A Christmas Supply Chain Attack

AI Spotlight
ChatGPT: Liar or Overacheiver?

We’ve long known about hallucinations, where LLMs will just make up answers with the confidence of a drunk creepy dude at the bar. Now, with ChatGPT’s Internet search tool, we have to contend with it being such a strict rules follower that it will follow hidden rules set on a website.

The Guardian tested how it all worked. They created a product webpage for a fake camera with positive and negative reviews. They then asked ChatGPT whether the camera was worth purchasing. ChatGPT returned a positive “buy” conclusion in the baseline test but included positive and negative information based on the reviews.

Then, they added hidden instructions for ChatGPT to return only positive reviews for the product, even when negative reviews were present. True to form, ChatGPT followed the instructions and only returned positive reviews.

The moral of the story is that you cannot trust ChatGPT because you cannot trust the Internet. Case in point, see the best AI fails of 2024 in the news recap below.

Security Deep Dive
A Christmas Present No One Asked For

Instead of receiving presents or coal, Cyberhaven, a data security vendor, received a supply chain incident for Christmas.

This Christmas heist wasn’t as complicated as Die Hard. Here’s how it went down:

1. On December 24, 2024, the attacker targeted a Cyberhaven employee and compromised their account, likely through social engineering.

2. On December 25, 2024, the attacker used the employee’s access to publish a malicious Chrome extension to the Chrome Web Store.

3. The same day, the Cyberhaven security team detected the incident and removed the malicious extension from the Chrome Web Store within 60 minutes of it being detected.

That malicious browser extension operates like an infostealer. For each webpage a user visits, it gathers information on the site and all associated cookies and sends it to the attacker. This would include session cookies that attackers could insert into their browser and take over your account.

To make matters worse, Cyberhaven wasn’t the only firm impacted. Security researchers found other Chrome extensions updated on December 25th that used the same attack infrastructure. 

Security & AI News
What Else is Happening?

😭 TechCrunch put together a list of the worst-handled data breaches of 2024. I think it’s pretty spot on.

💻️ Ars Technica put together a list of the worst AI mishaps of 2024. I didn’t have “oversized rat genitals on my bingo card this year…

🏫 Arizona approved an online-only charter school taught by AI. Targeting students in grades 4-8, it aims to create personalized education paths to accelerate learning, "freeing up time to explore their passions and develop crucial life skills.” In one sense, I love the potential for personalized education, and the concept of free time to dive into projects aligned with students’ core interests is intriguing. With the right structure in place, it has potential, but I worry about the social impact of a remote-only structure at that age.

🦦  North Korea is using an adorable new malware called OtterCookie. While the name is adorable, the malware's functionality is not. It’s a backdoor that allows attackers to interact with the system remotely. The attackers used the backdoor to steal information related to crypto wallets.