Tag Archive for: Technique

Novel technique bolsters Remcos RAT stealth | SC Media




Source…

Simple Hacking Technique Can Extract ChatGPT Training Data


Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web?

The answer is an emphatic yes, according to a team of researchers at Google DeepMind, Cornell University, and four other universities who tested the hugely popular generative AI chatbot’s susceptibility to leaking data when prompted in a specific way.

‘Poem’ as a Trigger Word

In a report this week, the researchers described how they got ChatGPT to spew out memorized portions of its training data merely by prompting it to repeat words like “poem,” “company,” “send,” “make,” and “part” forever.

For example, when the researchers prompted ChatGPT to repeat the word “poem” forever, the chatbot initially responded by repeating the word as instructed. But after a few hundred times, ChatGPT began generating “often nonsensical” output, a small fraction of which included memorized training data such as an individual’s email signature and personal contact information.

The researchers discovered that some words were better at getting the generative AI model to spill memorized data than others. For instance, prompting the chatbot to repeat the word “company” caused it to emit training data 164 times more often than other words, such as “know.”

Data that the researchers were able to extract from ChatGPT in this manner included personally identifiable information on dozens of individuals; explicit content (when the researchers used an NSFW word as a prompt); verbatim paragraphs from books and poems (when the prompts contained the word “book” or “poem”); and URLs, unique user identifiers, bitcoin addresses, and programming code.

A Potentially Big Privacy Issue?

“Using only $200 USD worth of queries to ChatGPT (gpt-3.5-turbo), we are able to extract over 10,000 unique verbatim memorized training examples,” the researchers wrote in their paper titled “Scalable Extraction of Training Data from (Production) Language Models.”

“Our extrapolation to larger budgets suggests that dedicated adversaries could extract far more data,” they wrote. The researchers estimated an adversary could extract 10 times more…

Source…

New Cybersecurity Technique Could Trick Hackers


Sandia National Laboratories research team members Christy Sturgill, Jacob Hazelbaker, Eric Vugrin and Nicholas Troutman, from left to right, onboard a C-130 transport aircraft at Kirtland Air Force Base. (Credit: Craig Fritz, Sandia National Laboratories)

An international team of researchers led by Purdue University examines how a new cybersecurity technique could help keep aircraft such as military jets, commercial airliners, and even spacecraft technologically safe from cyberattacks. This study could help address the pitfalls of living in a world that is becoming more and more reliant on computers for everything we do.

“When we talk about protecting our computer systems, frequently there are two main pieces we rely on,” said Dr. Eric Vugrin, who is a Sandia National Laboratories cybersecurity senior scientist and a co-author on the study. “The first approach is just keeping the bad guy out and never permitting access to the system. The physical analogue is to build a big wall and don’t let him in in the first place. And the backup plan is, if the wall doesn’t work, we rely on detection. Both of those approaches are imperfect. And so, what moving target defense offers as a complementary strategy is, even if those two approaches fail, moving target confuses the attacker and makes it more difficult to do damage.”

Many aircraft systems use an onboard computer network called the military standard 1553, also known as MIL-STD-1553 or simply 1553, which is a very efficient system that allows the various aircraft systems to talk to each other. Because of this system's importance in controlling aircraft, it is also very vulnerable to cyberattacks.

For the study, the researchers pitted moving target defense (MTD) algorithms against machine learning (ML) and deep learning (DL) models to examine the algorithms' effectiveness against the models trying to attack them in real-time systems. They put emphasis on examining one such algorithm that randomizes address assignments to see if the models could overcome the defenses. Essentially, it…

Source…

UID smuggling: A new technique for tracking users online


Advertisers and web trackers have been able to aggregate users’ information across all of the websites they visit for decades, primarily by placing third-party cookies in users’ browsers. Two years ago, several browsers that prioritize user privacy began to block third-party cookies for all users by default. This presents a significant issue for businesses that place ads on the web on behalf of other companies and rely on cookies to track click-through rates to determine how much they need to get paid.

Advertisers have responded by pioneering a new method for tracking users across the Web, known as user ID (or UID) smuggling, which does not require third-party cookies. But no one knew exactly how often this method was used to track people on the Internet.

Researchers at UC San Diego have for the first time sought to quantify the frequency of UID smuggling in the wild, by developing a measurement tool called CrumbCruncher. CrumbCruncher navigates the Web like an ordinary user, but along the way, it keeps track of how many times it has been tracked using UID smuggling. The researchers found that UID smuggling was present in about 8 percent of the navigations that CrumbCruncher made. The team is also releasing both their complete dataset and their measurement pipeline for use by browser developers.

The team’s main goal is to raise awareness of the issue with browser developers, said first author Audrey Randall, a computer science Ph.D. student at UC San Diego. “UID smuggling is more widely used than we anticipated,” she said. “But we don’t know how much of it is a threat to user privacy.”


How user ID smuggling works

UID smuggling can have legitimate uses, the researchers say. For example, embedding user IDs in URLs can allow a website to realize a user is already logged in, which means they can skip the login page and navigate directly to content.

It’s also a tool that a company that owns websites with different domains can use to track user traffic. It’s also, of course, a tool for affiliate advertisers to track traffic and get paid. For example, a blogger who advertises a product using affiliate links might be paid a commission if anyone clicks…

Source…