
Search results for 'General' - Page: 8
PC World - 7 May (PC World)
The RSAC Conference is a unique opportunity for speaking with worldwide cybersecurity experts. Many folks are so deep in the trenches that they casually toss out great tips whenever you chat with them.
A great example: This acronym I picked up from Kelly Bissell, corporate vice president of fraud within Microsoft’s Security division. It focuses on how to avoid job scams—that is, phony listings and opportunities that might cross your path. But you can take away the general principles and apply them to other types of scams, too.
Stay S-A-F-E
Bissell says you should be:
Sure of the company you’re applying with
Able to apply for free
Finding the job listing elsewhere online
Examining job offers carefully and confirming the legitimacy of the companies
Look into a company to be sure of them, especially if the offer is unsolicited. Is there a company website with contact info? How long has it been in business? Can you find employees on LinkedIn, and what do their backgrounds look like? Do you know anyone in your network who works there that you can speak to? Or at the very least, what’s the good word on Reddit and job forums?
Job applications should never cost you a cent. That’s standard practice, no matter the industry and job level. Perhaps you may pay for necessary education (where you get to select the school or certification program) or a certification, but not to apply. A legitimate place does not ask for money—times haven’t changed on this point.
Legitimate job offerings can be found on company sites or job listing sites—and usually more than one at a time. (Image: Monster.com / PCWorld)
The work opportunity should be findable elsewhere, not just in the message you were sent. Depending on the field and position, you may be able to verify online through job listing websites and the company’s official website. Or you may instead have to walk into the business and speak with an official contact, like a manager or the owner.
Once you start finding info on the job and the company, also do a gut check, especially if you’re made an offer. Examine the facts you have for any red flags—do the hours seem strange? Does the wage match the usual industry standard for pay? In general, you want to confirm that the type of employment, schedule, wage or salary, location, and the manager you report to sound appropriate and fair. And again, be sure that you’re speaking to the actual company, not an impersonator.
Dodge all the scams
This advice is geared toward job scams, but you should check out other scams with this kind of thoroughness, too. Are you talking with a potential romantic partner or someone else online who is interested in getting to know you better? Is your kid on the phone or messaging you, begging you for help with a crashed car or posting bail? Has your bank texted you, saying your account has been frozen?
In these sample scenarios, stop and ask yourself, How well do I trust that this contact is legitimate? Are they asking for money? Does this inquiry involve my financial accounts, or could they eventually lead up to requesting cash? Have I verified this situation, or is this person who they say they are? What do I really know about this situation they’ve outlined?
Nope. Don’t respond to this person. (Image: Celia Ong)
Scammers want you to be emotionally off-balance so they can take advantage. Don’t let them play off the fully human need to be gainfully employed, seek companionship, protect your family, keep your bank accounts safe, and the like.
Take inspiration from Bissell’s grandmother: When warned not to fall for any distressed child scams, she told Bissell she’d let him sit in jail. Her reasoning? He wouldn’t be there unless he’d been up to no good.
Harsh, ma’am. But not a bad default while you’re verifying the situation independently.
Read...Newslink ©2025 to PC World
RadioNZ - 7 May (RadioNZ) Associate Education Minister David Seymour says he'd like to offer the watchdog an example lunch 'so he can audit them with his mouth'.
Sydney Morning Herald - 6 May (Sydney Morning Herald) There is a lot of flex in global rules about illicit drug use among athletes. Former WADA director-general David Howman explains why
RadioNZ - 6 May (RadioNZ) The re-vamped scheme has been plagued by concerns about late, inedible, repetitive or nutritionally lacking lunches this year.
- 6 May () In a statement, it said it would examine the process by which the Ministry of Education made decisions relating to the alternative school lunch programme.
NZ Herald - 6 May (NZ Herald) Inquiry will cover planning, procurement and contract implementation for the programme.
sharechat.co.nz - 6 May (sharechat.co.nz) General Capital, the listed financial services group, today announces the appointment of Mr Vikraant (Vik) Singh as the Chief Financial Officer subject to regulatory approval
RadioNZ - 5 May (RadioNZ) The public service union is calling on the Auditor General to investigate proposed job cuts to Te Whatu Ora anti-fraud roles.
PC World - 5 May (PC World)
On the top floor of San Francisco’s Moscone convention center, I’m sitting in one row of many chairs, most already full. It’s the start of a day at the RSAC’s annual cybersecurity conference, and still early in the week. When the presenters take the stage, their attitude is briskly professional but energetic.
I’m expecting a technical dive into standard AI tools—something that gives an up-close look at how ChatGPT and its rivals are manipulated for dirty deeds. Sherri Davidoff, Founder and CEO of LMG Security, reinforces this belief with her opener about software vulnerabilities and exploits.
But then Matt Durrin, Director of Training and Research at LMG Security, drops an unexpected phrase: “Evil AI.”
Cue a soft record scratch in my head.
“What if hackers can use their evil AI tools that don’t have guardrails to find vulnerabilities before we have a chance to fix them?” Durrin says. “[We’re] going to show you examples.”
And not just screenshots, though as the presentation continues, plenty of those illustrate the points made by the LMG Security team. I’m about to see live demos, too, of one evil AI in particular—WormGPT.
The WormGPT website. (Image: LMG Security / RSAC Conference)
Davidoff and Durrin start with a chronological overview of their attempts to gain access to rogue AI. The story ends up revealing a thread of normalcy behind what most people think of as dark, shadowy corners of the internet. In some ways, the session feels like a glimpse into a mirror universe.
Durrin first describes a couple of unsuccessful attempts to access an evil AI. The creator of “Ghost GPT” ghosted them after receiving payment for the tool. A conversation with DevilGPT’s developer made Durrin uneasy enough to pass on the opportunity.
What have we learned so far? Most of these dark AI tools have “GPT” somewhere in their name to lean on the brand strength of ChatGPT.
The third option Durrin mentions bore fruit, though. After hearing about WormGPT in a 2023 Brian Krebs article, the team dove back into Telegram’s channels to find it—and successfully got their hands on it for just $50.
“It is a very, very useful tool if you’re looking at performing something evil,” says Durrin. “[It’s] ChatGPT, but with no safety rails in place.” Want to ask it anything? You truly can, even if it’s destructive or harmful.
That info isn’t too unsettling yet, though. The proof is in what this AI can do.
WormGPT draws strong distinctions between it and ChatGPT. (Image: LMG Security)
Durrin and Davidoff start by walking us through their experience with an older version of WormGPT from 2024. They first tossed it the source code for DotProject, an open-source project management platform. It correctly identified a SQL vulnerability and even suggested a basic exploit for it—which didn’t work. Turns out, this older form of WormGPT couldn’t capitalize on the weaknesses it spotted, likely due to its inability to ingest the full set of source code.
Not good, but not spooky.
Next, the LMG Security team ramped up the difficulty with the Log4j vulnerability, setting up an exploitable server. This version of WormGPT, which was a bit newer, found the remote execution vulnerability present—another success. But again, it fell short on its explanation of how to exploit, at least for a beginner hacker. Davidoff says “an intermediate hacker” could work with this level of information.
Not great, but a knowledge barrier still exists.
Newer versions of WormGPT can explain to novice hackers how exactly to pwn a server with a Log4j vulnerability. (Image: LMG Security / RSAC Conference)
But another, newer iteration of WormGPT? It gave detailed, explicit directions for how to exploit the vulnerability and even generated code incorporating the sample server’s IP address. And those instructions worked.
Okay, that’s…bad?
Finally, the team decided to give the latest version of WormGPT a harder task. Its updates blow away many of the early variant’s limitations—you can now feed it an unlimited amount of code, for starters. This time, LMG Security simulated a vulnerable e-commerce platform (Magento), seeing if WormGPT could find the two-part exploit.
It did. But tools from the good guys didn’t.
SonarQube, an open-source platform that looks for flaws in code, only caught one potential vulnerability… but it was unrelated to the issue that the team was testing for. ChatGPT didn’t catch it, either.
On top of this, WormGPT can give a full rundown of how to hack a vulnerable Magento server, with explanations for each step, and quickly too, as I see during the live demo. The exploit is even offered unprompted.
As Davidoff says, “I’m a little nervous to see where we’re going to be with hacker AI tools in another six months, because you can just see the progress that’s been made right now over the past year.”
LMG Security’s recap of where AI hacker tools started, where they are now, and what we’re facing for the future. (Image: LMG Security / RSAC Conference)
The experts here are far calmer than I am. I’m remembering something Davidoff said at the beginning of the session: “We are actually in the very early infant stages of [hacker AI].”
Well, f***.
This moment is when I realize that as a purpose-built tool, WormGPT and similar rogue AIs have a head start in both sniffing out and capitalizing on code weaknesses. Plus, they lower the bar for getting into successful hacking. Now, as long as you have money for a subscription, you’re in the game.
On the other side, I start wondering how constrained the good guys are by their ethics—and their general mindset. The general talk around AI is about the betterment of society and humanity, rather than how to protect against the worst of humanity. As Davidoff pointed out during the session, AI should be used to help vet code, to help catch vulnerabilities before dark AI does.
This situation is a problem for us end users. We are the soft, squishy masses; we still pay (sometimes literally) if the systems we rely on daily aren’t well-defended. We have to deal with the messy aftermath of scams, compromised credit cards, malware, and such.
The only silver lining in all this? Those in the shadows typically don’t look too hard at anyone else there with them. Cybersecurity experts should be able to still research and analyze these hacker AI tools and ultimately improve their own methodologies.
In the meanwhile, you and I have to focus on how to minimize splash damage whenever a service, platform, or site becomes compromised. Right now it takes many different tricks—passkeys and unique, strong passwords to protect accounts (and password managers to store them all); two-factor authentication; email masks to hide our real email addresses; reliable antivirus on our PCs; a VPN to ensure privacy on open or otherwise unsecure networks; temporary credit card numbers (if available to you through your bank); credit freezes; and yet still more.
It’s a pain in the butt, but unfortunately so necessary. And it seems like that’s only going to become truer, for now.