• 12 days

    My takeaway from stories like this is that it was always really easy to crack in to companies, but most knowledgeable people had better things to do.

    • My feeling is companies leave themselves open by allowing everyone access to the network so the idiot who has been told 50 times not to click on a link in a suspicious email will still do it or hand out passwords to anyone on the phone. Even if you run a tight ship you’ll give access to some contractor who doesn’t.

      • 11 days

        A poor IT department is working overtime with limited funds for staff trying to fix stuff while bosses breathing down their necks.

  • script kiddies wrecking corporate security is funny
    prompt kiddies doing it is just depressing

    • And no-skilled attackers can buy exploits.

      Claude helping is insignificant to the story.

      The real headline should be:

      At least 14 companies’ IT security is practically non-existent

      • 12 days

        It is significant because a random teenager can’t google “download exploits” and have them available 5mins later.

        Powerful AI models and agents though are on your fingertips without you even asking.

        Sure, people can buy guns. But what if every person could materialize a chainsaw instead regardless of their skill, maturity, age, or criminal record? 🤔

        • 12 days

          Teenagers are definitely able to find exploits via google in 5 if they’re motivated.

          Buying a disassembled ak-47 on post order and having it shipped to your address anywhere in the world is also possible.

          Rules only apply to people that care about them.

    • 12 days

      Didn’t think I’d ever side with no script kiddie but at this point fuck it.
      If your company can’t be bothered to do the bare minimum in security then yeah I hope the least skilled hacker ever comes along and wrecks it.

      • 12 days

        Thing is, with the latest frontier models, the least skilled person can find a crack in the most secure company around, as long as they can string a few sentences together.

        It isn’t about “bare minimum” anymore. All it takes is a single lapse in vigilance from a single employee, and they’re in… and the LLM doesn’t have to pause to figure out what to do next.

          • 12 days

            some hacker unleashes malicious AIs to the internet, breaking it apart cause AI keeps finding vulnerabilities in everything and break things faster than humans can fix

            corporates build corporate internet and the blackwall, which is AI to fight malicious AIs

            Gooooood morning Night City!

          • 12 days

            Yeah, but an LLM’s arms race isn’t “doing the bare minimum in security”, which is what the poster before was saying.

            This is a genuine concern, where whoever has access to the best/most recent/most expensive models can unleash chaos - I’m talking state-sponsored attacks, mega-corp espionage, bored billionaires,…

    • 12 days

      Only for a year or so. Any company still vulnerable after these tools have been out long enough deserve it.

      • Most people on lemmy seem to condemn use of LLMs in any way for anything, I wonder what those folks opinion of this stance is - should companies use the tools or not?

        • 12 days

          Well the problem is that for example curl got flooded with generated security reports where only 5% had some true security potential. So your llm will basically flood you with false positives

          • 12 days

            If 5% of the reports are genuine security vulnerabilities that they wouldn’t have found otherwise, that’s looking like a big win to me, not sure how you see it differently.

            • 12 days

              The problem is identifying which 5%. Nobody wants to filter that much AI slop.

              • If you’re working for a company’s cybersec, that’s your job. And a much preferable one to waiting for an attacker to do it for you.

                • If you’re submitting a vulnerability to a public repo, that’s also your job. These slop reports that are wasting maintainers time should never have been reported. The person tasking the LLM is out of their depth and can’t be the human in the loop that verifies the vulnerability report before submitting because they don’t have the required knowledge to do that. It’s a shame, because if people who had the requisite knowledge were the ones submitting, the ratio of valid reports to noise would be way higher than 5% and open source maintainers wouldn’t be feeling burned the fuck out.

    • 11 days

      As someone who works in security, llms just make security happen or not happen faster.

      • I also work in security.

        My company (which can damn well afford the costs) 100% REFUSES to leverage AI in any meaningful fashion. The CISO himself wrote the most braindead email to the CIO saying basically that AI isn’t a threat and then showed it to the rest of us like he’s proud of it.

        I tried to push some adoption of AI based tools to help detect our own weaknesses and do some basic cleanup work. Nope. Stonewalled. I argued that every attacker is stealing accounts and burning tokens to tear us to shreds using every possible tools they can steal or even buy. We use Copilot.

        Blank stares and crickets. We just keep managing our shit in spreadsheets that some dumbass emails as attachments and wonders why everyone has a different version of some useless thing.

        At least they’re paying me well. When they collapse in a little while, I suppose I won’t be too surprised.

  • 12 days

    Alternative title: the ubiquitous race for cheapest developers and fastest time to maket leaves everything insecure.

  • 11 days

    The attacker’s inexperience was also evident in his operational security failures. At one point he asked Claude to help edit his resume, which contained his full name, location, education history, and LinkedIn profile.

    Later, while investigating a potential compromise of one of his own hosts, he inadvertently confirmed his home IP address to the agent. Based on this and other corroborating evidence, the researchers believe the attacker to be a young man based in Addis Ababa, Ethiopia.

    Wow.

  • they fired hordes of tech people, and neglected cybersecurity in many companies. this was bound to happen.

    • The IT Paradox :

      • “Why am I paying IT if everything works”
      • “Why am I paying IT if nothing works”