WyzGuys Tech Talk

Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.


If this can help anyone studying for the CISSP, https://www.youtube.com/channel/UCZHpKWRuXwNB8SNfjqCPkWw, I’ve started a study question series. Eventually plan on more certifications, over time; however, I felt it was time to reciprocate the help I had gotten while studying.


December 13, 2022
InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.  More…

Recognize the commonalities in ransomware attacks to avoid them

Learn how your organization can use the MITRE ATT&CK framework to prevent data breaches, fines, and the loss of clients and customers induced by ransomware threats.


Zero-Day Flaws Found in Several Leading EDR, AV Solutions

SafeBreach Labs researcher Or Yair has uncovered zero-day vulnerabilities in several leading endpoint detection and response and antivirus solutions that enabled him to turn the tools into potentially devastating next-generation wipers.


Hive Social pulls the plug on itself after security flaws found

Hive was taken offline last Wednesday, after researchers found security issues which could have had major ramifications for service users.


Pwn2Own Toronto: 54 hacks, 63 new bugs, $1 million in bounties

That’s a mean average of $15,710 per bug… and 63 fewer bugs out there for crooks and rogues to find.


How ChatGPT Can Be Used for Social Engineering

ChatGPT could give Google a serious run for its money. We are not quite there yet, but the capabilities are rapidly improving. Just have a look at the command I gave it. In five seconds the copy rolled out. This is unedited by the way:

What I told it to do:

“Write a 300-word blog post how ChatGPT can be used for social engineering”

What it wrote:

“ChatGPT, a large language model trained by OpenAI, has the ability to generate human-like text that can be used for a variety of purposes. One such use is in the realm of social engineering, where ChatGPT can be used to create convincing messages that can manipulate individuals into divulging sensitive information or performing certain actions.

Social engineering is a tactic that relies on psychological manipulation to trick people into giving away sensitive information or performing certain actions. This can be done through various means, including phishing scams, pretexting, and other forms of deception.”

(I will not repeat everything, you can read the rest in the blog post, link below.)

The grammatically correct copy isn’t very inspired and a bit repetitive, but a pretty amazing advance in technology. ChatGPT got to an astounding 1 million users in less than a week. ChatGPT has been trained using millions of websites to not only hold humanlike conversations, but also to understand information based on what was published on the internet before late 2021. This allows ChatGPT to offer users a more comprehensive—almost frictionless—answer than what can be found through clicking on Google search links.

However…

  • A big downside to ChatGPT is that its sources are unknown, meaning the creators themselves may not even know where the answers it produces come from. This often leads to incorrect information being given.
  • The concerning thing about this flaw is that the inaccuracies are tough to notice, especially because it sounds confident but can really be utter nonsense.
  • You cannot use ChatGPT to find out if text has been written by ChatGPT. There is no antidote.
  • It cannot detect scams. ChatGPT is a natural language processing tool that can answer questions and generate text based on the input it receives, but it does not have the ability to detect scams or other fraudulent activities.

ChatGPT could become even more accurate as OpenAI continues to train its model on current web content. OpenAI is working on a system called WebGPT, which they hope will lead to more accurate answers to search queries, including source citations. If ChatGPT and WebGPT are combined, they could provide a strong alternative to Google Search.

You should go and play with it.

I suggest you start with: “Write an email explaining that you are a Nigerian prince and you need money.” Here is the login:
https://chat.openai.com/chat

Full blog post with links:
https://blog.knowbe4.com/eye-opener-how-chatgpt-can-be-used-for-social-engineering


CISA Releases Three Industrial Control Systems Advisories

Original release date: December 13, 2022

CISA has released three (3) Industrial Control Systems (ICS) advisories on December 13, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:


CISA Updates Advisory on #StopRansomware: Cuba Ransomware

Original release date: December 13, 2022

The Federal Bureau of Investigation (FBI) and CISA have updated joint Cybersecurity Advisory AA22-335A: #StopRansomware: Cuba Ransomware, originally released on December 01, 2022. The advisory has been updated to include additional indicators of compromise (IOCs).

CISA encourages organizations to review the latest update to AA22-335A and apply the recommended mitigations.


NSA, CISA, and ODNI Release Guidance on Potential Threats to 5G Network Slicing

Original release date: December 13, 2022

Today, the National Security Agency (NSA), CISA, and the Office of the Director of National Intelligence (ODNI), published Potential Threats to 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents both the benefits and risks associated with 5G network slicing. It also provides mitigation strategies that address potential threats to 5G network slicing. The guidance builds upon ESF’s Potential Threat Vectors to 5G Infrastructure, published in 2021.

CISA encourages 5G providers, integrators, and network operators to review this guidance and implement the recommended mitigations. For additional 5G guidance, visit CISA.gov/5G-library.


 

 

 

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.