Notices by Lukasz Olejnik (lukaszolejnik@mastodon.social)

I’m thinking of making a presentation “Malicious use of AI, one year after” (for security and information operations), where I would show the current status quo, and what’s imminent (including based on my own tests/development). Any ideas where to submit it to?

AI vulnerability/bug founds and reports is a huge problem. Curl has banned the use of AI-generated submissions via HackerOne because none of it made any sense, and is a waste of resources and time. "We are effectively being DDoSed. If we could, we would charge them for this waste of our time" https://hackerone.com/reports/3125832

No cyber threat actor has been found to use any public AI/LLM for serious cyberattack/cyberoperation goals. Unless they're trolling, because it is already possible to such tools in completely undetectable ways. Cybersecurity and LLM providers have no visibility here.

@GossiTheDog So what was the question to the security operations? "Tell me if there's at least one Ukrainian IP address involved"?

@GossiTheDog But only a single country is mentioned, why?

Beware of narrative stretches used for PR purposes. Even a single packet sent from a Ukrainian IP in a DDoS attack on X platform doesn’t imply 'Ukraine behind it'. This is an oversimplification, perhaps to to divert attention. Attribution doesn’t work that way—an IP is inconclusive. And much of Ukraine is occupied, with traffic operated by Russian ISPs.

Malicious open source models are being uploaded to popular repository hugging face. This will be a completely new cybersecurity risk. Now it's merely code execution. But expect tainted/poisoned weights impacting outputs. Python reverse shell script enables remote command execution. On Linux, it spawns a `/bin/sh` shell, on Windows, it launches PowerShell and enables bidirectional communication. https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face

Stealing passwords and PINs entered by Apple Vision Pro users. As you can see, you never know when a lecture on double integrals over surfaces might come in handy. https://arxiv.org/abs/2409.08122

My strategic privacy analysis. Is Google undoing a decade of progress on privacy? Their new policy allows invasive device fingerprinting for tracking user activity. Here’s my deep dive into what this means for privacy—and the future of AI. https://blog.lukaszolejnik.com/biggest-privacy-erosion-in-10-years-on-googles-policy-change-towards-fingerprinting/

Russian cyber threat actor Turla hacked 33 infrastructure nodes of Pakistani cyber threat actor to attack other targets, to deploy own cyber tools (malware) for cy-espionage purposes in the Middle East, like India. It delays attribution. What's the most vulnerable sensitive authorization in the world? "nation-state and cybercriminal endpoints and malware especially vulnerable to exploitation since they are unable to use modern security tools for monitoring access" https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/

Russian cyber threat actor is targeting Ukraine military conscript system, trying to infect conscripts systems (Windows, Android, macOS, iOS) with malware, and spreading narratives and content to undermine support for Ukraine's war mobilization. https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives

Russia issued a monetary fine on Google: 2 undecillion rubles ($2,500,000,000,000,000,000,000,000,000,000,000) after refusing to restore the accounts of pro-Kremlin and state-run media outlets. https://www.themoscowtimes.com/2024/10/29/russia-fines-google-25-decillion-over-youtube-bans-rbc-a86846

Major Russian state media are down following to a cyberattack. "Online broadcasting and internal services are not working, there is no Internet or telephony". Reports of data destruction (including backups) and expectation of long down-time. Rossia 1 and Rossia 24 (TV), in addition to more than 80 regional television and radio stations https://www.gazeta.ru/tech/news/2024/10/07/24092647.shtml

Smart-glasses from Meta with an app to instantly discover identity & information (profession, address, etc...) about the person the wearer sees. On the street, on the metro, anywhere. Such times are coming? Everyone will know everything about everyone :) https://www.404media.co/someone-put-facial-recognition-tech-onto-metas-smart-glasses-to-instantly-dox-strangers/

GREAT change is approaching. NIST will standardise prohibition of requirement of composing passwords from various character styles, and requirement for periodic password changes. These are harmful and obsolete rules. Now they will be treated as a cybersecurity weakness https://pages.nist.gov/800-63-4/sp800-63b.html

A new career path in IT? Amazon AWS is recruiting NUCLEAR ENGINEERS. They are to do analysis of SMR reactor use and nuclear fuel. What's next, auctions of uranium, plutonium, others? It's changing. No longer talking exclusively about “renewable energy”. Checkout: up to $252,900.

Cyber security is a very broad field and industry today.

After four years of attempts, Google is backtracking from plans to phase out third-party cookies? https://privacysandbox.com/intl/en_us/news/privacy-sandbox-update/

My comment at WIRED about the global Windows outage. Our civilization depends on software, and that in turn depends on many other software components, of various vendors, suppliers. Something goes accidentally wrong, and a large part of the economy is affected or goes down. https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/

#cybersecurity

Critical vulnerability in RADIUS protocol (=everybody vulnerable) allows forging authentication messages and unauthorized network access. This flaw is due to the use of an obsolete MD5 hash function, and a novel chosen-prefix collision attack.
"If you are an end user, there is nothing that you can or should do" https://www.blastradius.fail/pdf/radius.pdf