Letter from the CISO, Vol 3 Issue 9
Washington University Community:
Artificial Intelligence is a tool
Artificial Intelligence, or AI, has received a lot of attention and interest over the past year, primarily due to the great advances in productivity and quality it seems to promise. WashU IT is excited to be helping the university community take advantage of AI in ways that are just beginning to be understood.
Like all tools, AI can be used well and safely or poorly and dangerously. For example, just as a hammer can be used to drive nails and build something, you might accidentally smash your thumb while trying to build something. Or the hammer can be used to deliberately destroy or take things apart.
Using AI well and safely
WashU has provided guidelines for the safe use of the exciting new generative AI systems.
Key among the guidelines are:
- No one should put sensitive, confidential, or protected information into a public AI tool.
- Everyone should be careful to verify the output received from any AI tool, as they sometimes, even often, make mistakes or even hallucinate.
- Users should adhere to university, school, and department handbooks and policies.
To help with the first guideline, WashU has implemented a private version of ChatGPT, which can even be used with HIPAA data. For more information about AI at WashU, please go to https://it.wustl.edu/ai/.
But what about the AI menace?
Assuming we all use AI safely and responsibly, there is still the risk that others, especially cybercriminals, will use AI to advance their interests – namely, stealing from us. In the good old days, by which I mean 2 or 3 years ago, it was often easy to detect a phishing or spam message thanks to the poor English language skills of the scammers. While many scammers have been improving their skills for years, AI is now making this much easier.
Deep fakes will make this worse
Deep fakes, whereby someone’s image and voice are artificially replicated, have opened the possibility of malicious actors calling victims and impersonating a loved one. For several years criminals have made phone calls claiming to be police officers, attorneys, or health care providers requiring payment to help a loved one who is under arrest, in jail, or hospitalized.
These cons rely on hijacking people’s amygdala (part of the brain responsible for emotional responses) to get them to panic and send them money before they pause to think – or, as I say every month, to be “vigilant, skeptical, and a little paranoid.” Deep fakes could make this worse by presenting a credible audio and video interaction with the loved one, who would then make the plea for money.
The number one thing to do
Aside from always being vigilant, skeptical, and a little paranoid, the number one thing to do to prevent these kinds of attacks is to share a “secret code word or phrase” with your loved ones. Maybe even use different code words for different circles of loved ones.
For example, let’s say your family really likes fishing on Table Rock Lake. Your secret code phrase could be “Table Rock Lake.” If your favorite breakfast is French toast, well, there’s your secret code. Just be sure not to identify them on social media, and preferably don’t even email them to one another just in case someone’s email account is compromised.
Have secret codes with your boss and coworkers too
On February 2, CNN reported: “Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’”. This suggests that secret code words would be useful in work situations as well.
If you think you smell a phish, report it to the InfoSec team using the phish report button, and we’ll check it out for you. Better safe than sorry!
Call to action
Get together with family and your closest, trusted friends – those you would call in case of emergency – and agree on a secret code word or phrase. Don’t write it down; just make sure it’s easy to remember.
So, the next time someone contacts you claiming to be your family member in need, you can ask, “What’s the code word?” and if they don’t know it, they probably aren’t really who they say they are.
If you need help with any of these ideas, please contact the Office of Information Security at infosec@wustl.edu
Thank you for reading my column and for being a member of the university’s Information Security team!
Good luck, and be careful out there!
-Chris Shull, CISO