Tag Archive for: read

Sinister AI ‘eavesdropping’ trick lets ‘anybody read private chats’ on your Android or iPhone, security experts reveal

/in


CYBERCRIMINALS can spy on users’ conversations with artificial intelligence-powered chatbots, experts have warned.

Ever since ChatGPT came out in November 2022, cybersecurity experts have been concerned with the technology.

Criminals can spy on users’ conversations with AI chatbotsCredit: Getty

ChatGPT is an advanced chatbot that can seamlessly complete tasks like writing essays and generating code in seconds.

Today, several chatbots function like ChatGPT, including Google’s Gemini and Microsoft’s Copilot within Bing.

The chatbots are easy to use, and many users quickly get captivated into conversations with the natural-language companions.

However, experts have expressed concerns over users sharing personal information with AI chatbots.

ChatGPT can collect highly sensitive details users share via prompts and responses.

It can then associate this information with a user’s email address and phone number, and store it.

That’s because to use the platform, users need to provide both an email address and mobile phone number.

Users cannot bypass this by using disposable or masked email addresses and phone numbers.

Most read in Phones & Gadgets

As a result, ChatGPT is firmly tied to your online identity as it records everything you input.

What’s more, this private data can also be obtained by cybercriminals if they are keen enough.

ChatGPT creator reveals more creepy videos after announcing major change & fans are shocked by ‘cyborg’ German Shepherd

“Currently, anybody can read private chats sent from ChatGPT and other services,” Yisroel Mirsky, the head of the Offensive AI Research Lab at Israel’s Ben-Gurion University, told Ars Technica in an email.

“This includes malicious actors on the same Wi-Fi or LAN as a client (e.g., same coffee shop), or even a malicious actor on the internet — anyone who can observe the traffic.”

This is known as a “side-channel attack,” and it can be very dangerous for victims.

“The attack is passive and can happen without OpenAI or their client’s knowledge,” Mirsky revealed.

“OpenAI encrypts their traffic to prevent these kinds of eavesdropping attacks, but our research shows that the way OpenAI is using encryption is flawed, and thus the content of the…

Source…

Hackers can read private AI-assistant chats even though they’re encrypted

/in


Hackers can read private AI-assistant chats even though they’re encrypted

Aurich Lawson | Getty Images

AI assistants have been widely available for a little more than a year, and they already have access to our most private thoughts and business secrets. People ask them about becoming pregnant or terminating or preventing pregnancy, consult them when considering a divorce, seek information about drug addiction, or ask for edits in emails containing proprietary trade secrets. The providers of these AI-powered chat services are keenly aware of the sensitivity of these discussions and take active steps—mainly in the form of encrypting them—to prevent potential snoops from reading other people’s interactions.

But now, researchers have devised an attack that deciphers AI assistant responses with surprising accuracy. The technique exploits a side channel present in all of the major AI assistants, with the exception of Google Gemini. It then refines the fairly raw results through large language models specially trained for the task. The result: Someone with a passive adversary-in-the-middle position—meaning an adversary who can monitor the data packets passing between an AI assistant and the user—can infer the specific topic of 55 percent of all captured responses, usually with high word accuracy. The attack can deduce responses with perfect word accuracy 29 percent of the time.

Token privacy

“Currently, anybody can read private chats sent from ChatGPT and other services,” Yisroel Mirsky, head of the Offensive AI Research Lab at Ben-Gurion University in Israel, wrote in an email. “This includes malicious actors on the same Wi-Fi or LAN as a client (e.g., same coffee shop), or even a malicious actor on the Internet—anyone who can observe the traffic. The attack is passive and can happen without OpenAI or their client’s knowledge. OpenAI encrypts their traffic to prevent these kinds of eavesdropping attacks, but our research shows that the way OpenAI is using encryption is flawed, and thus the content of the messages are exposed.”

Source…

Week in review: 7 cybersecurity audiobooks to read, Patch Tuesday forecast

/in


Week in review

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

MS Exchange zero-days: The calm before the storm?
CVE-2022-41040 and CVE-2022-41082, the two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

October 2022 Patch Tuesday forecast: Looking for treats, not more tricks
We’ve entered the final quarter of 2022 with a favorite holiday for many – Halloween, at the end of the month. Unfortunately, Microsoft has continued to play a few tricks on us. Several Microsoft Exchange Server vulnerabilities have been reported and exploited, and the Windows 11 rollout and updates have been a little ‘rocky’.

7 cybersecurity audiobooks you should listen to this year
Audiobooks have gained enormous popularity among book lovers for a variety of factors, including their convenience, which enables listeners to learn while running errands or traveling. Here’s a list of cybersecurity audiobooks that are worthy of your time.

How to start and grow a cybersecurity consultancy
A cybersecurity industry veteran, Praveen Singh is the co-founder and Chief Information Security Advisor at CyberPWN Technologies, a digital defense consulting firm. In this interview with Help Net Security, he offers insight for anyone interested in building their own cybersecurity consultancy.

Many IT pros don’t think a ransomware attack can impact Microsoft 365 data
Nearly a quarter of businesses have suffered a ransomware attack, with a fifth occurring in the past 12 months, according to Hornetsecurity.

CISA orders federal agencies to regularly perform IT asset discovery, vulnerability enumeration
A new directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) is ordering US federal civilian agencies to perform regular asset discovery and vulnerability enumeration, to better account for and protect the devices that reside on their networks.

To avoid insider threats, try empathy
In this interview with Help Net Security, Nathan Hunstad, Deputy CISO at Code42, explains the importance of addressing insider threats, how to make sure your employees are aware of the…

Source…

North Korea-backed hackers have a clever way to read your Gmail

/in


North Korea-backed hackers have a clever way to read your Gmail

Getty Images

Researchers have unearthed never-before-seen malware that hackers from North Korea have been using to surreptitiously read and download email and attachments from infected users’ Gmail and AOL accounts.

The malware, dubbed SHARPEXT by researchers from security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension can’t be detected by the email services, and since the browser has already been authenticated using any multifactor authentication protections in place, this increasingly popular security measure plays no role in reining in the account compromise.

The malware has been in use for “well over a year,” Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is sponsored by North Korea’s government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT is targeting organizations in the US, Europe, and South Korea that work on nuclear weapons and other issues North Korea deems important to its national security.

Volexity President Steven Adair said in an email that the extension gets installed “by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. Previously we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post exploitation mechanism for persistence and data theft.” In its current incarnation, the malware works only on Windows, but Adair said there’s no reason it couldn’t be broadened to infect browsers running on macOS or Linux, too.

The blog post added: “Volexity’s own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.”

Installing a browser extension during a phishing operation without the end-user noticing isn’t easy. SHARPEXT developers have clearly paid attention to…

Source…