It’s Friday! We’d prank you, but April Fools’ Day isn’t until tomorrow.
In today’s edition:
Voice, over
Water wars
LastPass the buck
—Tom McKay, Eoin Higgins, Patrick Lucas Austin
Wanna know the hottest new way to pull off a bank heist? Call it “speaking and entering.” A reporter, Joseph Cox, was able to break into his Lloyds Bank account by tricking its automated phone service line with a machine-generated mimicry of his own voice, demonstrating how weak an authentication factor voice is in the era of AI.
According to the reporter in Motherboard, the process was simple: Cox created a voice sample roughly five minutes long and uploaded it to ElevenLabs, a generative AI company that creates ultra-realistic copies of people’s voices. After several attempts and a few tweaks, Lloyds’s voice ID system eventually accepted a fake clip of the reporter saying, “My voice is my password” as genuine.
The only other form of authentication necessary to get into the bank account was knowledge of the target’s birth date, information not exactly difficult to acquire. Although Cox had easy access to his own voice sample, Motherboard reported that it takes only a few minutes of a person’s voice to replicate it, which can feasibly be gleaned from an online clip.
Other banks, including TD Bank, Chase, and Wells Fargo, use a similar voice ID service, according to Motherboard. The clip was generated before ElevenLabs introduced features intended to cut down on abuse, such as requiring identity verification to access more powerful voice tools.
Lloyds told Motherboard in a statement: “Voice ID is an optional security measure, however we are confident that it provides higher levels of security than traditional knowledge-based authentication methods, and that our layered approach to security and fraud prevention continues to provide the right level of protection for customers’ accounts, while still making them easy to access when needed.”
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
The secret to closing and growing major customers isn’t much of a secret at all: Earn and keep their trust. But common knowledge isn’t common practice, especially when proving security and compliance can be time-consuming, tedious, and expensive.
Until you use Vanta. Their platform automates up to 90% of the work to get you to the most sought-after security and privacy frameworks (we’re talkin’ SOC 2, ISO 27001, and GDPR).
Plus, Vanta will grow with your business. As the first-ever enterprise-ready Trust Management Platform, Vanta provides one place to centralize security program management, automate compliance workflows, and build and manage trust with customers and vendors alike.
Now’s your chance to evaluate whether Vanta is right for your business. Start your 7-day free trial to see what their SOC 2 compliance framework and Access Reviews solution could do for your business.
The modern-day water wars are already here, and the feds want utilities to prepare. This month, the US Environmental Protection Agency (EPA) announced new rules that will require state governments to audit public water utilities for cybersecurity procedures and preparedness—and will allow regulators to force them to improve their security.
While the EPA’s new guidance is intended for immediate implementation, the agency is accepting public comment until May 31, 2023. An extensive checklist the EPA has distributed states that “potential significant deficiencies” can include everything from use of default or insecure passwords in operational technology, to inadequate vulnerability mitigation, to a lack of a named cybersecurity chief, separately stored backups, or incident response plan.
While federal officials have long fretted about the state of cybersecurity for the nation’s critical infrastructure, water supplies have been a point of particular concern, given that an attack could have immediate and widespread physical consequences on public water systems (PWS). In 2021, hackers allegedly deleted programs controlling water treatment at a San Francisco Bay Area plant, while another incident that year in Florida saw a threat actor attempt to pump dangerous amounts of sodium hydroxide (also known as lye) into a municipal water system.
In 2021, the Water Sector Coordinating Council conducted a survey of the US water and wastewater sector, finding that nearly 60% of respondents reported conducting cybersecurity risk assessments less than once a year or never, or did not know when one had last been conducted. Top challenges for the sector included minimizing control system exposure, risk assessment, vulnerability detection, identifying threats and best practices, and incident/emergency planning.
Over 42% of respondents said their utility had no cybersecurity component to their risk management plan.
Keep reading here.—TM
Last, pass, or grass—nobody hacks for free.
Password manager LastPass was breached last year in at least two separate instances, resulting in exposure of user information vaults. The company announced on March 1 that the attack went further and customer data is more vulnerable than previously reported.
LastPass initially detected a breach in August on an engineer’s corporate laptop that resulted in hackers accessing 14 software repositories and internal scripts and documentation. Then, later the same month, the attacker accessed a senior engineer’s home system.
“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022, to October 26, 2022,” LastPass wrote in a summary of the second incident.
Hackers used a Plex media server vulnerability, now being cited by CISA over its exploit potential, to infiltrate the senior engineer’s home system and access a corporate-controlled vault containing encryption keys to 30 million customer backups stored on AWS servers. Making things worse, the Plex vulnerability was a flaw that had been patched in May 2020.
“The LastPass employee never upgraded their software to activate the patch,” Plex told PCMag. “For reference, the version that addressed this exploit was roughly 75 versions ago.”
LastPass is also facing a class-action lawsuit over its handling of the breach, filed in Massachusetts in January. The lawsuit alleges that the company’s behavior exposed users not only to password insecurity but also to further attacks—they are “anxious and alert, as they are at a substantial risk of being bombarded with phishing emails and other scams,” the suit claims.—EH
Today’s top IT reads.
Stat: 1,100. That’s the number of AI experts and tech leaders who signed an open letter calling for a six-month halt to development of generative AI more powerful than OpenAI’s GPT-4 model. (Bloomberg)
Quote: “Databases are hard to manage, and people have taken the easy path: given lots of people admin privileges and hardcoded database credentials into their software.”—Mark Ryland, a director in Amazon Web Services’ Office of the CISO, on the complexity of database security (The Register)
Read: Google destroyed evidence and lied in court in an antitrust case brought by Epic Games, a judge found. (Ars Technica)
End to endpoint: Don’t let security lapses leave you vulnerable. With CIS Endpoint Security Services (ESS), you have the tools to identify, detect, respond to, and remediate endpoint issues in real time. Get started here.*
*This is sponsored advertising content.
- Unpatched versions of IBM Aspera Faspex, a file-exchange application, are falling victim to a vulnerability with a CVE severity score of 9.8 out of 10.
- Free AI models? Full of security flaws, experts say.
- Microsoft says the new version of the Teams app won’t be such a resource hog.
- Exxon’s climate critics just happened to be targeted by a corporate mercenary hackers-for-hire operation.