Security

AI-powered IT security seems cool – until you clock miscreants wielding it too

Field both embraced, feared by enterprise


Comment We're hearing more about AI or machine learning being used in security, monitoring, and intrusion-detection systems. But what happens when AI turns bad?

Two interesting themes emerged from separate recent studies: the growth of artificial intelligence coupled with concerns about their potential impact on security.

A survey of 5,000 IT professionals released late last month revealed three major threats techies believe they will face over the next five years: malicious AI attacks in the form of social engineering, computer-manipulated media content, and data poisoning. Just four in 10 pro quizzed believed their organizations understood how to accurately assess the security of artificially intelligent systems.

That was according to the Information Systems Audit and Control Association's (ISACA) second annual Digital Transformation Barometer, which named AI and machine learning among the top three technologies likely to be deployed in the next year.

They were also listed in the top five technologies likely to face resistance.

Interestingly, ISACA highlighted the different perceptions of AI risk between the digitally informed and business leaders who are technically illiterate.

"For AI, having digitally literate leaders correlates to lower perceived risks, which can be key when making the case for deploying technologies," ISACA noted. "33 per cent of companies whose leaders do not possess technological expertise perceive AI to be high-risk, while just 25 per cent of companies with digitally literate leaders perceive AI to be high-risk. Organisations led by digitally literate leaders were almost twice as likely to deploy AI than other organizations (33 per cent compared to 18 per cent)."

When it came to emerging technologies, a decision on whether or not to deploy was found to be largely affected by familiarity. Using AI as an example, 76 per cent of enterprises testing it said that it was worth the risk, with just nine per cent saying it was not. In enterprises that were not testing AI, the confidence in it being worth the risk dropped by a third, while the proportion of respondents who said it is not worth the risk more than doubled.

Rise of the Machines

Are the ISACA members right to be concerned about AI security risks, or does simply understanding a tech make you fear it less?

A paper published earlier this year, titled The New Frontiers of Cybersecurity, backed by the National Natural Science Foundation of China, sided with the former statement.

AI quickly cooks malware that AV software can't spot

READ MORE

It asserted that machine-learning is capable of transforming security by mining information and learning from various types of data – such as spam emails, messages and videos – and then evolving an autonomous detection or defense system. Continuous self-training will continue to promote the performance of AI-powered systems, including their stability, accuracy, efficiency, and scalability. But this also works the other way round.

"AI is pushing the boundaries of the abilities of hackers," the paper noted. "Autonomous hacking machines powered by AI can craft sensitive information and find vulnerabilities in computer systems, thus making it much more difficult to fight hackers. Worse yet, AI is able to learn sensitive information, such as personal preferences, from a vast amount of seemingly insensitive data.

"These facts lead us to believe that hackers weaponized by AI will create more sophisticated and increasingly stealthy automated attacks that will demand effective detection and mitigation techniques."

Knowing AI and not fearing it has its place; understanding it as an tool in the hands of the enemy, however, is also worthwhile. Luckily, so far, miscreants prefer to run relatively simple attacks, usually involving phishing or automated exploitation of known vulnerabilities, than training and developing sophisticated machine-learning cyber-weapons. ®

We'll be examining machine learning, artificial intelligence, and data analytics, and what they mean for you, at Minds Mastering Machines in London, between October 15 and 17. Head to the website for the full agenda and ticket information.

Send us news
20 Comments
Get our Security newsletter

Who knew Uncle Sam had strike teams for SolarWinds, Exchange flaws? Well, anyway, they are disbanded

Lessons learned and mission accomplished, apparently

The US government's response groups for dealing with recent SolarWinds and Microsoft Exchange vulnerabilities have reached the end of the road.

In a statement on Monday, US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the two Unified Coordination Groups (UCGs) formed in January and March respectively will be disbanded.

"Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," said Neuberger.

Continue reading

'There was no one driving that vehicle': Texas cops suspect Autopilot involved after two men killed in Tesla crash

Model S took corner at high speed, left road, and smashed into a tree

Authorities are investigating a Tesla crash in Texas in which two men were killed this weekend. The authorities are probing whether the vehicle was operating in its "Autopilot" mode, with neither occupant in control.

According to reports, the collision happened at 23:25 local time on 17 April in the Houston suburb of The Woodlands.

Neither of the two unnamed victims – born in 1962 and 1951 – were in the driver's seat at the time of the accident, according to Sgt Cynthia Umanzor of the Harris County Constable Precinct 4, who spoke to local TV station Khou-TV (geo-restricted).

Continue reading

WordPress core contributor proposes treating Google FLoC as a security vulnerability

Let's opt every WordPress site out of FLoC. Nice idea, but security update? Really?

A proposal by a WordPress core contributor to treat Google's FLoC ad tech as a security vulnerability, and therefore backport an automatic opt-out to previous WordPress versions, shows the depth of community opposition to the technology.

FLoC (Federated Learning of Cohorts) is Google’s scheme to replace third-party cookies with an ad personalisation system based on groups of users. It has run into wide opposition from privacy advocates and browser makers, but Google has nonetheless pressed ahead with trials in the current version of Chrome.

Now a WordPress Core contributor has proposed treating “FLoC as a security concern.”

Continue reading

Brit Salesforce exec Gavin Patterson becomes transfer target for controversial European Super League

Ex-BT boss is familiar with the football lifestyle – being paid millions for doing very little

Gavin Patterson, former boss of BT, is in the frame to lead a proposed European football league at the centre of a storm of criticism.

According to Sky News, Patterson was approached informally several weeks ago about the role.

Proposals for the European Super League – which UK football clubs Arsenal, Chelsea, Liverpool, Manchester City, Manchester United and Tottenham Hotspur have agreed to join – include a "new midweek competition" with teams continuing to "compete in their respective national leagues". AC Milan, Atletico Madrid, Barcelona, Inter Milan, Juventus and Real Madrid have also agreed to join the controversial league, which plans say will have 20 teams: the 12 founding members plus the three unnamed clubs they expect to join soon, and five teams who qualify annually according to their domestic achievements.

Continue reading

Won't somebody please think of the children!!! UK to mount fresh assault on end-to-end encryption in Facebook

Change the record, nobody's fooled by this now

UK Home Secretary Priti Patel will badmouth Facebook's use of end-to-end encryption on Monday evening as she links the security technology with paedophilia, terrorism, organised crime, and so on.

The ever-popular politician will say at the National Society for the Prevention of Cruelty to Children (NSPCC) event: "Sadly, at a time when we need to be taking more action, Facebook are pursuing end-to-end encryption plans that place the good work and progress achieved so far [on fighting the issue of child abuse] in jeopardy."

Patel's speech is intended to kickstart a fresh round of government campaigning against end-to-end encryption, as previewed by Wired a few weeks ago.

Continue reading

UK digital secretary Oliver Dowden starts national security probe into proposed Arm-Nvidia merger

Share price immediately dips for GPU-maker

The proposed sale of Arm to NVIDIA looks a bit more tenuous today after UK digital secretary Oliver Dowden issued a Public Interest Intervention Notice (PIIN) indicating he may intervene in the sale on national security grounds.

The disptach of the PIIN has kicked-off a further degree of scrutiny, with the Competition and Markets Authority (CMA) instructed to include any potential national security concerns in its upcoming report on the merger. These would be obtained via consultation with relevant third parties, and come as an addition to its existing focus on jurisdictional and competition issues.

Depending on the outcome of the review, Dowden can choose to clear the transaction, impose certain conditions, or refer the it to a more intensive “phase two” investigation.

Continue reading

Microsoft bows to the inevitable and takes Visual Studio 64-bit for 2022 version

When 4GB is just not quite enough

Microsoft is to drag veteran code wrangler Visual Studio kicking and screaming into the modern world with a 64-bit version.

It has been a while coming. Visual Studio dates back to the last century and started out life as Visual Studio 97 (replete with the likes of J++) before version 6.0 turned up to round out the 1990s. Microsoft stuck with naming by year thereafter (aside from a brief dalliance with slapping everything with the .NET moniker at the start of this century).

Which brings us to Visual Studio 2022 and one of the larger overhauls for the suite, not least of which is the long-awaited move to a 64-bit application.

Continue reading

Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months

Environment variables full of secrets uploaded to attacker server

Codecov, makers of a code coverage tool used by over 29,000 customers, has warned that a compromised script may have stolen credentials over a period of two months, before it was discovered a few weeks ago.

Code coverage measures how much of an application’s code is the subject of unit tests, the idea being that the higher the percentage, the more reliable the application is likely to be. It is a useful but imperfect metric, since it does not take into account the quality of the tests.

Codecov is a cloud-based tool which integrates with GitHub, GitLab, Atlassian Bitbucket, or any Git-based repository. Developers run tests using their own CI (Continuous Integration) tool and then upload the results to Codecov using a tool called Bash Uploader. Codecov then generates a report which is accessed on its site. Source code itself is not stored on Codecov’s site, but the tool does require read access to a repository in order to display code alongside reports on demand.

Continue reading

More Linux love for Windows Insiders with a kernel update

Rounded corners are nice, but what you really want is Linux 5.10, right?

Windows Insiders have been given a bit of Linux love with the arrival of a freshly updated kernel and an all-important clock fix.

Having yanked the Windows Subsystem for Linux (WSL) 2 out of the usual Windows servicing cadence, Microsoft's engineers have been able to update WSL 2 without requiring a full-on OS patch.

The original 4.19 branch was updated to 5.4.72 in February. The kernel has now been brought considerably more up to date with the 5.10.16.3 version.

Continue reading

Sysadmin for FIN7 criminal cracking group gets 10 years in US prison for managing card slurping malware scam

Plus Pwn2Own faces fire and update Chrome immediately

In Brief The former systems administrator for the FIN7 card-slurping gang has been sentenced to 10 years in a US prison.

Fedir Hladyr, 35, pled guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking last year, and on Friday was sentenced for his role in the theft and resale of over than 20 million customer card records from over 6,500 point-of-sale terminals across the US using the malware dubbed Carbanak.

Hladyr set up a front company, Combi Security, to cover his actions as he funneled the purloined data around the criminal underworld. He managed the encrypted comms network the gang used, ran the server farms used to spread and exploit malware, and coordinated individual attacks.

Continue reading

Japanese auto chipmaker Renesas expects to resume full production next month following fab blaze

Glimmer of hope on the semiconductor front – for the car industry anyway

Japanese chipmaker Renesas has said it will restore full production capacity at its N3 Naka plant by the middle of next month following a blaze in March that destroyed equipment and contaminated the clean room.

Renesas, which accounts for a third of all automotive semiconductor sales globally, said it expects to be at half-capacity by the end of April. CEO Hidetoshi Shibata confirmed in a press conference the company plans to install new fire suppression equipment to prevent any future fires.

Operations at the Naka N3 clean room resumed on 9 April. According to a notice from Renesas, the company had to rely on over 1,600 workers each day (both internal and from third parties) to rebuild and decontaminate the clean room, illustrating both the scale of destruction and difficulty in restoration.

Continue reading