Application Security WeeklySubscribe
Application security, Breach, AI/ML

Extracting Data from ChatGPT, Vulns Around AI, Secure AI Guidance, LogoFAIL, BLUFFS – ASW #265

Repetition extracts data from ChatGPT, more vulns in the software that surrounds AI, guidelines for secure AI, LogoFAIL trips a boot, BLUFFS attack on Bluetooth, CISA's first secure by design alert, Okta's updated breach disclosure, and more!

Full episode and show notes

Hosts

Tech Lead at Block
  1. 1. Extracting Training Data from ChatGPT

    As Duran Duran might say, "Please, please tell me now". Or rather "please, please, please, please" repeated a few dozen times before ChatGPT tells you some of its verbatim training data.

    Check out the research paper, https://arxiv.org/abs/2311.17035 (PDF).

  2. 2. Ray, Versions 2.6.3, 2.8.0 | Bishop Fox
  3. 3. UK and US develop new global guidelines for AI security

    Read the guidelines here.

  4. 4. CISA Releases First Secure by Design Alert
  5. 5. The Far-Reaching Consequences of LogoFAIL | Binarly – AI -Powered Firmware Supply Chain Security Platform
  6. 6. BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses | Daniele Antonioli

    The Bluetooth SIG's recommendations.

  7. 7. October Customer Support Security Incident – Update and Recommended Actions

    Good for transparency, not good for all customers. The practical consequences to customers seems minimal, but the reputational consequences to Okta remain.

    There's also so little transparency elsewhere, that it's hard to put this breach into perspective in terms of how long it took to investigate and how much the disclosure is revised based on ongoing analysis. It doesn't feel like this situation is out of the ordinary.

    Overall, the industry still needs to have less sso.tax and more strong MFA adoption -- including resilience for multi-tenant systems and processes that are resistance to social engineering.

  8. 8. TOOL: Nikto 2.5.0 Released!

    Wow -- Nikto is still under (sort of) active development!

    Less wow -- Nikto is still written in Perl.

Senior Engineering Leader at AWS
  1. 1. RCE in Splunk Enterprise

    Everybody's favorite most expensive web grep has a remote code execution vulnerability where a malicious user can upload a XSLT that results in remote code execution. Nathan digs into the vuln and reverse engineers a POC in his first blog post!

  2. 2. 40 years of Turbo Pascal

    What language did you start with?

  3. 3. IBM announces WatsonX code assistant

    IBM is previewing their "enterprise grade AI code generation" in Watsonx code assistant - looks like a plugin for VSCode.

Related

AI fixes everything, C++ the actual worst, IAM is hard – ASW #308

This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Wat...