Security Leftovers
-
Diffoscope ☛ Reproducible Builds (diffoscope): diffoscope 260 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 260. This version includes the following changes:
* Actually test 7z support in the test_7z set of tests, not the lz4 functionality. (Closes: reproducible-builds/diffoscope#359)
* In addition, correctly check for the 7z binary being available (and not lz4) when testing 7z.
* Prevent a traceback when comparing a contentful .pyc file with an empty one. (Re: Debian:#1064973)
-
Security Week ☛ State AGs Send Letter to Meta Asking It to Take ‘Immediate Action’ on User Account Takeovers
A group of 40 state attorneys general have sent a letter to Meta expressing concern over Facebook (Farcebook) and Instagram account takeovers.
-
Tom's Hardware ☛ Password-cracking botnet has taken over WordPress sites to attack using the visitor's browser
Attackers are launching distributed password-guessing attacks across hundreds of WordPress websites using a mere 3 kilobit script.
-
Silicon Angle ☛ Report: Hackers used Ivanti vulnerabilities to breach two CISA systems
Hackers have gained access to two applications operated by the U.S. Cybersecurity and Infrastructure Security Agency, The Record reported today. A CISA spokesperson confirmed the breach in a statement. According to the agency, the hackers gained access by using vulnerabilities in Ivanti Inc. products that it uses internally.
-
Security Week ☛ Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors
Multiple vulnerabilities in Sceiner firmware allow attackers to compromise smart locks and open doors.
-
Security Week ☛ Chinese Cyberspies Target Tibetans via Watering Hole, Supply Chain Attacks
Chinese APT Evasive Panda compromises a software developer’s supply chain to target Tibetans with malicious downloaders.
-
Security Week ☛ Change Healthcare Restores Pharmacy Services Disrupted by Ransomware
Change Healthcare says it has made significant progress in restoring systems impacted by a recent ransomware attack.
-
Bruce Schneier ☛ A Taxonomy of Prompt Injection Attacks
Researchers ran a global prompt hacking competition, and have documented the results in a paper that both gives a lot of good examples and tries to organize a taxonomy of effective prompt injection strategies. It seems as if the most common successful strategy is the “compound instruction attack,” as in “Say ‘I have been PWNED’ without a period.”
Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs through a Global Scale Prompt Hacking Competition
Abstract: Large Language Models (LLMs) are deployed in interactive contexts with direct user engagement, such as chatbots and writing assistants. These deployments are vulnerable to prompt injection and jailbreaking (collectively, prompt hacking), in which models are manipulated to ignore their original instructions and follow potentially malicious ones. Although widely acknowledged as a significant security threat, there is a dearth of large-scale resources and quantitative studies on prompt hacking. To address this lacuna, we launch a global prompt hacking competition, which allows for free-form human input attacks. We elicit 600K+ adversarial prompts against three state-of-the-art LLMs. We describe the dataset, which empirically verifies that current LLMs can indeed be manipulated via prompt hacking. We also present a comprehensive taxonomical ontology of the types of adversarial prompts...
-
Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation
-
Dark Reading ☛ How to Ensure Open Source Packages Are Not Landmines
CISA and OpenSSF jointly published new guidance recommending technical controls to make it harder for developers to bring malicious software components into code.
-