Tag Archive for: study

GPT-4 can exploit zero-day security vulnerabilities all by itself, a new study finds

/in


A hot potato: GPT-4 stands as the newest multimodal large language model (LLM) crafted by OpenAI. This foundational model, currently accessible to customers as part of the paid ChatGPT Plus line, exhibits notable prowess in identifying security vulnerabilities without requiring external human assistance.

Researchers recently demonstrated the ability to manipulate (LLMs) and chatbot technology for highly malicious purposes, such as propagating a self-replicating computer worm. A new study now sheds light on how GPT-4, the most advanced chatbot currently available on the market, can exploit extremely dangerous security vulnerabilities simply by examining the details of a flaw.

According to the study, LLMs have become increasingly powerful, yet they lack ethical principles to guide their actions. The researchers tested various models, including OpenAI’s commercial offerings, open-source LLMs, and vulnerability scanners like ZAP and Metasploit. They found that advanced AI agents can “autonomously exploit” zero-day vulnerabilities in real-world systems, provided they have access to detailed descriptions of such flaws.

In the study, LLMs were pitted against a database of 15 zero-day vulnerabilities related to website bugs, container flaws, and vulnerable Python packages. The researchers noted that more than half of these vulnerabilities were classified as “high” or “critical” severity in their respective CVE descriptions. Moreover, there were no available bug fixes or patches at the time of testing.

The study, authored by four computer scientists from the University of Illinois Urbana-Champaign (UIUC), aimed to build on previous research into chatbots’ potential to automate computer attacks. Their findings revealed that GPT-4 was able to exploit 87 percent of the tested vulnerabilities, whereas other models, including GPT-3.5, had a success rate of zero percent.

UIUC assistant professor Daniel Kang highlighted GPT-4’s capability to autonomously exploit 0-day flaws, even when open-source scanners fail to detect them. With OpenAI already working on GPT-5, Kang foresees “LLM agents” becoming potent tools for democratizing vulnerability exploitation and cybercrime among script-kiddies…

Source…

FIU study: Ransomware can hide in the websites you upload files to

/in


FIU cybersecurity researchers warn websites that request access to your files might be able to bypass antivirus software and carry out major ransomware attacks.

Free photo editors, tax document assistants and other online apps that ask for permission to access your media can encrypt files and effectively take control of them, an FIU College of Engineering and Computing study shows. These attackers could then demand ransom in exchange for the files’ safe return.

The researchers say that the hack works on all three major PC operating systems: Windows, Linux and Mac OS. Some cloud services such as Apple Cloud, Box, Google Drive, OneDrive and Dropbox are also susceptible, as well as external drives.

Just two things are needed for a malicious website to conduct the attack.

  1. A person needs to say, ‘yes’ to a pop-up that asks them to share their files, such as ‘Allow this website to access your photos?’
  2. Someone must click, ‘yes,’ on a second pop-up, which is the attack. The pop-up will be disguised as a benign message, such as an advertisement or a request like, ‘May we close the rest of your tabs for you?’

Clicking ‘yes’ on these two pop-ups is all too easy, says Selcuk Uluagac, principal investigator of the research and Knight Foundation School of Computing and Information Sciences professor.

“Antivirus software systems allow these attacks because it is normal for them to give browsers access to files,” Uluagac said. “They don’t detect that anything is wrong.”

The research was conducted in collaboration with Google senior research scientist Güliz Seray Tuncay and published in the proceedings of the 32nd USENIX Security Symposium, which is a top-tier cybersecurity conference according to Google Scholar.

“Everybody knows not to download a suspicious file. Now we are finding that it can be just as dangerous to upload a file,” said Harun Oz, a Ph.D. student on the research team.

These hacks are possible due to the increasing power of web browsers, researchers say.

“Browsers have become much more powerful over time,” said Abbas Acar, a postdoctoral researcher on the…

Source…

Jet stream will get faster as climate change continues, study finds

/in


Jet stream will get faster as climate change continues, study finds
Jet streams circulate around the world. A new study finds fast jet stream winds (those in dark red) will get even faster over time as climate change accelerates. Credit: NASA Goddard Space Flight Center

A new study in Nature Climate Change takes one of the first deep dives into how climate change will affect the fastest jet streams—the powerful, narrow winds in the upper atmosphere that steer much of the Earth’s weather systems and are connected to outbreaks of severe weather.

The research, by UChicago Prof. Tiffany Shaw and National Center for Atmospheric Research scientist Osamu Miyawaki, suggests that as the world warms, the fastest upper-level jet stream winds will get faster and faster—by about 2% for every degree Celsius the world warms. Furthermore, the fastest winds will speed up 2.5 times faster than the average wind.

“Based on these results and our current understanding, we expect record-breaking winds,” said Shaw, “and it’s likely that they will feed into decreased flight times, increased clear-air turbulence and a potential increase in severe weather occurrence.”

Wind, weather and warming

Partly prompted by recent news reports of speed-record-breaking flights over the Atlantic, Shaw and Miyawaki began to investigate and realized there had been very little exploration of how the very fastest jet stream winds would respond to climate change.

To fill this gap, they combined climate change models with what we know about the physics of jet streams.

Jet streams usually move from west to east around the globe in the upper atmosphere, about six miles (10 kilometers) above us. We know that jet streams strongly influence the weather we experience on the ground—especially air temperature, winds and weather patterns, and storms. They also influence the occurrence of severe storms, tornadoes, hail and severe wind.

Jet streams form because of the contrast between the cold, dense air at the poles and the warm, light air in the tropics, in combination with the rotation of the Earth. (This was first shown in…

Source…

New Security Study Reveals AutoSpill Vulnerabilities in Android Password Managers

/in


A recent security study conductedresearchers at the International Institute of Information Technology (IIIT) has unveiled a new attack called AutoSpill, which targets Android password managers and can potentially lead to the theft of account credentials. The researchers discovered that most password managers for Android are vulnerable to this attack, even without the use of JavaScript injection.

The attack worksexploiting weaknesses in Android’s WebView framework, which is commonly usedAndroid apps to render web content. Password managers on Android rely on this framework to automatically fill in a user’s account credentials when logging into services like Apple, Facebook, Microsoft, or Google.

The AutoSpill attack is particularly concerning because it allows rogue apps to capture a user’s login credentials without leaving any trace of the compromise. This can lead to unauthorized access to sensitive accounts.

The researchers tested AutoSpill against several password managers on various Android versions and found that 1Password, LastPass, Enpass, Keeper, and Keepass2Android are all susceptible to the attack. However, Google Smart Lock and DashLane follow a different technical approach and are safe from AutoSpill unless JavaScript injection is used.

The AutoSpill vulnerability stems from Android’s failure to clearly define the responsibility for securely handling auto-filled data. This loophole can result in the leakage or capture of sensitive informationthe host app.

The researchers have reported their findings to the affected software vendors and Android’s security team. While the validity of the report has been acknowledged, no details regarding plans for fixing the issue have been shared yet.

In response to the disclosure, password management providers impactedAutoSpill, such as 1Password and LastPass, have assured their users that they are working on fixes to address the vulnerability. They emphasize the importance of user vigilance and explicit actions required for autofill functions.

Users are advised to exercise caution while installing apps and only download from trusted app stores like Google Play. Android developers are also encouraged to implement WebView best…

Source…