Black Hat and DEF CON are two of the main safety conferences within the U.S., drawing massive crowds of cyber and AI decision-makers to Las Vegas. Black Hat USA 2024 ran from Aug. 3-8, with a lot of the briefings occurring on Aug. 7 and eight; DEF CON 32 ran from Aug. 8-11. We’re rounding up the enterprise enterprise tech information from Black Hat and DEF CON that’s most related for IT and tech decision-makers.
CrowdStrike given ‘Epic Fail’ award
One of many traditions of DEF CON is the Pwnie Awards, an irreverent night time the place trophies are given out for each extraordinary successes and extraordinary failures. CrowdStrike’s international outage earned them the latter. The Pwnie Awards selected CrowdStrike early, a few week after the outage in July, and introduced the trophy at DEF CON on Aug. 10. CrowdStrike President Michael Sentonas accepted the trophy in particular person.
Learn how to maintain generative AI accountable
A serious subject of dialog and analysis at Black Hat was find out how to maintain generative AI accountable within the case of hallucinations, misinformation, or follow-on results from generated content material.
On the one-day AI Summit (ticketed individually from the remainder of Black Hat), consultants mentioned find out how to safe AI fashions and functions for enterprise use, in addition to using AI in cyberattacks.
AI Village at DEF CON tasked a staff of hackers with exploring find out how to detect and report AI flaws. This occasion is notable as a result of each the vulnerabilities and the strategies of reporting these vulnerabilities will likely be below scrutiny. Ideally, the teachings discovered at this occasion will assist AI distributors construct frameworks for extra thorough and correct reporting.
DARPA and different authorities organizations had a big presence at DEF CON, as they introduced data on securing generative AI. The AI Cyber Problem (AIxCC) Semifinal Competitors examined hackers’ abilities in securing crucial infrastructure in a hypothetical, futuristic metropolis.
Researchers from cloud safety firm Wiz put generative AI infrastructure to the take a look at of their examine of AI-as-a-service platforms. The staff hacked Hugging Face and Replicate, main generative AI internet hosting companies, utilizing “malicious fashions” to maneuver laterally throughout the platform. That gave them a backdoor into non-public AI fashions, at which level they may achieve data on proprietary weights, person prompts, and datasets. From there, they may launch provide chain assaults from the AI-as-a-service platform.
Patches and vulnerabilities recognized
Many organizations at Black Hat and DEF CON introduced patches and memorable vulnerabilities at their briefings. See the whole checklist of DEF CON audio system for extra.
Sonos audio system might be compromised, permitting attackers to hear in, two researchers from NCC Group revealed on Aug. 8. The exploit is made potential by way of the WPA2 Handshake encryption protocol, which can provide an attacker distant entry to the kernel. The researchers demonstrated turning a Sonos system right into a “wiretap” and jailbreaking a Sonos Period-100 good speaker.
Researchers Dennis Giese and Braelynn, a safety marketing consultant at Leviathan Safety Group, detailed their work in discovering bodily and side-channel assaults on Digilock and SAG good lockers. This analysis is a reminder to not reuse secret PINs throughout crucial gadgets like safes and telephones.
Aqua Safety introduced on Aug. 7 that it had pinpointed a vulnerability in six AWS cloud companies that might let attackers execute code remotely or take over accounts. Amazon has since shut that door. The issue was that S3 buckets for these six companies — CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar — had names with related patterns. Due to this, attackers may guess names to plant malicious code in authentic S3 buckets.
On Aug. 9, Amazon launched the next unattributed assertion: “AWS is conscious of this analysis. We will affirm that we’ve got mounted this concern, all companies are working as anticipated, and no buyer motion is required.”
Elsewhere at Black Hat, Zenity CTO Michael Bargury demonstrated how attackers can hijack Microsoft Copilot utilizing oblique immediate injection and by poisoning RAG — a well-liked methodology for enhancing the accuracy of AI fashions.
In his briefing, Bargury highlighted the challenges generative AI presents to safety groups, together with distant code execution and “promptware.” He additionally really helpful strategies for locking down Copilot entry in opposition to malicious actors, together with individuals already contained in the goal firm.
The safety world continues to be engaged on standardized safety for AI
Cybersecurity service HackerOne recognized a number of tendencies within the intersection between generative AI and safety:
- Generative AI helps menace actors assault at better scales than earlier than.
- Generative AI must be outlined in ways in which enable for better standardization in safety and governance.
- Open-source fashions are on-trend.
“Step one we have to take is creating and agreeing upon a set of widespread definitions,” Michiel Prins, cofounder of HackerOne, wrote in an electronic mail to TechRepublic. “We should ask: What’s AI? Is it GenAI or LLMs? What concerning the ML options which were round for many years? The house is riddled with unclear definitions, which makes it more and more troublesome for individuals to grasp one another.”
Enhancing safety intelligence
X-Ops, the safety response staff of IT-as-a-service supplier Sophos, launched a report on Tuesday about new techniques ransomware attackers use to place strain on their victims. These techniques can embrace:
- Encouraging clients to open authorized circumstances in opposition to sufferer organizations.
- Opening authorized circumstances themselves.
- Looking for monetary details about goal corporations, significantly data that may reveal inaccuracies or subterfuge.
- Exposing prison exercise which will happen on firm gadgets.
- Portray the organizations they aim as negligent or morally poor.
Notable product releases
Flashpoint launched new options and capabilities in Flashpoint Ignite and Echosec on Aug. 6. Flashpoint Ignite, the flagship platform, will now embrace investigations administration and intelligence necessities mapping, which match Flashpoint collections with Precedence Intelligence Necessities. Echosec will embrace location safety beginning Aug. 6.
The AI safety firm CalypsoAI boosted its product line with out-of-the-box scanners for particular business-use circumstances and verticals and real-time menace updates.
Keynotes deliver nationwide and company gamers
Keynote audio system for Black Hat 2024 included Cybersecurity and Infrastructure Safety Company Director Jen Easterly, Google Safety Engineering Supervisor Ellen Cram Kowalczyk, and Microsoft Menace Intelligence Technique Director Sherrod DeGrippo.
TechRepublic coated Black Hat and DEF CON remotely.
