What a security manager needs to know about chatbots

When I last wrote about chatbots in December, they were a sideshow. Since then, they have taken center stage. In this New Yorker piece, ChatGPT is called making a blurry JPEG of the internet. Since I wrote that post, Google, Microsoft and OpenAI/ChatGPT have released new versions of their machine learning conversation bots. This means it is time to get more serious about this market, understand the security implications for enterprises, and learn more about what these bots can and can’t do.

TechCrunch writes that early adopters include Stripe, which is using GPT-4 to scan business websites and deliver a summary to customer support staff; Duolingo built GPT-4 into a new language learning subscription tier and Morgan Stanley is creating a GPT-4-powered system that’ll retrieve info from company documents and serve it up to financial analysts. These are all great examples of how it is being helpful.

But there is a dark side as well. “ChatGPT can answer very specific questions and use its knowledge to impersonate both security and non-security experts,” says Ron Reiter, Co-Founder and CTO of Israeli data security firm Sentra. “ChatGPT can also translate text into any style of text or proofread text at a very high level, which means that it is much easier for people to pretend to be someone else.” That is a problem because chatbots can be used to refine phishing lures.  

While perhaps the prediction of the coming of Skynet taking over the world is a bit of an over-reach, the chatbots continue to get better. If you are new to the world of large language models, you should read what the UK’s National Cyber Center wrote about them and see how these models relate to the bots’ data collection and operation.

One of ChatGPT’s limitation is that its training data is stale and doesn’t include anything after 2021. But it is quickly learning, thanks to the millions of folks that are willingly uploading more recent bits. That is a big risk for IT managers, who are already fearful that corporate proprietary information is leaking from their networks. We had one such leak this week, where a bug in ChatGPT made public titles of user chat histories. This piece in CSOonline goes into further detail about how this sharing works.

My first recommendation is that a cybersecurity manager should “know thy enemy” and get a paid account and learn more about the OpenAI’s API. This is where the bot will interact with other software, such as interpreting and creating pictures, or generating code, or diagnosing human behavior as a therapist. One of my therapist friends likes this innovation, and that it could help people who need to “speak” to someone urgently. These API connections are potentially the biggest threat vectors for data sharing.

Gartner has suggested a few specific things, such as favoring Azure’s version for your own experimentation and putting the right policies in place to prevent confidential data from being uploaded to the botsCheck Point has posted this analysis last December that talks about how they can easily create malware.

Ironscales has this very illuminating video shown above on how this can be done. Also, to my earlier point about phishing, IT managers need to think about having better and more targeted awareness and training programs.

Infosys has this five-point plan that includes using the bots to help bolster your defensive posture. They also recommend you learn more about polymorphic malware threats (CyberArk has described such a threat back in January and Morphisec has specialized tools for fighting these that you might want to consider), and review your zero trust policies.

Finally, if you haven’t yet thought about cloud access security brokers, you should read my review in CSOonline about these products and think about using one across your enterprise to protect your data envelope.

Book review: Stalked by Revenge by Lynn Lipinski

Stalked by Revenge (Zane Clearwater Mystery Book 3) by [Lynn Lipinski]This is the third book in a series of mystery novels featuring Zane Clearwater, a character who has had a shady past. It can be read independently of the others and there is a fourth is in the works. The story centers on Clearwater’s family, including a gun-packing grandmother and a private detective who comes to the aid of the family to stop a revengeful assailant who starts out in prison at the story’s beginning. Lipinski’s descriptive prose is first-rate, and the various characters are well drawn, with some very realistic challenges in their lives. By the end of the book you will feel that you know them and have a lot of empathy for their circumstances. Fans of mystery novels will enjoy this book, and I highly recommend it.

Buy it from Amazon here.

How to know when you are ready to expand your career

“There may be nothing I’ve seen wreck the careers of high-performing, hardworking people more commonly than stepping into a manager role the person isn’t ready for,” tweeted Kieran Snyder earlier this month. The CEO of linguistic analysis firm Textio then follows up this with some very cogent remarks about knowing when to take that leap into management that really resonated with me.

This is because I faced a similar circumstance in my own career back in 1990, when I took the job to run Network Computing, a brand new computer publication. I have often mentioned that decision as a pivot point in my professional life in these essays, At that time, I was managing a group of about a dozen editors for PC Week — and this would be a big promotion to running an entire publication, hiring its entire staff, and learning how to get the magazine from words to a coherent whole. It shaped the rest of my career, to be sure.

I also addressed this topic a couple of years ago in this post about whether super coders should take the next step into management. It is worth reviewing that piece and listening to a discussion with Jaya Baloo and Troy Hunt on the subject.

Snyder lays out four important questions you need to ask yourself whether or not you are ready:

  1. Can you communicate complex expectations clearly? And behind this question is also holding people accountable — and avoiding eventual disappointments — for these expectations too. Even when you know this, it is still hard to achieve. “This is an issue I have faced, and often management fails to set clear expectations,” said Alan Elmont, who has been a recruiter and staffing professional for decades. “This has been particularly an issue with small companies or mid-sized companies that are growing too quickly.”
  2. Can you engage and mange conflicts well? Being fair in these fights is more important that being well-liked.
  3. Where do you fit in the scale between being a hero and being predictable? “Managers mostly do hero work to compensate when their team isn’t delivering,” she says. That could be caused by a variety of failures, such as unclear feedback or expectations or poor solutions delivery — or a combination.
  4. Finally, do you have the right combination of technical skills and a solid functional foundation to properly lead your team? That is a tough one to dispassionately assess, either by yourself or with your prospective hiring manager.

Now let me take another moment from my career when I got a job to run another publication. It was a major failure, and because I couldn’t do any of the first three things that Snyder mentioned above. I barely lasted a year there before being fired. I should have spent more time understanding the lay of the landscape and the management style of my eventual boss. Now, this happened years after my Network Computing anecdote, so you would think being older and more experienced I would have spotted the danger signs. But no, I was too caught up in the thrill of being chased for a new job. Live and learn.

While on the topic of career development, I had an opportunity to talk to a group of mid-career folks who are considering jobs in cybersecurity this week. You can see my slides below, and some of the issues that we discussed.

 

 

Book review: A Likely Story by Leigh McMullan Abramson

A Likely Story: A Novel by [Leigh McMullan Abramson]I really enjoyed this new novel which has characters and a plot line I found appealing, as a full time freelance writer for many decades.

The story is about a famous novelist and his ne’er-do-well daughter who is in her mid 30s, trying to figure out her life and try to finish her first book, which seems to have been started ages ago. It is set against the death of her mom, and interwoven we are privy to the draft of a novel (which plays an important role in the character’s lives without giving away any spoilers). The description of literary life in NYC and all its trappings and ridiculousness resonated with me, as do the challenges of 30-somethings.

The novel concerns the relationship of the famous writer to his wife and daughter, how the three of them collaborated on various projects, and the perception of the dad towards his family members. That is about all I can say in this review, but it is deliciously wicked, real, and poignant. Being related to the writer and enduring his oversize ego drives many of the plot points along. At one point the daughter feels that “writing was like being on a submarine, where she spent years being submerged, silent and secret, working toward the day where she would have something to show for all her time underwater.” The novel is interesting, amusing, and thoughtful and I highly recommend it.

Book review: All That Is Mine I Carry With Me

This novel by William Landay has plot points that approach numerous other thrillers — such as the missing title character in Gone Girl — but takes things just a bit further in telling the tale of a missing mom who is presumed killed by her husband. You hear from various family members in the first person, but again it is done to introduce some interesting plot twists that I don’t want to spoil you with here. Initially I was a bit annoyed by the mixed narrator style but came to appreciate it about halfway through the novel. The narrative arc covers decades as we move way beyond the actual missing/murder conundrum and into the finer aspects of the children and other family members’ personalities, relationships, and whether they think the dad did the deed or not. Having the dad as a criminal defense lawyer is also a nice touch too!. Highly recommended.

How is that right to be forgotten going?

Right To Be Forgotten – Chicago PlaysThe right to be forgotten isn’t part of the US Constitution, or for that matter in any other country’s founding documents. But it is part of the more recent regulations, which define how this data is collected, how it is processed, and mostly importantly, how and when it is erased. The phrase refers to where individuals can ask to have their personal data removed from various digital repositories under certain circumstances.

It is not a new term. Indeed, the EU got going on this almost ten years ago, eventually enshrining rules in its General Data Protection Regulation (GDPR), which have been around now for almost five years. This motivated a few (and I emphasize very few — so far that number is five) states here in the US to enact their own privacy laws, including California’s Consumer Privacy Act (CCPA) and others that mention the “forgotten” rights. Here is a handy comparison chart of what the five states have passed so far.

Security blogger David Froud also wrote about the issue more than four years ago. He pointed out then that the term forgotten doesn’t necessarily mean total erasure of your data, such as the hypothetical case of a convicted criminal in applying for a job. But then, should the stain of that conviction follow someone for the rest of their life? Hard to say. And this is the problem with this right: the subtleties are significant, hard to define, and harder still to create a solid legal framework.

What got me thinking about this issue is a recent survey by Surfshark of the actual progress of the forgotten actions across European countries. They found that residents of France alone accounted for a quarter of the actions recorded by both Google and Microsoft’s search portals, with England and Germany residents together accounted for another quarter of cases. These requests are on the rise since the onset of Covid, and both Cyprus and Portugal have seen a 300% increase in requests since 2020. Interestingly, Estonia (which is a leader in implementing all sorts of other digital tech across the board) had the largest proportion of cases with 53 per 10,000 residents. Compare that to Bulgaria, which had 5.6 requests per 10,000 residents. At the bottom of the page linked above, you can see references to the various search portals’ request removal forms, and yes, you have to submit separate requests for each vendor (here is Google’s link). The EU “suggests” that the process from request to its fulfillment should take about a month, but the way they word it means there is no legal response time encoded in the GDPR. According to the Surfshark report, millions of requests have been filed since the law went into effect.

As the authors of the survey say, “Time will only tell which countries will join the fight for online privacy and to what ends our data is private online. Is the right to be forgotten a universal truth or a way to hide the past indefinitely?” I don’t honestly know.

Temper the Surfshark report with the results of a Spanish university research study that looked at the 500 most-visited websites in that country. They found a huge collection of tracking technologies that were hidden from any user consent, with less than nine percent of the sites actually obtaining any user consent.

But tech doesn’t stand still, and the right to be forgotten has taken on new meaning as the rise of AI chatbots such as ChatGPT that can seek out and find your personal data as a way to train their machine learning models. As my colleague Emma McGowen mentions in her Avast blog from last month, there is no simple mechanism to request removal of your data once the AI has found it online. You don’t know where your data is online, and even if you do there isn’t any simple form that you can fill out to request deletion.

Note: OpenAI released this opt-out form after I wrote this essay.

If you have ever tried to put a credit freeze on your accounts at the four major credit bureaus, you have some idea of the chore involved here. At least there are only four places that process your credit data. There are hundreds if not thousands of potential data collections that you would have seek out and try to get any action. Chances are your data is out there somewhere, and not just in Google’s clutches but on some hard drive running in some darker corner. Good luck tracking this down.

So where does that leave this right to privacy? It is a good sign that more countries and some US states are taking this seriously. But, each state has slightly different takes on what the right means and what consumers can do to remove their data. And for those you happily chatting up your AI bots, be careful about what private info you have them go searching for, lest you unwittingly add more data that you don’t want others to find about you.

FIR B2B PODCAST #158: ANNA GRIFFIN ON MARKETING IN UNCERTAIN TIMES

We are back after a hiatus and speaking to Anna Griffin, who recently joined cloud storage provider Commvault as Chief Market Officer. Anna has held marketing leadership positions at Smartsheet, Intercom, Nortel, CA and Juniper Networks, among others. That longevity has helped her gain perspective in how to operate in good times and not-so-good times, and our interview explores what she has learned from these experiences.

Anna told us about how marketers have to be careful not to let their organization appear to be a cost center. Rather, they should believe and demonstrate that they are a necessary and valuable asset to the company. Take advantage of a downturn by leaning in and focusing on customers so that the company can craft a message that’s more relevant to their needs. She suggested that marketers should fight for their budgets and focus on high-value activities that will help the company grow. “Someone has to grow, even in lean times,” she said.

Anna spoke about how she has embraced many of the tenets of B2C marketing, even though she has spent more of her career in the B2B world. “I believe that is true since the beginning of time; we are selling human-to-human after all.” Maybe we should start using the term H2H?

“We should remove any frictions in the purchasing process by understanding that community is the new B2B playbook and that customers want things now,” she said. The sales organization needs to be part of the marketing effort, and marketers should be sure playbooks are coordinated.

Being a market leader isn’t just about touting your company’s presence on some “magic quadrant” because customers don’t buy MQs, Anna said. “We have to show more specifics about how we can solve the actual customers’ problems. This means we have to be more targeted in how we can add value for them on day one.”

Listen to our 19 min. podcast here.

Book review: Who Will Accompany You by Meg Stafford

Who Will Accompany You?: My Mother-Daughter Journeys Far from Home and Close to the Heart

This book is the work of a mother’s separate travels with her two daughters: one visits Nepal and Bhutan, the other to Colombia. The two kids take the trips for specific reasons: to learn about total happiness and to work for an NGO that is helping with war-torn conflicts. The travels are enlightening for all parties concerned and are what Meg Stafford — who has written a regular column for years — says is an ongoing kaleidoscope of learning together with her daughters. She is a therapist, so her work listening and analyzing people comes through quite loudly in this memoir.

The travels aren’t your usual tourist romps through colorful foreign lands, but offer real insights into both the people they encounter along the way and the lessons they have learned about themselves and their own family relationships. “The more we know ourselves, the easier it is to connect with others, and the more connected we are with them,” she writes.

Regarding happiness, “the best way to predict it is to follow the example of someone who is currently where you will be in the future.”

There is also a lot describing problem-solving.  “everything depends on how you use your mind. The way to solve the problems in your life is to open your heart to others.”

And this insight: “Parents cannot eliminate risk. We can shore up our children so that when they encounter it they can make better and more informed choices.

The women learn that tragedy is the same in any language, but humor doesn’t translate so easily, and there are lots of moments across this spectrum.

The title comes from answering the question about who we will accompany, not just in physical travel across the world but across our life. “We cannot always know but we can hold them close when they are near, so we can still hold them when they are far with arms outstretched.”

For those who enjoy memoirs and appreciate travel, this is a very appealing book.

Red Cross blog: Jim Gallagher and Hurricane Ian’s response

What skill does a retired journalist have in common with an American Red Cross disaster action team volunteer? This is not a rhetorical question: the two jobs both require you to listen to people carefully and be empathetic to their needs. This is the story about Jim Gallagher, who spent more than 27 years working for the St. Louis Post-Dispatch, mainly as a business reporter. “As a reporter you want to get people to open up to you, but that same skill in listening to people certainly helps when you are deployed. In both circumstances, you have to project sympathy,” he said. Both he and his wife have volunteered on a number of deployments.  He responded to the aftermath of Hurricane Ian in central Florida last fall.  Both helped out with those displaced by the California wildfires and helped ease the transition of unaccompanied minors crossing the southern border in 2021. In addition to his Red Cross activities, they also volunteer at a local food bank regularly.

You can read more about Jim and his volunteer activities on the Red Cross blog here.

Disinformation mercenaries for hire

In the past week I have seen a number of reports that range from unsettling to depressing. The reports document a three-pronged foundation of the darkest parts of the online world: disinformation, cyber-terrorism, and the difficulty in trying to craft better legal approaches to stop both.

Let’s start with the disinformation. A consortium of journalists from around the world wrote about a team of Israeli contractors (called “Team Jorge”) who claim to have covertly influenced more than 30 elections and placed stories to help improve the online reputations of numerous private business clients around the world. They did this by using hacking, sabotage and automated disinformation tools. Call it disinformation-mercenaries-for-hire. If this sounds familiar, it is another news product from the French-based ForbiddenStories group that broke the series of Pegasus-related stories back in the summer of 2021 that I have written about for Avast here. The group labels this effort “Story Killers” and you can read the various pieces here.

What is depressing is how adept this industry has become: by comparison, the Russian Internet Research Agency’s antics in meddling with our 2016 election looks crude and mere child’s play. The reporters uncovered a wide-ranging collection of automated tools to quickly create hundreds of fake social media accounts and generate all kinds of fake posts that are then amplified by the social networks and search engines. “We must be able to recount the life of the characters, their past, their personality,” said one mercenary. “When it’s a small agency, it’s done in a rather sloppy way. If it’s well done, it’s the Israelis.”

info1The Israeli company behind these operations has a wide array of services, including digital surveillance, hack-and-leak smear campaigns, influence operations, and election interference and suppression. They claim to have operated for a decade.

One of the consortium partners is The Guardian and they document one of these automated systems that is used to manage a collection of social media avatars. Called AIMS, it allows for managing 30,000 seemingly real accounts to be created for nonexistent people. These can then be deployed either as a swarm – similar to a network of bots – or as single agents. Other tools are described in this piece by Haaretz.

The disinformation mercenaries sold access to their software to various national intelligence agencies, political parties and corporate clients interested in trying to resolve business disputes. Accounts span Twitter, LinkedIn, Facebook, Telegram, Airbnb, Gmail, Instagram and YouTube. Some of the identities even have Amazon accounts with credit cards and bitcoin wallets. All of this was leveraged to stage real-world events in order to provide ammunition for social media campaigns to provoke outrage.

Let’s move on to the cyberterrorism effort. Speaking about the Russians, also released this week are two reports from the Atlantic Council, a DC-based think tank that has studied the disinformation war the Russians have waged against Ukraine. (To be clear, this is completely independent of the Story Killers effort.) It is also depressing news because you realize that unlike an actual shooting war, there is never any time when you can claim victory. The totality, scope and power of this vast collection of fake news stories, phony government documents, deep fake videos and other digital effluvia is staggering and is being used by the Russians to convince both their own citizens and the rest of the world of Putin’s agenda.

And something else to worry about with the war comes from one final report, this one from Dutch intelligence forces that was covered here. The report says, “Before and during the war, Russian intelligence and security services engaged in widespread digital espionage, sabotage and influencing against Ukraine and NATO allies. The sustained and very high pressure that Russia exerts with this requires constant vigilance from Ukrainian and Western defenders.”

Taken together, you can see that disinformation has become weaponized in both the public and private sector. So what can be done? Cue up part three, which is trying to craft better laws to control these actions. Coincidentally, the US Supreme Court heard two cases that have been moving through our judicial system, Gonzalez v. Google and Twitter v. Taamneh. Both cases involve ISIS attacks. The former involves the 2015 murder in Paris of the 23-year old American student Nohemi Gonzalez, which I wrote about in a blog for Avast last fall. The latter involves the 2017 death of Nawras Alassaf in Istanbul. The first case directly involves the Section 230 statutes, the latter the various sections of the anti-terrorism act. Both were laws passed in the mid 1990s, when the internet was young and by comparison innocent.

You can read the transcriptions of the court’s oral arguments for Gonzalez here. The  oral arguments transcript for Twitter are found here. I have taken the time to read them and if you are interested in my further thoughts, email me directly or post your questions here. Making effective changes to both laws won’t be easy without drastic consequences for how online companies run their businesses, and how we legitimately use them. And that is lesson from reading all these reports: as long as the bad guys can figure out ways to exploit these technologies, we will have to deal with some dire consequences.