We’re receiving calls from our cybersecurity customers when the IT Team discovers that ordinary users have given third-party applications access to all their organization’s files, email messages, calendar events, Teams chats and channels, and other data.

How can ordinary users have that much power?

By default.

Situation: This configuration affects most companies. While the default settings for your Microsoft 365 system allow your users to approve third-party access, Microsoft recommends the following more restrictive settings to increase security.

The Risk: Without this setting, workers may override protections without oversight and allow any application to access your company data, create and delete files in SharePoint and OneDrive, read and send email messages, edit calendar events, access and modify Teams chats and channels, update user profile information, and perform other tasks. While some applications might need this level of access, it must be granted only after the appropriate authorities, including your IT Team, thoroughly consider it.

Reality Check: This setting catches many IT Teams by surprise. Microsoft is updating its security controls quickly, and it is nearly impossible for IT Teams to keep up with the changes. And when defaults promote ease-of-use over security, like this one, your systems can become at risk quickly without the team realizing it. Know that your IT Team’s level of expertise can be excellent, and situations like this sneak up on them anyway.

Urgent Quick Verification: Your IT Team can quickly access the Microsoft Entra admin center > Enterprise applications > Consent and permissions > User consent settings. There are three options:

• “Do not allow user consent.”
• “Allow user consent for apps from verified publishers, for selected permissions.”
• “Allow user consent for all apps” (the current risky default value)

Update If Necessary: Microsoft recommends you select “Allow user consent for apps from verified publishers, for selected permissions.” Different organizations have different data access needs. Your IT and compliance teams must determine the appropriate level for your situation. Smaller organizations might choose the first option if they don’t want users to expose data to third-party applications without checking with the IT team. Larger organizations with more complex needs often prefer the middle option with careful permission management to take some of the workload off busy IT professionals while providing protection.

Next Step: Your Administrators will also need to specify which permissions are low-impact, as detailed in Microsoft’s article “Overview of user and admin consent.”

Facilitate the Approval Process: Your team can optionally set up an admin consent workflow that users must follow when they want to provide permissions.

Forward this to your friends who are executives at other organizations so they can give their teams this heads-up, too.

The post Executives – Any User Can Accidentally Expose All Your Data Unless IT Changes This Default Setting appeared first on Foster Institute.

AI models are trained to align with human values and never tell people how to cause harm. This is called “AI Alignment” training. New research reveals advanced AI models can give answers that demonstrate harmlessness during training and testing, only to drop the “harmless” act while operating in the real world. This doesn’t mean AI will hurt us all soon, but it raises serious concerns about whether the models are actually aligned with human interests.

To score well on your exams, did you ever choose answers you knew the professor wanted, even if you disagreed? Surprisingly, advanced AI systems seem to have developed a similar capability, giving fake answers to match what trainers want during AI alignment training. Scientists at Anthropic, an AI company valued at $18 billion and backed by Amazon and Google, explored this phenomenon in their paper “Alignment Faking in Large Language Models” in December 2024.

But hold on; those two paragraphs are written from the perspective that AI is like a human. It is essential to remember that AI models don’t have intentions or motivations like humans do. The observed behavior is not a conscious decision to deceive humans but results from the training process. Rest assured that scores of people are working on solving this problem and keeping AI results “safe” for humanity. When alarmist people predict AI will get out of control, it is more that our programming is flawed; most of us do not believe AI is making conscious decisions.

For businesses using AI tools, this means, from now on, to use AI responsibly, you must evaluate AI answers in two ways:

1. As always, check if the AI is hallucinating and giving wrong information accidentally
2. And now, pay attention to whether the AI’s responses align with your values and safety guidelines

The research published in the aforementioned article suggests that in regular conversations when AI doesn’t “think” it is being trained or tested, it’s more likely to give straightforward responses based on its core training.

Unfortunately, the discovery that advanced AI has evolved to give fake answers gives skeptics another reason not to trust AI.

As AI becomes more powerful, business leaders must be cautious and aware of risks as well as benefits.

My speeches about AI have focused primarily on its benefits. I’m creating new presentations about managing the emerging AI security risks that responsible business leaders must consider.

As AI becomes more powerful, business leaders must be cautious and aware of risks and benefits. At least I know my dog isn’t lying to me… I hope.

The post Your Advanced AI Models Are Now Learning to Give Fake Answers appeared first on Foster Institute.

To combat this, Apple’s iOS 17.3 introduces “Stolen Device Protection”. Here’s why activating it is crucial:

1. Face ID/Touch ID Requirement: Your iPhone will require your Face ID or Touch ID to turn off lost mode or erase the phone.
2. Time-Delay Security: Changes to your Apple ID password, iPhone passcode, and key settings now have a one-hour delay.

Settings for Theft Protection:

• Quick Tip to find specific settings: Open Settings, swipe down slightly, and use the search box that appears at the top. You will find all of the settings in bold text by searching in Settings:
• Software Update: iOS 17.3 enables Stolen Device Protection.*
• Backup: Check your backup status by searching for Backup in Settings.
• Use Face ID or Touch ID so potential thieves won’t see you enter your passcode.
• Activate Stolen Device Protection:This is the new setting that spurred me to write this blog for you
  
• Ensure “Find My” is enabled on Apple devices. Use iCloud.com/find or the Find My app to be sure tracking works.

Other Essential Steps:

• Have alternate login methods for resetting passwords for apps and websites that use multi-factor and two-step logins.
• If you use authentication apps, ensure you configure ways to generate codes or recover keys if you lose or erase your phone.

If Your Phone is Stolen:

• Act Fast: Use iCloud.com/find or the Find My app to enable “lost mode” and track your phone.
• Consider Carrier Notification: They can disable phone calls and cellular data but might limit Find My functionality.
• Device Erasure: If you have backups, and ways to recover keys in authentication apps, use Find My to erase your device to help prevent data access.
• Password Resets: If not erasing your phone, consider resetting passwords for critical accounts if passwords are stored on the phone or if apps login automatically.

As always, threat actors will seek ways to bypass this protection. As of now, this feature is a huge leap forward to protect an iPhone and iPad from thieves who see the passcode. Congratulations, and thank you, Apple!

*If your phone or tablet is too old to update to iOS version 17.3 or newer, see https://fosterinstitute.com/be-prepared-know-the-impact-of-iphone-theft-and-what-to-do-right-now/. for recommendations.

Note: Testing the Stolen Device Protection feature at home may not work, as Apple devices might waive the strict requirements in familiar locations like home or work. You can read all of the details about Apple Stolen Device Protection for iPhone here: https://support.apple.com/en-us/HT212510

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Safeguard Your Apple iPhones and iPads: Activate the Latest Theft Protection Setting Now! appeared first on Foster Institute.

–> ONE: Ask your IT team, “Do we still have Microsoft Exchange Server email software installed anywhere?”

If they answer affirmatively, even if they’re already moving to the cloud, you must continue:

–> TWO: Ask them, “What can I take off your plate or postpone so that you can immediately test and deploy the patches to the Exchange Server right now?”

Essential: Applying security updates to your Exchange server does not resolve the issue if your organization is already compromised. There might be a small program on your system quietly waiting for an attacker’s commands.

To help determine if you are already compromised: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log

If your team cannot update immediately, send them here: https://github.com/microsoft/CSS-Exchange/tree/main/Security

–> THREE: Say, “The emergency is too great to postpone. Later, let’s discuss the pros and cons of moving email to the cloud.”

Pros include eliminating one server and associated headaches. Often, online email is better for remote workers too. But you could lose some integration features you have now, for example, an on-site phone system tied into Exchange. Because saving money and streamlining is essential, online Exchange is often less expensive.

The blog posting https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log has a plethora of other information and guidance for your team related to the updates. Some organizations are experiencing errors after applying the security updates. For example, some learned they must install the updates from an elevated command prompt window. Microsoft provides more guidance:

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459

The post Three Essential Questions to Ask Your IT Team Today Because of the Massive Exchange Attack appeared first on Foster Institute.

A little background information helps explain what is going on: Every device connected to a network has a serial number, called a MAC address. That address is how the network identifies the device and differentiates it from all the other devices on a network. As you can imagine, networks need to know what devices are connected. Think of what might happen if the network thought your computer was a printer. Printer paper might not come shooting out of your keyboard, knock over your coffee or smoothie, but you get the idea.

Because the MAC address uniquely identifies you for everyone else, think of the MAC address as a fingerprint for your device. Potentially, an advertiser, or someone in a public place, could use your fingerprint, in this case, your device’s MAC address, to track you, your activities, and what networks you use.

Apple, Google, and Microsoft want to help protect your privacy, so they might periodically change the MAC address on your computer to a different address. The new behavior strives to help keep you more anonymous on public networks at hotels and coffee shops. However, randomly changing MAC addresses can break essential security features, including:

1) As my friend did, you might start receiving alarming alerts that another person connected a new device to one of your websites or accounts. The warnings are concerning until you realize it is your computer reconnecting with a new unique index. After a time, you might ignore the alerts. But then you won’t know if a real attacker broke into your account with some other computer, tablet, or phone.

2) Parental controls at home fail if the safety restrictions are unique for each family device. When a youngster disconnects and reconnects to your network, sometimes they are no longer protected.

3) Your company keeps an inventory of your computers, tablets, and phones. It is challenging to keep the list current when your IT team must track three times as many devices as you have.

How do you solve this? It is possible to disable the randomization feature, but it takes time to reconfigure. Time is a precious commodity for you and your IT team too. An example of how to disable the behavior on iPhones, iPads, and Apple Watches: support.apple.com/en-us/HT211227

However, your employees or kids could change the feature back again to help them hide on your networks.

The answer to my friend’s question is that if the website tells you a date, time, and location of that person’s login, and you know you weren’t logging in from there at that time, yes, you need to be concerned. Otherwise, your experience may be because your device is disguising itself from the website. Disable the randomization feature, and the problem might go away.

Please forward this to your friends so that if they, or their IT team, cannot figure out why some of your security features are breaking, they will know to suspect their devices are rotating through MAC addresses.

If you want more technical details, a network identifies your device with an index number called a MAC address when you connect. There are more than 280 trillion possibilities for a MAC address; the odds are that nobody you know has the same number as your device. The first half of the number identifies the manufacturer; that makes it easier to find unidentified devices on a network.

Other problems you’ll notice because of rotating MAC addresses include:

4) Security tools at the office fail to work if the security tools rely on associating users with their computers, tablets, or phones. This problem affects both BYOD and company-issued devices.

5) IT Professionals can configure necessary reservations for computers, tablets, and phones. Those reservations are based on index numbers. When the index changes, the reservation stops working, and systems can fail or lose security.

6) Your websites will forget you. Some sites have a feature to Remember This Computer, so you do not need to go through as many steps each time you log in. The sites identify your devices by their index numbers. Your device will need to be re-remembered when your index changes.

MAC addresses look like FF:FF:FF:FF:FF:FF:FF:FF where each value I listed as F can be a hexadecimal digit 0,1,2,3,4,5,6,7,8,9, A, B, C, D, E, or F. If you know where to look, your phone, tablet, and computer can tell you the MAC addresses of each network interface.

The new behavior is causing lots of frustration in the cybersecurity world. This battle isn’t over yet.

The post Your Phone, Tablet, and Computer Started Hiding You – and How to Overcome the Associated Problems appeared first on Foster Institute.