Use and in your AI prompt chain to refine the responses
You can use and in your AI prompts to refine the responses your favorite AI engine gives you. I am using Perplexity.AI, which lets you follow-up prompts. You may prompt Perplexity “tell me the 10 largest cities in the United States,” get the response and follow-up with “and tell me each city’s population from the 2020 census.”
CIA Triad in Cybersecurity
Let’s step into the world of cybersecurity. I am showing how to tweak Perplexity AI’s response to “Tell me about the CIA Triad in cybersecurity.” Perplexity. AI replies with:
The CIA Triad is a fundamental model in cybersecurity, representing three core principles: Confidentiality, Integrity, and Availability. These principles guide the development and implementation of security policies and ... Read More
Kroger's AI-Driven Dynamic Pricing Overview
Kroger is implementing AI-driven dynamic pricing. You walk into a Kroger grocery store, go to an aisle with a product you buy often, cameras detect your face and raise prices. Scary? Yes. True? Yes. I am sharing quotes from https://www.perplexity.ai/page/kroeger-s-new-dynamic-ai-prici-yYXqe_z4SkOZq62JYBnVUQ.
“The system, which allows for real-time price adjustments based on factors such as demand and customer data, has been presented by Kroger as a way to enhance the customer experience…” Kroger argues, or wants us to believe, detecting when we are about to buy something we buy often and then adjusting the price according, is good for us. I call BS on that. This article further reports: “Moreover, the Enhanced Display for Grocery Environment (EDGE) system allows Kroger to build detailed customer ... Read More
Phish attack meeting requests
A widespread phishing campaign is targeting executives across a number of industries. The messages ask to reschedule a board meeting in an effort to steal logins and passwords.
Spotted by researchers at security firm GreatHorn, the phishing messages spoof the name and email address of the CEO of the company being targeted and uses a subject line including the company name and a note about the meeting to gain the attention of potential victims. Users are more likely to fall for attacks they believe to come from their boss.
The contents of the phishing email is simple: it says a board meeting has been rescheduled and asks users to take part in a poll to choose a new date.
Office 365
If users click the link, they're taken to a ... Read More
Late last month, Daniel R. Coats, Director of National Intelligence reported on Threats to US national security gave the 40,000 foot view of cyber threats. I'm quoting them here.
Summary of Cyber Threats
China and Russia are more aligned than at any point since the mid-1950s, and the relationship is likely to strengthen in the coming year as some of their interests and threat perceptions converge, particularly regarding perceived US unilateralism and interventionism and Western promotion of democratic values and human rights.
As China and Russia seek to expand their global influence, they are eroding once well-established security norms and increasing the risk of regional conflicts, particularly in the Middle East and East Asia.
At the same time, some US allies and partners are seeking greater ... Read More
Phishing attack uses DocuSign
Here is a brilliant new social engineering phishing scam that you may have already seen. It will sail through all your spam / malware filters and email protection devices, because it's entirely legit by using the Docusign infrastructure. Prime example of an info grabbing phishing attack that does not use a malicious payload.
Easy money?
Clicking on the yellow "Review Document" button gets you to—again an entirely legit—Docusign page, which requires you to fill out the form as per the normal process. I broke it up in two parts. The top half is more or less normal for a loan application. But wait, the second half really takes the cake.
Looking for financial information
Continuing to fill out the form allows the bad guy to completely steal the ... Read More
Gift cards new vector in CEO fraud
January 29 saw the arrival of yet another interesting variant of the gift card phishing campaigns that have become more common this year (see below). Today's email demonstrates that bad guys are actively adapting and evolving their pitch into CEO fraud.
There are couple interesting things going in this new gift card phish:
The bad guys work to establish a credible pretext ("incentives" for staff) -- something they've been getting better at recently.
They explicitly request confidentiality -- another tactic we've been seeing more of recently.
They're getting really greedy -- $4000 total in gift cards, the largest request we've yet seen (most requests in these gift card phishing schemes range from $500-$2000).
But there's something else very significant going on here, ... Read More
Conversation with a Mac and security expert RE: malware
We need to have a conversation about Macs, says TJ Letourneau of VIPRE Security. I’ve been a long-time fan of Mac. In fact, my first personal Mac was a Power Mac G5 and I absolutely loved that device. So much so that when I had to evacuate my home due to a hurricane…I brought it with me! Yeah, it was like that. Some call it the greatest love story ever told.
With my love of the Mac in mind, I feel that the time has come to discuss the state of Macs today and some of the preconceived notions around their security and security needs. Specifically, I want to discuss malware-related security, for Mac devices.
“Macs are Completely Safe, ... Read More
Spear phishing popular avenue for DNS hijacking
On Jan. 22, 2019, the Cybersecurity and Infrastructure Security Agency (CISA), which is a part of the U.S. Department of Homeland Security (DHS), issued Emergency Directive 19-01. The title of the directive is: Mitigate DNS Infrastructure Tampering. A series of actions are required for federal agencies. Watch how targeted spear phishing has become. Here is the background:
“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.
Using the following techniques, attackers have redirected and intercepted ... Read More
CCPA listening tour in full swing
The California Attorney General's Office (AG) made its fourth stop on its statewide California Consumer Privacy Act (CCPA) listening tour, holding in Los Angeles a public forum on the CCPA. The forums invite public comment as the AG prepares regulations for implementing and enforcing the law. Although the AG specifically requested comment on the seven areas identified in the law for the AG’s regulation,[1] it was clear that some categories caught the attention of the public more than others. And even though the forum was structured to allow participants to provide ideas and suggestions (the AG did not respond to comments or questions presented), most commentators asked for clarity and specific direction from the AG regulations, to help decipher the reach ... Read More
Test your users' gullibility to social engineering
Stephanie Carruthers, People Hacker for IBM- X-Force Red wrote an excellent post on why you should social engineer your own organization. I'll quote the first paragraph or so, and you should read the rest of the article, it makes an excellent point for the need to "social engineer your employees" and assess the strength of your human firewall!
"It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.
“So what?” he said, clearly unimpressed.
As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social ... Read More