A new theoretical attack described by researchers with LayerX lays out how frighteningly simple it would be for a malicious or compromised browser extension to intercept user chats with LLMs and insert prompt injection attacks designed to exfiltrate data without the target being aware.
Cyber Security
Cyber criminals, state-sponsored hackers and even the occasional disgruntled employee are constantly looking to gain unauthorized access for a variety of purposes: theft of money, cyber espionage, personal information for sale or for use in scams, and damage to critical infrastructure, to name just a few of the most common.
So how does an organization mitigate an entire world full of continual cyber attacks? Just as buildings have a number of necessary elements of physical security (access control, cameras, alarms and so on), there are similar key elements of cyber security that are absolutely vital for just about any modern business.
It starts with identifying and closing the most common doors that attackers use. For example, phishing attacks on employees are far and away the most common initial point of entry. The breach of even a low-level employee account can quickly turn into an escalation in access privileges and the ability to reach sensitive information. This is also true of smart devices, which are generally more poorly secured than computers and phones.
Each of the fined companies learned that they had been breached during the SolarWinds hack in 2020 or 2021. Each was found by the SEC to have negligently minimized its cybersecurity disclosures in ways that could mislead investors, but all using somewhat different language.
The 1.2 terabyte MOAB file is broken up into over 3,800 folders, each one representing a prior data leak that saw personal information or credentials make their way to the open internet. In total there are over 26 billion records.
This is a password leak compilation largely built on massive breaches of the recent past. The 1.5 billion passwords added since the last RockYou edition appear to all be from breaches that took place from 2021 to 2024.
Google Threat Intelligence Group is now reporting "multiple intrusions" at US-based insurance firms by Scattered Spider, which in some cases has caused outages and business disruptions.
The Copilot vulnerability chain requires three steps, two of which are old-fashioned injections and request forgeries. But they are kicked off by using a P2P injection that convinces Copilot it is OK to serve up malicious links. The end result is that the AI assists with data theft from across the target’s Microsoft ecosystem.
Report finds that the vast majority of app developers are pushing vulnerable code, and that truly secure applications capable of repelling a determined attacker are few and far between.
Slack debuted its long-awaited direct messaging feature but within just a few days it was gone, pulled due to a technical oversight that created major security concerns.
Recent creative crypto scams illustrate some specific things that investors need to be prepared for. A scam involving Squid Game demonstrates how FOMO can catch investors, and a Google Ads scheme used phishing techniques to steal wallets.
Attacker exploiting new Intel chip vulnerability will need to go through multiple complex steps and have physical access to the device to gain full access to the system.










