19.5 C
London
Friday, September 20, 2024
HomeTechnologyCrowdStrike Accepts ‘Epic Fail’ Award

CrowdStrike Accepts ‘Epic Fail’ Award

Date:

Related stories

Black Hat and DEF CON are two of the foremost safety meetings within the U.S., drawing huge crowds of cyber and AI decision-makers to Las Vegas. Black Hat USA 2024 ran from Aug. 3-8, with many of the briefings going on on Aug. 7 and eight; DEF CON 32 ran from Aug. 8-11. We’re rounding up the undertaking enterprise tech information from Black Hat and DEF CON this is maximum related for IT and tech decision-makers.

CrowdStrike given ‘Epic Fail’ award

Some of the traditions of DEF CON is the Pwnie Awards, an irreverent evening the place trophies are given out for each bizarre successes and bizarre screw ups. CrowdStrike’s world outage earned them the latter. The Pwnie Awards selected CrowdStrike early, a few week after the outage in July, and offered the trophy at DEF CON on Aug. 10. CrowdStrike President Michael Sentonas accredited the trophy in particular person.

How you can dangle generative AI responsible

A big subject of dialog and analysis at Black Hat was once how one can dangle generative AI responsible in terms of hallucinations, incorrect information, or follow-on results from generated content material.

On the one-day AI Summit (ticketed one at a time from the remainder of Black Hat), mavens mentioned how one can safe AI fashions and programs for undertaking use, in addition to using AI in cyberattacks.

AI Village at DEF CON tasked a group of hackers with exploring how one can discover and record AI flaws. This match is notable as a result of each the vulnerabilities and the strategies of reporting the ones vulnerabilities will likely be below scrutiny. Preferably, the teachings discovered at this match will lend a hand AI distributors construct frameworks for extra thorough and correct reporting.

DARPA and different govt organizations had an important presence at DEF CON, as they offered data on securing generative AI. The AI Cyber Problem (AIxCC) Semifinal Pageant examined hackers’ talents in securing essential infrastructure in a hypothetical, futuristic town.

Researchers from cloud safety corporate Wiz put generative AI infrastructure to the take a look at in their find out about of AI-as-a-service platforms. The group hacked Hugging Face and Reflect, main generative AI website hosting services and products, the use of “malicious fashions” to transport laterally throughout the platform. That gave them a backdoor into personal AI fashions, at which level they may achieve data on proprietary weights, consumer activates, and datasets. From there, they may release provide chain assaults from the AI-as-a-service platform.

Patches and vulnerabilities recognized

Many organizations at Black Hat and DEF CON introduced patches and memorable vulnerabilities at their briefings. See the whole record of DEF CON audio system for extra.

Sonos audio system might be compromised, permitting attackers to concentrate in, two researchers from NCC Workforce published on Aug. 8. The exploit is made conceivable throughout the WPA2 Handshake encryption protocol, which may give an attacker faraway get admission to to the kernel. The researchers demonstrated turning a Sonos software right into a “wiretap” and jailbreaking a Sonos Technology-100 sensible speaker.

Researchers Dennis Giese and Braelynn, a safety guide at Leviathan Safety Workforce, detailed their paintings in finding bodily and side-channel assaults on Digilock and SAG sensible lockers. This analysis is a reminder to not reuse secret PINs throughout essential units like safes and telephones.

Aqua Safety introduced on Aug. 7 that it had pinpointed a vulnerability in six AWS cloud services and products that would let attackers execute code remotely or take over accounts. Amazon has since close that door. The issue was once that S3 buckets for the ones six services and products — CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar — had names with identical patterns. As a result of this, attackers may just bet names to plant malicious code in reputable S3 buckets.

Zenity CTO Michael Bargury demonstrated how attackers can hijack Microsoft Copilot the use of oblique recommended injection and through poisoning RAG — a common manner for bettering the accuracy of AI fashions.

In his briefing, Bargury highlighted the demanding situations generative AI gifts to safety groups, together with faraway code execution and “promptware.” He additionally really helpful strategies for locking down Copilot get admission to in opposition to malicious actors, together with other folks already throughout the goal corporate.

The protection global remains to be operating on standardized coverage for AI

Cybersecurity carrier HackerOne recognized a couple of traits within the intersection between generative AI and safety:

  • Generative AI is helping risk actors assault at larger scales than earlier than.
  • Generative AI must be outlined in ways in which permit for larger standardization in safety and governance.
  • Open-source fashions are on-trend.

“Step one we want to take is growing and agreeing upon a collection of commonplace definitions,” Michiel Prins, cofounder of HackerOne, wrote in an e-mail to TechRepublic. “We will have to ask: What’s AI? Is it GenAI or LLMs? What concerning the ML answers which were round for many years? The gap is riddled with unclear definitions, which makes it more and more tough for other folks to know every different.”

Bettering safety intelligence

X-Ops, the protection reaction group of IT-as-a-service supplier Sophos, launched a record on Tuesday about new techniques ransomware attackers use to place power on their sufferers. Those techniques can come with:

  • Encouraging shoppers to open felony instances in opposition to sufferer organizations.
  • Opening felony instances themselves.
  • Looking for monetary details about goal corporations, in particular data that would possibly disclose inaccuracies or subterfuge.
  • Exposing illegal activity that can happen on corporate units.
  • Portray the organizations they aim as negligent or morally poor.

Notable product releases

Flashpoint launched new options and functions in Flashpoint Ignite and Echosec on Aug. 6. Flashpoint Ignite, the flagship platform, will now come with investigations control and intelligence necessities mapping, which fit Flashpoint collections with Precedence Intelligence Necessities. Echosec will come with location coverage beginning Aug. 6.

The AI safety corporate CalypsoAI boosted its product line with out-of-the-box scanners for particular business-use instances and verticals and real-time risk updates.

Keynotes carry nationwide and company gamers

Keynote audio system for Black Hat 2024 incorporated Cybersecurity and Infrastructure Safety Company Director Jen Easterly, Google Safety Engineering Supervisor Ellen Cram Kowalczyk, and Microsoft Danger Intelligence Technique Director Sherrod DeGrippo.

TechRepublic coated Black Hat and DEF CON remotely.

Subscribe

- Never miss a story with notifications

Latest stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here