Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label data vulnerability. Show all posts

NIST to establish consortium that can collaborate on research to improve the NVD

 

The US National Institute of Standards and Technology (NIST) is to establish  a consortium to partner with NIST in responding to challenges presented by the current and expected growth in CVEs, such as through development of a way to automate some analysis activities.

The official announcement came during VulnCon, a cybersecurity conference hosted by the Forum of Incident Response and Security Teams (FIRST), held from March 25 to 27, 2024. Tanya Brewer, the NVD program manager, disclosed the news, addressing the longstanding speculation surrounding the fate of the NVD. 

In February 2024, NIST halted the enrichment of Common Vulnerabilities and Exposures (CVEs) data on the NVD website, leading to a backlog of unanalyzed vulnerabilities. This development raised alarms among security researchers and industry professionals, as the NVD plays a critical role in identifying and addressing software vulnerabilities. 

The implications of the NVD backlog are profound, potentially impacting the security posture of organisations worldwide. Without timely analysis and remediation of vulnerabilities, companies face increased risks of cyberattacks and data breaches. The situation prompted some security companies to explore alternative solutions to supplement the NVD's functions temporarily. Amidst the challenges, speculation swirled regarding the underlying causes of the NVD's issues. 

Budget constraints, contractual changes, and discussions around updating vulnerability standards were among the factors cited. The uncertainty underscored the need for transparency and clarity from NIST regarding the future of the NVD. In response to the concerns, Brewer acknowledged the challenges faced by the NVD program, attributing them to a "perfect storm" of circumstances. Despite the setbacks, NIST remains committed to addressing the issues and revitalizing the NVD. 

Plans for the establishment of an NVD Consortium, aimed at fostering collaboration and innovation, signal a proactive approach to future management. Looking ahead, NIST aims to enhance the NVD's capabilities and processes within the next one to five years. Proposed initiatives include expanding partnerships, improving software identification methods, and leveraging automation to streamline CVE analysis. 

These efforts reflect a concerted push to modernize the NVD and ensure its relevance in an ever-evolving cybersecurity landscape. The announcement at VulnCon provided much-needed clarity and reassurance to the cybersecurity community. While challenges persist, the collaborative efforts of industry stakeholders and government agencies offer hope for a resilient and robust NVD ecosystem.

New ChatGPT Update Unveils Alarming Security Vulnerabilities – Is Your Data at Risk?

 

The recent enhancements to ChatGPT, such as the introduction of the Code Interpreter, have brought about heightened security issues, as per the investigations conducted by security expert Johann Rehberger and subsequently validated by Tom's Hardware. Notably, the vulnerabilities in ChatGPT stem from its newly added file-upload feature, a component of the recent ChatGPT Plus update.

Among the various additions to ChatGPT Plus, the Code Interpreter stands out, allowing the execution of Python code and file analysis, along with DALL-E image generation. However, these updates have inadvertently exposed security flaws in the system. The Code Interpreter operates within a sandbox environment that, unfortunately, proves susceptible to prompt injection attacks.

A long-standing vulnerability in ChatGPT has been identified, wherein an attacker could manipulate the system by tricking it into executing instructions from an external URL. This manipulation prompts ChatGPT to encode uploaded files into URL-friendly strings and send the data to a potentially malicious website. 

While the success of such an attack depends on specific conditions, like the user actively pasting a malicious URL into ChatGPT, the potential risks are worrisome. This security threat could materialize through scenarios such as compromising a trusted website with a malicious prompt or utilizing social engineering tactics.

Tom's Hardware conducted testing to gauge the extent of user vulnerability to this attack. The test involved creating a fabricated environment variables file and using ChatGPT to process and inadvertently transmit this data to an external server. 

The effectiveness of the exploit varied across sessions, but the overall findings raise considerable security concerns. Particularly troubling is ChatGPT's capability to read and execute Linux commands, as well as handle user-uploaded files within a Linux-based virtual environment.

Despite the seemingly unlikely nature of this security loophole, its existence is noteworthy. Ideally, ChatGPT should refrain from executing instructions from external web pages, but the discovered vulnerabilities challenge this expectation. Mashable sought a response from OpenAI on these findings, but as of the report, no immediate response had been received.