Deepfake videos in job interviews, UK demands access to Apple data, SBOMs, and software composition analysis; what’s the need?


By John Bruggeman, virtual Chief Information Security Officer


Deepfake videos in job interviews

I learned a new trick for spotting deepfakes two weeks ago, thanks to Dawid Moczadlo from Vidoc Security Lab. He recorded a video interview for a developer position and posted it on LinkedIn so that we can see how the deepfake looked in a video call.

The trick I learned is to ask the candidate in the interview to put their hand in front of their face. Current deepfake software will try to display the face on top of the hand if you do that, so it’s a quick way to see if the person is real.

The other thing Dawid noted was that all of the answers to his questions were provided by ChatGPT.

Sadly, this is happening a lot these days, sometimes by citizens of other countries to earn U.S. currency and transfer it to their economy, and sometimes by others who want to gain access to a company. The risk is real.

What can you do?

Stay aware that this is a growing risk.

There is an article in The Register that details what Dawid went through as part of the interview process.

So, raise awareness and let others know about this risk. It’s not just deepfakes on social media; these fakes are appearing even in situations as seemingly honest as job interviews.

UK seeks key to data stored in iCloud

The United Kingdom made a significant request of Apple last month via the Investigatory Powers Act. To summarize in my own words, they said, "Give us a key to data stored in iCloud.”

Initial reports about the request from the UK government thought that it might mean anyone who uses an Apple device and stores data in iCloud might be vulnerable.

But what Apple did instead was remove a security feature called Advanced Data Protection (ADP) for use in the UK. iCloud users in other countries and regions can still use ADP, and I strongly recommend that you turn on that feature because it reduces the risk of data compromise.  

The ADP feature provides end-to-end encryption for iPhones and iPads, encrypting the data on the device and then sending it to Apple to be stored in iCloud. The key needed to decrypt the data is known only to the user; with ADP, Apple does not have a copy of the decryption key.

Apple does have the key for decryption if you only use Standard Data Encryption (SDE), which is what UK users are now forced to use.

What can you do?

Share this information with others, particularly if they are in the UK. We can help you implement more robust data security for your corporate-owned devices.

We have Backup-as-a-Service options for those who want a managed solution, or we can help them evaluate and assess their current security program.

SBOMs and software composition analysis; what’s the need?  

When I do a security program assessment using either the NIST Cyber Security Framework (CSF) or the Center for Internet Security (CIS) controls framework, there are two questions that virtually every organization struggles to answer:

1) Do you have an inventory of your hardware assets (computers, switches, routers, firewalls, access points, etc.)?  

2) Do you have an inventory of your software assets (Windows 10 or 11, Mac Sonoma or Sequoia, Office, Adobe, Google Chrome browser, Firefox, or Edge, etc.), also known as a software bill of materials, or SBOM?

I ask those two questions because you can't secure what you don't know about. That's just basic security. The hardware inventory can be hard for companies because a company might allow bring your own device (BYOD), employees can work from home, or a company has never kept track.

However, you can develop an inventory to see what devices are on your network with various tools, or you can use a spreadsheet (though we certainly don’t consider this best practice). Things get a bit more tricky on the software side, particularly when you want to dig deeper and ask what open-source tools/libraries exist in your environment.

This is where a software bill of materials (SBOM) comes into play. There is a well-known vulnerability in a very popular software library called Log4J. The vulnerability is called Log4Shell because it gives an attacker command-line access to devices that run the vulnerable version of Log4J. Log4J is a software library that is free to use, and because it's free, it's used a lot!

When I say a lot, I mean that nearly every hardware device that can give you a log of activity (switches, routers, access points, etc.) uses it. So, how do you know if your software has a vulnerability in it? First, you must know what software you have deployed in your environment to answer that question, so check your SBOM, i.e., your software inventory!

Second, you need to determine if that software is vulnerable or not, so scan your environment for vulnerabilities. Application security vendor Blackduck.com conducted an audit of over 950 commercial software applications to see how many of them contained vulnerable open-source software packages. The bad news is that 86% of these applications have vulnerable open-source software.
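The two steps above (know what you have, then check whether it is vulnerable) are exactly what a software composition analysis tool automates: it reads your SBOM and matches each component's version against an advisory feed. The following script is an added illustration, not code from the author or from any vendor named here. The SBOM is a constructed CycloneDX-style JSON document, the advisory list is constructed with placeholder identifiers (ADV-EXAMPLE-…) rather than real CVE data, and the version-range matching is a simplified version of what tools such as those in the SCA space do against feeds like the NVD.

```python
"""Match a CycloneDX-style SBOM against a list of advisories.

Added example. The SBOM and the advisory feed below are constructed for
illustration; in practice the SBOM comes from your build tooling and the
advisories from a vulnerability database feed.
"""
import json
import re
from dataclasses import dataclass

# Constructed SBOM in the CycloneDX JSON shape (minimal subset of fields).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.4"},
    ],
})

# Constructed advisory feed. Identifiers and ranges are placeholders, not
# real CVE records; a real SCA tool pulls these from NVD, OSV or vendor feeds.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0",
     "summary": "JNDI lookup leads to remote code execution (Log4Shell-style)"},
    {"id": "ADV-EXAMPLE-0002", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "introduced": "2.0", "fixed": "2.12.0",
     "summary": "deserialization issue (placeholder)"},
]


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts compare as integers; a trailing pre-release tag sorts
    before the bare release, so 2.0-beta9 < 2.0 < 2.14.1.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?$", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so that 2.0 == 2.0.0.0
    pre = m.group(2)
    return nums + ((0, pre) if pre else (1, ""))


@dataclass
class Finding:
    advisory: str
    component: str
    version: str
    fixed: str
    summary: str


def load_components(sbom_json):
    """Return the component list from a CycloneDX JSON document."""
    return json.loads(sbom_json).get("components", [])


def is_affected(version, introduced, fixed):
    """Half-open range [introduced, fixed), the convention OSV-style feeds use."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Cross-reference every SBOM component against every advisory."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if (comp.get("group"), comp["name"]) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"],
                                        f"{comp['group']}:{comp['name']}",
                                        comp["version"], adv["fixed"],
                                        adv["summary"]))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f.advisory}: {f.component} {f.version} is affected, "
              f"upgrade to >= {f.fixed} ({f.summary})")
```

Run against the constructed input, only the log4j-core 2.14.1 entry is reported; the 2.17.1 copy of the same library and the jackson-databind version fall outside the advisory ranges. Two points worth noting for anyone building this into an inventory process: the match key is group plus name, not name alone, because the same artifact name can exist under different groups, and the version comparison has to understand pre-release tags, since a naive string comparison would place "2.0-beta9" after "2.0".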

What can you do?

How do you fix this problem?

1. Conduct regular monthly patching.

2. Run regular weekly vulnerability scans.

3. Maintain an inventory of the software you use in your environment so you know what to check.

Do you have developers in-house or contract workers writing software? If so, let them know about this risk and require them to conduct scans of their internal applications. We can help them with that, either via a penetration test, or with a tool in the software composition analysis space.

To read more about the vulnerable software, you can read this report from Blackduck.


About the author

John Bruggeman is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity. He helps companies, boards, and C-level committees improve and develop their cybersecurity programs, create risk registers, and implement compliance controls using industry-standard frameworks like CIS, NIST, and ISO.
