
TikTok Under Scrutiny Again

TikTok is back under scrutiny from cybersecurity professionals and many world governments for the third time in two years. The social media platform rocketed to popularity during the pandemic but has slowly lost market share, falling below Instagram again last year. The latest security concerns and response by government legislation may be the final blow to the Chinese-owned social media platform trying to stay relevant in the US market.

The latest government bans on TikTok include New Zealand, Britain, the European Union, Belgium, and Canada. These countries have banned the app on government-owned devices or on devices that can access government databases. The US voted in December to remove the app from all government-owned devices, and a deadline of March 20th was finally set for the removal to be completed. Over half of state governments followed suit and banned the app from state government devices. Both the FBI and FCC have warned that the owner of the social media platform, ByteDance, could share data with the Chinese government. India banned the app in the summer of 2020, the first time the issue came up, which instantly knocked 200 million users off the platform.

World governments have several concerns about the app for government employees and citizens. The first is that sensitive data could be accessed on government devices and shared with the Chinese government. The second is location information. The US military was the first group to ban the app, in January 2020, and location sharing played a part in that ban. There are also concerns that intelligence gathered on user preferences and demographics could be used in future misinformation campaigns against citizen populations.

The current bill that could ban the app for US citizens names TikTok specifically, but it includes “…information and communications technology product or service.” from six adversarial nations: China, Cuba, Iran, North Korea, Russia, and Venezuela.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn and stay up to date by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts

Sharing Confidential Data with AI

Our previous blog on AI and cybersecurity showed how criminals use AI to help them write and debug malicious code and create more convincing phishing prompts. However, employees are beginning to utilize ChatGPT and other large language models (LLMs) to increase productivity, raising concerns about sensitive business data.

Businesses are beginning to use ChatGPT to write job descriptions, compose interview questions, create PowerPoint presentations, and refine or check code. However, companies are concerned that employees are giving the chatbot proprietary, secure, or customer data, which may open that information up to the public.

Walmart and Amazon have warned their employees against sharing confidential information with ChatGPT. Amazon has already said it has seen internal Amazon data in the chatbot's responses, which means its employees entered the data into the tool to check or refine it. JPMorgan Chase and Verizon have blocked employee access to ChatGPT, and OpenAI, the owner, changed how the chatbot learns new information last week. Previously, ChatGPT was set to train on users' input; that behaviour was turned off following privacy concerns.

From a cybersecurity standpoint, it’s challenging to control copied and pasted data if the employee needs the data to do their job. Like many other cybersecurity vulnerabilities, employees may use a chatbot tool to streamline their workflow without considering the security implications.

Cyberhaven Labs tracked the use of ChatGPT across their customer base and published a report. They found that 5.6% of employees tried to use the tool in their workplace, and 2.3% of employees have entered confidential information into ChatGPT since its launch three months ago. The use of the chatbot tool is growing exponentially, and all categories of business data are being shared with the tool. Client data, source code, personally identifiable information (PII), and protected health information (PHI) have all been shared with the tool in a percentage that grows weekly.

Employees should be aware of the cybersecurity ramifications of sharing company data with any external source not approved by the business. ChatGPT's growth in popularity shows how AI will continue to influence business tools for good, but in its current open state it poses a security risk for business data.
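One control that addresses the copy-and-paste problem described above is a screen that runs over a prompt before it leaves the organization, flagging the categories the Cyberhaven report lists (PII, payment data, secrets from source code, PHI) and redacting them. The following is an added example and not code from Quanexus, Cyberhaven or OpenAI; the patterns, category names and the sample prompt are constructed for illustration, and a regex screen of this kind is a heuristic rather than a complete data loss prevention product.

```python
import re
from dataclasses import dataclass, field

# Heuristic patterns for the data categories the report mentions. Category
# names are this example's own; a real deployment would tune these to the
# organization's data. The card pattern only finds candidates; Luhn filters them.
PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC )?PRIVATE KEY-----"
    ),
    "mrn": re.compile(r"\bMRN[:# ]?\s*\d{6,10}\b", re.IGNORECASE),  # medical record number (PHI)
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScreenResult:
    findings: list[tuple[str, str]] = field(default_factory=list)  # (category, matched text)
    redacted: str = ""

    @property
    def blocked(self) -> bool:
        # Policy choice for this example: any finding stops the prompt from being sent as-is.
        return bool(self.findings)


def screen_prompt(text: str) -> ScreenResult:
    """Scan text before it is sent to an external LLM; return findings and a redacted copy."""
    result = ScreenResult(redacted=text)
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            token = m.group(0)
            label = category
            if category == "card_candidate":
                if not luhn_ok(re.sub(r"\D", "", token)):
                    continue  # not a card number, just digits
                label = "payment_card"
            result.findings.append((label, token))
            result.redacted = result.redacted.replace(token, f"[REDACTED:{label}]")
    return result


# Constructed sample prompt; every value in it is made up (the AWS key is the
# documented example key, not a live credential).
SAMPLE_PROMPT = (
    "Please clean up this customer note: Jane Doe (MRN 00483921), SSN 123-45-6789, "
    "card 4111 1111 1111 1111, contact jane.doe@example.com. "
    "Also review config: aws_key=AKIAIOSFODNN7EXAMPLE"
)

if __name__ == "__main__":
    res = screen_prompt(SAMPLE_PROMPT)
    for label, token in res.findings:
        print(f"{label:15} {token}")
    print("blocked:", res.blocked)
    print(res.redacted)
```

In practice this check would sit in a browser extension, a proxy in front of the LLM API, or an internal chat front end, so that an employee who needs the tool still gets a usable (redacted) prompt rather than a hard block.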


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business

Calendar Invitation Phishing

Criminals are using calendar invitations to launch phishing attacks and break through email filtering. Over the summer, we saw a new phishing tactic used against the corporate world to steal employees’ login credentials. Criminals used compromised email addresses to send employees meeting invites with malicious links in the body of the invitation disguised as a virtual meeting link. The attack vector has recently worked its way down to individuals at such a rate that Google had to take action last week.

Many phishing attacks use Microsoft documents or PDFs as part of the attack because they will typically make it through email filtering. A calendar invite attack uses a .ICS file for the same reason. Some email clients will even add a calendar invite to a user’s calendar before they respond to the invite. The attacks are even more convincing now that virtual meetings are the norm in the workplace, and employees are regularly invited to unusual virtual meetings.

Like SMS phishing when it first became popular, criminals are weaponizing a business tool that most people interact with daily and trust. Calendar phishing is a new attack vector that users may not know is a threat yet.

The tactic was used extensively in the first part of the year against personal user accounts to the extent that Google took action and added calendar invitations to their list of automatically filtered spam just last week. Users can also change account settings so only calendar invitations from known contacts automatically appear on their calendar. Calendar invitations from unknown users will still appear in the user’s email inbox but will not be added to the calendar without accepting the invitation.

Businesses should educate users on calendar phishing and remind them not to accept or click links in meeting invitations from contacts they do not recognize.
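The control Google added, holding invitations from unknown senders out of the calendar, can be reproduced on the receiving side for any .ICS attachment: parse the invite, pull the organizer and every link out of the description and location, and only auto-add it when the organizer is a known contact and the links point at an approved meeting service. This is an added example written for this post, not code from Google or any calendar vendor; the sample invite, the organizer address, the link and the host allowlist are constructed, and the parser handles only the subset of the iCalendar format needed here (line unfolding and text escapes).

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample .ICS attachment. Addresses and link are made up.
# The DESCRIPTION line is folded across two lines as .ICS files do.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//invite//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:20230301T120000Z-1@invite.example
DTSTAMP:20230301T120000Z
DTSTART:20230302T150000Z
DTEND:20230302T153000Z
ORGANIZER;CN=Accounts Payable:mailto:ap@vendor-portal.example
ATTENDEE;CN=Employee:mailto:employee@company.example
SUMMARY:Urgent: Q1 invoice review
DESCRIPTION:Join the video call here: https://meet.vendor-portal.example/j
 oin/abc123\\nPlease sign in with your work account to view the agenda.
LOCATION:Virtual
END:VEVENT
END:VCALENDAR
"""

# Example allowlist of meeting services; an organization would use its own.
MEETING_HOSTS = {"teams.microsoft.com", "zoom.us", "meet.google.com", "webex.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold(ics: str) -> list[str]:
    """Join continuation lines (those starting with a space or tab) to the previous line."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value: str) -> str:
    """Undo iCalendar text escapes: \\n, \\N, \\,, \\; and \\\\."""
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


@dataclass
class Invite:
    organizer: str = ""
    summary: str = ""
    description: str = ""
    location: str = ""
    urls: list[str] = field(default_factory=list)


def parse_invite(ics: str) -> Invite:
    """Extract the fields a triage decision needs from the first VEVENT."""
    inv = Invite()
    in_event = False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if not in_event or ":" not in line:
            continue
        # Property parameters such as CN= sit between ';' and the first ':'.
        # (A quoted parameter containing ':' is not handled by this simple split.)
        head, _, value = line.partition(":")
        name = head.split(";", 1)[0].upper()
        value = unescape(value)
        if name == "ORGANIZER":
            inv.organizer = (value[7:] if value.lower().startswith("mailto:") else value).lower()
        elif name == "SUMMARY":
            inv.summary = value
        elif name == "DESCRIPTION":
            inv.description = value
        elif name == "LOCATION":
            inv.location = value
    inv.urls = URL_RE.findall(inv.description) + URL_RE.findall(inv.location)
    return inv


def triage(inv: Invite, known_contacts: set[str], meeting_hosts: set[str]) -> dict:
    """Decide whether the invite may be added to the calendar without the user accepting it."""
    reasons = []
    if inv.organizer not in known_contacts:
        reasons.append(f"organizer {inv.organizer} is not a known contact")
    for url in inv.urls:
        host = (urlparse(url).hostname or "").lower()
        if host not in meeting_hosts and not any(host.endswith("." + h) for h in meeting_hosts):
            reasons.append(f"link host {host} is not an approved meeting service")
    return {"auto_add": not reasons, "reasons": reasons}


if __name__ == "__main__":
    invite = parse_invite(SAMPLE_ICS)
    print(triage(invite, {"employee@company.example"}, MEETING_HOSTS))
```

The same two checks are what a user applies by hand when following the advice above: who sent this, and where does the link actually go.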


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business

City Government Phishing Victim

Hilliard, Ohio, a suburb of Columbus, suffered an email phishing attack in December that cost the city over $218,000 and the jobs of two city employees. In early December, the city accounting department received emails pretending to be a third-party vendor of the city. The emails convinced an account assistant to change the bank account routing numbers associated with the vendor. A few days later, the city paid a bill they thought was going to the third-party vendor but instead went to the criminal.

“Our investigations have shown the loss of funds was a result of human error in not following established protocol,” City Manager Michelle Crandall said in a statement. “This scam did not involve any breach of the city’s network, systems, or data.”

The city manager said verification protocols were in place to change third-party banking information, but they were not followed. The financial director contacted the police about the incident but waited 35 days to disclose the mistake to the city.

“Unfortunately, phishing is a rapidly growing problem, and government agencies are common targets,” Crandall said. “In 2022 alone, the Anti-Phishing Working Group observed more than 1.2 million phishing attacks, with nearly one-fourth of these scams aimed at the financial sector.”

Criminals convincing financial departments to change bank routing information is a common phishing tactic. It’s possible the third-party vendor suffered a Business Email Compromise (BEC), and the financial department thought they were corresponding with a trusted email contact. In other cases, criminals may use an email address similar to the one they are spoofing but on a different domain, or the employee’s name may be misspelled. In all cases, employee education is the first step in preventing attacks. Financial and HR departments are most often targeted and should be first on the list for security awareness training. In this case, the city manager said protocols were in place, but they were bypassed. Software tools can require approval before bank routing information is changed, preventing this kind of human error.
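The two mitigations in the paragraph above, spotting a sender on a lookalike domain and requiring approval before banking details change, can both be enforced in software. Below is an added example written for this post, not code from the City of Hilliard or any accounting product; the vendor name, addresses and routing placeholders are constructed. The change request cannot be applied until someone records a callback to the phone number already on file (not a number taken from the email) and a second person, distinct from the requester, approves it. The sender check is a simple edit-distance heuristic and, as the BEC case shows, an exact match still does not prove the request is genuine.

```python
from dataclasses import dataclass, field
from typing import Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_risk(sender: str, vendor_domain: str) -> str:
    """Classify the sending address of a bank-change request against the vendor domain on file."""
    domain = sender.rsplit("@", 1)[-1].lower()
    vendor_domain = vendor_domain.lower()
    if domain == vendor_domain:
        return "match"  # not proof of legitimacy: the vendor's own mailbox may be compromised
    if levenshtein(domain, vendor_domain) <= 2 or vendor_domain.split(".")[0] in domain:
        return "lookalike"  # one or two characters off, or the vendor name reused elsewhere
    return "unrelated"


class ChangeControlError(Exception):
    pass


@dataclass
class BankDetailChange:
    vendor: str
    requested_by: str          # employee who received the request and entered it
    new_routing: str
    new_account: str
    sender: str                # address the request arrived from
    verified_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit: list[str] = field(default_factory=list)

    def verify_out_of_band(self, employee: str, phone_on_file_confirmed: bool) -> None:
        """Record a callback to the phone number already on file for the vendor."""
        if not phone_on_file_confirmed:
            raise ChangeControlError("vendor did not confirm the change on the number on file")
        self.verified_by = employee
        self.audit.append(f"verified by {employee} via callback to number on file")

    def approve(self, approver: str) -> None:
        """Second-person approval; the requester and the verifier cannot approve their own change."""
        if approver in (self.requested_by, self.verified_by):
            raise ChangeControlError("approver must differ from requester and verifier")
        if self.verified_by is None:
            raise ChangeControlError("cannot approve before out-of-band verification")
        self.approved_by = approver
        self.audit.append(f"approved by {approver}")

    def ready(self) -> bool:
        return self.verified_by is not None and self.approved_by is not None

    def apply(self, vendor_records: dict) -> None:
        """Write the new details only once both controls have been satisfied."""
        if not self.ready():
            raise ChangeControlError("change not verified and approved")
        vendor_records[self.vendor] = {"routing": self.new_routing, "account": self.new_account}
        self.audit.append("applied")


if __name__ == "__main__":
    # Constructed scenario: the request comes from a domain one character off the real one.
    change = BankDetailChange(
        vendor="Acme Supply",
        requested_by="assistant",
        new_routing="ROUTING-PLACEHOLDER",
        new_account="ACCOUNT-PLACEHOLDER",
        sender="billing@acme-suppIy.example",
    )
    print("sender risk:", sender_risk(change.sender, "acme-supply.example"))
    try:
        change.apply({})
    except ChangeControlError as err:
        print("refused:", err)
```

The audit list gives the finance director a record of who verified and who approved, which also removes the incentive to sit on a mistake for 35 days.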


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business