How cyber criminals are compromising AI software supply chains

With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important.

Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to be a hacktivist organization motivated by an anti-AI cause, specifically targets these resources to poison data sets used in AI model training.

Whether you use mainstream AI solutions, integrate them into your existing tech stack via application programming interfaces (APIs) or develop your own models from open-source foundation models, the entire AI software supply chain is now squarely in the sights of cyberattackers.

Poisoning open-source data sets

Open-source components play a critical role in the AI supply chain. Only the largest enterprises have access to the vast amounts of data needed to train a model from scratch, so everyone else has to rely heavily on open-source data sets like LAION 5B or Common Corpus. The sheer size of these data sets also makes it extremely difficult to maintain data quality and compliance with copyright and privacy laws. By contrast, many mainstream generative AI models like ChatGPT are black boxes in that they use their own curated data sets. This comes with its own set of security challenges.

Verticalized and proprietary models may refine open-source foundation models with additional training using their own data sets. For example, a company developing a next-generation customer service chatbot might use its previous customer communications records to create a model tailored to their specific needs. Such data has long been a target for cyber criminals, but the meteoric rise of generative AI has made it all the more attractive to nefarious actors.

By targeting these data sets, cyber criminals can poison them with misinformation or malicious code and data. Then, once that compromised information enters the AI model training process, we start to see a ripple effect spanning the entire AI software lifecycle. It can take thousands of hours and a vast amount of computing power to train a large language model (LLM). It’s an enormously costly endeavor, both financially and environmentally. However, if the data sets used in the training have been compromised, chances are the whole process has to start from scratch.


Other attack vectors on the rise

Most AI software supply chain attacks take place through backdoor tampering methods like those mentioned above. However, that’s certainly not the only way, especially as cyberattacks targeting AI systems become increasingly widespread and sophisticated. Another method is the flood attack, where attackers send huge amounts of non-malicious information through an AI system in an attempt to cover up something else — such as a piece of malicious code.

We’re also seeing a rise in attacks against APIs, especially those lacking robust authentication procedures. APIs are essential for integrating AI into the myriad functions businesses now use it for, and while it’s often assumed that API security is on the solution vendor, in reality, it’s very much a shared responsibility.

Recent examples of AI API attacks include the ZenML compromise or the Nvidia AI Platform vulnerability. While both have been addressed by their respective vendors, more will follow as cyber criminals expand and diversify attacks against software supply chains.

Safeguarding your AI projects

None of this should be taken as a warning to stay away from AI. After all, you wouldn’t stop using email because of the risk of phishing scams. What these developments do mean is that AI is now the new frontier in cyber crime, and security must be hard-baked into everything you do when developing, deploying, using and maintaining AI-powered technologies — whether they’re your own or provided by a third-party vendor.

To do that, businesses need complete traceability for all components used in AI development. They also need full explainability and verification for every AI-generated output. You can’t do that without keeping humans in the loop and putting security at the forefront of your strategy. If, however, you view AI solely as a way to save time and cut costs by laying off workers, with little regard for the consequences, then it’s just a matter of time before disaster strikes.
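The traceability this section calls for starts with pinning every data set shard and model checkpoint to a known digest before it enters training, and re-checking those pins whenever an artifact is pulled from a mirror or repository. The script below is an added example, not code from the Security Intelligence article or from any product it mentions: it records a manifest of SHA-256 digests and file sizes for a set of artifacts, then verifies a later copy against that manifest and reports modified, missing and unexpected files. The manifest layout, the file names and the source URL are assumptions for illustration. It also covers the scenario described under "Poisoning open-source data sets": a shard with an injected record shows up as a mismatch instead of silently entering training.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large shards never need to fit in memory


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, source: str) -> dict:
    """Pin every file under root: relative path -> {sha256, size}.

    The manifest layout is an assumption for this example (not a standard); it is
    what a team would record when a data set or checkpoint is approved for training.
    """
    artifacts = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        artifacts[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return {"source": source, "artifacts": artifacts}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root with the pinned manifest.

    Returns sorted lists: ok, mismatch (content or size changed), missing
    (pinned file absent) and unexpected (file present but never pinned).
    """
    expected = manifest["artifacts"]
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, pinned in expected.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif path.stat().st_size == pinned["size"] and sha256_file(path) == pinned["sha256"]:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in expected:
                report["unexpected"].append(rel)
    return {key: sorted(value) for key, value in report.items()}


def demo() -> dict:
    """Constructed scenario: pin a tiny data set, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "train").mkdir()
        shard = root / "train" / "shard-0000.jsonl"
        shard.write_text('{"text": "constructed sample record"}\n')
        (root / "weights.bin").write_bytes(b"\x00" * 1024)  # stand-in for a checkpoint
        manifest = build_manifest(root, "https://example.invalid/dataset")  # assumed URL

        # The manifest travels separately from the artifacts (for example next to the
        # model card); round-trip it through JSON as a consumer would receive it.
        manifest = json.loads(json.dumps(manifest))

        # Simulate a poisoned mirror: one injected record and one file that was never pinned.
        shard.write_text('{"text": "constructed sample record"}\n{"text": "injected"}\n')
        (root / "extra_loader.py").write_text("print('not part of the approved data set')\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the report for the constructed scenario: the checkpoint verifies, the tampered shard is listed under `mismatch`, and the stray loader script under `unexpected`. In practice the manifest should be produced at the point of approval, stored and distributed separately from the artifacts it describes, and the check should gate every training run and every deployment that loads weights.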

AI-powered security solutions also play a critical role in countering the threats. They’re not a replacement for talented security analysts but a powerful augmentation that helps them do what they do best on a scale that would otherwise be impossible to achieve.

The post How cyber criminals are compromising AI software supply chains appeared first on Security Intelligence.



Donald Trump says Elon Musk would lead a commission to cut federal waste; Hunter Biden pleads guilty to federal tax evasion charges

Donald Trump says Elon Musk would lead a government efficiency commission in a Second Trump Administration, interview with USA Today’s Bart Jansen on federal court hearing in Trump election interference case and presidential immunity (23), Hunter Biden pleads guilty to federal tax evasion charges, President Joe Biden visits Wisconsin to announce $7.3 billion for clean, rural energy projects, 14-year-old suspect in Georgia high school shooting charged with four counts of murder, Israel Prime Minister Benjamin Netanyahu says reports that negotiators are close to a cease-fire deal with Hamas are ‘exactly inaccurate’.




The Feds Charged a Pro-Russian Pundit for Evading Sanctions. He Says They’re Trying to Silence Him.

The Justice Department on Thursday charged Dimitri Simes, pro-Russian pundit and former head of a Washington think tank, along with his wife, Anastasia Simes, with violating US sanctions by accepting millions of dollars from a Russian state television network and laundering the proceeds.

Reached by phone in Moscow, where he has a home, Dimitri Simes, who was an adviser to Trump’s 2016 campaign, declined to comment on the allegations against him. But he denounced the charges against his wife as “lies and half-truths” and argued that the Biden administration is targeting the couple to punish him for expressing pro-Russian views.

“If you think this is a law abiding administration [it] would be shocking, but no, I am not terribly surprised,” Simes said, of the charges against his wife.

“I think that Mr. Garland would have to be ashamed of producing something like that,” Simes added. “It is beneath the dignity of the Department of Justice.”

Simes indicated that he does not plan to return to the US to face the charges. He said he believes the Justice Department charged him “to stop me from coming to the US.”

“They want to punish me” for criticizing US support for Ukraine, he claimed.

Simes said he “would most certainly welcome an opportunity to come to a trial in Washington as a witness” to testify against Biden administration officials “who betrayed the US…and are trying to start World War III.”

The indictment against the couple alleges that they received $1 million, a personal car and driver, and a stipend for an apartment in Moscow, in exchange for work they did for Russia’s state-owned Channel One after the US sanctioned the network over Russia’s 2022 invasion of Ukraine.

“These defendants allegedly violated sanctions that were put in place in response to Russia’s illegal aggression in Ukraine,” Matthew Graves, the US Attorney for Washington DC, said in a statement announcing the indictments. “Such violations harm our national security interests—a fact that Dimitri Simes, with the deep experience he gained in national affairs after fleeing the Soviet Union and becoming a US citizen, should have uniquely appreciated.”

Simes is the former longtime head of the Center for National Interest, which was founded by Richard Nixon in 1994 and advocates for “strategic realism” in US foreign policy. Simes’ efforts in 2016 to arrange contacts between the Trump campaign and Russia drew scrutiny from special counsel Robert Mueller, but Simes was not accused of wrongdoing.

The charges against the Simes couple are part of a Justice Department crackdown on Russian influence efforts. Federal prosecutors yesterday indicted two employees of Russian state-controlled network Russia Today for violating the Foreign Agents Registration Act by secretly running a right-leaning media company they used to push pro-Kremlin messaging.

The site featured content from pro-Trump pundits including Benny Johnson and Tim Pool. Both Johnson and Pool said they are victims of the scheme.

Deputy Attorney General Lisa Monaco said the defendants in the Tenet case “used American-based individuals and entities to exploit, frankly, our free society to try to undermine our election,” including by deploying “unwitting influencers to push Russian propaganda and pro-Russian messaging.”

DOJ alleges that Anastasia Simes received funds from a Russian businessman named Alexander Udodov, whom the Treasury Department sanctioned last year for his support for the Russian government. Prosecutors allege that Anastasia Simes helped Udodov evade sanctions by “purchasing art and antiques for the benefit of Udodov from galleries and auction houses in the United States and Europe, and having the items shipped to her residence in Huntly, Virginia, where they were stored for onward shipment to Russia.”

Anastasia Simes could not be reached, but Dimitri Simes said the charges against his wife are false. “She started working with [Udodov] before the sanctions and was never aware of any sanctions” against the oligarch, Simes said.

He also said his wife took no steps, such as contacting a shipping company, “to ship goods to Russia.”

“There was no conspiracy, nothing,” Simes said. “She has a legitimate business. I am proud of my wife. I am very supportive of what she is doing.”

Simes’ attorney David Rivkin declined to comment.



New report shows ongoing gender pay gap in cybersecurity

The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.

The recent ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.

Pay gap between men and women

One of the most concerning disparities revealed by the study is a persistent pay gap. The study found that U.S. male cybersecurity professionals are paid more on average than women at the same level. The results show an average salary of $148,035 for men and $141,066 for women. A pay gap also exists globally, with the average global salary for women being $109,609 and for men $115,003.

ISC2 also found a gender pay disparity among people of color in the U.S. The study found that men of color earned an average of $143,610, and women of color earned $135,630. However, the study wasn’t able to compare salaries for people of color on a global basis.

Lack of women in cybersecurity

The study also showed a gap between the number of men and the number of women who work in cybersecurity. Based on the results, ISC2 found that only 20% to 25% of people working in the cybersecurity field are women. Because the percentage of women under 30 years of age in cybersecurity was 26% compared to 16% among women between 39 and 44, the report created optimism that more younger women are choosing cybersecurity as a career.

Interestingly, women reported working on teams with a higher proportion of women than men did, suggesting that women seek out teams and companies that already have other women working in cybersecurity. Women reported a higher share of women team members (30%) compared to men (22%).

However, 11% of security teams were found to have no women at all, with only 4% saying that it was an equal split between men and women. The industries with the highest number of no-women security teams included IT services (19%), financial services (13%) and government (11%). Mid-sized organizations with 100 to 999 employees were most likely to have security teams with no women.

However, the report also found several areas of concern regarding women’s experiences working in the cybersecurity field:

  • 29% of women in cybersecurity reported discrimination at work, with 19% of men reporting discrimination
  • 36% of women felt they could not be authentic at work, with 29% of men reporting this sentiment
  • 78% of women felt it was essential for their security team to succeed, compared to 68% of men
  • 66% of women feel that diversity within the security team contributed to the security team’s success, compared to 51% of men

Using hiring initiatives to increase women on security teams

The gaps in cybersecurity — both pay and gender — won’t be resolved without a focused effort by industry and companies. Many companies are seeing results by adopting specific DEI hiring initiatives, such as skills-based hiring, and using job descriptions that refer to DEI programs/goals.

The ISC2 report found that businesses using skills-based hiring have an average of 25.5% women in their workforces compared with 22.2% for businesses using other methods. By including DEI program goals in job descriptions, companies can also increase the number of women on their security teams, with 26.6% for those using these types of job descriptions vs. 22.3% for women at those that do not.

Lack of perspectives hurts cybersecurity teams

Without women on cybersecurity teams, security teams lack the wide range of experience and perspectives needed to reduce security risks. Organizations can improve their security by focusing on increasing the number of women on their team, which also means eliminating the pay gap.

“Broader than cybersecurity, there’s a body of research that says the more perspectives you bring to the table, the better off you will be at problem-solving,” Clar Rosso, CEO of ISC2, told Dark Reading. “In cybersecurity, which is a very complex, growing threat landscape, the more perspectives that we bring to the table to solve problems, the more likely we will be able to impact our cyber defense.”

The post New report shows ongoing gender pay gap in cybersecurity appeared first on Security Intelligence.



The Israeli negotiator who talks to Hamas

Gershon Baskin on his experience as a hostage negotiator in the Israel-Palestine conflict. Help support our independent journalism at theguardian.com/infocus
