DevSecOps Blueprint: from Vulnerability Management and Security-by-Design to Pipeline Integrity


ChatGPT Data Breach Breakdown

OpenAI experienced a data breach due to a vulnerability in Redis, raising concerns about securing ChatGPT.

This breach actually started all the way back in March, when some users were posting on Reddit and other forums that they could see the chat history of other users. Well, it turns out that threat actors were actually behind this: they exploited a vulnerability in the Redis open source library that ChatGPT uses. This vulnerability allowed them to see the chat history of other active users. It also allowed them to see the username, email and some partial credit card information of some users as well.

So you may be thinking, okay, what's the big deal? Some chat history from ChatGPT, how does that pose a big security risk? And this is really where the arguments of the article that I wrote come in. There are huge amounts of sensitive information being piped into ChatGPT from employees of organizations, and it's happening across all fields. Software developers are using it to help them with their code, so there's proprietary code being put in there, and perhaps there's credentials and secrets as they ask it to write code to connect to different services. Your data is being input in there to try and break it down and analyze it, but this could be very sensitive. Even your legal teams are probably using it to analyze the legal contracts that are coming through. So you can see how so much sensitive information has ended up being stored in ChatGPT.

But here's the kicker: ChatGPT says specifically, do not do this. Why? Because it doesn't have sufficient security to be able to protect this data. And you know what, that's kind of fair enough on ChatGPT to say, hey, this is not what our product's made for, but that's not going to stop employees from using it in this way. ChatGPT doesn't have fine-grained access logs, it doesn't have encryption of the data, as we can see by the vulnerabilities, it doesn't have access control, and there's no way of governing what's going into ChatGPT. There's no overarching set of different roles where you can see it from a director's point of view.

So surely the solution then is just to ban ChatGPT, and many organizations are. Samsung is one of the latest ones that has rolled out a complete ban on all of its employees using ChatGPT. Data security service Cyberhaven has said that it has blocked requests to input data into ChatGPT from 4.2 percent of the 1.6 million workers at its client companies. But here's why I think that is never going to work. There is a palpable fear in the industry, and I feel it, and so probably do you, that if you're not using large language models like ChatGPT to increase your productivity then you're going to fall behind. Blocking ChatGPT now feels like you're blocking someone's productivity, so they're going to find ways around that.

Now all of these factors combined actually make ChatGPT one of the juiciest, highest-value targets for attackers. They can potentially gain access to lots of high-value sensitive data that isn't sufficiently protected by ChatGPT. Attackers are always going to take the path of least resistance, and there are lots of ways that you can try and hack into ChatGPT. You can find vulnerabilities in the entire system, which is what we're talking about in this data breach, and that's definitely going to continue to happen. ChatGPT is part of your supply chain whether you want it to be or not, and therefore an attack on ChatGPT is potentially a massive supply chain attack on many, many organizations.

The other area is targeting individual accounts, for instance conducting phishing campaigns to get into the history of ChatGPT, because again, users don't consider this to be sensitive, so ChatGPT accounts are not sufficiently protected, but also through individual access tokens. One interesting metric that really shows the massive increase in how ChatGPT is being used at work is the massive increase of OpenAI access credentials that are being leaked in public spaces. One of the things that GitGuardian is famous for is monitoring public spaces to try and find leaked credentials. The biggest spike that we ever saw for a single type of credential was OpenAI credentials at the end of 2022, and this spike has continued to grow. Now these are OpenAI credentials that are being used inside source code, so programmatically, but have been leaked in a public repository. These access tokens could potentially give the chat history of that user as well, so this is just another avenue that attackers can use against ChatGPT.

Now there is another risk that I talked about in my article about using ChatGPT, and it's one that I've used for lots of different AI products, and that is that AI isn't really that good. It's incredible, but in terms of being a good software engineer, well, it's not that great. ChatGPT and other AI systems are trained on the Common Crawl dataset. This is publicly available information. What is one of the biggest sources of this dataset? It's actually public repositories on GitHub, because this is one of the biggest providers of source code in the world, and that's what AI wants: lots of data. But here's a little thought experiment. Go to a random open GitHub repository and look at the quality of the code. Is it good or is it bad? The majority is going to be bad, and that's what ChatGPT is being trained on, so when you ask it to do simple tasks it's going to do it in a way that's probably not that secure.

So we can't ban ChatGPT, we can't stop our employees from using it, we can't really stop employees from putting sensitive information in there, ChatGPT doesn't sufficiently store it, and it's kind of a shitty engineer. So are we all doomed? Well, honestly, this is the part of the video where I would probably be able to plug something or provide some kind of solution, and honestly, I'm sorry, I just don't. There are some things that we should do and some things that we should consider for sure, but in terms of an all-around solution, well, there's just not one available yet.

Firstly, I think banning ChatGPT is the wrong move. It's gonna make using it more secretive, which means that you're going to have less visibility over what your employees are doing. I don't think you're going to stop them from using ChatGPT, so it's time to lean into it. Educate employees about what kind of information can be put in there and how it can be used, and that way at least you'll get some visibility and oversight into the areas it's being used for. How your employees use ChatGPT could actually be a good indicator of some areas where tools are perhaps missing. Are they using it to analyze data? Perhaps you need to invest in creating some purpose-built data analytics tools that actually store it sufficiently and enable them to do the same job, but in a secure way. ChatGPT can provide some insights into that.

When it comes to plugging sensitive information into ChatGPT, like secrets and credentials, well, this is where good secrets detection and secrets management come into play, which is what we've always been talking about. How do we prevent our secrets from being leaked? We wrap them in our vaults, in our secret managers, and we monitor where they are. If your employees don't have access to secrets, they're less likely to sprawl.
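As an added example (not the video's or GitGuardian's own code), a minimal secrets scanner of the kind the last paragraphs describe: it flags hard-coded OpenAI-style keys in source before a commit lands in a public repository, and uses an entropy check so documentation placeholders are not reported. The `sk-` prefix followed by a long base62 run is an assumed key shape, and the sample source is constructed; tune both to your environment.

```python
"""Scan source text for hard-coded OpenAI-style API keys before they reach a public repo."""
import math
import re
from collections import Counter

# Assumption: keys look like "sk-" followed by a long run of [A-Za-z0-9_-].
# Adjust the prefix and minimum length to the key shape your provider issues.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{40,}\b")
MIN_ENTROPY = 3.0  # bits per char; placeholders such as sk-xxxx... score far lower


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list[dict]:
    """Return one finding per key-looking token whose entropy suggests a live secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            token = m.group(0)
            ent = shannon_entropy(token[3:])  # skip the fixed "sk-" prefix
            if ent < MIN_ENTROPY:
                continue  # docs placeholder or test fixture, not a real credential
            findings.append({
                "line": lineno,
                "entropy": round(ent, 2),
                # Never echo the whole secret into CI logs; keep a short hint only.
                "redacted": token[:7] + "..." + token[-4:],
            })
    return findings


# Constructed sample source: one leaked key, one placeholder, one correct env lookup.
SAMPLE_SOURCE = """\
import os, openai
openai.api_key = "sk-T3stKeyCONSTRUCTEDa1B2c3D4e5F6g7H8i9J0kLmNoPqRsTu"  # hard-coded
PLACEHOLDER = "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"     # README example
openai.api_key = os.environ["OPENAI_API_KEY"]                          # from a secret manager
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: possible OpenAI key {f['redacted']} (entropy {f['entropy']})")
```

Run it as a pre-commit hook or CI step over staged files; only the hard-coded key on line 2 of the sample is reported, and the secret itself never appears in the output.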