In a write-up shared this month via Microsoft’s GitHub, Benjamin Flesch, a security researcher in Germany, explains how a single HTTP request to the ChatGPT API can be used to flood a targeted website with network requests from the ChatGPT crawler, specifically ChatGPT-User. This flood of connections may or may not be enough to knock Read more about ChatGPT crawler flaw opens door to DDoS, prompt injection[…]
Text-generation large language models (LLMs) have safety measures designed to prevent them from responding to requests with harmful and malicious responses. Research into methods that can bypass these guardrails, such as Bad Likert Judge, can help defenders prepare for potential attacks. The technique asks the target LLM to act as a judge scoring the harmfulness Read more about Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability[…]
New research from Anthropic, one of the leading AI companies and the developer of the Claude family of Large Language Models (LLMs), has released research showing that the process for getting LLMs to do what they’re not supposed to is still pretty easy and can be automated. SomETIMeS alL it tAKeS Is typing prOMptS Like Read more about JailBreaking AI still easy, can be done with StRanGe CaSINg[…]
Chinese tech company employees and government workers are siphoning off user data and selling it online – and even high-ranking Chinese Communist Party officials and FBI-wanted hackers’ sensitive information is being peddled by the Middle Kingdom’s thriving illegal data ecosystem. “While Western cybercrime research focuses heavily on criminals in the English- and Russian-speaking worlds, there Read more about Chinese scammers, criminals and businesses are exploiting its surveillance state[…]
America’s top cybersecurity and law enforcement officials made a coordinated push Tuesday to raise awareness about cyber threats from foreign actors in the wake of an intrusion of U.S. telecom equipment dubbed Salt Typhoon. The hackers are linked to the Chinese government and they still have a presence in U.S. systems, spying on American communications, Read more about In massive U-turn, FBI Warns Americans to Start Using Encrypted Messaging Apps, after discovering the problem with backdoors[…]
More than 600,000 sensitive files containing thousands of people’s criminal histories, background checks, vehicle and property records were exposed to the internet in a non-password protected database belonging to data brokerage SL Data Services, according to a security researcher. We don’t know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says Read more about Data broker SL leaves 600K+ sensitive files exposed online, doesn’t fix it despite warnings[…]
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained more than 1.1 million records belonging to Conduitor Limited (trading as Forces Penpals) — a service that offers dating services, and social networking for military members and their supporters. The publicly exposed database was not password-protected or encrypted. It contained Read more about US and UK Armed Forces Dating & Social Networking Service Exposed Over 1 Million Records Online through coding error[…]
There are two major reasons that the U.S. doesn’t pass an internet-era privacy law or regulate data brokers despite a parade of dangerous scandals. One, lobbied by a vast web of interconnected industries with unlimited budgets, Congress is too corrupt to do its job. Two, the U.S. government is disincentivized to do anything because it exploits this Read more about Oh Look, It Was Trivial To Buy Troop And Intelligence Officer Location Data From Dodgy, Unregulated Data Brokers[…]
Large language models (LLMs) are increasingly being harnessed to automate cyberattacks, making sophisticated exploits more accessible and scalable. In response, we propose a new defense strategy tailored to counter LLM-driven cyberattacks. We introduce Mantis, a defensive framework that exploits LLMs’ susceptibility to adversarial inputs to undermine malicious operations. Upon detecting an automated cyberattack, Mantis plants Read more about Hacking Back the AI-Hacker: Prompt Injection by your LLM as a Defense Against LLM-driven Cyberattacks[…]
[…] small Spanish technology company, Myruns, and telecommunications operator Telefónica SA about the possible application of a system based on an anti-theft alarm product so thin it’s imperceptible to the naked eye […] The technology from Myruns, in San Sebastian, Spain, may be just one of the efforts to curb thefts that have been studied Read more about Retailers Eye Radio emitting ink on fibres to Stop Shoplifting[…]
S Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week’s Pwn2Own hacking competition within days. Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company’s Synology Photos and BeePhotos for BeeStation software. As Synology explains in security Read more about Synology and QNAP hurry out patches for zero-days exploited at Pwn2Own[…]
Some of the world’s most prominent leaders’ movements were tracked online through a fitness app used by their bodyguards, an investigation has suggested A report by French newspaper Le Monde said several US Secret Service agents use the Strava fitness app, which has revealed highly confidential movements of US president Joe Biden, presidential rivals Donald Read more about Fitness apps (Strava) still giving away locations of world leaders including Trump, Putin and Macron[…]
[…] The non-password protected, non encrypted/clear text database contained financial reports and audits (including bank account information), staff documents, email addresses, contracts, certifications, registration documents, and much more. In total, the database held 115,141 files in.PDF,.xml,.jpg,,png, or other formats, amounting to 228 GB. Many of the documents I saw were marked as confidential and should Read more about Over 115,000 United Nations Documents Associated to Gender Equality Exposed Online[…]
A nasty bug in Samsung’s mobile chips is being exploited by miscreants as part of an exploit chain to escalate privileges and then remotely execute arbitrary code, according to Google security researchers. The use-after-free vulnerability is tracked as CVE-2024-44068, and it affects Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920. It Read more about Samsung phones being attacked by flaw. Use the Oct 7 update![…]
The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange that, when standardized and implemented by credential providers, will enable users to securely move passkeys and all other credentials across providers. The specifications are the result of commitment and collaboration amongst members of the FIDO Alliance’s Credential Read more about FIDO Alliance Publishes Draft Working Specifications for Passkeys, invites feedback[…]
Walled Culture has been writing about Italy’s Piracy Shield system for a year now. It was clear from early on that its approach of blocking Internet addresses (IP addresses) to fight alleged copyright infringement – particularly the streaming of football matches – was flawed, and risked turning into another fiasco like France’s failed Hadopi law. Read more about Italy is losing its mind because of copyright: it just made its awful Piracy Shield even worse[…]
It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What’s notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement … […] Apple famously refused the FBI’s request to Read more about Chinese 3x ISP hack shows why world is right about security backdoors and politicians and security people who want them are idiots[…]
In this week’s Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC. The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now shared the full details Read more about More details on that Windows Installer ‘make me admin’ hole[…]
SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the Read more about SolarWinds left hardcoded credentials in helpdesk product[…]
Security flaws in your computer’s firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular Read more about ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections[…]
[…] For those who rely on Microsoft Authenticator, the experience can go beyond momentary frustration to full-blown panic as they become locked out of their accounts. That’s because, due to an issue involving which fields it uses, Microsoft Authenticator often overwrites accounts when a user adds a new account via QR scan — the most Read more about Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out[…]
Last week, the world reacted as 8.5 million computers crashed to bluescreen, grounding flights, crippling hospitals, and bringing down 911 services. This week, the world is reacting to the company responsible—Crowdstrike—offering its staff and the companies it works with a $10 Uber Eats voucher as way of apology for all their extra work over the Read more about Crowdstrike apologises for breaking the world to own IT Workers With $10 Uber Eats Coupons that are flagged by Uber as Fraudulent[…]
Did the EU force Microsoft to let third parties like CrowdStrike run riot in the Windows kernel as a result of a 2009 undertaking? This is the implication being peddled by the Redmond-based cloud and software titan. As the tech industry deals with the fallout from the CrowdStrike incident, Microsoft is facing questions. Why is Read more about MS tries to blame EU for Crowdstrike Fail[…]
Businesses worldwide grappled with an ongoing major IT outage Friday, as financial services and doctors’ offices were disrupted, while some TV broadcasters went offline. Air travel has been hit particularly hard, with planes grounded, services delayed and airports issuing advice to passengers. The outage came as cybersecurity giant CrowdStrike experienced a major disruption early Friday Read more about So that Global Microsoft IT outage – turns out a Crowdstrike update borked your PC. Here’s some memes to make you feel better.[…]
Cisco just dropped a patch for a maximum-severity vulnerability that allows attackers to change the password of any user, including admins. Tracked as CVE-2024-20419, the bug carries a maximum 10/10 CVSS 3.1 rating and affects the authentication system of Cisco Smart Software Manager (SSM) On-Prem. Cisco hasn’t disclosed too many details about this, which is Read more about Critical Cisco bug allows anyone to change all (including admin) passwords[…]