Friday, December 8, 2023

Holiday cybersecurity prep

Plus: Apple says ransomware on the rise | Friday, December 08, 2023
 
 
Axios Codebook
By Megan Morrone · Dec 08, 2023

Heyyy! Welcome back to Codebook.

🕎 Happy Hanukkah, however you spell it.

📬 Have thoughts, feedback or scoops to share? codebook@axios.com.

Today's newsletter is 1,297 words, a 5-minute read.

 
 
1 big thing: Protect your network this holiday season

 

While holiday-prep checklists often include cleaning off your desktop (physical or virtual) or cleaning out your email inbox, this year you should have a new top cleanup priority: your online security, Axios' Scott Rosenberg reports.

Why it matters: Weak passwords and ill-considered clicks don't just put your personal information and property at risk. In the interconnected digital world, they also make your organization more vulnerable to mischief and mayhem.

Here are three big steps you can take to protect yourself and your information right now.

1. Think before you click.

  • Most garden-variety cybercrime happens as a result of phishing — deceptive emails, text messages and websites that capture your login credentials.
  • This kind of attack is how most digital break-ins begin and how most of the ransomware attacks that have plagued the IT world in recent years get started.
  • The single most important step you can take to protect yourself and your employer is to train yourself to look around before you click, the same way you instinctively look both ways before you cross a street.
  • If a link came to you in an email or a text, examine the URL if you can — it could well be pointing to a fake web address, like Facebookuserhelp.com instead of Facebook.com.
  • If the message tries to make you rush, which is often a sign of fraud, do the opposite.
  • When in doubt, instead of clicking on what looks like a message from a company, go directly in your browser or app to the service in question and log yourself in. Or call them if you can!
  • Today, anything can be faked — including texts from your CEO and QR codes. Take your time and listen to your inner doubter.

2. Stop reusing passwords.

  • We've all done it! Remembering dozens of passwords is hard. One is easier. Unfortunately, when you do this, you're choosing convenience over safety. A single compromised website or service turns into an open gate for thieves to access all your digital stuff.
  • Instead, start using a password manager. These tools create a relatively safe library of difficult-to-crack passwords that you can unlock as needed to log in to all your services and subscriptions.
  • If making this switch feels like an impossible hurdle, remember that you can make the transition gradually, and the best tools will help you out along the way.

3. Limit your digital footprint.

  • The more accounts you have with access to your attention, the less secure you are.
  • No one ever said, "I'm not getting enough emails, texts and notifications!" Make it a regular habit to uncheck the box that says "Send me offers and emails" unless you really love the vendor.
  • If you haven't opened an email newsletter in weeks or months, consider unsubscribing.
  • If you have accounts you never use, probably with passwords you never changed or updated, close them out — before the service provider closes them for you. Such accounts are at best conduits for spam and at worst launchpads for attacks.
  • Keep an eye out for flagrant privacy invasions masquerading as "sharing" opportunities. If you use Venmo, for instance, remember that all your transactions are public by default — yes, it's crazy — unless you explicitly make them private. (If this is news to you, stop reading and go fix this now.)

The bottom line: No one likes to spend time on the tedious work of online self-protection. But future you will thank you.

 
 
2. Apple says data breaches are increasing

 

Data breaches and ransomware attacks are getting worse. Some 2.6 billion personal records have been exposed in data breaches over the past two years, and that number continues to grow, according to a new report commissioned by Apple, Axios' Ina Fried reports.

Why it matters: Apple says the escalating intrusions, combined with increases in ransomware, mean the tech industry needs to move toward greater use of encryption.

By the numbers: According to the report, prepared by MIT professor Stuart E. Madnick:

  • Data breaches in the U.S. through the first nine months of the year were already 20% higher than for all of 2022.
  • Nearly 70% more ransomware attacks were reported this year through September than in the first three quarters of 2022.
  • The U.S. and the U.K. were the countries most targeted in ransomware attacks in the first nine months of 2023, followed by Canada and Australia. Those four countries accounted for nearly 70% of reported ransomware attacks.
  • One in four people in the U.S. had their health data exposed in a data breach during the first nine months of 2023.

The big picture: Apple, for its part, touts its strategies of encrypting as much customer data as possible and minimizing what information is collected.

Yes, but: While encryption and data minimization can be effective data protection strategies when adopted widely, the fact that Apple encrypts its copies of user data doesn't help iPhone and Mac users when another company is breached.

Go deeper: Why "don't pay ransom" pledges are so hard to implement.

 
 
3. Meta's new plan to thwart bad AI actors

 

Meta released benchmark cybersecurity practices for large language models this week, which it says is an effort to "level the playing field for developers to responsibly deploy generative AI models," Axios' Ryan Heath reports.

Why it matters: The White House has urged AI companies to ramp up their safety efforts and has codified some safety requirements in its AI Executive Order, worried that AI chatbots and open-source LLMs like Meta's Llama 2 will lead to dangerous misuse.

  • LLMs can serve as attack vectors, can be hacked to access proprietary information, and can be manipulated to produce harmful content, even when they've been designed not to.

The big picture: Cybersecurity risks around LLMs are "a pervasive problem that we need to mitigate," Joseph Spisak, Meta's director of product management for generative AI, tells Axios.

  • "There's no real ground truth: We're still trying to find our way into how to evaluate these models" and need to "build a community to help standardize these things," he says.

What's happening: Meta's two key releases in its Purple Llama initiative are CyberSec Eval, a set of cybersecurity safety evaluation benchmarks for LLMs; and Llama Guard, which "provides developers with a pre-trained model to help defend against generating potentially risky outputs."

  • The tool is intended to help developers make it harder for bad actors to manipulate LLMs to generate malicious code and to evaluate the frequency of insecure code suggestions.
  • Spisak tells Axios that Purple Llama will partner with members of the newly formed AI Alliance that Meta is helping lead and others such as Microsoft, AWS, Nvidia and Google Cloud.

The intrigue: Purple Llama is a reference to what you get when red teams (attacking teams) and blue teams (defense) are combined and added to Meta's open-source foundational model.

  • Meta named Papers With Code, HELM, Together.AI and Anyscale as additional project partners.

Flashback: Meta previously released a Llama 2 Responsible Use Guide, an approach that critics say is insufficient for managing how an open-source model can be misused in the wild.


 
 
4. Catch up quick

@ D.C.

🗳️ The U.S. and the U.K. have charged two Russian intelligence officers with conducting widespread hacking campaigns targeting U.S. energy networks and British politicians, among others. (Wall Street Journal)

🩺 The Centers for Medicare and Medicaid Services is proposing new cybersecurity mandates for hospitals. (Politico)

@ Industry

🔑 Facebook is finally rolling out end-to-end encryption for Messenger. (Axios)

👀 Apple and Google have warned that governments and law enforcement can spy on you through your push notifications. (Axios)

@ Hackers and hacks

📹 Celebrity videos are being manipulated to spread Russian war propaganda, according to a Microsoft report. (Wired)

🧬 23andMe has updated its terms of service, presumably to avoid lawsuits after customer information was stolen in a recent hack. (Axios)

 
 
5. 1 fun thing

How many answers did you get right on the TechCrunch Pub Quiz?


 

Thanks to Khalid Adad for copy editing this newsletter.
