A breach of a pet app yields more than just steps taken and butts sniffed. Compromised passwords and locations can be a treat for hackers going after humans.
An early 2023 study demonstrated a clear difference between precautions taken with general online use and precautions taken with pet technologies—a concern for researcher Scott Harper, who sees animal trackers as a source of potential hacks for the owners, ranging from password compromise to location revelations.
“I don’t think when you’re buying a GPS device to keep your dog safe, you’re thinking too much about your own privacy and safety concerns,” said Harper, a postgrad student at Newcastle University, who conducted the study with colleague Matthew Leach, alongside Royal Holloway academic Maryam Mehrnezhad.
Pet apps, often worn on the animal’s collar, provide a Fitbit-like set of activity information, like location, barking, and wandering.
The survey showed that end-user security practices, like using complex passwords and multi-factor authentication, are less present when employing pet tech.
- Generally, 373 of the 593 respondents reported using unique passwords. Only 153 admitted to using unique accounts with pet tech.
- Of the surveyed, 514 said they typically deploy strong passwords. Only 245 had them with their pet-app trackers.
A compromised password, like “dog123,” becomes a bigger problem if that’s also a password to another account that a hacker might want access to.
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected].
Y’know the old saying, “It’s not the destination, it’s the journey”? Believe it or not, you can say the same about cybersecurity. Because protecting your tech from data breaches and malware is a long, exhausting voyage—and you’ll need a map.
CIS Secure Suite is here to help. They’ll show you how to create a plan of action by combining an assessment of current capabilities and gaps with a short- to long-term vision for integrating security practices.
CIS Secure Suite’s road map is built on these four steps:
- Know your needs.
- Align to a framework.
- Implement your road map.
- Review, revise, and repeat.
And through April 30, you can get up to a 20% discount on a new CIS SecureSuite Membership using promo code CYBER2023.
Prepare for the journey.
AI devs are being stymied by an industry-wide shortage of GPU capacity at server farms, The Information reported, with Amazon Web Services, Microsoft, Google, and Oracle all limiting access.
AI development is heavily dependent on graphics processing units (GPUs), which offer parallel processing that helps power through machine learning workloads at greatly accelerated rates. Chipmaker Nvidia, which historically specialized in GPUs for gamers, is now the dominant player in manufacturing them for server farms.
According to The Information, current shortages may be driven not by supply-chain issues, but by chipmakers not having anticipated the gold rush on AI development. Erik Dunteman, CEO of GPU server startup Banana, told the site that the situation is exacerbated by large cloud providers’ practice of renting the servers out on an always-on basis. This ensures access to customers, but means many GPU servers are sitting idle during client downtime.
“It is literally not possible to get access” to the necessary servers “unless you have some existing contract with [major cloud providers] or you’re pre-paying for it,” Yasyf Mohamedali, Root Ventures engineer in residence, told The Information. Naveen Rao, CEO of AI software firm MosaicML, told the site that wait times for servers from the major cloud providers are now measured in months.
With capacity at the big players restricted or unavailable, some companies have turned to startups specializing in renting GPU server time. Representatives for three of those firms—Lambda Labs, RunPod, and Crusoe—told The Information they were all close to capacity, with Lambda Labs CEO Stephen Balaban saying the company plans to spend the entirety of the $44 million it raised in recent funding rounds on GPU purchases.—TM
Hacker groups from Iran and the DPRK are believed to be behind a recent spate of job offer hacking attempts, according to two new reports from Mandiant and Secureworks.
The hack attempts, which were both reported on March 9, appear to be aimed at either targeting dissidents and their allies, in the case of the suspected Iran attacks, or at general espionage, in the case of the suspected DPRK attacks.
Suspected Iran attack. A threat actor or actors posing as an Atlantic Council worker named Sara Shokouhi targeted Middle East analysts in late February, asking them to help with a report. No one named Shokouhi appears to work with the Council, however, and the photos used in the profile belong to a tarot reader based in Russia.
Analysts from Secureworks believe the Shokouhi account is part of Iranian threat group COBALT ILLUSION. The group’s tactics include using messaging platforms and sending links and documents to build trust before sending malicious phishing code that allows them to access email, social media, and other online systems.
Suspected DPRK attacks. Unlike the suspected COBALT ILLUSION attacks, which target dissidents and political enemies, attacks from the DPRK-based UNC2970 group have recently targeted media organizations in the US and Europe and at least one US-based technology company.
According to Mandiant researchers, the attackers used LinkedIn to establish contact with prospective job-seekers. Once they made contact, threat actors sent job postings embedded with malicious code.
Solutions. As always, preventing such attacks starts with the basics of security hygiene. Multi-factor authentication and a baseline of reasonable doubt when interacting with third parties are a good starting point. IT teams should review security procedures and ensure that staff understand the dangers of unsolicited contact.—EH
TOGETHER WITH PALO ALTO NETWORKS
Implicit trust is out. Cybersecurity’s traditional “trust but verify” model won’t cut it against modern bots and malware. The new and improved replacement? Zero Trust, a system that continuously audits and maintains a strong security posture, leaving no chance for threats to circumvent. Don’t just trust us—check out the guide.
Today’s top IT reads.
Stat: 58%. That’s how much cybersecurity venture funding has dropped between Q1 2022 and 2023. (Crunchbase)
Quote: “We want them to just show up and grab stuff.”—Danish Kurani, who teamed up with Google to design a STEM lab for teens (Fast Company)
Read: Swatting-as-a-service adds a troubling challenge for law enforcement and 911 responders. (Vice)
- Hackers are facing off with Western Digital.
- Cobalt or go home. Apple says its batteries will use a recycled version of the metal by 2025.
- WhatsApp announced device verification and other security features.
- Microsoft reveals how threat actors are going after tax professionals.