Audio dupes have been around since Kevin McCallister needed a hotel room in New York City, but voice mimicry is easier and more convincing than what was possible with a Talkboy in 1992.
Today’s accessible AI tools can machine-learn vocal patterns and offer realistic-sounding audio of, say, President Biden reviewing We Bought a Zoo, or a bunch of Presidents playing Battlefield 2042.
Many deepfake demos get laughs, but audio impersonation can also help scammers get cash, and some IT pros say companies should prepare for a, shall we say…phoicemail.
“Think of this as an early-entry attack vector in a persistent attack from an advanced attacker,” said Tim Callan, chief experience officer at the cybersecurity provider Sectigo.
Straight to voicemail. I hate to do this, but I’m on the road, working on a major acquisition. This is all hush-hush, but I need you to wire $300,000…
That’s an example, according to Callan, of what someone who sounds like your CEO might say in an audio-deepfake scenario. A seemingly urgent verbal message could also convince an employee to send company data or open a malicious email.
For now, such deepfake attacks are a “labor of love,” said Callan, requiring the collection of audio, construction of a message, and available tools that complete the impersonation.
The imposter option arrives just as AI tools like ChatGPT have helped phishers fix up their typos.
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected].
Got growth on the ? If you want to close bigger deals and take your org to the next level, turn your focus to your compliance game. And Thoropass’ new guide takes you through what it takes to become SOC 2 compliant, from implementation to post-audit.
Good information security hygiene is crucial for growing orgs, and SOC 2 is the compliance gold standard. Thoropass’ guide has your back as you prepare for audit, covering everything from time and budget to scope as you scale. In the guide, you’ll learn:
- the value of SOC 2 for your organization
- compliance requirements and how to prep
- how to maintain compliance as your org grows
Ready to kick-start your compliance journey? Check out Thoropass’ complete compliance solution in a demo and get $100.
Snag the full guide here.
MULTI-FACTOR AUTHENTICATION
Exactly how long does it take a hacker to brute-force a password? Depending on the strength, it’s between “instantly” and…two septillion years. (For those keeping track, that’s something like 146 trillion times the known age of the universe.)
That’s according to a recent report by password management and authentication firm Specops Software, which estimated how long an attacker would need to guess a password based on how many characters it has and how complex it is. Specops researchers modeled the findings on a theoretical attacker running the Hashcat password recovery software using an Nvidia RTX 4090 graphics card—the fastest gaming card on the planet.
At an MSRP starting at $1,599, the RTX 4090 is well out of the price range of most gamers, but it would allow a cybercriminal to crack many weak passwords. For example, the 4090 can crack passwords consisting of 13 separate single-digit numbers “instantly.” But since brute-force difficulty scales exponentially depending on complexity and length, the same 13-character password containing only lowercase letters would take six weeks. Take it to a mix of 13 uppercase and lowercase letters, and the time jumps to 995 years, according to Specops. A 13-character password consisting of mixed-case letters and numbers would take 10,000 years.
Single-celled organisms first appeared on Earth some 3.5 billion years ago. If those germs had an RTX 4090, they’d have cracked a 16-character password using numbers and mixed-case letters sometime during the early Cambrian period (500 MYA). But they’d still be working on a 17-character password made just of mixed-case letters, which would take another 4.5 billion years (assuming the Sun hadn’t already absorbed the Earth slightly ahead of schedule). And so on and so forth.
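The exponential scaling above can be reproduced with a few lines of arithmetic. This is an added example, not code from Specops or the article; it assumes an exhaustive (worst-case) search and backs the guess rate out of the “13 lowercase letters in six weeks” figure, since the article gives no rate directly. It also adds a policy helper that turns the same math around to ask how long a password must be to survive a given number of years.

```python
# Character-set sizes used in the article's comparison.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
}

SECONDS_PER_YEAR = 365.25 * 86400
SIX_WEEKS = 6 * 7 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords: charset size raised to the length."""
    return charset_size ** length


def crack_time_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace (expected time is about half)."""
    return keyspace(charset_size, length) / guesses_per_second


def rate_from_observation(charset_size: int, length: int, seconds: float) -> float:
    """Infer a guess rate from a known keyspace and the time it took to exhaust it."""
    return keyspace(charset_size, length) / seconds


# Assumption: the attacker's rate is inferred from the article's
# "13 lowercase letters take six weeks" data point (roughly 6.8e11 guesses/s).
ASSUMED_RATE = rate_from_observation(CHARSETS["lowercase"], 13, SIX_WEEKS)


def crack_time_years(charset_size: int, length: int, rate: float = ASSUMED_RATE) -> float:
    """Worst-case crack time in years at the assumed rate."""
    return crack_time_seconds(charset_size, length, rate) / SECONDS_PER_YEAR


def min_length_for_years(charset_size: int, target_years: float, rate: float = ASSUMED_RATE) -> int:
    """Smallest length whose exhaustive search takes at least target_years."""
    length = 1
    while crack_time_years(charset_size, length, rate) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"13 chars, {name:18s}: {crack_time_years(size, 13):>12.1f} years")
    print("digits needed to hold one year:", min_length_for_years(CHARSETS["digits"], 1))
```

Adding one character class (26 to 52 symbols) multiplies the 13-character keyspace by 2^13, which is why the jump from six weeks to roughly a thousand years is a change in kind, not in degree.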
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
Concerned about who’s on the other side of that Zoom call? Afraid it might be a sophisticated, real-time deepfake? You’re not alone.
Crypto projects were the subject of scams relying on the technology last year when hackers purportedly used doctored videos of Binance CSO Patrick Hillmann to get money from unsuspecting blockchain users. But those videos were manipulated after the fact, not in real time.
IT Brew asked experts at RSA ’23 in San Francisco this April about the potential for danger from the new technology.
Who are you? Deepfake technology isn’t yet so easily available that we’ll regularly be navigating real-time video interactions with impostors. But that day may be coming soon, as part of an ongoing social engineering approach deployed by threat actors looking to access identities and credentials.
It doesn’t mean that the technology doesn’t already exist, GitHub CSO Mike Hanley told IT Brew, nor does it mean that motivated adversaries can’t access it.
“You can get a pretty reasonable fake now of somebody interacting and speaking with you in real-time on a Zoom for a price that’s easy for admission for a bad actor,” Hanley said.
But the cost-benefit analysis doesn’t always work out, Proofpoint EVP of cybersecurity strategy Ryan Kalember told IT Brew.
“You would have to do something extremely custom and extremely expensive,” Kalember said.
Keep reading here.—EH
Comply with ease. Obtaining SOC 2 compliance is becoming a prereq for doing business as a SaaS or cloud-based company, but the process can be complex. Don’t risk losing a big deal. Get started with Thoropass’ SOC 2 Checklist—it covers everything you need to know about kick-starting your compliance journey. Get it here.
Today’s top IT reads.
Stat: 500,000. That’s how many downloads OpenAI’s ChatGPT got in its first 6 days. (TechCrunch)
Quote: “What took so damn long.”—one Twitter user’s reaction to a suit against Avid Telecom, accused of making more than 7.5 billion robocalls (Insider)
Read: How repealing a law against municipal internet in Colorado is inspiring communities to develop their own networks. (the Colorado Sun)
Join the club: Memberful’s software makes building membership websites easy. They handle the hard stuff (like integrating with tools and providing analytics) so your clients can create and you can relax. Start for free.*
*This is sponsored advertising content.