AI Risk, Inc. December 2024 Newsletter
Top AI News
Nvidia's AI Audio Model: Nvidia introduced Fugatto, an AI model capable of modifying voices and generating novel sounds, targeting creators in music, film, and gaming. The company is deliberating on its public release due to potential misuse concerns. Their stock reached an all-time high in November before retreating.
Development of Llama 4 AI Model: Meta is training its forthcoming Llama 4 AI model using a “record-breaking” cluster of 100,000 Nvidia H100 GPUs. While OpenAI has not publicly revealed their training cluster size, it is likely similar to the Meta announcement.
OWASP on Gen AI Cybersecurity: On November 19, 2024, the Open Worldwide Application Security Project (OWASP) updated its Top 10 Risks for Large Language Model (LLM) Applications, reaffirming prompt injection as the foremost security concern. This update reflects the evolving challenges in securing LLM applications.
Chinese Hackers' Telecom Breach: A Chinese hacking group, Salt Typhoon, infiltrated the US phone network, accessing mobile phone conversations nationwide, including unencrypted texts and calls.
Andrew Tate's Platform Hacked: Hacktivists breached Andrew Tate's educational platform, The Real World (TRW), leaking user data and disrupting a livestream. TRW operates on its independent platform with proprietary servers, payment processors, and apps, emphasizing self-reliance and resilience.
Canadian Publishers Sue OpenAI: A coalition of Canadian news publishers filed a lawsuit against OpenAI, alleging unauthorized use of their content to train ChatGPT without permission or compensation.
Upcoming Event
Join us on December 5 at 2 PM ET for the "Onboarding Artificial Intelligence" webinar presented by GraVoc.
Founder and CEO of Artificial Intelligence Risk, Inc. Alec Crawford speaks on essential AI risk management, governance, and compliance strategies to accelerate safe AI adoption.
To learn more and register, click here.
Feature: Zoom Potential Privacy Pitfalls
For those who do not remember, in March 2024, Zoom tried to change their policy so they would be able to use your content. Of course, an outcry and broad rebellion of users forced them to backtrack on this quickly, but this was an instructive event. This brings us to our next question: what are the current privacy and cybersecurity pitfalls we as users, technologists, and cybersecurity professionals need to be aware of? My disclaimer is that I have garnered these facts from Zoom’s own website and other sources I believe to be reliable. They (or we) could be wrong, and of course some of what we discuss here is opinion around risk management. Here are the key themes:
Encryption: You need to ask Zoom to encrypt your data. It is not automatic.
Privacy: There are other Zoom privacy issues, including Zoom employee access.
Data: Transfer of data to other apps, including AI apps, may not be encrypted.
Governance: Access to Zoom recordings, transcripts, summaries, etc. may default to a pretty broad group of users. Cautionary tale.
Better: Video meetings on Teams hosted in your Azure private cloud. We discuss.
Be Aware: Zoom Encryption Is Not Automatic
To wiretap your phone, the US government needs a warrant for you or the other person you are speaking to. Yet, software service providers can use your data simply by changing their Terms of Service (or an employee checking the wrong box)!
Zoom updated their Terms of Service to grant themselves rights to use certain customer data for purposes like AI training on March 31, 2023. This change sparked concerns that Zoom could use user-generated content, such as meeting audio and video, without explicit consent. In August 2023, Zoom clarified that it would not use such content for AI training without user approval. The company emphasized that explicit customer consent would always be required for such purposes.
Zoom may not be encrypting your content at rest or in motion. Zoom offers an option to encrypt your data on their storage using a Customer Managed Key. To do that, you must sign up for it and provide said key. I cannot tell you this is perfect, but it is certainly a step in the right direction. See our 4 easy steps below.
4 Easy Steps to Encrypt Zoom Stored Data
Ensure Prerequisites: Verify that your organization has a Zoom Enterprise account and that you possess account owner or admin privileges. Additionally, you'll need access to a supported Key Management Service (KMS) provider, such as Amazon Web Services (AWS) KMS, Azure Key Vault, or Oracle OCI Vault.
Set Up Your KMS: Within your chosen KMS provider, create a symmetric encryption key designated for encrypting data stored in the Zoom Cloud. Ensure that the key is configured correctly and that Zoom's Key Broker service has the necessary permissions to access it.
Enroll the Key with Zoom: Log in to the Zoom web portal and navigate to the "Advanced" section, then select "Security." Under the Customer Managed Key section, click "Add Key" and provide the required information about your encryption key, including its Amazon Resource Name (ARN) or equivalent identifier.
Assign CMK Licenses: After enrolling the key, assign CMK licenses to the users whose data you want to encrypt. This can be done through the "User Management" section in the Zoom web portal by selecting the appropriate users and assigning them the CMK feature.
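A check to run on the step 2 key before enrolling it, as an added example that is not from Zoom or from this newsletter: it audits an AWS KMS key policy so the external key broker holds only data-encryption operations and no other outside principal can use the key. The broker ARN, account IDs, sample policies and the list of allowed broker actions are constructed assumptions; take the real values from the vendor's Customer Managed Key documentation.

```python
OWN_ACCOUNT = "111122223333"  # placeholder account ID
BROKER_ARN = "arn:aws:iam::999999999999:role/example-key-broker"  # placeholder

# Assumption: the operations an external key broker needs. Confirm the real
# list in the vendor's Customer Managed Key documentation.
BROKER_ACTIONS = {"kms:Encrypt", "kms:Decrypt",
                  "kms:GenerateDataKey", "kms:DescribeKey"}

def as_list(value):  # policies allow a single string or a list
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy, broker_arn=BROKER_ARN, own_account=OWN_ACCOUNT):
    """Return findings for Allow statements broader than the intended grant."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        actions = as_list(stmt.get("Action", []))
        for arn in arns:
            acct = arn.split(":")[4] if arn.startswith("arn:") else arn
            if arn == "*":  # a wildcard is only tolerable when a Condition narrows it
                if "Condition" not in stmt:
                    findings.append(f"{sid}: any AWS principal can use the key")
            elif arn == broker_arn:
                extra = sorted(set(actions) - BROKER_ACTIONS)
                if extra:
                    findings.append(f"{sid}: broker also granted {', '.join(extra)}")
            elif acct != own_account:
                findings.append(f"{sid}: unexpected external principal {arn}")
    return findings

def statement(sid, principal, actions):
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": actions, "Resource": "*"}

def policy(*stmts):
    return {"Version": "2012-10-17", "Statement": list(stmts)}

ADMIN = statement("Admin", {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}, "kms:*")
WEAK_POLICY = policy(ADMIN,  # constructed: broker gets kms:*, key open to all
                     statement("Broker", {"AWS": BROKER_ARN}, "kms:*"),
                     statement("Open", "*", ["kms:Decrypt"]))
FIXED_POLICY = policy(ADMIN,  # constructed: broker limited to crypto operations
                      statement("Broker", {"AWS": BROKER_ARN}, sorted(BROKER_ACTIONS)))

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_key_policy(pol))
```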
Oops: Zoom Employees Can Access Your Data?
While Zoom employees are not supposed to access user data without permission, they apparently can access the data, which opens the door to illicit access: “Zoom employees do not access or use Customer Content without the authorization of the hosting account owner, or as required for legal, safety, or security reasons.” What does that process look like? Is there an immutable record of employee access to customer data? Is it possible for Zoom employees to sample live videos for “quality control” or other purposes (where encryption may not work)?
If sensitive data is accessed and used by a third party to “tip” or make illicit stock trades, that would be a huge potential scandal (e.g. revealing material non-public information at a company or investment bank). Large organizations that traffic in confidential information should be engaging Zoom and their other communication providers to answer these questions to their satisfaction.
Cautionary Tale: Zoom Recording and Transcript Governance
So, we heard a story earlier this year about a Board meeting recorded on Zoom. While many people were on the call the entire time, others were on for only brief portions of the video meeting. People in a Zoom meeting where a transcript is being made can copy it at will during the meeting. After the meeting, the owner typically needs to grant people permission to get the transcript. Nevertheless, in this case, apparently everyone who even briefly appeared on the call was able to access the entire transcript. The (possibly apocryphal) story is that an executive who appeared earlier in the meeting received the entire transcript and was able to read about the Board’s discussion (after he left the meeting) about a plan to fire him in the near future.
Clearly, governance around transcripts and recordings is important. For example, one tactic we recommend is that the “owner” of the meeting gets access to the recording and transcript and then can decide who needs it.
More Secure: Teams Video Meetings in Your Azure Private Cloud
Keeping as much as possible inside your firewall and encrypting it reduces risk, especially versus third-party application storage and transfer of unencrypted data. Here are our recommendations to get the most security out of Teams video meetings hosted in your Azure private cloud:
Enable End-to-End Encryption (E2EE): Protect meeting content by ensuring video streams are encrypted and accessible only to authorized participants.
Use Meeting Access Controls: Require authentication for attendees, enable lobby settings, and generate unique links for each meeting.
Limit Recording Access: Restrict recording permissions to essential participants.
Update Regularly and Monitor Systems: Apply security patches to Teams and Azure components while using Azure Monitor to detect vulnerabilities or suspicious activity.
Restrict File Sharing During Meetings: Limit file sharing capabilities to trusted users and scan all files with security tools.
Nothing is perfect. Nevertheless, one of the most secure video meeting options easily accessible to businesses today is hosting Microsoft Teams in an Azure Private Cloud. Teams benefits from Azure’s comprehensive security framework, including data encryption, identity management, and DDoS protection. Even so, the onus is on the user to understand and mitigate communication, recording, transcription, and data storage risks via choice of software, location, configurations, policies and other risk detection and mitigation strategies and tactics.
Copyright © 2024 Artificial Intelligence Risk, Inc.