May 2024

 

Cybersecurity Awareness Newsletter

Protecting yourself and information from cybersecurity threats.

NOTICE: BSD Information Security Office will be hosting a secure destruction event @

5841 S. Ellis Avenue in Room N161

This event will occur on:

Wednesday, June 26th, 10:00AM-3:00PM

Thursday, June 27th, 10:00AM-3:00PM

Friday, June 28th, 10:00AM-3:00PM

Please bring in any sensitive paper documents, hard drives, desktops, laptops, tablets, phones, monitors, USBs thumb drives, CD-ROMs and other computing media for secure destruction. If you have any questions, please feel free to contact security@bsd.uchicago.edu.

This month we want to go over AI chat (AI) awareness and the precautions we need to take when interacting with it, as well as sharing information about a resource we think you should know. AI digital entities aren’t going away and as they become more integrated into our daily lives, understanding their mechanics and potential cybersecurity risks is crucial.

Also this month… since we still have our intern, we have decided to capitalize on his fresh perspective, so we gave him several 2024 cybersecurity industry reports to read and requested that he write a section based on the material he read. For some folks, the process of digesting these reports can feel akin to taking apart a complex, intricate spider web – the details might be intimidating and even a bit gruesome, but staying abreast of the latest industry developments is an indispensable part of our professional toolkit no matter how disconcerting the facts may be.

Public Service Announcement Regarding AI

  • Reliance on technology can become addictive, especially when AI is used as a motivator. It’s essential to strike a balance between leveraging technology for efficiency (as a complement to human tasks) and using one’s own proper human judgment, emotion, empathy, and communication skills.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10944174/

  • It is important to understand that AI can be biased and discriminate both in the data it provides, and the modifications it makes to any data you may give it. Note that AI can be manipulated to return false narratives.

https://datatron.com/real-life-examples-of-discriminating-artificial-intelligence/

  • It is also important to understand that each vendor has its own data handling practices and privacy policies so, unless you enter an agreement or create your own AI, you may be at the mercy of the vendor in cases where sensitive data may have been inadvertently given to AI. Most vendors have protocols in place to handle situations such as sensitive information being given.

AI and Web Browsers

Some AI can detect content in web browsers. This can occur if you give it a command like what is shown below. This detection is not automatic, but it can be and AI can have knowledge of the web page content regardless of any interaction.

Caution should always be taken when interacting with AI, especially when using credit cards or any sensitive information on websites. While AI technologies offer convenience and efficiency, many times they are painted as companions which could leave one open to a data theft. Always remain vigilant and be cautious with AI driven platforms.

AI Exploit Manipulation and Sensitive Information

So, what happens if we give sensitive data to AI (or if data from a security breach was captured by AI)? AI learns from content that was given to it, so AI is only as good as the content it starts with and the content it ingests later. When AI is provided with a file or sensitive content, it can utilize that information to fulfill specific requests when asked a question. All publicly available online data is fair game if AI was allowed to capture that information. Sometimes, AI has rules created for it to prevent giving away sensitive information even when captured. However, there are ways around it….

The work around to those rules to provide the results you want?   

Most of the time, AI rules are based on intent restriction. If there is a direct question without context AI can immediately halt from answering what it thinks might malicious intent. Giving AI more context can “fool” AI into giving up that information.

Side note… the content in the image above is not completely accurate for Eduardo (done with his consent). AI combed through online web pages (University and Wikipedia) and combined the information from the sources. Luckily for Eduardo, the surname Martinez is the tenth most frequent surname in the United States and Eduardo is a very common first name. Doing a Google search turns up lots of folks with the name Eduardo Martinez.

What should I do if I accidentally give AI sensitive information, or I found that it has information from a data breach?

#1) Stop interacting with AI if you just ran into the data or accidentally provided information. This will prevent it from receiving contextual information which it can use to reference data.

#2) Contact your cybersecurity team regarding the data and provide information regarding what occurred. We don’t judge, contact us security@bsd.uchicago.edu.

#3) If the contextual information was already given, depending on the data type, we can contact the support team on your behalf of the platform that is being used. We must have the exact words that were used when you interacted with AI.  A screenshot would work best.

What should I do if my data was part of a data breach?

In the case where a data breach has occurred, the National Cybersecurity Alliance recommends:

  • Keep yourself informed and updated with information from the affected company or organization to understand the scope and nature of the breach.
  • Change your password immediately for the affected account and make sure it’s strong and unique.
  • Enable multifactor authentication if possible.
  • Monitor and review your finances and credit reports. Consider credit monitoring services that are sometimes offered by vendors who experienced a data breach.
  • Be aware of phishing attempts that ask for information.

Also note that there are many reputable websites that can help you determine what information was part of a data breach as well as what data breaches your e-mail address has been a part of, such as:

https://www.malwarebytes.com/digital-footprint-att

Clicking on the closed eye will real information that was part of the breach.

Clicking on “see your data breaches” will show you other data breaches in which your information may be involve.

Nik’s Corner!

     Hi, I’m Nikola Bilaver, an undergraduate 3rd year student at the University of Chicago, and I am interning at the BSD Information Security Office! Here, I will share my insights on security topics from my perspective as a student, which might be helpful to you!

     For this corner, I’ll be discussing some statistics in the everchanging cybersecurity industry landscape, and why it is important to stress the importance of cybersecurity awareness within everyday work practices. Each year the risks of cyber-related security incidents only grows greater as we continue to live in an increasingly connected world. While 39% of people recognize cyberattacks as a global threat, there are several reasons why this figure should be higher. These reasons include the increasing prevelance of cybercrime, the large effects it can have on individuals personal data, and the widespread number of people who make themselves vulnerable due to risky behavior.

Graph from Crowdstrike:

Comparing the reported eCrime Index (ECX) from 2022 to 2023 has shown that ecrime has increased by 67%

     As the world becomes more and more connected, cyberattacks have only become more and more common. Crowdstrike, a cybersecurity company that provides advanced antivirus software for several organizations and monitors the current landscape of cyber threats to keep organizations informed, has reported an increase of ecrime occuring globally. They created an index of the level of cybercrime occuring in the world, monitoring statistics such as the amount of spam emails sent, the number of victims of ransomware attacks, and the cost of black market hacking software, and have reported that their index has increased by 67% from 2022 to 2023. Ecrime is becoming significantly more common, and so it is increasingly important for individuals to remain vigilant of potential threats.

     One result of this increase is that the number of victims on websites that sell user data, such as passwords, banking details, or SSN’s, has increased by 76%. Some ecrime groups primarily make their income through the selling of user data, often through ransomware attacks. In 2023, there were 46 hospitals affected by ransomware attacks, an increase from 25 of the previous year, and in some cases the user data held ransom by the attackers was sold regardless if the hospital paid the ransom or not. Overall, ecrime on large organizations becoming a greater and greater threat to individuals due to the increasing amount of leaked user data being sold.

Graph from Pentera

     Another statistic that may be shocking is the amount of organizations impacted by cyberattacks. While cyberattacks may seem like a rare occurance, they’re actually quite common among large organizations, and can have serious consequences. Pentera, another cybersecurity company, reports that 51% of enterprises were compromised by a cyberattack with 31% of those breaches causing a financial loss, and 36% resulted in data exposure. In many cases, these attacks are preventable, as long as individuals within these organizations avoid risky behaviors. Unfortunately, just being knowledeable of these behaviors is not enough.

Source: Proofpoint

     One of the most important ways to prevent successful attacks is through being knowledgeable of risks, and yet many people with this knowledge still take risky actions that compromise their security. A survey by Proofpoint reported that 71% of users took a risky action, with 96% of those participants being aware that their actions were risky. Perhaps this is due to the lack of recognition of cyberattacks as an ever-present threat, and so people are willing to do risky behaviors since they don’t fully understand the potential consequences. If individuals don’t take cyber-attacks seriously, they will continue to ignore email sender identities, reuse passwords, and respond to texts from unknown numbers, despite knowing the risks.

     Hopefully, this corner has highlighted the importance of remaining vigilant around cyberattacks and has taught you some important facts about the state of cyberattacks around the world.

As always, we welcome your feedback and any suggestions for topics that you would like us to cover in the next newsletter. Please send us an e-mail at security@bsd.uchicago.edu .