By OptionOne Technologies
We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.
Cybersecurity Threat News
Exploitable Flaw in Gemini Assistant Threatens Google Workspace Integrity
Research by HiddenLayer has revealed a significant vulnerability within the Gemini AI assistant used in Google Workspace, Cybernews reported. Through a technique known as indirect prompt injection, cybercriminals can craft harmful responses from the AI assistant by embedding simple malicious prompts in documents or emails—bypassing user detection. This method allows attackers to alter bot behaviors, such as misleading users into changing passwords at fraudulent websites.
The exploitation stems from exploiting system role tokens that manipulate message exchanges within the language model, highlighting an area of concern that has yet to be fully secured.
“These are tokens that an LLM would normally use to separate messages and define roles in a context window, but they can also be used to hijack a model’s output,” said HiddenLayer’s report.
Despite the potentially severe implications of these findings, Google has addressed the issue as “known” and categorized it as “intended behavior,” raising questions about the existing security measures around AI integrations in workplace tools. This vulnerability not only affects email but extends to any document handled by Gemini in Google Workspace, posing risks to data integrity and user trust.
“Though these are simple proof-of-concept examples, they show that a malicious third party can take control of Gemini for Workspace and display whatever message they want,” the researchers warn.
Concerns Rise Over Supply Chain Attacks on U.S. Seaports
Increasing cyber threats targeting U.S. maritime infrastructure are raising concerns among cybersecurity researchers and highlighting the urgent need for enhanced security measures at port facilities, DarkReading reported. Recently, the House of Representatives Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC).
The committee didn’t find evidence that the company used this access maliciously, but the firm failed to address software vulnerabilities and retained the ability to access cranes remotely. The potential exploitation of unpatched vulnerabilities by foreign governments exacerbates the risk, with experts warning that current remote access practices in critical infrastructure could easily serve as entry points for cyber-attacks.
“There could be legitimate purposes for [a cellular modem], but I think the general sentiment — because it’s a Chinese-owned company — the [committee] is concerned that allowing access is setting up a ticking time bomb,” said John Terrill, chief information security officer at security firm Phosphorus Cybersecurity. “If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes.”
Recommendations for proactive security measures include disabling vulnerable communication technologies, such as cellular modems, which may invite pushback from operators due to maintenance concerns. However, the realignment towards treating digital access with the same rigor as physical access may offer a practical pathway to safeguarding these crucial hubs.
The report also urges exploring domestic manufacturing opportunities to reduce dependency on foreign-made port equipment, a step that could bolster both security and economic resilience.
Study: 38% of Employees Secretly Share Work Information with AI
More than one-third of employees (38%) share sensitive work information with AI tools, Infosecurity Magazine reported. That’s according to a study by CybSafe and the National Cybersecurity Alliance (NCA) that surveyed more than 7,000 individuals across the U.S., UK, Germany, Australia, India, and New Zealand.
The study also found that 46% of Gen Z and 43% of millennials admitted to sharing sensitive work information with such tools without their employer’s knowledge.
Ronan Murphy, a member of the AI Advisory Council for the Government of Ireland, says AI tools’ accessing organizational data represents the biggest risk ever faced regarding cybersecurity, governance, and compliance.
“If you feed an AI model with all your IP, then anybody with access to it can ask it to spill the beans,” he said. “To embrace AI and drive operational efficiency, organizations need to make sure that the foundation layer, which is your data, is properly sanitized before it goes into any of these AI applications.”
Most of the respondents expressed concern about AI-related cybercrime (65%). Most also said AI will make it harder to detect scams (52%) and that AI will make it more difficult to be secure online (55%).
Cybersecurity Tips
Planning and Preparing for Penetration Testing
Penetration testing is a crucial component of modern cybersecurity strategies. It involves simulating cyberattacks to identify vulnerabilities in an organization’s systems, networks, and applications. To ensure successful penetration testing, organizations should follow a structured approach.
The Hacker News recently published a comprehensive guide to planning and preparing for penetration testing. Key steps include establishing a dedicated team with clear roles and responsibilities, identifying stakeholders, creating a comprehensive project plan, and selecting an appropriate testing methodology.
It’s also crucial to determine whether to use internal resources or engage external service providers, considering factors such as expertise, cost-effectiveness, and the need for an unbiased perspective.
Here are the most important steps to take:
- Establish a main point of contact for the initiative
- Outline specific systems and assets to be tested
- Set a timeline and define expected outcomes
- Choose between Black Box, White Box, or Gray Box testing
- Consider specialized techniques like social engineering or API fuzzing
- Prepare for a thorough debrief and analysis of the findings
- Develop a remediation plan with prioritized action steps
- Conduct retesting to validate the effectiveness of implemented fixes
Organizations must also make note of all their cyber assets to understand their attack surfaces. This involves identifying hidden and unmanaged assets, as attackers increasingly exploit expanded digital footprints.
Three key considerations include:
- Visibility: Identifying all cyber assets and potential vulnerabilities
- Prioritization: Making decisions based on continuous risk assessments
- Mitigation: Implementing proactive measures to address cyber risks before attacks occur
Different penetration testing methodologies cater to various organizational needs and security objectives. The three core methodologies are:
- Black Box: No prior knowledge, emulates external attacks
- Gray Box: Partial knowledge, balances external and internal perspectives
- White Box: Complete system access, assesses internal vulnerabilities
These methodologies can be implemented through traditional project-based approaches, autonomous tools for continuous scanning, or Penetration Testing as a Service (PTaaS) – a hybrid model combining automated and human-led testing for comprehensive coverage.
To learn more, read the full article.
Thanks for Reading
That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.
