Black Hat and DEF CON are two of the key safety conferences within the U.S., drawing massive crowds of cyber and AI decision-makers to Las Vegas. Black Hat USA 2024 ran from Aug. 3-8, with many of the briefings occurring on Aug. 7 and eight; DEF CON 32 runs from Aug. 8-11.
We’re rounding up the enterprise enterprise tech information from Black Hat and DEF CON that’s most related for IT and tech decision-makers. Notably, safety researchers discovered a vulnerability that opens up six AWS companies to assaults, which has since been patched.
This text can be up to date all through Black Hat and DEF CON with extra information highlights.
Find out how to maintain generative AI accountable
A significant matter of dialog and analysis at Black Hat this week can be find out how to maintain generative AI accountable within the case of hallucinations, misinformation, or follow-on results from generated content material.
On the one-day AI Summit (ticketed individually from the remainder of Black Hat), specialists mentioned find out how to safe AI fashions and functions for enterprise use, in addition to using AI in cyberattacks.
AI Village at DEF CON tasked a group of hackers with exploring find out how to detect and report AI flaws. This occasion was notable as a result of each the vulnerabilities and the strategies of reporting these vulnerabilities come beneath scrutiny. Ideally, this occasion will assist AI distributors construct frameworks for extra thorough and correct reporting.
DARPA and different authorities organizations labored on securing generative AI at DEF CON as properly. The AI Cyber Problem (AIxCC) Semifinal Competitors examined hackers’ abilities in securing vital infrastructure in a hypothetical, futuristic metropolis.
Patches and vulnerabilities recognized
Many organizations at Black Hat and DEF CON will announce patches and noteworthy vulnerabilities. We are going to cowl these as they come up. For individuals attending the convention, there are numerous briefings to select from.
Aqua Safety introduced on Aug. 7 that it had pinpointed a vulnerability in six AWS cloud companies that might let attackers execute code remotely or take over accounts. Amazon has since shut that door. The issue was that S3 buckets for these six companies — CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar — had names with comparable patterns. Due to this, attackers may guess names to plant malicious code in respectable S3 buckets.
Zenity CTO Michael Bargury demonstrated how attackers can hijack Microsoft Copilot utilizing oblique immediate injection and by poisoning RAG — a common methodology for bettering the accuracy of AI fashions.
In his briefing, Bangury highlighted the challenges generative AI presents to safety groups, together with distant code execution and “promptware.” He additionally really helpful strategies for locking down Copilot entry in opposition to malicious actors, together with individuals already contained in the goal firm.
The safety world continues to be engaged on standardized safety for AI
Cybersecurity service HackerOne recognized just a few tendencies within the intersection between generative AI and safety:
- Generative AI helps menace actors assault at larger scales than earlier than.
- Generative AI must be outlined in ways in which permit for larger standardization in safety and governance.
- Open-source fashions are on-trend.
“Step one we have to take is creating and agreeing upon a set of widespread definitions,” Michiel Prins, cofounder of HackerOne, wrote in an e mail to TechRepublic. “We should ask: What’s AI? Is it GenAI or LLMs? What in regards to the ML options which were round for many years? The area is riddled with unclear definitions, which makes it more and more troublesome for individuals to grasp one another.”
Enhancing safety intelligence
X-Ops, the safety response group of IT-as-a-service supplier Sophos, launched a report on Tuesday about new ways ransomware attackers use to place stress on their victims. These ways can embrace:
- Encouraging prospects to open authorized instances in opposition to sufferer organizations.
- Opening authorized instances themselves.
- Looking for monetary details about goal corporations, notably data that may reveal inaccuracies or subterfuge.
- Exposing prison exercise that will happen on firm gadgets.
- Portray the organizations they aim as negligent or morally poor.
Notable product releases
Flashpoint launched new options and capabilities in Flashpoint Ignite and Echosec on Aug. 6. Flashpoint Ignite, the flagship platform, will now embrace investigations administration and intelligence necessities mapping, which matches Flashpoint collections with Precedence Intelligence Necessities. Echosec will embrace location safety beginning Aug. 6.
The AI safety firm CalypsoAI boosted its product line with out-of-the-box scanners for particular business-use instances and verticals and real-time menace updates
Keynotes carry nationwide and company gamers
Keynote audio system for Black Hat 2024 embrace Cybersecurity and Infrastructure Safety Company Director Jen Easterly, Google Safety Engineering Supervisor Ellen Cram Kowalczyk, and Microsoft Risk Intelligence Technique Director Sherrod DeGrippo.
DeGrippo spoke to TechRepublic earlier this month about retaining companies safe through the Paris Olympics.
TechRepublic is masking Black Hat and DEF CON remotely. This text can be up to date all through Black Hat and DEF CON with extra information highlights.