
AWS Patches Vulnerability in Cloud Services

Black Hat and DEF CON are two of the foremost security conferences in the U.S., drawing large crowds of cyber and AI decision-makers to Las Vegas. Black Hat USA 2024 ran from Aug. 3-8, with many of the briefings taking place on Aug. 7 and 8; DEF CON 32 runs from Aug. 8-11.

We’re rounding up the enterprise tech news from Black Hat and DEF CON that is most relevant for IT and tech decision-makers. Notably, security researchers discovered a vulnerability that exposed six AWS services to attack, which has since been patched.

This article will be updated throughout Black Hat and DEF CON with more news highlights.

How to hold generative AI accountable

A major topic of conversation and research at Black Hat this week will be how to hold generative AI accountable in the case of hallucinations, misinformation, or follow-on effects from generated content.

At the one-day AI Summit (ticketed separately from the rest of Black Hat), experts discussed how to secure AI models and applications for enterprise use, as well as the use of AI in cyberattacks.

AI Village at DEF CON tasked a group of hackers with exploring how to detect and report AI flaws. This event was notable because both the vulnerabilities and the methods of reporting those vulnerabilities came under scrutiny. Ideally, the event will help AI vendors build frameworks for more thorough and accurate reporting.

DARPA and other government organizations worked on securing generative AI at DEF CON as well. The AI Cyber Challenge (AIxCC) Semifinal Competition tested hackers’ skills in securing critical infrastructure in a hypothetical, futuristic city.

Patches and vulnerabilities identified

Many organizations at Black Hat and DEF CON will announce patches and notable vulnerabilities. We will cover these as they arise. For people attending the conference, there are many briefings to choose from.

Aqua Security announced on Aug. 7 that it had pinpointed a vulnerability in six AWS cloud services that could let attackers execute code remotely or take over accounts. Amazon has since shut that door. The problem was that the S3 buckets for these six services — CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar — had names that followed similar patterns. Because of this, attackers could guess the names and plant malicious code in what the services treated as legitimate S3 buckets.
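The bucket-name squatting risk described above can be audited from the defender’s side. The following is an added Python example, not code from the article or from Aqua Security: it checks that each bucket a deployment expects to use is really owned by our own account via S3 HeadBucket’s ExpectedBucketOwner parameter, and flags names that already exist under someone else’s account. The account id, bucket names and FakeS3Client are assumptions constructed so the example runs offline.

```python
# Added example (not from the article or Aqua Security). Real check: S3
# HeadBucket with ExpectedBucketOwner; S3 answers 403 when another account
# owns the bucket and 404 when it does not exist. FakeS3Client, the account
# id and bucket names are constructed; with boto3 pass boto3.client("s3").

ACCOUNT_ID = "123456789012"  # hypothetical account id

class S3Error(Exception):
    """Mimics the .response layout of botocore's ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeS3Client:
    """Constructed stand-in for the boto3 S3 client (head_bucket only)."""
    def __init__(self, owners):
        self.owners = owners  # bucket name -> owning account id

    def head_bucket(self, Bucket, ExpectedBucketOwner):
        if Bucket not in self.owners:
            raise S3Error("404")
        if self.owners[Bucket] != ExpectedBucketOwner:
            raise S3Error("403")
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

def audit_buckets(s3, bucket_names, account_id):
    """Map each bucket to 'owned', 'foreign' (exists under another account,
    the squatting signal), 'missing' (nobody holds the name yet) or 'error'."""
    results = {}
    for name in bucket_names:
        try:
            s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
            results[name] = "owned"
        except Exception as exc:  # botocore ClientError, or S3Error here
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            results[name] = {"404": "missing", "403": "foreign"}.get(code, "error")
    return results

def squatted(results):
    """Buckets another account holds: refuse to use them and alert."""
    return sorted(b for b, s in results.items() if s == "foreign")

if __name__ == "__main__":
    # Constructed names that follow one predictable per-region pattern.
    names = [f"svc-artifacts-{ACCOUNT_ID}-{r}" for r in ("us-east-1", "eu-west-1", "ap-south-1")]
    fake = FakeS3Client({names[0]: ACCOUNT_ID, names[1]: "999999999999"})
    report = audit_buckets(fake, names, ACCOUNT_ID)
    print(report, "squatted:", squatted(report))
```

A "missing" result is also worth acting on: creating the bucket yourself removes the name from the pool an outsider could claim.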

Zenity CTO Michael Bargury demonstrated how attackers can hijack Microsoft Copilot using indirect prompt injection and by poisoning RAG — a widespread method for improving the accuracy of AI models.

In his briefing, Bargury highlighted the challenges generative AI presents to security teams, including remote code execution and “promptware.” He also recommended methods for locking down Copilot access against malicious actors, including people already inside the target company.

The security world is still working on standardized security for AI

Cybersecurity service HackerOne identified a few trends at the intersection of generative AI and security:

  • Generative AI helps threat actors attack at greater scale than before.
  • Generative AI needs to be defined in ways that allow for greater standardization in security and governance.
  • Open-source models are on trend.

“The first step we need to take is creating and agreeing upon a set of common definitions,” Michiel Prins, cofounder of HackerOne, wrote in an email to TechRepublic. “We must ask: What is AI? Is it GenAI or LLMs? What about the ML solutions that have been around for decades? The space is riddled with unclear definitions, which makes it increasingly difficult for people to understand one another.”

Improving security intelligence

X-Ops, the security response team of IT-as-a-service provider Sophos, released a report on Tuesday about new tactics ransomware attackers use to put pressure on their victims. These tactics can include:

  • Encouraging customers to open legal cases against victim organizations.
  • Opening legal cases themselves.
  • Seeking financial information about target companies, particularly information that may reveal inaccuracies or subterfuge.
  • Exposing criminal activity that may be taking place on company devices.
  • Painting the organizations they target as negligent or morally deficient.

Notable product releases

Flashpoint released new features and capabilities in Flashpoint Ignite and Echosec on Aug. 6. Flashpoint Ignite, the flagship platform, will now include investigations management and intelligence requirements mapping, which matches Flashpoint collections with Priority Intelligence Requirements. Echosec will include location security starting Aug. 6.

The AI security company CalypsoAI boosted its product line with out-of-the-box scanners for specific business use cases and verticals, and real-time threat updates.

Keynotes bring national and corporate players

Keynote speakers for Black Hat 2024 include Cybersecurity and Infrastructure Security Agency Director Jen Easterly, Google Security Engineering Manager Ellen Cram Kowalczyk, and Microsoft Threat Intelligence Strategy Director Sherrod DeGrippo.

DeGrippo spoke to TechRepublic earlier this month about keeping businesses secure during the Paris Olympics.

TechRepublic is covering Black Hat and DEF CON remotely.
