Connect with us

Technology

Microsoft AI Has the Potential to Become an Automated Phishing Scheme

Published

on

Microsoft sped up to integrate generative AI into its core systems. The company’s Copilot AI technology can retrieve responses from your emails, Teams chats, and files when you ask questions regarding an upcoming meeting, which might be quite helpful in terms of efficiency. However, hackers may also take advantage of these very procedures.

Researcher Michael Bargury is showcasing five proof-of-concept ways that Copilot, which runs on its Microsoft 365 apps, like Word, can be manipulated by malicious attackers today at the Black Hat security conference in Las Vegas. These ways include using it to provide false references to files, exfiltrate some private data, and evade Microsoft’s security measures.

Arguably, one of the most concerning demonstrations is Bargury’s capacity to transform the AI into an autonomous spear-phishing apparatus. Known as LOLCopilot, the red-teaming code that Bargury developed can, crucially, be used by hackers to see who you regularly email, draft a message that mimics your writing style (including the use of emojis), and send a customized blast that may contain malware or a malicious link once they have access to a target’s work email.

Cofounder and CTO of security firm Zenity Bargury says, “I can do this with everyone you have ever spoken to, and I can send hundreds of emails on your behalf.” Bargury released his research along with videos demonstrating how Copilot may be misused. “A hacker would spend days crafting the right email to get you to click on it, but they can generate hundreds of these emails in a few minutes.”

This example, like other assaults developed by Bargury, primarily operates by utilizing the large language model (LLM) as intended: inputting written queries to obtain information that the AI can acquire. Nevertheless, if it contains extra information or commands to carry out certain tasks, it may have harmful effects. A few of the difficulties in integrating AI systems with corporate data are brought to light by the research, along with the potential consequences of incorporating “untrusted” external data, especially when the AI produces results that appear legitimate.

Among the other assaults that Bargury designed is an example of how a hacker might obtain sensitive data, like people’s salaries, without inadvertently triggering Microsoft’s defenses for sensitive files. This hacker, of course, must first have gained control of an email account. Bargury’s prompt requests that the system not give references to the files from which the data is extracted. Bullying occasionally does assist, according to Bargury.

In other cases, he demonstrates how an attacker can modify responses regarding banking information to reveal their own bank details. This attacker doesn’t have access to email accounts, but instead taints the AI’s database by sending it a malicious email. According to Bargury, “Every time you give AI access to data, that is a way for an attacker to get in,” 

Another example demonstrates how an outside hacker could obtain certain restricted knowledge regarding the potential success or failure of an impending corporate earnings call. The last example, according to Bargury, transforms Copilot into a “malicious insider” by sending users to phishing websites.

Microsoft’s head of AI incident detection and response, Phillip Misner, said the company has been collaborating with Bargury to evaluate the findings and is grateful that he discovered the issue. According to Misner,  “The risks of post-compromise abuse of AI are similar to other post-compromise techniques,” “Security prevention and monitoring across environments and identities help mitigate or stop such behaviors.”

In the last two years, generative AI systems have advanced to the point where, like Google’s Gemini, Microsoft’s Copilot, and OpenAI’s ChatGPT, they may ultimately perform human-like jobs like making reservations for events or making online purchases. But as security experts have shown time and time again, letting outside data into AI systems—for example, by email or by reading content from websites—raises the possibility of indirect trigger injection and poisoning attacks.

As a security researcher and red team director who has widely shown security flaws in AI systems, Johann Rehberger adds, “I think it’s not that well understood how much more effective an attacker can actually become now.” “What we have to be worried [about] now is actually what is the LLM producing and sending out to the user.”

Rehberger cautions in general that a number of data problems may be traced back to the long-standing issue of businesses permitting an excessive number of employees to view files and failing to properly arrange access permissions throughout their enterprises. Rehberger continues, “Now imagine you put Copilot on top of that problem.” He claims to have employed AI systems to look up popular passwords like Password123, and that the algorithms have produced findings from within businesses.

Rehberger and Bargury agree that monitoring the output that an AI generates and transmits to a user needs to be given greater attention. According to Bargury, “The risk is about how AI interacts with your environment, how it interacts with your data, how it performs operations on your behalf,” “You need to figure out what the AI agent does on a user’s behalf. And does that make sense with what the user actually asked for.”

Technology

Threads uses a more sophisticated search to compete with Bluesky

Published

on

Instagram Threads, a rival to Meta’s X, will have an enhanced search experience, the firm said Monday. The app, which is based on Instagram’s social graph and provides a Meta-run substitute for Elon Musk’s X, is introducing a new feature that lets users search for certain posts by date ranges and user profiles.

Compared to X’s advanced search, which now allows users to refine queries by language, keywords, exact phrases, excluded terms, hashtags, and more, this is less thorough. However, it does make it simpler for users of Threads to find particular messages. Additionally, it will make Threads’ search more comparable to Bluesky’s, which also lets users use sophisticated queries to restrict searches by user profiles, date ranges, and other criteria. However, not all of the filtering options are yet visible in the Bluesky app’s user interface.

In order to counter the danger posed by social networking startup Bluesky, which has quickly gained traction as another X competitor, Meta has started launching new features in quick succession in recent days. Bluesky had more than 9 million users in September, but in the weeks after the U.S. elections, users left X due to Elon Musk’s political views and other policy changes, including plans to alter the way blocks operate and let AI companies train on X user data. According to Bluesky, there are currently around 24 million users.

Meta’s Threads introduced new features to counter Bluesky’s potential, such as an improved algorithm, a design modification that makes switching between feeds easier, and the option for users to select their own default feed. Additionally, it was observed creating Starter Packs, its own version of Bluesky’s user-curated recommendation lists.

Continue Reading

Technology

Apple’s own 5G modem-equipped iPhone SE 4 is “confirmed” to launch in March

Published

on

Tom O’Malley, an analyst at Barclays, recently visited Asia with his colleagues to speak with suppliers and makers of electronics. The analysts said they had “confirmed” that a fourth-generation iPhone SE with an Apple-designed 5G modem is scheduled to launch near the end of the first quarter next year in a research note they released this week that outlines the main conclusions from the trip. That timeline implies that the next iPhone SE will be unveiled in March, similar to when the present model was unveiled in 2022, in keeping with earlier rumors.

The rumored features of the fourth-generation iPhone SE include a 6.1-inch OLED display, Face ID, a newer A-series chip, a USB-C port, a single 48-megapixel rear camera, 8GB of RAM to enable Apple Intelligence support, and the previously mentioned Apple-designed 5G modem. The SE is anticipated to have a similar design to the base iPhone 14.

Since 2018, Apple is said to have been developing its own 5G modem for iPhones, a move that will let it lessen and eventually do away with its reliance on Qualcomm. With Qualcomm’s 5G modem supply arrangement for iPhone launches extended through 2026 earlier this year, Apple still has plenty of time to finish switching to its own modem. In addition to the fourth-generation iPhone SE, Apple analyst Ming-Chi Kuo earlier stated that the so-called “iPhone 17 Air” would come with a 5G modem that was created by Apple.

Whether Apple’s initial 5G modem would offer any advantages to consumers over Qualcomm’s modems, such quicker speeds, is uncertain.

Qualcomm was sued by Apple in 2017 for anticompetitive behavior and $1 billion in unpaid royalties. In 2019, Apple purchased the majority of Intel’s smartphone modem business after the two firms reached a settlement in the dispute. Apple was able to support its development by acquiring a portfolio of patents relating to cellular technology. It appears that we will eventually be able to enjoy the results of our effort in four more months.

On March 8, 2022, Apple made the announcement of the third-generation iPhone SE online. With antiquated features like a Touch ID button, a Lightning port, and large bezels surrounding the screen, the handset resembles the iPhone 8. The iPhone SE presently retails for $429 in the United States, but the new model may see a price increase of at least a little.

Continue Reading

Technology

Google is said to be discontinuing the Pixel Tablet 2 and may be leaving the market once more

Published

on

Google terminated the development of the Pixel Tablet 3 yesterday, according to Android Headlines, even before a second-generation model was announced. The second-generation Pixel Tablet has actually been canceled, according to the report. This means that the gadget that was released last year will likely be a one-off, and Google is abandoning the tablet market for the second time in just over five years.

If accurate, the report indicates that Google has determined that it is not worth investing more money in a follow-up because of the dismal sales of the Pixel Tablet. Rumors of a keyboard accessory and more functionality for the now-defunct project surfaced as recently as last week.

It’s important to keep in mind that Google’s Nest subsidiary may abandon its plans for large-screen products in favor of developing technologies like the Nest Hub and Hub Max rather than standalone tablets.

Google has always had difficulty making a significant impact in the tablet market and creating a competitor that can match Apple’s iPad in terms of sales and general performance, not helped in the least by its inconsistent approach. Even though the hardware was good, it never really fought back after getting off to a promising start with the Nexus 7 eons ago. Another problem that has hampered Google’s efforts is that Android significantly trails iPadOS in terms of the quantity of third-party apps that are tablet-optimized.

After the Pixel Slate received tremendously unfavorable reviews, the firm first declared that it was finished producing tablets in 2019. Two tablets that were still in development at the time were discarded.

By 2022, however, Google had altered its mind and declared that a tablet was being developed by its Pixel hardware team. The $499 Pixel Tablet was the final version of the gadget, which came with a speaker dock that the tablet could magnetically connect to. (Google would subsequently charge $399 for the tablet alone.)

Continue Reading

Trending

error: Content is protected !!