David Weissman (12:17)

Foreign.

Dave Bittner (12:22)

Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. David Weissman is vice president of secure communications at BlackBerry. I recently interviewed him for our Caveat podcast where we discussed implementing CISA's encrypted communications guidelines.

David Weissman (13:45)

I think there's two sets of guidelines, and they're both actually pretty pragmatic. So the first is for telecom carriers, networking equipment organizations, and the second is more for the general public. So maybe we kind of focus on that second one for a moment. Sure, and what they've really done is summarize the risk of salt typhoon, which is any typical phone call that you make. Any use of sms, whether for communicating with someone or using it as a tool to validate identity, is at risk at this point in time. So they recommend that people move to encrypted applications end to end encryption. For the general public, they recommend using some of the popular free applications people are aware of things like Signal WhatsApp, those types of things. And then they also give guidance on, you know, what are some basic security configuration settings you should put on your phone, whether you have an iOS phone or an Android phone. And so, you know, I think what they provided is very consumable for the most part. There's some areas getting into authentication that, you know, maybe you probably need a bit more of a tech background to really understand what they're talking about. But for the most part, you know, they're providing solid advice that I think, you know, the typical person on the street can take advantage of.

Dave Bittner (15:15)

Yeah, that's what I wanted to dig in with you a little bit on. I mean, from your perspective, how achievable is this for folks who are, you know, just going about their lives trying to keep their messaging private? Are these apps within their reach?

David Weissman (15:35)

I think if we look at it from just an individual keeping their data private and by their data, because we need to talk about this more in a moment. I really mean what they're saying to people, what they're sharing, I think it's within reach. I think the vast majority of people, if they're already doing texting, they can use a messaging app. And I think by doing that they are increasing their own levels of privacy for their information. But at the same time they need to be aware of, you know, it's a public system, anyone can sign up. You still need to really think about how do I know for sure who I'm talking to? Is that really the right person? You still have that risk. You had that risk before. And also it's free. So what's the cost? Well, the cost is you're giving up control over your communications, metadata, who you're communicating with, you know, different sets of information about yourself. Even though they're protecting what you're actually saying, there's a lot of information around that.

Dave Bittner (16:40)

How do you recommend that folks go about choosing what app they want to use here? I mean, I think for a lot of folks who are coming from just regular text messaging, SMS messaging on their phone, which is sort of effortlessly cross platform and interoperable, not all of these platforms talk to each other.

David Weissman (16:59)

For the most part they don't. That's starting to evolve. There's some new regulations coming out of the EU that are pushing these applications once they reach a certain size, that they have to support interconnectivity between the platforms. But that's a new emerging area. I think it's going to still take a few years, see how that plays out. But I think for most people, the Answer to the question is which one should I use? Is which one are their family members and their friends already using? And I think the other thing to think about is you probably want to segregate what you might use for business from what you might want to use personally. Just as a good data hygiene technique to one, just keep yourself from accidentally sending things to the wrong people. But also keeping your business information, your company information separate from your personal information is just a good practice in general.

Dave Bittner (17:59)

Yeah, how about people protecting themselves from things like identity spoofing, deep fakes, things like that. Any recommendations there?

David Weissman (18:08)

Yeah, there's some in the CISA guy that really have to do with authentication techniques and using things like, you know, hardware, devices and things. And that's the part of the advice that I think the vast majority of people are going to find difficult to act on now. The part of it is, hey, don't use just a simple text message for authentication. So there are, I think people are becoming more comfortable with authentication apps where you scan the QR code, you get a two factor authentication. But a lot of times that's driven by, it's not necessarily the consumer's choice, that's driven by the website or the application they're using. But that's still the biggest risk I think that people are still exposed to the end to end encryption does a lot to protect the privacy or data. But the more people start to use these applications, the more exposed they're going to be to spoofing attacks. I think even if you use popular apps today, you get messages that says hey I found your number in my book who are you again? Or something along those lines, those happen even in these, these encrypted applications. So that's a risk. And then the other risk is particularly with the Salt Typhoon and the information that's already been exposed when you use AI techniques, it's now going to be, even going forward, it's going to be easier for these to be very compelling. And what I mean by that is if you want to target a particular person, the data is available to identify what are their communication patterns, who do they typically message, what time of day might they message these people? And if you're trying to do an attack based on that, if you mimic those patterns, the person's going to be much more open to accepting that I'm really talking to who I think I'm talking with. And then you layer on the next level of that, which is since the Salt Typhoon was able to actually read SMS messages, actually listen in to voice calls that data is there forever now, and people don't really typically change their phone numbers. If you have someone's number, it's probably going to be good for a decade or more. And so since the data was already there, the AI models can take that. And not just when you engage and who you engage with, but the tone of your message that how do you text, or your voice that sounds like you if you leave a message. And all of these things mean that people are just going to have to be much more skeptical if anything seems off at all, that they're communicating with who they think they are. And that's something the the advice of moving to an encrypted commercial app doesn't really help.

Dave Bittner (20:59)

That's David Weissman from BlackBerry. Be sure to check out the Caveat podcast wherever you get your favorite podcast.

David Weissman (21:06)

Tests.

Dave Bittner (21:20)

Tired of investigation tools that only do one thing at a time? Spending more time juggling contracts with data vendors than actually investigating Maltego changes that for good. Get one investigation platform, one bill to pay, and all the data you need in one place. It comes with curated data and a full suite of tools to handle any digital investigation. Connect the dots so fast cybercriminals won't even have time to Google what Maltego is. See the platform in action@maltego.com and finally, courtesy of our False Accusations desk, Imagine casually asking chatgpt about yourself, only to discover it has labeled you as a child murderer. That's exactly what happened to Norwegian man Arve Jalmar Holman, who was horrified when the AI falsely claimed he was imprisoned for killing two of his kids. Adding insult to injury, the chatbot mixed real details like his hometown and his family size with the fabricated crime, making the lie seem oddly credible. Holman and a digital rights group say this is a clear violation of GDPR, which requires data accuracy and correction rights. But OpenAI has argued it can't fix individual errors, only block outputs. That means Holman's AI generated horror story may still be lurking in ChatGPT's training data. This isn't OpenAI's first brush with defamation complaints. Past victims include an Australian mayor, a law professor, and a radio host. Now Norway's regulators might push OpenAI to overhaul its model or risk another hefty EU fine. It's cold comfort at best, but the only thing that actually got murdered here was Mr. Holman's reputation. And that's the cyber wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2n2k's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey, everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try Deleteme. I have to say, Delete me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data Privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Deleteme now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com n2k and use promo code n2k at checkout. The only way to get 20% off is to go to JoinDeleteMe.com N2K and enter code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.