Futurism.com has a story on how Perplexity AI browser is not very good with security concerns:
The vulnerability, known as an indirect prompt injection attack, is terrifyingly simple.
“The vulnerability we’re discussing in this post lies in how Comet processes webpage content,” the blog reads. “When users ask it to ‘Summarize this webpage,’ Comet feeds a part of the webpage directly to its [large language model] without distinguishing between the user’s instructions and untrusted content from the webpage.”
More news in the world that will change cybersecurity – 3rd party failures: Winstechnet Groupware failure https://it.chosun.com/news/articleViewAmp.html?idxno=2023092151607
Winstechnet, a South Korean cybersecurity company, said that the data breach reported by IT Chosun on the 20th was caused by a web shell vulnerability in its internal groupware system. Although the company offers more than 20 security products — including intrusion prevention systems (IPS), next-generation firewalls, and APT defense solutions — the incident has renewed concerns over the importance of operational security after a weakness in office software became the entry point for the attack.
This is a major cyber event as it highlights 3rd party risk —
What does the Perplexity AI browser issue and the Winstechnet issue have in common? The problems arise from major IT firms which we depend on them to be secure (AI software and a cybersecurity vendor) have not done the testing or review to make sure these issues do not come into a problem which then makes it overarching and takes over your life as the company needs to fix it.
Here is another article: https://thehackernews.com/2020/11/trojanized-security-software-hits-south.html
A background on Winstechnet: https://wins21.com/eng/company/intro__overview.html
“WINSTECHNET is a cyber security company and is leading the information security industry in Korea with the industry’s leading brand, SNIPER. WINSTECHNET will create a safer information security world through high-performance ‘security solutions’ and ‘security total services’ such as managed security service, consulting, AI and cloud security.”
So just to review – a Cyber security company got hacked due to a 3rd party… this is an issue like Solar Winds was a big issue. Solar Winds was the issue as TechTarget explains at link:
But just as 2020 was about to close, it pulled another fast one on us: the SolarWinds hack, one of the biggest cybersecurity breaches of the 21st century.
The SolarWinds hack was a major event not because a single company was breached, but because it triggered a much larger supply chain incident that affected thousands of organizations, including the U.S. government.
Effectively SolarWinds hack allowed the hackers to infiltrate many other companies by using the “update this software” for SolarWinds software an IT performance monitoring system called Orion.
Since Orion was monitoring all networks within many privileged areas this was a great coup for the hackers.
It is obvious to anyone that cares about cybersecurity (true cybersecurity) – We are still not close to being able to state the cyber security capabilities with certitude. This is why the industry is moving to “resilience” not being more secure or pushing security. Since resilience just states we want to be better able to keep going – which is true even if hacked.
We should focus on Resilient and secure or a term that pushes more security than keep on going.