it.
Rich
Exactly. I mean you have nothing else to do. So come on. All right, next up here, thousands of exposed GitHub repositories, now private, can still be accessed through Copilot. Security researchers at Israeli cybersecurity company Lasso found that Microsoft Copilot retains access to thousands of once public GitHub repositories even after they've been set to private. Using Bing's cache, Lasso identified over 20,000 impacted repositories, exposing sensitive data from major companies like Google, IBM and Microsoft. Microsoft classified the issue as low severity. It seems that bad GitHub repository news appears on this show every week, or at least exposed. I don't want to qualify it too much, but here we see it colliding with very new technology in the case of the Copilot version of AI, both of which, I point out, are owned by Microsoft. Once again, it seems like the technology is racing far ahead of the average person's ability to play it safe. I'm curious, is this, for you, Andrew, is this as low severity as Microsoft suggests?
Andrew Wilder
Definitely not. Definitely not. So we see when we look at these Copilot, like private installs that they're doing at large companies, you see exactly the same kind of thing. So people who are doing for many years security by obscurity, hiding a file somewhere where they shouldn't or whatever, you can just go in and go, hey, show me Rich's salary. And Copilot is happy to go, boom, here it is. And then you'll be so surprised at how much more money Rich is making than you are. But so there's that part of it. And the other thing is all of these big GPTs are trained on public data and that's why we see things like hallucination. Right. Because public data is not all correct data. Right. So there's no way to know that it's getting trained on good data. So that's part of the problem. And if it was out there at one time and you've hidden it now, well, that's great for people searching on the Internet right now. But when Copilot was trained, it was still public and it was still open and too bad for you kind of thing. So, yeah, not. Not low severity in my opinion.
Rich
Well, especially with the lag in training sets, right, between the different models, you know, you could have a year, over a year in terms of that. So even with best of intentions, there's always going to be a situation where, yeah, this was public, but you know, good luck. GPTs are written in ink. I don't know if that's quite right, but like that's. Yeah, that's definitely another consideration. And our final story for today, OpenAI bans ChatGPT accounts used by Chinese group for spy tools. In its most recent threat intelligence report, the makers of ChatGPT described two operations believed to belong to Chinese threat actors in which ChatGPT was used to edit and debug code for what appeared to be AI tools designed to ingest and analyze posts and comments from social media platforms, things like Facebook and X, in search of conversations on Chinese political and social topics. In addition, the threat actor used ChatGPT to generate descriptions and sales pitches for these tools. So, Andrew, you know, here we have ChatGPT used as a cog in a much bigger machine and reveals the types of brilliant subterfuge that nation states and cybercriminal gangs are capable of thinking up. This story was on your selection for this week. Obviously struck a chord. What are your thoughts on this?
Andrew Wilder
So I think the first question that I would ask to everybody is, does this surprise you? Like, you know, with great power comes great responsibility. We've got this amazing tool. It's definitely being used for good. It's also going to be used for bad. Now what surprises me is that they're using the default version of ChatGPT that you and I use. You know, I was hoping to read the story of how they're using FraudGPT or WormGPT or one of these, one of these, like hacker, you know, GPTs that will let you do any of the negative stuff that you want to try to do with ChatGPT and it won't let you if you're an attacker. So, yeah, I'm glad to see that they've done that. Do you think that OpenAI has successfully banned all of the accounts used by Chinese hacking groups? Definitely not. Right. Like every, every forum that we have, everywhere is full of fake accounts and how you can try to police that and do that. Good luck. But it's, I'm glad they made some progress, but I'm not surprised.
Rich
Well, and especially all, like, the use case that they're giving here is also like, I'm an, I'm in a social media marketing company and I'm trying to build this tool like just, you know, like if a separate session then creates, like, okay, create this tool and then how do I, you know, sort its conversations by, you know, topics relevant to China that like, to me is, I don't know, like, how do you, how do you stop that when it's, it's just a, you're asking a tool to help you create another like general purpose tool. Yes, I'm, I'm sure, I'm glad they, they found it here. I'm glad that they are trying to find it. Like you said, glad to find these kind of operations. But I, I have to imagine with a little sophistication, this would be almost impossible to find. Yep.
Andrew Wilder
I. I would agree.
Rich
All right, before we get out of here, just want to give a thank you to everybody in our chat, making us having some fun in there. Some appreciation for Jen Easterly, former head of CISA. Francisco was saying, yeah, sad news with the firing of the CISA staff and definitely wanted to give that some time on the show. Thanks to everybody. Getting involved in the chat always helps make this show better. Before we get out of here with you, Andrew, though, any story that reacted strongly to this week, a thumbs up or an eye roller for you.
Andrew Wilder
So I'm going to give one thumbs up because all the stories that we talked about were kind of negative, right? We had the Apple one about the ADP and, and the people stealing from DISA and CISA, firing people and the GitHub stuff and the ChatGPT stuff. But there is one positive story we talked about this week, right, Rich? And that was this Anagram company that has taken this gamified approach. I. Let's go for positive this week, right? It's Friday. Let's do it. So that, that one excited me this week. Yeah.
Rich
And hopefully, hopefully it will not be notable that like positive, like just in time, interactive training, like I hope in the near future. That is not a notable story, but it definitely is and I'm glad we were able to give it a highlight for sure. Thank you so much, Andrew Wilder, CISO over at VetCore, for just bringing the expertise, the positivity to end the show. How can we not love that? Where can people find you online if they are so inclined?
Andrew Wilder
Well, you can find me on LinkedIn. I'm on there, you know, fairly regularly. I post some stuff. I am hiring. So if you know someone who is a network security manager who's looking for a role at an amazing company, great people, great mission, you know, 900 pet hospitals, saving our pets, taking care of them. And also I'll be speaking at RSA on Monday morning. I don't remember the exact time, but I'm sure you can find it in the agenda. And I'm with Dee Dee and Doreen and another gentleman who I can't remember his name right now, sorry, but we're talking about ethics in cybersecurity. So something that's big and come join us. Come heckle me. Love to see you out there and looking forward to it.
Rich
Well, thank you so much, Andrew. I cannot wait to have you on a fourth time. As always, exceptional and I appreciate your time.
Andrew Wilder
Thanks, Rich.
Rich
Thanks also to our sponsor for today, Conveyor. From security questionnaires to SOC2 sharing, Sue handles all that plus every step in between. Also, again, thanks to our audience today. I know we can't always get everything up on screen as it's coming in, but we appreciate being here making the chat better and making the show better. Please join us next week. First, we got a busy Friday. It starts off with Super Cyber Friday. Our topic of discussion is going to be hacking the commodification of cybercrime. An hour of critical thinking about how your security program changes with the entry. The entry barrier goes away. That's at 1pm Eastern. And then you know the Week in Review. It starts at 3:30pm Eastern. You're planning on joining in the chat? I know. Update your calendar, be here for the live show. It's a blast. To register to join us on YouTube and add your comments live, just go to the events page at cisoseries.com. And of course, in the meantime, you get your daily news fix every single day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up until the next time we meet. For myself, for our producer, Steve Prentice, for Andrew, for all of us here at the CISO Series Family, here's wishing you and yours to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review – Apple Encryption, Gamification for Security, DISA Breach
Hosted by CISO Series | Release Date: February 28, 2025
The latest episode of Cyber Security Headlines by CISO Series delves into significant developments in the information security landscape from the past week. Hosted by Rich, and featuring recurring guest Andrew Wilder, CISO at VetCore, the episode examines Apple's recent move on iCloud encryption in the UK, Anagram's innovative approach to cybersecurity training, and the troubling breach at DISA Global Solutions. Additionally, the discussion extends to the impact of layoffs at CISA, vulnerabilities in GitHub repositories exposed by Microsoft Copilot, and malicious use of ChatGPT by Chinese threat actors.
Overview: Apple has withdrawn its end-to-end encryption (E2EE) feature for iCloud services in the United Kingdom, responding to a government mandate under the Investigatory Powers Act (referred to humorously as the "Least Delicious IPA"). This decision affects optional settings for iCloud data, such as backups, photos, and notes, which previously ensured that only users could access their data, safeguarding against potential cloud breaches.
Discussion: Andrew Wilder criticized the UK's decision, emphasizing the risks associated with weakening encryption standards. He drew parallels to Apple's earlier resistance against creating backdoors, underscoring the potential for abuse by bad actors if such measures were to become widespread. The conversation also touched upon similar legislative pressures in other countries, like Sweden, where privacy-focused applications like Signal are contemplating market withdrawal in response to proposed backdoor requirements.
Overview: Anagram, formerly known as Cypher, is transforming employee cybersecurity training through gamification. Moving away from traditional annual sessions, Anagram offers frequent, interactive lessons and phishing simulations. This pivot, initiated in 2024, targets the realization that non-security employees are often the weakest link in organizational security.
Discussion: Andrew Wilder lauded Anagram’s approach, highlighting the shortcomings of traditional cybersecurity training methods that fail to engage employees effectively. By adopting gamification, Anagram not only makes training more enjoyable but also significantly improves knowledge retention and practical application. Rich echoed this sentiment, noting that rewarding employees with positive reinforcement, such as badges, can enhance participation and motivation compared to punitive measures.
Overview: DISA Global Solutions, a prominent employee screening and background check firm serving a third of Fortune 500 companies, disclosed a significant cybersecurity incident. The breach, detected on April 22, 2024, involved unauthorized access beginning on February 9th, leading to the compromise of sensitive personal information, including Social Security numbers and credit card details.
Discussion: Rich and Andrew expressed significant frustration over DISA’s delayed response and lack of clarity regarding the breach. Andrew emphasized the importance of robust data security programs that can quickly identify and mitigate such incidents. The conversation highlighted the critical need for companies handling sensitive data to maintain comprehensive knowledge of their data assets and access controls to respond effectively to breaches.
Overview: The recent dismissal of over 130 cybersecurity professionals from the Cybersecurity and Infrastructure Security Agency (CISA) has sparked alarm within the cybersecurity community. The layoffs, orchestrated by the Department of Government Efficiency (DOGE), are seen as detrimental to U.S. and allied security efforts, potentially straining international alliances and reducing trusted information sharing mechanisms.
Discussion: Andrew underscored CISA’s integral role in supporting businesses with limited cybersecurity resources, lamenting the potential fallout from workforce reductions. He highlighted the invaluable services CISA provides, such as breach alerts and free cybersecurity tools, which are especially crucial for smaller enterprises. The discussion raised concerns about the broader implications for national security and international cybersecurity collaborations, emphasizing the need for maintaining and strengthening governmental cybersecurity agencies.
Overview: Researchers at Israeli cybersecurity firm Lasso uncovered a vulnerability in Microsoft’s Copilot, an AI tool integrated with GitHub. The flaw allows continued access to thousands of repositories that were previously public but subsequently set to private. This exposure affects over 20,000 repositories, including those of major corporations like Google, IBM, and Microsoft itself.
Discussion: Andrew Wilder strongly disagreed with Microsoft’s classification of the issue as low severity, arguing that the vulnerability poses significant privacy risks. He drew attention to the persistent problem of data retrievability by AI tools like Copilot, which can unintentionally expose sensitive information even after repositories are privatized. The conversation emphasized the necessity for stricter data handling and privacy measures in the development and deployment of AI-driven tools to prevent unauthorized access and data leaks.
Overview: OpenAI has taken action against ChatGPT accounts associated with Chinese threat actors who were leveraging the AI tool to develop spy tools. According to OpenAI’s latest threat intelligence report, these accounts utilized ChatGPT to edit and debug code for AI tools designed to monitor and analyze social media posts and comments, focusing on Chinese political and social discourse. Additionally, ChatGPT was used to generate descriptions and sales pitches for these tools.
Discussion: Andrew Wilder reflected on the inevitability of AI tools being used for both beneficial and malicious purposes. He noted that while OpenAI’s efforts to ban malicious accounts are commendable, the pervasive nature of fake accounts and sophisticated threat actors means that completely policing misuse is exceedingly challenging. The conversation delved into the broader implications of AI in cybersecurity, emphasizing the need for ongoing vigilance and advanced safeguards to mitigate the risks associated with AI-driven espionage and cyber threats.
The episode concluded on a positive note, celebrating Anagram’s innovative training methodology amidst a week marked by several cybersecurity setbacks. Andrew Wilder highlighted the importance of fostering positive developments in the field to counterbalance the negative news. The hosts also promoted upcoming events and encouraged audience engagement through live chats on YouTube.
Where to Find More: Andrew Wilder can be found on LinkedIn, where he actively posts about cybersecurity topics and opportunities at VetCore. He is also scheduled to speak at RSA on ethics in cybersecurity, offering insights into the evolving challenges and moral considerations in the field.
Join the Conversation: Listeners are encouraged to participate in upcoming live events hosted by CISO Series, including discussions on the commodification of cybercrime and the continuous evolution of security programs in response to emerging threats.
For daily updates and in-depth stories behind the headlines, visit CISOSeries.com.