
Friday, May 23, 2025

Deepfaking of Some Senior US Government Officials


Do you think AI-powered smishing and vishing are far off? Think again. (Smishing uses text messages to trick users; vishing relies on voice calls to do the same.)


Today, these social engineering tactics might seem low-level, but developments in AI technology are rapidly changing that. With tools that can generate natural-sounding texts and mimic real voices, attacks are getting more sophisticated and convincing. What’s now a minor risk could soon escalate into a widespread and highly effective threat.


The FBI has warned that fraudsters are impersonating "senior US officials" using deepfakes as part of a major fraud campaign.


According to the agency, the campaign has been running since April and most of the messages target former and current US government officials. The attackers are after login details for official accounts, which they then use to compromise other government systems and try to harvest financial account information.


https://bit.ly/4ks5Jff


Headlines:

"'AI-generated content has advanced to the point that it is often difficult to identify,' the FBI advised. 'When in doubt about the authenticity of someone wishing to communicate with you, contact your relevant security officials or the FBI for help.'"


"Attackers have used this approach for over five years. The technology needed to run such attacks is so commonplace and cheap that it's an easy attack vector. Deepfake videos have been around for a similar period, although they were initially much harder and more expensive to do convincingly."

Tuesday, February 4, 2025

Chinese AI DeepSeek Database Is Exposed


A database belonging to the Chinese company DeepSeek AI was recently exposed, and over 1 million log lines and secret keys were leaked.


Choose your AI wisely. Choose your software wisely. Cheap software might end up costing you far more in the long run. While no choice is entirely risk-free, it's best to use software from countries that uphold strong democratic values, justice, and human rights. Your data is being collected and sold to third parties. This is almost unavoidable. If it must happen, it's (relatively) safer in the hands of democratic countries. (Consider it the lesser of two evils.)


https://bit.ly/4hmIqBQ


Headlines:


"Buzzy Chinese artificial intelligence (AI) startup DeepSeek, which has had a meteoric rise in popularity in recent days, left one of its databases exposed on the internet, which could have allowed malicious actors to gain access to sensitive data.


The ClickHouse database 'allows full control over database operations, including the ability to access internal data,' Wiz security researcher Gal Nagli said.


The exposure also includes more than a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information, such as API Secrets and operational metadata. DeepSeek has since plugged the security hole following attempts by the cloud security firm to contact them.


The database, hosted at oauth2callback.deepseek[.]com:9000 and dev.deepseek[.]com:9000, is said to have enabled unauthorized access to a wide range of information. The exposure, Wiz noted, allowed for complete database control and potential privilege escalation within the DeepSeek environment without requiring any authentication."


"Furthermore, DeepSeek's apps became unavailable in Italy shortly after the country's data protection regulator, the Garante, requested information about its data handling practices and where it obtained its training data..."


"Bloomberg, Financial Times, and The Wall Street Journal have also reported that both OpenAI and Microsoft are probing whether DeepSeek used OpenAI's application programming interface (API) without permission to train its own models on the output of OpenAI's systems, an approach referred to as distillation."