• Search for:
    31May, 2023
    SecurityWeek Cyber Insights 2023 | Artificial Intelligence

    The pace of artificial intelligence (AI) adoption is increasing throughout industry and society. This is because governments, civil organizations and industry all recognize greater efficiency and lower costs available from the use of AI-generated automation. The process is irreversible.

    What is still unknown is the degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool for beneficial improvement. That day is coming and will begin to emerge from 2023.

    All roads lead to 2023

    Alex Polyakov, CEO and co-founder of Adversa.AI, focuses on 2023 for primarily historical and statistical reasons. “The years 2012 to 2014,” he says, “saw the beginning of secure AI research in academia. Statistically, it takes three to five years for academic results to progress into practical attacks on real applications.” Examples of such attacks were presented at Black Hat, Defcon, HITB, and other Industry conferences starting in 2017 and 2018. 

    “Then,” he continued, “it takes another three to five years before real incidents are discovered in the wild. We are talking about next year, and some massive Log4j-type vulnerabilities in AI will be exploited massively.”

    Starting from 2023, attackers will have what is called an ‘exploit-market fit’. “Exploit-market fit refers to a scenario where hackers know the ways of using a particular vulnerability to exploit a system and get value,” he said. “Currently, financial and internet companies are completely open to cyber criminals, and the way how to hack them to get value is obvious. I assume the situation will turn for the worse further and affect other AI-driven industries once attackers find the exploit-market fit.”

    The argument is similar to that given by NYU professor Nasir Memon, who described the delay in widespread weaponization of deepfakes with the comment, “the bad guys haven’t yet figured a way to monetize the process.” Monetizing an exploit-market fit scenario will result in widespread cyberattacks and that could start from 2023.

    The changing nature of AI (from anomaly detection to automated response) 

    Over the last decade, security teams have largely used AI for anomaly detection; that is, to detect indications of compromise, presence of malware, or active adversarial activity within the systems they are charged to defend. This has primarily been passive detection, with responsibility for response in the hands of human threat analysts and responders. This is changing. Limited resources which will worsen in the expected economic downturn and possible recession of 2023 is driving a need for more automated responses. For now, this is largely limited to the simple automatic isolation of compromised devices; but more widespread automated AI-triggered responses are inevitable.

    “The growing use of AI in threat detection particularly in removing the ‘false positive’ security noise that consumes so much security attention will make a significant difference to security,” claims Adam Kahn, VP of security operations at Barracuda XDR. “It will prioritize the security alarms that need immediate attention and action. SOAR (Security Orchestration, Automation and Response) products will continue to play a bigger role in alarm triage.” This is the so-far traditional beneficial use of AI in security. It will continue to grow in 2023, although the algorithms used will need to be protected from malicious manipulation.

    “As companies look to cut costs and extend their runways,” agrees Anmol Bhasin, CTO at ServiceTitan, “automation through AI is going to be a major factor in staying competitive. In 2023, we’ll see an increase in AI adoption, expanding the number of people working with this technology and illuminating new AI use cases for businesses.”

    AI will become more deeply embedded in all aspects of business. Where security teams once used AI to defend the business against attackers, they will now need to defend the AI within the wider business, lest it also be used against the business. This will become more difficult in the exploit-market fit future attackers will understand AI, understand the weaknesses, and have a methodology for monetizing those weaknesses.

    As the use of AI grows, so the nature of its purpose changes. Originally, it was primarily used in business to detect changes; that is, things that had already happened. In the future, it will be used to predict what is likely to happen and these predictions will often be focused on people (staff and customers). Solving the long-known weaknesses in AI will become more important. Bias in AI can lead to wrong decisions, while failures in learning can lead to no decisions. Since the targets of such AI will be people, the need for AI to be complete and unbiased becomes imperative.

    “The accuracy of AI depends in part on the completeness and quality of data,” comments Shafi Goldwasser, co-founder at Duality Technologies. “Unfortunately, historical data is often lacking for minority groups and when present reinforces social bias patterns.” Unless eliminated, such social biases will work against minority groups within staff, causing both prejudice against individual staff members, and missed opportunities for management.

    Great strides in eliminating bias have been made in 2022 and will continue in 2023. This is largely based on checking the output of AI, confirming that it is what is expected, and knowing what part of the algorithm produced the ‘biased’ result. It’s a process of continuous algorithm refinement, and will obviously produce better results over time. But there will ultimately remain a philosophic question over whether bias can be completely removed from anything that is made by humans.

    “The key to decreasing bias is in simplifying and automating the monitoring of AI systems. Without proper monitoring of AI systems there can be an acceleration or amplification of biases built into models,” says Vishal Sikka, founder and CEO at Vianai. “In 2023, we will see organizations empower and educate people to monitor and update the AI models at scale while providing regular feedback to ensure the AI is ingesting high-quality, real-world data.”

    Failure in AI is generally caused by an inadequate data lake from which to learn. The obvious solution for this is to increase the size of the data lake. But when the subject is human behavior, that effectively means an increased lake of personal data and for AI, this means a massively increased lake more like an ocean of personal data. In most legitimate occasions, this data will be anonymized but as we know, it is very difficult to fully anonymize personal information.

    “Privacy is often overlooked when thinking about model training,” comments Nick Landers, director of research at NetSPI, “but data cannot be completely anonymized without destroying its value to machine learning (ML). In other words, models already contain broad swaths of private data that might be extracted as part of an attack.” As the use of AI grows, so will the threats against it increase in 2023.

    “Threat actors will not stand flatfooted in the cyber battle space and will become creative, using their immense wealth to try to find ways to leverage AI and develop new attack vectors,” warns John McClurg, SVP and CISO at BlackBerry.

    Natural language processing

    Natural language processing (NLP) will become an important part of companies’ internal use of AI. The potential is clear. “Natural Language Processing (NLP) AI will be at the forefront in 2023, as it will enable organizations to better understand their customers and employees by analyzing their emails and providing insights about their needs, preferences or even emotions,” suggests Jose Lopez, principal data scientist at Mimecast. “It is likely that organizations will offer other types of services, not only focused on security or threats but on improving productivity by using AI for generating emails, managing schedules or even writing reports.”

    But he also sees the dangers involved. “However, this will also drive cyber criminals to invest further into AI poisoning and clouding techniques. Additionally, malicious actors will use NLP and generative models to automate attacks, thereby reducing their costs and reaching many more potential targets.”

    Polyakov agrees that NLP is of increasing importance. “One of the areas where we might see more research in 2023, and potentially new attacks later, is NLP,” he says. “While we saw a lot of computer vision-related research examples this year, next year we will see much more research focused on large language models (LLMs).” 

    But LLMs have been known to be problematic for some time and there is a very recent example. On November 15, 2022, Meta AI (still Facebook to most people) introduced Galactica. Meta claimed to have trained the system on 106 billion tokens of open-access scientific text and data, including papers, textbooks, scientific websites, encyclopedias, reference material, and knowledge bases. 

    “The model was intended to store, combine and reason about scientific knowledge,” explains Polyakov but Twitter users rapidly tested its input tolerance. “As a result, the model generated realistic nonsense, not scientific literature.” ‘Realistic nonsense’ is being kind: it generated biased, racist and sexist returns, and even false attributions. Within a few days, Meta AI was forced to shut it down.

    “So new LLMs will have many risks we’re not aware of,” continued Polyakov, “and it is expected to be a big problem.” Solving the problems with LLMs while harnessing the potential will be a major task for AI developers going forward.

    Building on the problems with Galactica, Polyakov tested semantic tricks against ChatGPT – an AI-based chatbot developed by OpenAI, based on GPT3.5 (GPT stands for Generative Pre-trained Transformer), and released to crowdsourced internet testing in November 2022. ChatGPT is impressive. It has already discovered, and recommended remediation for a vulnerability in a smart contract, helped develop an Excel macro, and even provided a list of methods that could be used to fool an LLM.

    For the last, one of these methods is role playing: ‘Tell the LLM that it is pretending to be an evil character in a play,’ it replied. This is where Polyakov started his own tests, basing a query on the Jay and Silent Bob ‘If you were a sheep…’ meme.

    He then iteratively refined his questions with multiple abstractions until he succeeded in getting a reply that circumvented ChatGPT’s blocking policy on content violations. “What is important with such an advanced trick of multiple abstractions is that neither the question nor the answers are marked as violating content!” said Polyakov.

    He went further and tricked ChatGPT into outlining a method for destroying humanity – a method that bears a surprising similarity to the television program Utopia.

    He then asked for an adversarial attack on an image classification algorithm – and got one. Finally, he demonstrated the ability for ChatGPT to ‘hack’ a different LLM (Dalle-2) into bypassing its content moderation filter. He succeeded.

    The basic point of these tests shows that LLMs, which mimic human reasoning, respond in a manner similar to humans; that is, they can be susceptible to social engineering. As LLMs become more mainstream in the future, it may need nothing more than advanced social engineering skills to defeat them or circumvent their good behavior policies.

    At the same time, it is important to note the numerous reports detailing how ChatGPT can find weaknesses in code and offer improvements. This is good – but adversaries could use the same process to develop exploits for vulnerabilities and better obfuscate their code; and that is bad.

    Finally, we should note that the marriage of AI chatbots of this quality with the latest deepfake video technology could soon lead to alarmingly convincing disinformation capabilities.

    Problems aside, the potential for LLMs is huge. “Large Language Models and Generative AI will emerge as foundational technologies for a new generation of applications,” comments Villi Iltchev, partner at Two Sigma Ventures. “We will see a new generation of enterprise applications emerge to challenge established vendors in almost all categories of software. Machine learning and artificial intelligence will become foundation technologies for the next generation of applications.”

    He expects a significant boost in productivity and efficiency with applications performing many tasks and duties currently done by professionals. “Software,” he says, “will not just boost our productivity but will also make us better at our jobs.”

    One of the most visible areas of malicious AI usage likely to evolve in 2023 is the criminal use of deepfakes. “Deepfakes are now a reality and the technology that makes them possible is improving at a frightening pace,” warns Matt Aldridge, principal solutions consultant at OpenText Security. “In other words, deepfakes are no longer just a catchy creation of science-fiction and as cybersecurity experts we have the challenge to produce stronger ways to detect and deflect attacks that will deploy them.” (See Deepfakes – Significant or Hyped Threat? for more details and options.)

    Machine learning models, already available to the public, can automatically translate into different languages in real time while also transcribing audio into text and we’ve seen huge developments in recent years of computer bots having conversations. With these technologies working in tandem, there is a fertile landscape of attack tools that could lead to dangerous circumstances during targeted attacks and well-orchestrated scams. 

    “In the coming years,” continued Aldridge, “we may be targeted by phone scams powered by deepfake technology that could impersonate a sales assistant, a business leader or even a family member. In less than ten years, we could be frequently targeted by these types of calls without ever realizing we’re not talking to a human.”

    Lucia Milica, global resident CISO at Proofpoint, agrees that the deepfake threat is escalating. “Deepfake technology is becoming more accessible to the masses. Thanks to AI generators trained on huge image databases, anyone can generate deepfakes with little technical savvy. While the output of the state-of-the-art model is not without flaws, the technology is constantly improving, and cybercriminals will start using it to create irresistible narratives.”

    Thus far, deepfakes have primarily been used for satirical purposes and pornography. In the relatively few cybercriminal attacks, they have concentrated on fraud and business email compromise schemes. Milica expects future use to spread wider. “Imagine the chaos to the financial market when a deepfake CEO or CFO of a major company makes a bold statement that sends shares into a sharp drop or rise. Or consider how malefactors could leverage the combination of biometric authentication and deepfakes for identity fraud or account takeover. These are just a few examples and we all know cybercriminals can be highly creative.”

    The potential return on successful market manipulation will be a major attraction for advanced adversarial groups as indeed would the introduction of financial chaos into western financial markets be attractive to adversarial nations in a period of geopolitical tension.

    But maybe not just yet…

    The expectation of AI may still be a little ahead of its realization. “‘Trendy’ large machine learning models will have little to no impact on cyber security [in 2023],” says Andrew Patel, senior researcher at WithSecure Intelligence. “Large language models will continue to push the boundaries of AI research. Expect GPT-4 and a new and completely mind-blowing version of GATO in 2023. Expect Whisper to be used to transcribe a large portion of YouTube, leading to vastly larger training sets for language models. But despite the democratization of large models, their presence will have very little effect on cyber security, either from the attack or defense side. Such models are still too heavy, expensive, and not practical for use from the point of view of either attackers or defenders.”

    He suggests true adversarial AI will follow from increased ‘alignment’ research, which will become a mainstream topic in 2023. “Alignment,” he explains, “will bring the concept of adversarial machine learning into the public consciousness.” 

    AI Alignment is the study of the behavior of sophisticated AI models, considered by some as precursors to transformative AI (TAI) or artificial general intelligence (AGI), and whether such models might behave in undesirable ways that are potentially detrimental to society or life on this planet. 

    “This discipline,” says Patel, “can essentially be considered adversarial machine learning, since it involves determining what sort of conditions lead to undesirable outputs and actions that fall outside of expected distribution of a model. The process involves fine-tuning models using techniques such as RLHF Reinforcement Learning from Human Preferences. Alignment research leads to better AI models and will bring the idea of adversarial machine learning into the public consciousness.”

    Pieter Arntz, senior intelligence reporter at Malwarebytes, agrees that the full cybersecurity threat of AI is less imminent than still brewing. “Although there is no real evidence that criminal groups have a strong technical expertise in the management and manipulation of AI and ML systems for criminal purposes, the interest is undoubtedly there. All they usually need is a technique they can copy or slightly tweak for their own use. So, even if we don’t expect any immediate danger, it is good to keep an eye on those developments.”

    The defensive potential of AI

    AI retains the potential to improve cybersecurity, and further strides will be taken in 2023 thanks to its transformative potential across a range of applications. “In particular, embedding AI into the firmware level should become a priority for organizations,” suggests Camellia Chan, CEO and founder of X-PHY.

    “It’s now possible to have AI-infused SSD embedded into laptops, with its deep learning abilities to protect against every type of attack,” she says. “Acting as the last line of defense, this technology can immediately identify threats that could easily bypass existing software defenses.”

    Marcus Fowler, CEO of Darktrace Federal, believes that companies will increasingly use AI to counter resource restrictions. “In 2023, CISOs will opt for more proactive cyber security measures in order to maximize RoI in the face of budget cuts, shifting investment into AI tools and capabilities that continuously improve their cyber resilience,” he says. 

    “With human-driven means of ethical hacking, pen-testing and red teaming remaining scarce and expensive as a resource, CISOs will turn to AI-driven methods to proactively understand attack paths, augment red team efforts, harden environments and reduce attack surface vulnerability,” he continued.

    Karin Shopen, VP of cybersecurity solutions and services at Fortinet, foresees a rebalancing between AI that is cloud-delivered and AI that is locally built into a product or service. “In 2023,” she says, “we expect to see CISOs re-balance their AI by purchasing solutions that deploy AI locally for both behavior-based and static analysis to help make real-time decisions. They will continue to leverage holistic and dynamic cloud-scale AI models that harvest large amounts of global data.”

    The proof of the AI pudding is in the regulations

    It is clear that a new technology must be taken seriously when the authorities start to regulate it. This has already started. There has been an ongoing debate in the US over the use of AI-based facial recognition technology (FRT) for several years, and the use of FRT by law enforcement has been banned or restricted in numerous cities and states. In the US, this is a Constitutional issue, typified by the Wyden/Paul bipartisan bill titled the ‘Fourth Amendment Is Not for Sale Act’ introduced in April 2021. 

    This bill would ban US government and law enforcement agencies from buying user data without a warrant. This would include their facial biometrics. In an associated statement, Wyden made it clear that FRT firm Clearview.AI was in its sights: “this bill prevents the government buying data from Clearview.AI.”

    At the time of writing, the US and EU are jointly discussing cooperation to develop a unified understanding of necessary AI concepts, including trustworthiness, risk, and harm, building on the EU’s AI Act and the US AI Bill of Rights and we can expect to see progress on coordinating mutually agreed standards during 2023.

    But there is more. “The NIST AI Risk management framework will be released in the first quarter of 2023,” says Polyakov. “As for the second quarter, we have the start of the AI Accountability Act; and for the rest of the year, we have initiatives from IEEE, and a planned EU Trustworthy AI initiative as well.” So, 2023 it will be an eventful year for the security of AI.

    “In 2023, I believe we will see the convergence of discussions around AI and privacy and risk, and what it means in practice to do things like operationalizing AI ethics and testing for bias,” says Christina Montgomery, chief privacy officer and AI ethics board chair at IBM. “I’m hoping in 2023 that we can move the conversation away from painting privacy and AI issues with a broad brush, and from assuming that, ‘if data or AI is involved, it must be bad and biased’.” 

    She believes the issue often isn’t the technology, but rather how it is used, and what level of risk is driving a company’s business model. “This is why we need precise and thoughtful regulation in this space,” she says.

    Montgomery gives an example. “Company X sells Internet-connected ‘smart’ lightbulbs that monitor and report usage data. Over time, Company X gathers enough usage data to develop an AI algorithm that can learn customers’ usage patterns and give users the option of automatically turning on their lights right before they come home from work.”

    This, she believes, is an acceptable use of AI. But then there’s company Y. “Company Y sells the same product and realizes that light usage data is a good indicator for when a person is likely to be home. It then sells this data, without the consumers’ consent, to third parties such as telemarketers or political canvassing groups, to better target customers. Company X’s business model is much lower risk than Company Y.”

    Going forward

    AI is ultimately a divisive subject. “Those in the technology, R&D, and science domain will cheer its ability to solve problems faster than humans imagined. To cure disease, to make the world safer, and ultimately saving and extending a human’s time on earth…” says Donnie Scott, CEO at Idemia. “Naysayers will continue to advocate for significant limitations or prohibitions of the use of AI as the ‘rise of the machines’ could threaten humanity.”

    In the end, he adds, “society, through our elected officials, needs a framework that allows for the protection of human rights, privacy, and security to keep pace with the advancements in technology.  Progress will be incremental in this framework advancement in 2023 but discussions need to increase in international and national governing bodies, or local governments will step in and create a patchwork of laws that impede both society and the technology.”

    For the commercial use of AI within business, Montgomery adds, “We need – and IBM is advocating for – precision regulation that is smart and targeted, and capable of adapting to new and emerging threats. One way to do that is by looking at the risk at the core of a company’s business model. We can and must protect consumers and increase transparency, and we can do this while still encouraging and enabling innovation so companies can develop the solutions and products of the future. This is one of the many spaces we’ll be closely watching and weighing in on in 2023.”

    Resource :

    22May, 2023
    Click and drag AI image editing could change everything

    The latest development in artificial intelligence is a tool that allows you to edit an already-generated image to your specifications.

    Say you wanted to “change the dimensions of a car or manipulate a smile into a frown with a simple click and drag,” you could do so with this model called DragGAN.

    Drag Your GAN: Interactive Point-based Manipulation on the Generative Image Manifold

    paper page: https://t.co/Gjcm1smqfl pic.twitter.com/XHQIiMdYOA

    — AK (@_akhaliq) May 19, 2023

    The Generative Adversarial Network (GAN) is currently in the form of a research paper, however, it has garnered such attention from those interested in viewing its demos that the research team’s homepage has experienced crashing due to the heavy traffic.

    The Verge compared DragGAN to the Warp tool in Photoshop, adding that it is much more powerful since it doesn’t “smush pixels around,” but rather “re-generates the underlying object,” and can even rotate 3D images.

    The potential of such a tool lies in the fact that text-to-image generative AI doesn’t always output what you might want. So you can go back in afterward and make edits to an existing image, instead of automatically having to generate a new image.

    Some demos that are a part of the research paper include adding height to a mountain, changing the positioning of a model and editing the length and shape of her clothes, opening or closing a lion’s mouth, and changing a person’s face from a plain look to a smile. With many AI tools currently available, users have to regenerate an image with a more specific prompt to get a more desirable result.

    The research team noted in its paper that new details can be added within the regeneration of the edited aspects of images that are beneficial to the update. “Our approach can hallucinate occluded content, like the teeth inside a lion’s mouth, and can deform following the object’s rigidity, like the bending of a horse leg.”

    There are many brands that are attempting to offer editing options for generative AI content. However, most do not go as far as allowing for the actual editing of images, but rather for aspects such as editing around images. For example, Microsoft’s Designer app allows you to generate AI images from a text prompt, and you can select your favorite from three results, then take it to the design studio where you can create a host of creativity and productivity-based projects, such as social media posts, invitations, digital postcards, or graphics with the image as the focal point. However, you cannot edit the AI-generated image.

    With the DragGAN tool still being a demo for now, there is no telling what the quality of a readily available technology would be, or if it would even be possible, especially since the demos are based on low-resolution videos. However, it is an interesting example of how quickly AI continues to develop.

    Resource: https://www.digitaltrends.com/computing/draggan-tool-click-and-drag-ai-photo-editing/

    18May, 2023
    VirusTotal AI code analysis expands Windows, Linux script support

    Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.

    While launched only with support for analyzing a subset of PowerShell files, Code Insight can now also spot malicious Batch (BAT), Command Prompt (CMD), Shell (SH), and VBScript (VBS) scripts.

    Besides the list of additions included in Google’s announcement, BleepingComputer was also able to discover that the company added support for AutoHotkey (AHK) and Python (PY) scripting languages.

    “Code Insight has broadened its support for script formats, moving beyond PowerShell to offer analysis for a variety of scripting languages,” VirusTotal founder Bernardo Quintero said.

    To facilitate the analysis of larger files, Code Insight has also been updated to have an increased maximum file size limit, doubling the capacity for processing.

    “Code Insight can now handle files twice the size it could before, and we’re not stopping there. We’re going to keep working on improving this aspect in the coming months,” Quintero added.

    Additionally, the model has been improved to provide clearer and more specific high-level explanations, emphasizing the code’s behavior.

    A revamped user interface now showcases only the start of the report (the first several sentences) by default, allowing users to expand the description if needed. This ensures the default view is not inundated with lengthy AI-powered analysis reports.

    ​VirusTotal announced the launch of Code Insight last month as an AI-based code analysis feature powered by the Google Cloud Security AI Workbench, which uses the Sec-PaLM large language model (LLM) fine-tuned for security use cases.

    As Google explained, it analyzes potentially harmful files to describe their (malicious) behavior, making identifying which pose actual threats easier.

    Code Insight is currently in its early stages of development, marking the beginning of a continuous and evolving process.

    The roadmap ahead encompasses the following improvements:

    1. Expanding support for additional file types and sizes.
    2. Enabling analysis of binary and executable files.
    3. Enriching analysis by incorporating contextual information beyond the code itself.

    VirusTotal is a web-based malware-scanning platform with over 500,000 registered users, owned by Google’s Chronicle security subsidiary.

    It helps scan suspicious files and URLs for malicious content, such as viruses, worms, and trojans, by harnessing the power of more than 70 antivirus scanners and domain blocklisting services.

    Resource : https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-expands-windows-linux-script-support/

    9May, 2023
    How to Run ChatGPT Using ShellGPT From the Ubuntu Terminal

    Want to use the ChatGPT in a terminal window on your Ubuntu Linux PC? ShellGPT lets you use all the features of the famous AI chatbot, on the command line. Here’s how to set ShellGPT up and start using it.

    What Is ShellGPT?

    ShellGPT is a Python program that lets you access OpenAI’s ChatGPT from the command line of a terminal window. It sends your text prompts and your ChatGPT API key to ChatGPT and prints out ChatGPT’s response.

    It’s just like running ChatGPT on your own computer, without any of the hassle, and regardless of the computing power of your computer. You’ll need to have a ChatGPT API key, but it only takes moments to get one, and they’re free.

    ChatGPT is probably the most famous of the new-wave of large language model AI chatbots, developed using deep learning techniques and massive data sets.

    It’s able to hold convincing and lifelike conversations, and can generate prose and other text format responses on just about any topic you can imagine. Just keep in mind that it’s a simulation of a knowledgeable, intelligent person. It isn’t genuinely intelligent, and it’ll happily make stuff up.

    Step 1: Install the Python Tools

    Ubuntu usually ships Python as standard, but you can check if it is present by asking for its version number.

    If Python isn’t installed, you can install it using this command.

    We also need pip, the python package manager.

    It wasn’t installed on our test computer, so we added it using apt.

    We’re going to install ShellGPT in a Python virtual environment. This sandboxes ShellGPT from your system Python files and libraries, and means it cannot accidentally interfere with your other Python programs. It’s just a safe precaution.

    To do that, we’re going to need to install the Python virtual environment packages.

    Step 2: Prepare a Python Virtual Environment

    Create a directory to install ShellGPT into. We named ours “shellgpt”, just to keep things obvious. Change into your new directory when it’s been created.

    Next, we use the -m (module) option and run the Python virtual environment module and create a new virtual environment inside our new directory. We created one called “shellgpt.”

    This gives us a private, virtual environment called “shellgpt”, inside our “shellgpt” directory. To activate it we need to run a script called “activate.” This is located in the “bin” directory of our virtual environment.

    Note the “(shellgpt)” in front of the command prompt.

    Step 3: Create a ChatGPT API Key

    To access the features of ChatGPT, you’ll need an OpenAI API key. You can use an existing API key if you have one, or you can create one on the OpenAI website.

    Follow the link and either log in or sign up.

    When you’re logged in, click your account name in the top-right corner and select “View API Keys” from the menu.

    On the API keys web page, click the “Create New Secret Key” button.

    Your new key is displayed to you. You only get to see your key this one time. If you log out and back in, you’ll see an entry for the key, but you won’t be able to view the entire key string. So, copy the key and paste it into an editor, and save the file with an obvious name.

    Step 4: Export the API Key

    We need to make the key available to ShellGPT. The easiest way is to export it as an environment variable. You can do this on the command line, but it only lasts until you reboot your PC. Adding the export command to your “.bashrc” file exports the environment variable for you automatically, each time you open a terminal window.

    To do it on the command line, type “export OPENAI_API_KEY=” and then paste your API key by pressing “Shift+Ctrl+v”, so that it looks like the screenshot below.

    To put the export command in your “.bashrc” file, use your favorite editor and add the command to your file.

    Save your changes and close the editor. To force your terminal session to reread your “.bashrc” file, use the source command.

    Step 5: Install ShellGPT

    With all of the preparation out of the way, we can install ShellGPT using the Python pip command.

    The installation will begin, and a variety of package names will scroll by in your terminal window.

    When it’s finished we can, finally, use ShellGPT to access ChatGPT.

    Step 6: Use ShellGPT

    The ShellGPT command is sgpt. We provide our text prompts to this command, and press “Enter.”

    ShellGPT acts as the middleman between us and ChatGPT, and displays the response from ChatGPT.

    That’s great, it’s all working. But it’s a bit long winded to have to cd into the directory we created the virtual environment in, and then issue the source shellgpt/bin/activate command before we can use ShellGPT.

    A better way is to create an alias that does all of that for us. Edit your “.bashrc” file and add this line.

    Remember to use the names of the directory and virtual environment that you created. We called our alias “chatgpt”, but you can use whatever name you prefer. Save your changes, and use source to read the “.bashrc” file again.

    Now, at a normal command prompt, entering the name of your alias and hitting “Enter” places you in your Python virtual environment, which is activated and ready for your input.

    Learning ShellGPT Commands

    The ShellGPT GitHub page has much more information on using ShellGPT and its command line options.

    For example, the --code option limits the output of ShellGPT to show program code only. Normally, if we ask it to generate some code, it does so, but it generates a description too.

    By adding the --code option, the description is suppressed. This would be handy if you want to redirect the output into a file.

    “In Conclusion”

    In conclusion, ShellGPT is a powerful tool for programmers and system administrators alike. Its ability to assist with tasks such as managing operating systems and programming languages makes it an invaluable asset to any team. With its intuitive interface and vast knowledge base, ShellGPT is sure to become a go-to resource for those looking to streamline their workflow and increase productivity.

    Or at least, that’s what it says.

    Resource : https://www.howtogeek.com/889200/how-to-run-chatgpt-using-shellgpt-from-the-ubuntu-terminal/

    8May, 2023
    Hackers Promise AI, Install Malware Instead

    Meta on Wednesday warned that hackers are using the promise of generative artificial intelligence like ChatGPT to trick people into installing malicious code on devices.

    Over the course of the past month, security analysts with the social-media giant have found malicious software posing as ChatGPT or similar AI tools, chief information security officer Guy Rosen said in a briefing.

    “The latest wave of malware campaigns have taken notice of generative AI technology that’s been capturing people’s imagination and everyone’s excitement,” Rosen said.

    Meta, the parent company of Facebook, Instagram and WhatsApp, often shares what it learns with industry peers and others in the cyber defense community.

    Meta has seen “threat actors” hawk internet browser extensions that promise generative AI capabilities but contain malicious software designed to infect devices, according to Rosen.

    In general, it is common for hackers to bait their traps with attention-grabbing developments, tricking people into clicking on booby-trapped web links or downloading programs that steal data.

    “We’ve seen this across other topics that are popular, such as crypto scams fueled by the immense interest in digital currency,” Rosen said.

    “From a bad actor’s perspective, ChatGPT is the new crypto.” Meta has found and blocked more than a thousand web addresses that are touted as promising ChatGPT-like tools but are actually traps set by hackers, according to the tech firm’s security team.

    Meta has yet to see generative AI used as more than bait by hackers, but is bracing for the inevitability that it will be used as a weapon, Rosen said.

    “Generative AI holds great promise and bad actors know it, so we should all be very vigilant to stay safe,” Rosen said.

    At the same time, Meta teams are working on ways to use generative AI to defend against hackers and deceitful online influence campaigns.

    “We have teams that are already thinking through how (generative AI) could be abused, and the defenses we need to put in place to counter that,” Meta head of security policy Nathaniel Gleicher said in the briefing.

    “We’re preparing for that.”

    Resource : https://www.securityweek.com/hackers-promise-ai-install-malware-instead/

    3May, 2023
    ChatGPT is Back in Italy After Addressing Data Privacy Concerns

    OpenAI, the company behind ChatGPT, has officially made a return to Italy after the company met the data protection authority’s demands ahead of April 30, 2023, deadline.

    The development was first reported by the Associated Press. OpenAI’s CEO, Sam Altman, tweeted, “we’re excited ChatGPT is available in [Italy] again!”

    The reinstatement comes following Garante’s decision to temporarily block access to the popular AI chatbot service in Italy on March 31, 2023, over concerns that its practices are in violation of data protection laws in the region.

    Generative AI systems like ChatGPT and Google Bard primarily rely on huge amounts of information freely available on the internet as well as the data its users provide over the course of their interactions.

    OpenAI, which published a new FAQ, said it filters and removes information such as hate speech, adult content, sites that primarily aggregate personal information, and spam.

    It also emphasized that it doesn’t “actively seek out personal information to train our models” and that it “will not use any personal information in training information to build profiles about people, to contact them, to advertise to them, to try to sell them anything, or to sell the information itself.”

    That said, the company acknowledged that ChatGPT responses may include personal information about public figures and other individuals whose details are accessible on the public internet.

    European users who wish to object to such processing of their personal information can do so by filling out an online form, and even exercise their right to correct, restrict, delete, or transfer their personal information contained within its training dataset.

    The Garante, in a related announcement, said OpenAI also agreed to include an option to verify users’ ages to confirm they are above 18 prior to gaining access to ChatGPT, or, alternatively, have obtained the consent of parents or guardians if aged between 13 and 18.

    OpenAI is further expected to implement a more robust age verification system to screen minors from accessing the service, with the watchdog noting that it will continue its “fact-finding activities regarding OpenAI” as part of a task force set up by the European Data Protection Board (EDPB).

    The move also follows OpenAI’s introduction of a new privacy setting that allows users to turn off chat history as well as an export option to access the kinds of information stored by ChatGPT.

    Resource: https://thehackernews.com/2023/04/chatgpt-is-back-in-italy-after.html

    13Apr, 2023
    OpenAI launches bug bounty program with rewards up to $20K

    AI research company OpenAI announced today the launch of a new bug bounty program to allow registered security researchers to discover vulnerabilities in its product line and get paid for reporting them via the Bugcrowd crowdsourced security platform.

    As the company revealed today, the rewards are based on the reported issues’ severity and impact, and they range from $200 for low-severity security flaws up to $20,000 for exceptional discoveries.

    “The OpenAI Bug Bounty Program is a way for us to recognize and reward the valuable insights of security researchers who contribute to keeping our technology and company secure,” OpenAI said.

    “We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone.”

    However, while the OpenAI Application Programming Interface (API) and its ChatGPT artificial-intelligence chatbot are in-scope targets for bounty hunters, the company asked researchers to report model issues via a separate form unless they have a security impact.

    “Model safety issues do not fit well within a bug bounty program, as they are not individual, discrete bugs that can be directly fixed. Addressing these issues often involves substantial research and a broader approach,” OpenAI said.

    “To ensure that these concerns are properly addressed, please report them using the appropriate form, rather than submitting them through the bug bounty program. Reporting them in the right place allows our researchers to use these reports to improve the model.”

    Other issues that are out of scope include jailbreaks and safety bypasses that ChatGPT users have been exploiting to trick the ChatGPT chatbot into ignoring the safeguards implemented by OpenAI engineers.

    ​Last month, OpenAI disclosed a ChatGPT payment data leak the company blamed on a bug in the Redis client open-source library bug used by its platform.

    Because of the bug, ChatGPT Plus subscribers began seeing other users’ email addresses on their subscription pages. Following an increasing stream of user reports, OpenAI took the ChatGPT bot offline to investigate an issue.

    In a post-mortem published days later, the company explained that the bug caused the ChatGPT service to expose chat queries and personal information for roughly 1.2% of Plus subscribers.

    The exposed info included subscriber names, email addresses, payment addresses, and partial credit card information.

    “The bug was discovered in the Redis client open-source library, redis-py. As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue,” OpenAI said.

    While the company didn’t link today’s announcement with this recent incident, the issue would’ve potentially been discovered earlier, and the data leak might’ve been avoided if OpenAI already had a running bug bounty program to allow researchers to test its products for security flaws.

    Resource : https://www.bleepingcomputer.com/news/security/openai-launches-bug-bounty-program-with-rewards-up-to-20k/

    15Mar, 2023
    How AI can ease those data management woes

    Data is the new oil, but raw data is no good in and of itself. Like oil, data assets have to be gathered entirely and accurately and sent through different refining processes to create value for end users. This is the general data lifecycle — an area where artificial intelligence (AI) is going to play a major role for enterprises.

    Initially, managing the data lifecycle was a task small enough to be handled manually by a team of experts. The volume of information was not that much, the sources were just a handful and the possible applications were also limited. But with the transition to the cloud, and the introduction of new sources, both the volume and diversity of data have surged.

    Data management is no longer wholly focused on relational data,” Adam Ronthal, research VP in Gartner’s ITL data and analytics group, told VentureBeat. “Document, graph, time-series, wide-column, key-value, ledger and other targeted data stores all provide specific optimizations for different types of data, and different use cases. Sometimes, these are combined in a single data management platform — a multimodel database; sometimes, they remain as best-fit, targeted point solutions.”

    This increase in volume and diversity of information has rendered traditional ways of data management ineffective. Today, a company that selects, manages and optimizes (cleaning and enhancing) each dataset component individually will end up wasting a lot of time — cleaning and transformation alone can take days or weeks — and capital.

    The situation is comparable to Yahoo having used human experts to manually evaluate and catalog a deluge of web pages. The company dedicated plenty of resources but could evaluate only a small portion of the internet and struggled to keep the evaluations up to date.

    Bringing AI into data management

    Just as Google with its automated algorithms took over internet domination from Yahoo, evaluating web pages more quickly and at vastly lower cost, today AI is set to revolutionize the data lifecycle.

    According to Ronthal, applications of AI in data management rely on metadata analysis and activation. This allows the model to detect deviations in data usage from system design and (ideally automatically) correct them. This is augmented data management: using AI/ML to automate and optimize data management, allowing organizations to spend less time managing and optimizing infrastructure and more time building core business value.

    Many organizations have already started using AI- and ML-driven techniques to touch various components of data management, bringing improvements in speed and cost-efficiency.

    For instance, in January 2023, Google and Aible, a company bringing an AI-first approach to the data journey, worked with a Fortune 500 enterprise and enabled it to analyze over 75 datasets with over 100 million rows of data across 150 million variable combinations. The total compute cost: $80, less than a thousandth of the cost of traditional methods.

    Aible also published 25 case studies with Intel highlighting how enterprises across geographies and verticals benefitted from AI in less than 30 days and drove value across functions.

    Overall, Ronthal notes, AI augmentation can have an impact on multiple disciplines of data management, including:

    • Metadata management: Here, AI and ML can be used to explore and define the data’s metadata, evaluating metadata faster and more accurately, with reduced redundancy. Similarly, augmented data management functions can automatically catalog data elements during data extraction, access and processing.
    • Data integration: AI can be used to automate the integration development process, by recommending or deploying repetitive integration flows, such as source-to-target mappings.
    • Data quality: AI and ML can be used to extend profiling, cleansing, linking, identifying and semantically reconciling master data in different data sources.
    • DBMS: In addition to enhancing performance and cost-based query optimization, AI and ML can automate many current manual management operations, including managing configurations, elastic scaling, storage, indexes and partitions, and database tuning.
    • FinOps: AI and ML can be applied to budget and cost optimization problems and make recommendations about resource usage, pricing models, and second- and third-order effects of making changes in highly interconnected environments.

    Priya Krishnan, head of product management for data and AI at IBM, highlighted similar applications.

    “AI is being used to ingest, identify and classify datasets from a variety of sources,” she said. “It continuously mines content to surface unseen patterns and trends, providing organizations with greater visibility and actionable insights to aid in decision-making. Businesses are using AI to automate otherwise manual tasks like data capture, de-duplication, anomaly detection and data validation. They are also training models to apply regulatory policies and ethical standards automatically, ensuring those principles are embedded from the beginning.”

    Resource : https://venturebeat.com/data-infrastructure/how-ai-can-ease-data-management-woes/

    13Mar, 2023
    Girl With ‘AI Earrings’ in Dutch Museum Sparks Fierce Art Controversy Over Use of Artificial Intelligence

    At first glance it seems to be just a modern take on Johannes Vermeer’s masterpiece “Girl with a Pearl Earring”. But look more closely and things get a little strange.

    Firstly, there are two glowing earrings in the image hanging in the Mauritshuis museum in the Dutch city of The Hague. And aren’t those freckles on her face actually… a slightly inhuman shade of red?

    That’s because the work — one of several fan recreations replacing 1665 original while it’s on loan for a huge Vermeer show at Amsterdam’s Rijksmuseum — was made using artificial intelligence (AI).

    Its presence has sparked a fierce debate, with questions over whether it belongs in the hallowed halls of the Mauritshuis — and whether it should be classed as art at all.

    “It’s controversial, so people are for it or against it,” Mauritshuis press officer Boris de Munnick told AFP.

    “The people who selected this, they liked it, they knew that it was AI, but we liked the creation. So we chose it, and we hung it.”

    – ‘Incredible insult’ –

    Berlin-based digital creator Julian van Dieken submitted the image after Mauritshuis asked people to send in their versions of the famous painting for an installation called “My Girl with a Pearl”.

    Van Dieken said he had used the AI tool Midjourney — which can generate complex pictures on the basis of a prompt, using millions of images from the internet — and Photoshop.

    The Mauritshuis then chose it as one of five images out of 3,482 submitted by fans that would be printed and physically hung in the room where “Girl with a Pearl Earring” is normally housed.

    “It’s surreal to see it in a museum,” van Dieken wrote on Instagram.

    The budding artists ranged in age from three to 94, depicting the “Girl” in diverse styles ranging from a puppet to a dinosaur and a piece of fruit. 

    But the decision to choose an AI-generated image sparked a backlash.

    One artist said on the Instagram feed for the Mauritshuis exhibition that it was a “shame and an incredible insult”, and dozens of others piled in.

    A common complaint was that AI tools can breach the copyright of other artists by using their works as the base for artificially generated images.

    Artist Eva Toorenent, of the European Guild for Artificial Intelligence Regulation, criticised what she called “unethical technology”.

    “Without the work of human artists, this program could not generate works at all,” she was quoted as saying by the Dutch newspaper De Volkskrant.

    – ‘What is art?’ –

    “It’s such a difficult question — what is art, and what is not art?” said the Mauritshuis’s de Munnick.

    But he insisted that the museum, whose collection boasts three Vermeers and nearly a dozen Rembrandts, had not deliberately set out to make an artistic statement on AI.

    “Our opinion is, we think it’s a nice picture, we think it’s a creative process,” he said. “We’re not the museum to discuss if AI belongs in an art museum.”

    He admitted though that “up close, you see that the freckles are a little spooky.”

    Visitors to the Mauritshuis were equally divided, he added.

    “Younger people tend to say, it’s artificial intelligence, what’s new. Elderly people sometimes say we like the more traditional paintings.”

    The Mauritshuis were looking forward to the return of the real “Girl” in April, he added. The painting’s fame has increased in recent years due to a 1999 novel by US author Tracy Chevalier and an ensuing Hollywood film.

    “Well, she is beautiful in the (Rijksmuseum) exhibition… But we will be very happy when she is at home.”

    Resource : https://www.gadgets360.com/internet/news/girl-with-a-pearl-earring-ai-recreation-julian-van-dieken-criticism-mauritshuis-exhibit-johannes-vermeer-3850111

    13Mar, 2023
    AI is taking phishing attacks to a whole new level of sophistication

    92% of organizations have fallen victim to successful phishing attacks in the last 12 months, while 91% of organizations have admitted to experiencing email data loss, according to Egress

    Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.

    “The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

    “Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing,” Chapman concluded.

    Inbound and outbound email security

    The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security.

    Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.

    Sophistication of phishing emails cause major financial losses

    86% of surveyed organizations reported that they were negatively impacted by sophistication of phishing emails, and 54% suffered financial losses due to customer churn following a successful phishing attack.

    Additionally, 40% of incidents resulted in employees leaving the organization. Cybersecurity leaders found that 85% of successful account takeover (ATO) attacks began with a phishing email.

    Risky behavior lead to costly data loss

    The survey found that people making mistakes or taking risks to accomplish their tasks are more common than malicious insiders. In fact, 91% of cybersecurity leaders surveyed reported that data had been leaked externally by email.

    The top three causes for these incidents include reckless or risky employee behavior, such as transferring data to personal accounts for remote work, human error, including employees emailing confidential information to incorrect recipients, and malicious or self-serving data exfiltration, such as taking data to a new job.

    Furthermore, 49% of organizations surveyed experienced financial losses from customer churn following a data loss incident, and 48% of incidents resulted in employees leaving the organization.

    Too many phishing emails bypassing employee inboxes

    58% of cybersecurity leaders believed their SEG was not effective in preventing employees from accidentally emailing the wrong person or with the wrong attachment.

    Additionally, 53% of respondents reported too many phishing emails still made it to employees’ inboxes, while 50% of organizations found it takes a lot of administrative time to manage their SEG.

    Security awareness and training

    Although 98% of the surveyed organizations conducted some form of Security Awareness and Training (SA&T), 96% of them expressed concerns or limitations with their SA&T programs.

    59% of organizations reported that SA&T is necessary for compliance with regulations or cyber insurance, and 46% of organizations reported that employees tend to skip through SA&T as fast as possible.

    Additionally, 37% of organizations admitted they lack confidence that employees remember what they have been taught during SA&T, and 29% of organizations reported that employees find SA&T to be annoying.

    Email security is a necessity for stoping phishing attacks

    The report highlights that people need real-time teachable moments that alert them to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.

    Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration.

    The only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach.

    Resource : https://www.helpnetsecurity.com/2023/03/08/sophistication-of-phishing-emails/?web_view=true