In today's rapidly evolving digital landscape, the integration of artificial intelligence (AI) into everyday tools has become commonplace. However, this advancement brings with it a new wave of cyber threats that can have profound personal and professional consequences.
Consider the recent experience of Matthew Van Andel, a Disney employee who faced a significant cyberattack after downloading free AI software from a reputable platform. Unbeknownst to him, the software contained malicious malware that infiltrated his home personal computer. This breach allowed hackers to access sensitive information, including his personal accounts and Disney's internal communications. The fallout was severe: over 44 million internal messages were leaked online, and Van Andel's personal and professional life was upended. He ultimately lost his job due to allegations of accessing inappropriate content on his work computer, a claim he firmly denies. This incident underscores the potential dangers of downloading and using AI tools without proper verification. (The full article is available online on the Wall Street Journal website.)
Key takeaway:
- Password Manager becomes the HIGHEST risk if you don't protect it. In Matthews' case, he used a password manager, but it was not protected by MFA. When the hacker obtained his password to the vault through the malware installed on his computer, the game was over. Not only was the attacker able to access it remotely, but he also posted online every account password Matthew had in the vault. If you are using a password manager, make sure MFA with the highest level of security is enabled and protecting your vault
- Exercise Caution with Software Downloads: Always verify the source of any software, especially free AI tools. Download applications only from trusted and official platforms to minimize the risk of introducing malicious software into your systems
- Passwordless is THE only remedy. Password-based authentication has been vulnerable for decades. While multi-factor authentication (MFA) provides an additional layer of security, it can still be compromised under certain circumstances. Whenever possible, transition to passwordless authentication. In 2023, both Apple and Google introduced Passkey, which uses your phone's biometric features for authentication. With this method, no static data (such as passwords or codes) that can be later reused is exchanged with the website. Start migrating to Passkey
- Convenience kills security. Hackers have recently ramped up the theft of what are called session cookies. These are files that are stored by your browser and save you the annoyance of logging in every time you need to read a Gmail or check up on Facebook. Often, they are suitable for a fixed period, like a week or a month. However, once a hacker gets on your computer, they can use it to gain access to websites that require two-factor authentication. A session cookie gets created whenever users click "remember me" while logging into a website. Avoid checking "remember me" and attempt to empty your browser cache monthly
- Utilize Comprehensive Security Software: While built-in protections like Windows Defender offer a baseline defense, consider supplementing them with additional antivirus programs that can provide enhanced protection against a broader range of threats
Resources for moving to passwordless authentication:
https://passkey.org/
https://fidoalliance.org/passkeys-directory/
https://www.passkeys.com/websites-with-passkey-support-sites-directory
#ALTACyber
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------