
Defeating Deepfakes

BSides KC · 30:52 · 33 views · Published 2024-05
About this talk
Companies that are not prepared for the evolving technology and capabilities of deepfakes risk compromising their security, IP, and corporate funds as threat actors expose a vulnerability in security practices. According to Business Insider, an employee of a Hong Kong multinational company recently remitted the equivalent of about $25.6 million, but it turned out to be a deepfake, according to local police. Deepfake social engineering has already occurred in multiple cases, leading to CEO dismissals and embarrassment for the company. With the upcoming 2024 election, experts expect usage of deepfake technology to increase exponentially. Threat actors will undoubtedly gain access to this technology at lower and lower cost, making the threat to businesses even more prevalent. In this talk, we will outline the ways companies can ensure they do not fall victim to these types of attacks by implementing low- or no-tech strategies, including training and awareness, but also a process of “trust but verify” to ensure procedures are in place that prevent employees from taking unilateral action based on a deepfake interaction. Ironically, this incredibly advanced AI threat can be defeated with a no-technology solution.
Transcript

wonderful wonderful don't

like president for. Well, thank you very much, I appreciate it. I did take the time and liberty to have President Trump introduce me today. Uh, just to summarize what he was going to say, uh, he said this presentation would be a huge, beautiful thing, uh, to say I know a lot about this topic, not as much as he does, because the deepfakes are used, you know, to impersonate people and it leads to a lot of fake news, which we don't like. Um, and man, I was recording that at like midnight last night in my closet because I was trying not to wake people up. Uh, so after all that work, we couldn't get it to work up here on the

screen, but that's all right. Um, you know, technology is, uh, always susceptible to failure, and that'll be a central piece of, uh, what I'm going to talk about today. So we'll just advance through this if we can. This doesn't even work, so would you, you know, thank you. Doesn't work? Yeah. Well, there we go. All right, here we go, there we go. All right, so this is me. We got a little bit of an introduction before, and, uh, so I did work for 10 years at the Central Intelligence Agency. I was an operations officer, uh, not bad for the Kansas City kid, right? Um, it was my job to go overseas, recruit spies, steal secrets, and,

uh, after 10 years I decided to come back here, to home, to Kansas City where I grew up. Um, I was a William Jewell graduate, and now, after 20 years in my career working in the private sector and government, I have come back to William Jewell as the Chief Information Security Officer and a professor of practice in our new cybersecurity degree, which we're starting in the fall. Uh, so this is me. Uh, and because we're apolitical here, we decided to pick on both presidents, so let's take a look at this, if it [Music] works. You fall down again. Oh, what are you gonna do? So, okay, I would urge you to, uh, to Google,

uh, yeah, what if you slow down the YouTube scen, they might be on just like times 30. It could be, and I appreciate that, uh, and thank you, thank you. I'm going to now triage this after the presentation, so if I ever present this again, uh, I'll know how to do it better again next time. But, you know, this is why we test. So, um, I would urge you to Google President Biden and the magic pistachio. It's 28 seconds of pure joy. So, um, that's fine, we can move

on. So the thing about deepfakes, and I presume most people know at this point a little bit about what deepfakes are and how they're used, um, can be both audio and video deepfakes. I was going to give you an example of both of those. The first one was an audio deepfake of President Trump, the second was a video deepfake of, uh, President Biden. So, yeah, great. And they are a lot of fun. Thank you, appreciate that. They are a lot of fun, uh, particularly when you can, you know, put other faces on other characters, and there's a lot of fun videos out there on YouTube, and, uh, I personally

enjoy the Sylvester Stallone in Home Alone, which is a great one if you have time, uh, because it's both his face and his voice, uh, for that, and, uh, they can be a lot of fun. Unfortunately, in the business world, um, they've now entered into a realm where they are a new form of business email compromise, and scammers, threat actors, bad actors, whatever you want to call it, are now using this technology, and have been for a few years, to extract millions of dollars from companies or extract sensitive information, sensitive IP, credentials, using that as a way to, uh, get inside a company and extract other items of value. And that's really scary, uh,

considering it's exceptionally hard for us to know at times when the person we're talking to, or even seeing on a video call, is real. In the case of the $25 million, that was a finance officer at a multinational company who joined a Zoom call and saw several of his colleagues on the call, and none of them were real. That's pretty scary stuff. And while that's not going to happen to most people every single day, the solution to defeat these things is something that everyone should know, not only because it's going to be helpful in defeating this type of attack, but it's also really good security and business practices, just to make sure we get things right. So we're

going to talk about that today, and I'm going to inject a little bit of my experience coming from, uh, 10 years as an intelligence officer, using some of the skills and strategies we used and how to apply it to this particular challenge, because the two things match up exceptionally well. So we're now seeing deepfakes as part of multiple scams or crimes, and it's only going to get more prevalent, uh, particularly when you think about disinformation. Uh, with an election coming up, experts are predicting that this election, uh, and the content that will be available to anyone who has access to a computer, is going to be, uh, more influenced, potentially more influenced, by disinformation than any other single

event in our history. So we have to prepare ourselves. Why do these things seem so real? Why is it that you get on a phone call and you think that whomever you're talking to, they sound like the person, maybe their intonation, uh, the words that they use, sounds like the person, but in actuality they're not? Because, I don't know about you all, I've played around with some of the deepfake applications that are free online, and some of them suck. I mean, they're terrible. Um, I originally thought, maybe, so I used to work for Elon Musk when I was at Tesla, I thought, well, I kind of know how he

talks, I spent a lot of time with him, I'm going to use Elon for this one. And it sounded like, sort of like Elon if he was helium out of a balloon. And while that may have personally given me a lot of joy to hear that, it wasn't going to necessarily portray the authenticity and accuracy of what I was going for. So I'm bummed about the President Trump piece, because it was pretty good. So how is it that technology like that, that we see where they just can't seem to get it right, is actually effective in extracting millions of dollars out of the company? The reason is, before anyone picks up the phone and

runs a deepfake impersonation on a target, they do a lot of homework. They have a tremendous amount of data, not only data that authenticates the person that they're impersonating, but they have data and information about the person they're targeting. And all of that is available because of the pervasiveness of our PII, of our lives, of our information on social media. Thanks to, uh, breaches and all the information that's available, it's not hard these days to research a target, to know them extremely well, and also to research and gather multiple clips of audio and, uh, also, uh, habits, uh, lifestyle habits about the individual they're impersonating. So that's the one problem, the first

problem, right? The second is there are specific AI algorithms used in these particular types of attacks that are specifically designed to authenticate quickly. And that's not what you see when you log into some of these programs online: you have to record your voice, you have to upload it, you wait in a queue, it processes it, and then it gives you your file. And that was perfect for my use case, I thought, this morning, but it's not how these things work when it's on the phone. It has to sound like you're talking to a real person in real time, and the technology exists to do that. The third problem is that these phone calls are targeting

individuals with someone at a very senior level who implores this person to act quickly because they're in a tight spot, they need help, we got to blow past protocols because I'm out here in the field right now, I'm taking grenades in the trenches, John, and I need you to, uh, I need you to get this money out here. So that was a Wedding Crashers reference, by the way, but okay. And so the, uh, he got it, thank you. Um, the, uh, the urgency creates stress. When we're under stress, we don't stop and think about what we're doing, and so this is kind of the perfect storm for these scenarios in

which they authentically will create, um, you know, the situations or conditions for this fraud to occur. There's also something just about human nature, and really this should be coming more from Dr. Stacy theer and our cyber psychologist than it is from me, but I borrowed a little bit of research, which still, it stood the test of time, uh, from Dr. Mehrabian in the 1960s, who analyzed how people interpret information when they communicate, and fundamentally 93% of communication is nonverbal. So when you get someone on a video call and they look and act authentically to the person you believe you're talking to, your brain is telling you to trust. And even if it's an audio call, your brain is still telling you to trust

because you're hearing the voice, it sounds authentic, they're using the words, they're telling stories, they can answer questions, and it all sounds like what we would expect. And that's also part of the problem. So I consulted the expert on these topics. I talk about fighting fire with fire, and ChatGPT tells us if we want to defeat audio deepfakes, we need to use a voice biometric authentication system. Um, the way those work is you take the audio sample, you run it through the algorithm, it runs a check on its databases, it tells you if it's authentic or good based on the sample set that it has, which ought to be predetermined. And unfortunately it doesn't work on a

phone call, because phone calls are in real time. So there are some great technology solutions out there. A lot of these are being used now in place of multifactor authentication: you're using your voice to authenticate. That scares me a little bit, because I think anytime you rely on a technological solution to defeat technology, you're opening yourself up for the possibility of the opposition's technology evolving faster than yours does. And so, again, I'm going to talk about how we strip that away and look for a solution that gets us past this challenge, and it is horribly simple when we really think about it. So, um, I think those who are not technologically sort of inclined, and I

know several people I work with that, you know, would still be using a flip phone if they possibly could, um, maybe even some of them are, and, you know, I like to rib them a little bit for that, but they may actually have the advantage here over those of us who are incredibly technologically inclined and look for technological solutions to lean on. Uh, in this case we have to go old school, and so I'm going to talk about thinking like a spy. Uh, it was not to my advantage when I was out in the field running an intelligence collection operation to be walking around with a smartphone in my pocket. Why is

that? What could you possibly, uh, be able to glean if you're a foreign intelligence service trying to track? Location, sure, mainly it's location, but for a lady who you're meeting with, with their signatures, yeah, absolutely. So smartphones were the enemy for me, and back when I was doing this, not everybody still had them, so you can kind of get away with that. This day and age, if you don't have a smartphone, you probably are a spy, right? And so even the agency has to evolve through these types of challenges to be able to, uh, think about how to defeat technology when you have to have technology with you to be authentic. But the real value in a solution like this is

that, uh, removing tech out of the equation isn't going to, has no implication for, at least, uh, unless any of you are engaged in some type of activity that we should talk about later. But, um, the way that we use authentication when logging in to systems, we use multifactor authentication, right? We have a token, we have an app, we get a text message, email, whatever you want to call it, and the same principle applies to what we are talking about here. Whenever that communication occurs where the threat actor is trying to impersonate, uh, an individual and lure a victim into, uh, sharing some type of information, the victim in that case, the

potential victim, can never move a transaction forward on that call. So we have to help them understand, by creating policies in our organizations and also training, on the fact that it's never okay to do this. And our leadership also has to know that it's never okay to call an employee and expect them to provide this type of information in a phone call without some type of verification or authentication. So I skipped down a little bit to number four, but every time one of these types of calls occurs, if the employee would just say, got it, hangs up the phone, waits 5 seconds, calls the person who just called them, not from the number they called

them from but the number that they are known to have, that's the first opportunity to authenticate. Now, that's not going to defeat a scenario where you've got SIM swapping involved and they're just going to answer the phone and expect that. So if you are really concerned about level of risk and problems, uh, face-to-face authentication is always the best. Uh, if that's not possible, then looking for alternative opportunities by contacting a boss, getting somebody else to try and find other ways to verify, just so you have a multi-person solution and not just putting that pressure on the employee to be the one to have to make that decision. Getting somebody else to say, yep, this is

authentic, we should do this. And again, I'm going to emphasize this because it's the most important piece of all of this: like most security solutions, it's not the technology, it's the person. And we have to train people to recognize potential situations that could create this type of risk and help them feel comfortable making that correct decision in the moment, even when someone is impressing upon them the sense of urgency. It's much more important to get this right than it is to get that cash transaction wherever it's got to go in 5 minutes. So what does this look like? This is right out of the pages of spy tradecraft. Person gets a phone call, they get

the ask, they end the phone call, and, you know, call the person back, the known number they called them from, or not they called them from, but the known number that they have for them. And this is where implementing a very simple set of, we call them oral paroles, but it's a code, it's a code that you have already predetermined that people know, and you got to change it. Just like an authentication token has to change every 30 seconds or so, you have to do it with these things too. But it's a simple code exchange: hey boss, I know you need this money, but I just wanted you to know that I'd love going to the movies after

work, and the boss should know: well, I don't have time because I'm always bicycling. Now, if the boss truly is always bicycling, bicycling is not a good code word. The thing is, exchanges like this make sense only if the person doesn't really do those things, because you don't want the threat actor to have researched their target and then is able to provide something authentic. So this may sound like it's kind of out of left field on a phone call where they're talking about exchanging funds, or they need credentials or something, and it's really time sensitive, and that's the point. It shouldn't make a lot of sense. It needs to be something that would catch them off guard, because while they

can answer questions, or may be able to answer certain questions, I don't like the idea of saying, well, if you're really my boss, you would know what you gave me for my birthday on whatever, whatever, right? Because maybe there's Facebook photos of that: here's me receiving this gift from my boss because I'm so happy and proud, and they would be able to answer that question. I also don't like asking them questions you know they wouldn't know the answer to, because a broken clock's right twice a day, right? So having established keywords with phraseology or something is kind of out of left field, but gives you the opportunity to exchange two known keywords. The keywords are movies and

bicycling. I don't care if you get that sentence perfectly right. "I love going to the movies after work": you might say "I'm really tired, I'm going to the movies now" because you can't remember that sentence. Doesn't matter what you say, the point is you use the word movies, and the point is the response could say "I can't go on B", it doesn't matter. What matters is that you hear those two words and that code is exchanged. Technology free, also free, which is nice, to find security solutions these days that don't cost us any money. But ultimately, going old school, injecting a bit of spy tradecraft, that can make you feel cool, that's fine if you want, but it's the way to go

and it's the way to get past these threats. It's not going to change the fact that they are going to continue to proliferate, to increase, but they will continue to target victims, they will continue to ramp up and act up, amp up their activities if they continue to be successful. So if we want to divert away from this type of a threat, we have to demonstrate that we're able to stop it. We used to think about protecting ourselves in the agency sort of this way: we know that we're never going to be an impenetrable target. There's always going to be some vulnerability somewhere, some piece of technology that will evolve, but the goal is to make ourselves a hard enough

target that it's not worth the time of that adversary and they go after somebody else who's a softer target. It's kind of like, how do you avoid being eaten by a bear? Other guy, just run faster than the slowest guy. That's sort of the mentality and the principle around protecting ourselves from deepfakes. Happy to discuss more, happy to talk offline. Um, here's my contact information, my LinkedIn information, please connect, we love it, would love to talk. Uh, also, if you want more information on what we're doing around cyber, uh, at William Jewell, please check out our website. Um, we proudly launched Hilltop Technologies yesterday, which is a cybertech startup located on campus at William Jewell for students to have

opportunities to work in a real cyber startup as part of their education. I'm really excited about that. Also, I want to thank sponsors who allowed this talk today and the opportunity for us all to be here. Um, thank you for having me, and happy to answer any questions. We have two or three questions. Questions? Questions? All right, yes. So we're actually something very similar to deep, but we're making a word of the day that we have them asked, like if the CTO calls me and tells me shut down a customer instance, I go, what's the word of the day? And from what you've described, uh, it feels it would be much more difficult to

get our employees to agree to two code phrases. Um, and I just, what is the reasoning behind them versus being upfront to say, what's the word of the day? Well, it's a really good question, and fundamentally it kind of depends on the level of risk and how much you're willing to invest in security measures to protect what you have to protect, and what the threat level is too, right? How do you communicate the word of the day to your employees? Uh, we have SL, uh, general channel every day. So the problem I would see, and by the way, I don't mean to critique this, because you're stepping up the game more than most others, which is

awesome, so you're in the right direction. I think you have to think about, anything that is password related that's communicated digitally within your company is susceptible to being acquired if anyone is compromised, right? So I could easily authenticate with that word of the day. But if I have trained my team on a passphrase that's not communicated in IC channels, then it's really, uh, it's a little more safe, it's kind of a step up. Because what you're looking for is a handshake. One word is only authenticated on one side, so you want each side to have their own word, because that creates the handshake for trust. So that's the difference, that's why it's a little, yeah, it is more,

you're right, and what's beyond security, the more security we have, the more inconvenient it is. Um, we just kind of know that, but you have to avid the risk and decide. And so again, the lowest tech is, when you have your team meeting once a month or whenever you have it: hey, just reiterating, this is our handshake, and keeping it off of your email or your digital channels. Great question, good work, that's awesome you guys are thinking about that. Sir? So I recognize what's done with the challenge response, you know, hanging up the phone, calling them back, that maybe is the fact that potential vulnerability. Another is, you know, the challenge response with the phrase, but

when you're talking about doing that outside of the organization, say a service provider with their own customers, do you have any ideas about how might go about 7 something like that? Well, so, you know, a lot of service providers have the security questions, right? And so those are sort of, that's, you know, my go-to in that situation would be your service provider, that you ensure you've got security questions with your customers, right? If that system is compromised, obviously that's going to be a problem. If that's compromised, you also have bigger problems, right? And that's the issue is a lot

ofice, yeah, yeah, understood. So the security questions can be a little bit more creative than just, uh, what's your favorite pizza, right? So I would be stepping up our game in that respect, so that we think about things that you see the person, we know that they're not necessarily going to be broadcasting as a hobby, as an interest, as a, you know, a month of significance. When did you meet your spouse? There's only 12 possibilities, right? That, that trained by organ, yeah. So the question is how were you doing that from an intelligence capability, you were authenticating with outside organizations. And you have to remember that those organizations have extremely secure channels of communication where those things are

exchanged, and they have the ability to authenticate. So when you get in the field and you exchange something for validation and authentication, um, the chances that that would have been electronically compromised are extremely low because of the level of security that those entities rely on. It's not impossible, but it's also fairly trusted. So this, do you have any thoughts, with your experience being government, um, and a reflection here on regulation of deep things, really social media, like a lot of us meting both work at the level of, um, insider threat and the types of r, but we do see a lot of AI generated imagery, both video andil, on my Instagram, etc., TikTok, yeah, um,

anything that we want to share, your thoughts or opinion on that, a regulation one TR marus? Wow, it, so super important question and really easy for me to say we need more, well, we need regulation, period. Um, so the governments are always behind technology on these things, the private sector's always faster, and the bad guys are going to do it no matter what anyway. Um, I think the regulation is really important, and also, um, you know, the service providers, the platforms that are hosting these things, have the ability to implement technologies that can validate the authenticity. I think that's where regulation can occur. So YouTube, right, if they're going to post a video, needs to

run that content through AI authentication system, and if there's flags or problems, needs to go back to that poster and ask some more questions first before they allow to post that content. That's just going to get into other forums and other places, right? Um, but most people don't go to dark web forums to get their insight or intel. Well, most people outside of this room, right? Okay, know your audience, first thing about presenting. Um, but most people are getting their information from social media, and those entities absolutely have the technology, the engineering force power, and the intellectual capital to create those types of solutions. And so I think, one, it would be great if they just all sort of

did the right thing, um, but the government could lean in there to mandate some of those technologies be used, because at least it would keep it out of the majority of the public's view, which is obviously the targets and who's more susceptible, as the f, you can't say you have to go through mandatory training and learn how to do these things. So that's my thought, but I would love to think more about that and probably talk a little more thoughtfully. So thank you for the question.