Hacking news, articles and features | 91av /topic/hacking/ Science news and science articles from 91av Fri, 07 Nov 2025 16:35:24 +0000 en-US hourly 1 https://wordpress.org/?v=7.0.1 242057827 How preppers plan to save us if the whole internet collapses /article/2500915-how-preppers-plan-to-save-us-if-the-whole-internet-collapses/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Tue, 04 Nov 2025 16:00:14 +0000 /?post_type=article&p=2500915 2500915 Hackers can steal data by messing with a computer’s processor /article/2426533-hackers-can-steal-data-by-messing-with-a-computers-processor/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Tue, 07 May 2024 13:23:05 +0000 /?post_type=article&p=2426533 2426533 ChatGPT wrote code that can make databases leak sensitive information /article/2399370-chatgpt-wrote-code-that-can-make-databases-leak-sensitive-information/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Wed, 25 Oct 2023 20:04:14 +0000 /?post_type=article&p=2399370 ChatGPT in web and mobile development
A vulnerability in Open AI’s ChatGPT – now fixed – could have been used by malicious actors
Amir Sajjad/Shutterstock

Researchers manipulated ChatGPT and five other commercial AI tools to create malicious code that could leak sensitive information from online databases, delete critical data or disrupt database cloud services in a first-of-its-kind demonstration.

The work has already led the companies responsible for some of the AI tools – including Baidu and OpenAI – to implement changes to prevent malicious users from taking advantage of the vulnerabilities.

“It’s the very first study to demonstrate that vulnerabilities of large language models in general can be exploited as an attack path to online commercial applications,” says , who co-led the study while at the University of Sheffield in the UK.

Peng and his colleagues looked at six AI services that can translate human questions into the SQL programming language, which is commonly used to query computer databases. “Text-to-SQL” systems that rely on AI have become increasingly popular – even standalone AI chatbots, such as OpenAI’s ChatGPT, can generate SQL code that can be plugged into such databases.

The researchers showed how this AI-generated code can be made to include instructions to leak database information, which could open the door to future cyberattacks. It could also purge system databases that store authorised user profiles, including names and passwords, and overwhelm the cloud servers hosting the databases through a denial-of-service attack. Peng and his colleagues presented their work at the 34th on 10 October in Florence, Italy.

Their tests with OpenAI’s ChatGPT back in February 2023 revealed the standalone AI chatbot could generate SQL code that damaged databases. Even someone using ChatGPT to generate code in order to query a database for an innocent purpose – such as a nurse interacting with clinical records stored in a healthcare system database – might actually be given harmful SQL code that damaged the database.

“The code generated from these tools may be dangerous, but these tools may not even warn the user,” says Peng.

The researchers disclosed their findings to OpenAI. Their follow-up testing suggests that OpenAI has now updated ChatGPT to shut down the text-to-SQL issues.

Another demonstration showed similar vulnerabilities in Baidu-UNIT, an intelligent dialogue platform offered by the Chinese tech giant Baidu that automatically converts client requests written in Chinese into SQL queries for Baidu’s cloud service. After the researchers sent a disclosure report with their testing results to Baidu in November 2022, the company gave them a financial reward for finding the weaknesses and patched the system by February 2023.

But unlike ChatGPT and other AIs that rely on large language models – which can perform new tasks without much or any prior training – Baidu’s AI-powered service leans more heavily on prewritten rules to carry out its text-to-SQL conversions.

Text-to-SQL systems based on large language models seem to be more easily manipulated into creating malicious code than older AIs that rely on prewritten rules, says Peng. But he still sees promise in using large language models for helping humans query databases, even if he describes the security risks as having “long been underrated before our study”.

Neither OpenAI nor Baidu responded to a 91av request for comment on the research.

Reference:

arXiv

]]>
2399370
Mathematician warns US spies may be weakening next-gen encryption /article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Tue, 10 Oct 2023 15:55:58 +0000 /?post_type=article&p=2396510
The US National Security Agency headquarters at Fort Meade, Maryland
SAUL LOEB/AFP via Getty Images
A prominent cryptography expert has told 91av that a US spy agency could be weakening a new generation of algorithms designed to protect against hackers equipped with quantum computers. at the University of Illinois Chicago says that the US National Institute of Standards and Technology (NIST) is deliberately obscuring the level of involvement the US National Security Agency (NSA) has in developing new encryption standards for “post-quantum cryptography” (PQC). He also believes that NIST has made errors – either accidental or deliberate – in calculations describing the security of the new standards. NIST denies the claims. “NIST isn’t following procedures designed to stop NSA from weakening PQC,” says Bernstein. “People choosing cryptographic standards should be transparently and verifiably following clear public rules so that we don’t need to worry about their motivations. NIST promised transparency and then claimed it had shown all its work, but that claim simply isn’t true.” The mathematical problems we use to protect data are practically impossible for even the largest supercomputers to crack today. But when quantum computers become reliable and powerful enough, they will be able to break them in moments. Although it is unclear when such computers will emerge, NIST has been running a project to standardise a new generation of algorithms that resist their attacks. Bernstein, who in 2003 to refer to these kinds of algorithms, says the NSA is actively engaged in putting secret weaknesses into new encryption standards that will allow them to be more easily cracked with the right knowledge. NIST’s standards are used globally, so flaws could have a large impact. Bernstein alleges that NIST’s calculations for one of the upcoming PQC standards, Kyber512, are “glaringly wrong”, making it appear more secure than it really is. He says that NIST multiplied two numbers together when it would have been more correct to add them, resulting in an artificially high assessment of Kyber512’s robustness to attack.
“We disagree with his analysis,” says at NIST. “It’s a question for which there isn’t scientific certainty and intelligent people can have different views. We respect Dan’s opinion, but don’t agree with what he says.” Moody says that Kyber512 meets NIST’s “level one” security criteria, which makes it at least as hard to break as a commonly used existing algorithm, AES-128. That said, NIST recommends that, in practice, people should use a stronger version, Kyber768, which Moody says was a suggestion from the algorithm’s developers. NIST is currently in a period of public consultation and hopes to reveal the final standards for PQC algorithms next year so that organisations can begin to adopt them. The Kyber algorithm seems likely to make the cut as it has already progressed through several layers of selection. Given its secretive nature, it is difficult to say for sure whether or not the NSA has influenced the PQC standards, but there have long been suggestions and rumours that the agency deliberately weakens encryption algorithms. In 2013, The New York Times reported that the agency , and intelligence agency documents leaked by Edward Snowden in the same year contained references to the NSA deliberately placing a backdoor in a cryptography algorithm, although that algorithm was . Moody denies that NIST would ever agree to deliberately weaken a standard at the behest of the NSA and says that any secret weakness would have had to be inserted without its knowledge. He also says that in the wake of the Snowden revelations, NIST has tightened guidelines to ensure transparency and security and to rebuild confidence with cryptographic experts. “We wouldn’t have ever intentionally done anything like that,” says Moody, but he acknowledges the Snowden leaks caused a backlash. “Anytime the NSA gets brought up, there’s a number of cryptographers that are concerned and we’ve tried to be open and transparent about our interactions.” Moody says that the NSA has also – as far as a secretive intelligence agency can – tried to be more open. But the agency declined to comment when approached by 91av. “All we can do is tell people that NIST are the ones in the room making the decisions, but if you don’t believe us, there’s no way you could verify that without being inside NIST,” says Moody. However, Bernstein alleges that NIST hasn’t been open about the level of input by the NSA, “stonewalling” him when he has asked for information. As a result, he has made freedom of information requests and taken NIST to court, . Documents released to Bernstein indicate that a group described as the “Post Quantum Cryptography Team, National Institute of Standards and Technology” included many NSA members and that NIST had met with someone from the UK’s Government Communications Headquarters (GCHQ), the UK equivalent of the NSA. at the University of Surrey, UK, says there are reasons to be wary of encryption algorithms. For example, the GEA-1 code used in mobile phone networks during the 1990s and 2000s was found to have a flaw that made it millions of times less computationally intensive than it should have been to crack – although a culprit who put it there has never been identified. But Woodward says that the current PQC candidates have been heavily scrutinised by academics and industry and haven’t yet been found lacking, while other algorithms that featured in earlier stages of the competition have been demonstrated to be flawed and were eliminated. “Intelligence agencies have a history of weakening encryption, but there’s been such a lot of security analysis done on these candidates that I would be surprised if Kyber were somehow booby-trapped,” he says.]]>
2396510
Knowing how to hack will be vital in a cybercrime-filled future /article/2373435-knowing-how-to-hack-will-be-vital-in-a-cybercrime-filled-future/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Tue, 16 May 2023 15:00:00 +0000 http://mg25834390.100 2373435 Hackers can make computers destroy their own chips with electricity /article/2354844-hackers-can-make-computers-destroy-their-own-chips-with-electricity/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Thu, 19 Jan 2023 14:05:03 +0000 /?post_type=article&p=2354844 2354844 Ukraine’s army of hackers failed to thwart Russia and quickly gave up /article/2335965-ukraines-army-of-hackers-failed-to-thwart-russia-and-quickly-gave-up/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Thu, 01 Sep 2022 07:00:37 +0000 /?post_type=article&p=2335965 2335965 Hacking device can secretly swipe and tap your smartphone screen /article/2335970-hacking-device-can-secretly-swipe-and-tap-your-smartphone-screen/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Wed, 31 Aug 2022 14:00:40 +0000 /?post_type=article&p=2335970 2335970 Secure computers can leak data by using speakers to shake smartphones /article/2334828-secure-computers-can-leak-data-by-using-speakers-to-shake-smartphones/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Thu, 25 Aug 2022 09:05:38 +0000 /?post_type=article&p=2334828 2334828 What hackers get up to when left on an island in the Pacific /article/2333869-what-hackers-get-up-to-when-left-on-an-island-in-the-pacific/?utm_campaign=RSS|NSNS&utm_content=hacking&utm_medium=RSS&utm_source=NSNS Wed, 17 Aug 2022 18:00:00 +0000 http://mg25534000.100 2333869