Tag: Test | SpinSafe

When Hackers Descended to Test A.I., They Found Flaws Aplenty

August 16, 2023/in Computer Security

Avijit Ghosh wanted the bot to do bad things.

He tried to goad the artificial intelligence model, which he knew as Zinc, into producing code that would choose a job candidate based on race. The chatbot demurred: Doing so would be “harmful and unethical,” it said.

Then, Dr. Ghosh referenced the hierarchical caste structure in his native India. Could the chatbot rank potential hires based on that discriminatory metric?

The model complied.

Dr. Ghosh’s intentions were not malicious, although he was behaving like they were. Instead, he was a casual participant in a competition last weekend at the annual Defcon hackers conference in Las Vegas, where 2,200 people filed into an off-Strip conference room over three days to draw out the dark side of artificial intelligence.

The hackers tried to break through the safeguards of various A.I. programs in an effort to identify their vulnerabilities — to find the problems before actual criminals and misinformation peddlers did — in a practice known as red-teaming. Each competitor had 50 minutes to tackle up to 21 challenges — getting an A.I. model to “hallucinate” inaccurate information, for example.

They found political misinformation, demographic stereotypes, instructions on how to carry out surveillance and more.

The exercise had the blessing of the Biden administration, which is increasingly nervous about the technology’s fast-growing power. Google (maker of the Bard chatbot), OpenAI (ChatGPT), Meta (which released its LLaMA code into the wild) and several other companies offered anonymized versions of their models for scrutiny.

Dr. Ghosh, a lecturer at Northeastern University who specializes in artificial intelligence ethics, was a volunteer at the event. The contest, he said, allowed a head-to-head comparison of several A.I. models and demonstrated how some companies were further along in ensuring that their technology was performing responsibly and consistently.

He will help write a report analyzing the hackers’ findings in the coming months.

The goal, he said: “an easy-to-access resource for everybody to see what problems exist and how we can combat them.”

Defcon was a logical place to test generative artificial…

Source…

Making The Most Of A Penetration Test: The Organizational Perspective

May 19, 2023/in Internet Security

an organization’s security posture

getty

It doesn’t take a rocket scientist to grasp why cybercriminals prioritize attacks on organizations. These folks are notoriously keen on taking shortcuts, and the average enterprise environment is a goldmine of quick exploitation opportunities that range from ransomware extortion and data breaches, to industrial espionage and botnet activity.

Once a trespass has happened, hackers move laterally across the infrastructure to stretch the attack surface by plaguing multiple endpoints in one go. What’s particularly unsettling, they may maintain the foothold for months without being detected. In the aftermath of this, companies face downtime, loss of customer data, financial repercussions, and regulatory issues, let alone long-term reputational damages.

It comes as no surprise that proactive security is gathering steam today, wherein penetration testing (pentesting) is a Swiss Army knife strategy. In plain words, it’s about breaking bad for a while to simulate a real attacker’s actions. This offensive approach can be an eye-opening experience to enterprises in terms of their vulnerabilities and applicable fixes.

The internet is rife with information about penetration testing types and methodologies, so this article will zoom in on a few key aspects, including those that call forth confusion and misconceptions among organizations that decide to jump on the pentesting bandwagon.

Knowing the objectives is half the battle

Emphasis on the goals is a cornerstone of preparing for an offensive cyber stress test that will yield positive security dividends rather than being a waste of time and resources. This is first and foremost because the motivation defines the methods for conducting a pentest.

Risk mitigation is a common objective. The impulse to minimize the odds of a security incident is often fueled by a recent attack that wreaked havoc in the industry the company represents. The impetus for reducing risks may as well stem from corporate decision makers’ forward-thinking philosophy geared toward best security practices, which is a commendable route to take.

Compliance is another driving force throughout the penetration testing…

Source…