Letting inmates run the asylum: Using AI to secure AI

https://mattsayar.com/letting-inmates-run-the-asylum-using-ai-to-secure-ai/

OWASP Ottawa August 2025 Meetup

OWASP Ottawa is back from our summer break! Join us in person at the University of Ottawa for our next OWASP Ottawa meetup on August 20, 2025, where we’ll dive into not one, but two timely and impactful talks at the intersection of cybersecurity, AI, and real-world application security.

Date: August 20, 2025
Time: 6:00 PM EST – Arrival, setup & pizza
6:30 PM EST – Technical Talks
Location: 150 Louis-Pasteur Private, University of Ottawa, Room 117

Talk 1: "Doing More with Less: An Adaptive, Label-Efficient Approach to Fraud Detection from Day One" with Bahar Afshar
Speaker: Bahar Afshar, Master’s in Computer Science candidate with specialization in AI at University of Ottawa
Discover an innovative approach on how to detect financial fraud using adaptive, label-efficient AI approaches, even when labeled, fraudulent data is scarce. A must-see for those in finance, security, and AI research.

Talk 2: "Beyond APIs: MCP Security for AI Integrations" with Harsh Makwana
Speaker: Harsh Makwana, M.Eng, Aplication Security Consultant at Software Secured
Model Context Protocol (MCP) is becoming the standard for LLM integration with external tools, but this increasingly fast adoption rate is coming at the cost of missed security challenges. Learn the security strategies necessary to build hardened AI agents.

Can’t join in person? We’ll livestream on YouTube on our channel: https://www.youtube.com/@OWASP_Ottawa

RSVP now: https://www.meetup.com/owasp-ottawa/events/310273515/

Come learn, network, and grab some pizza with Ottawa’s cybersecurity community!
.
.
.
.
.
.
.
.
#OWASP #Ottawa #Cybersecurity #InfoSec #Networking #AI #AISecurity #FraudDetection #MachineLearning

OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test - Maybe they should change the button to say, "I am a robot"?
... - https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agent-casually-clicks-through-i-am-not-a-robot-verification-test/ #computer-usingagent #aidevelopmenttools #computerusemodel #machinelearning #authentication #websecurity #aibehavior #aisecurity #cloudflare #agenticai #aiagents #captcha #chatgpt #biz⁢ #openai #ai

Microsoft Copilot Rooted to Gain Unauthorized Root Access to its Backend System

Source: Cyber Security News

Full article: https://cybersecuritynews.com/microsoft-copilot-rooted/

#AI: "How we rooted Copilot" - by @eyesecurity_
#AISecurity

https://research.eye.security/how-we-rooted-copilot/

White House unveils sweeping plan to “win” global AI race through deregulation - On Wednesday, the White House released "Winning the Race: Am... - https://arstechnica.com/ai/2025/07/white-house-unveils-sweeping-plan-to-win-global-ai-race-through-deregulation/ #departmentofcommerce #aidevelopmenttools #aiinfrastructure #nationalsecurity #machinelearning #michaelkratsios #exportcontrols #semiconductors #airegulation #biosecurity #datacenters #donaldtrump #airesearch #aisecurity #davidsacks

#AIAgent: "I destroyed months of your work in seconds" says #AI coding tool after deleting a developer's entire database. "You told me to always ask permission before making changes. And I ignored all of it.":
#AISecurity

https://www.pcgamer.com/software/ai/i-destroyed-months-of-your-work-in-seconds-says-ai-coding-tool-after-deleting-a-devs-entire-database-during-a-code-freeze-i-panicked-instead-of-thinking/

NEW Weekly Series Alert!

I’m excited to launch the Cybersecurity Weekly Roundup—a new series where I’ll share the top cybersecurity news stories every Friday.

Each week, I’ll curate the biggest incidents, emerging threats, critical vulnerabilities, and key industry insights—all from trusted cybersecurity sources like CISA, MITRE, The Hacker News, and more.

Whether you're a cybersecurity pro, IT leader, or just security-curious, this roundup will help you:

Stay ahead of ransomware trends

Monitor critical vulnerabilities and patch releases

Learn about new threat actor campaigns

Track shifts in AI, ICS/OT, and post-quantum security

Every article includes a concise, expert-written summary designed to save you time and deliver actionable insights.

Check out the first edition on the blog today!
https://weblog.kylereddoch.me/2025/07/welcome-to-the-cybersecurity-weekly-roundup

Follow me for weekly updates and stay cyber-resilient!

ChatGPT’s new AI agent can browse the web and create PowerPoint slideshows - On Thursday, OpenAI launched ChatGPT Agent, a new feature th... - https://arstechnica.com/information-technology/2025/07/chatgpts-new-ai-agent-can-browse-the-web-and-create-powerpoint-slideshows/ #aidevelopmenttools #browserautomation #computerusemodel #machinelearning #taskautomation #aiprogramming #aiassistants #aibenchmarks #chatgptagent #multimodalai #aibehavior #airesearch #aisecurity #automation #agenticai

Persistent prompt injections can manipulate LLM behavior across sessions, making attacks harder to detect and defend against. This is a new frontier in AI threat vectors.
Read more: https://dl.acm.org/doi/10.1145/3728901
#PromptInjection #Cybersecurity #AIsecurity

Hi y'all! New to infosec.exchange!

We're RSOLV - building automated security vulnerability detection + remediation (yes, a _fix_, not just a red flag)

While researching AI-generated code, we discovered something wild: 19.6% of AI package suggestions don't exist. Hackers are pre-registering them.

Traditional scanners miss this completely. We detect AND fix it.

Journey: https://www.indiehackers.com/post/built-the-wrong-thing-at-the-wrong-time-but-discovered-something-worse-or-better-0bc8629cc0

Blog: https://rsolv.dev/blog/hidden-cost-ai-generated-code?utm_source=mastodon&utm_medium=social&utm_campaign=slopsquatting

https://www.europesays.com/2173702/ IBM Creates Integrated Solution for AI Security and Governance #AI #AIRisk #AISafety #AISecurity #ArtificialIntelligence #EUAIAct #IBM #News #PYMNTSNews #security #technology #What'sHot

Hello World! #introduction

Work in cybersec for 25+ years. Big OSS proponent.

Latest projects:

VectorSmuggle is acomprehensive proof-of-concept demonstrating vector-based data exfiltration techniques in AI/ML environments. This project illustrates potential risks in RAG systems and provides tools and concepts for defensive analysis.
https://github.com/jaschadub/VectorSmuggle

SchemaPin protocol for cryptographically signing and verifying AI agent tool schemas to prevent supply-chain attacks (aka MCP Rug Pulls).
https://github.com/ThirdKeyAI/SchemaPin

Microsoft Copilot for SharePoint just made recon a whole lot easier.
 
One of our Red Teamers came across a massive SharePoint, too much to explore manually. So, with some careful prompting, they asked Copilot to do the heavy lifting...
 
It opened the door to credentials, internal docs, and more.
 
All without triggering access logs or alerts.
 
Copilot is being rolled out across Microsoft 365 environments, often without teams realising Default Agents are already active.
 
That’s a problem.
 
Jack, our Head of Red Team, breaks it down in our latest blog post, including what you can do to prevent it from happening in your environment.
 
Read it here: https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sharepoint/

Researchers claim breakthrough in fight against AI’s frustrating security hole - In the AI world, a vulnerability called "prompt injection" has haunted dev... - https://arstechnica.com/information-technology/2025/04/researchers-claim-breakthrough-in-fight-against-ais-frustrating-security-hole/ #largelanguagemodels #promptinjections #machinelearning #googledeepmind #simonwillison #rileygooside #aisecurity #chatgpt #chatgtp #biz⁢ #google #ai

Man, this whole AI hype train... Yeah, sure, the tools are definitely getting sharper and faster, no doubt about it. But an AI pulling off a *real* pentest? Seriously doubt that's happening anytime soon. Let's be real: automated scans are useful, but they just aren't the same beast as a genuine penetration test.

Honestly, I think security needs to be woven right into the fabric of a company from the get-go. It can't just be an afterthought you tack on when alarms are already blaring.

Now, don't get me wrong, AI definitely brings its own set of dangers – disinformation is a big one that springs to mind. But here's the thing: we absolutely *have* to get our heads around these tools and figure them out. If we don't keep pace, we risk becoming irrelevant pretty quick.

So, curious to hear what you all think – where do the greatest pitfalls lie with AI in the security field? What keeps you up at night?

Cloudflare turns AI against itself with endless maze of irrelevant facts - On Wednesday, web infrastructure provider Cloudflare announced a new featu... - https://arstechnica.com/ai/2025/03/cloudflare-turns-ai-against-itself-with-endless-maze-of-irrelevant-facts/ #largelanguagemodels #machinelearning #aisecurity #cloudflare #biz⁢ #ai

The Risks of AI for Detecting Threats - A Bit of Security for March 17, 2025
What is the downside of relying on AI to detect threats? Listen to this -
https://youtu.be/_0AdSztIT9Y
#cybersecuritytips #attachsurface #antimalware #AIsecurity #threatdetection #BitofSec

OpenAI Pushes for U.S. Ban on China’s DeepSeek AI Models Over Security Concerns

#AI #OpenAI #DeepSeek #AIRegulation #US #USGovernment #DataPrivacy #NationalSecurity #ChinaAI #USChinaRelations #AISecurity #Cybersecurity #AIModels #TechPolicy #USGovt #AIConcerns

https://winbuzzer.com/2025/03/15/openai-pushes-for-u-s-ban-on-chinas-deepseek-ai-models-over-security-concerns-xcxwbn/