close
close

CrowdStrike receives “Epic Fail” award

CrowdStrike receives “Epic Fail” award
Posted on | Posted on Theodore

Black Hat and DEF CON are two of the most important security conferences in the US, attracting large crowds of cyber and AI decision makers to Las Vegas. Black Hat USA 2024 took place August 3-8, with most briefings taking place on August 7 and 8; DEF CON 32 took place August 8-11. We round up the enterprise business tech news from Black Hat and DEF CON that is most relevant to IT and technology decision makers.

CrowdStrike receives “Epic Fail” award

One of DEF CON’s traditions is the Pwnie Awards, an irreverent evening where trophies are awarded for both exceptional successes and exceptional failures. CrowdStrike’s global outage earned them the latter. The Pwnie Awards chose CrowdStrike early, about a week after the July outage, and presented the trophy at DEF CON on August 10. CrowdStrike President Michael Sentonas accepted the trophy in person.

How to hold generative AI accountable

A key topic of discussion and research at Black Hat was how generative AI can be held accountable in the event of hallucinations, misinformation, or knock-on effects from generated content.

At the one-day AI Summit (with a separate ticket to the rest of Black Hat), experts discussed how AI models and applications can be secured for use in companies and how AI can be used in cyber attacks.

AI Village at DEF CON has tasked a team of hackers with researching how to identify and report AI vulnerabilities. This event is notable because it examines both the vulnerabilities and the methods used to report those vulnerabilities. Ideally, the insights gained from this event will help AI vendors create a framework for more thorough and accurate reporting.

DARPA and other government organizations had a strong presence at DEF CON, presenting information on securing generative AI, and the AI ​​Cyber ​​​​Challenge (AIxCC) semifinal competition tested hackers’ skills in securing critical infrastructure in a hypothetical, futuristic city.

Researchers at cloud security firm Wiz put generative AI infrastructure to the test in their study of AI-as-a-service platforms. The team hacked Hugging Face and Replicate, leading generative AI hosting services, and used “malicious models” to move laterally within the platform. This gave them a backdoor into private AI models, allowing them to obtain information about proprietary weights, user prompts, and data sets. From there, they were able to launch supply chain attacks from the AI-as-a-service platform.

Identified patches and vulnerabilities

Many organizations at Black Hat and DEF CON announced patches and notable vulnerabilities in their briefings. See the full list of DEF CON speakers for more information.

Sonos speakers could be tampered with so attackers can listen in, two researchers from NCC Group revealed on August 8. The exploit is enabled by the WPA2 handshake encryption protocol, which can give an attacker remote access to the kernel. The researchers demonstrated how they turned a Sonos device into a “listening device” and jailbroke a Sonos Era-100 smart speaker.

Researchers Dennis Giese and Braelynn, a security consultant at Leviathan Security Group, have detailed their work in discovering physical and side-channel attacks on Digilock and SAG smart lockers. This investigation is a reminder not to reuse secret PINs for all important devices like safes and phones.

Aqua Security announced on August 7 that it had discovered a vulnerability in six AWS cloud services that could allow attackers to remotely execute code or take over accounts. Amazon has since fixed the flaw. The problem was that the S3 buckets for these six services – CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar – had names with similar patterns. Because of this, attackers could guess names to place malicious code in legitimate S3 buckets.

Michael Bargury, CTO of Zenity, demonstrated how attackers can hijack Microsoft Copilot through indirect prompt injection and by poisoning RAG – a popular method for improving the accuracy of AI models.

In his briefing, Bargury highlighted the challenges generative AI poses for security teams, including remote code execution and “promptware.” He also recommended methods to lock down copilot access from malicious actors, including people already inside the target organization.

The security world is still working on standardized protection for AI

Cybersecurity service HackerOne has identified some trends at the intersection of generative AI and security:

  • Generative AI helps threat actors attack on a larger scale than before.
  • Generative AI needs to be defined in a way that allows for greater standardization in terms of security and governance.
  • Open source models are trending.

“The first step we need to take is to create and agree on a set of common definitions,” wrote HackerOne co-founder Michiel Prins in an email to TechRepublic. “We need to ask: What is AI? Is it GenAI or LLMs? What about the ML solutions that have been around for decades? The field is full of unclear definitions, making it increasingly difficult for people to understand each other.”

Improving security intelligence

X-Ops, the security team of IT-as-a-service provider Sophos, released a report on Tuesday detailing new tactics that ransomware attackers are using to pressure their victims. These tactics can include:

  • Encouraging customers to take legal action against victim organizations.
  • They initiate legal proceedings themselves.
  • Search for financial information about target companies, especially information that could reveal inaccuracies or deception.
  • Detecting criminal activities that may occur on company devices.
  • They portray the organizations they attack as negligent or morally deficient.

Notable product releases

Flashpoint released new features and capabilities in Flashpoint Ignite and Echosec on August 6. Flashpoint Ignite, the flagship platform, will now include investigation management and intelligence requirement mapping, which matches Flashpoint collections to priority intelligence requirements. Echosec will include site protection starting August 6.

AI security company CalypsoAI has expanded its product line to include out-of-the-box scanners for specific business use cases and industries, as well as real-time threat updates.

Keynotes bring national and corporate stakeholders together

Black Hat 2024 keynote speakers included Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, Ellen Cram Kowalczyk, security engineering manager at Google, and Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.

TechRepublic reported remotely on Black Hat and DEF CON.

Leave a Reply

Your email address will not be published. Required fields are marked *