🦾 Shadow AI - 7 December 2023

Arming Security And IT Leaders For The Future

Forwarded this newsletter? Sign up for Shadow AI here.

Hello,

Sometimes I wonder if I should scale back Shadow AI, but there’s so much happening in AI that I’m finding it useful to hold me accountable to stay on top of the biggest happenings and what it means for security and IT. I’d love to hear your ideas on how to continue to mature this newsletter in 2024 so it adds value amongst the slew of other newsletters out there.

This week we cover:

🥸 An SEO Heist and What it Means for Security

🏃🏽 Gemini’s Release and Capabilities

🤝🏻 IBM and Meta’s AI Alliance

💣 AI Insight Forum Update

📈 Spear Investment’s AI Value Chain

🐛 ChatGPT vs Snyk Code

Let’s dive in!

Demystifying AI - An SEO Heist and What it Means for Security

AI isn’t only going to amplify existing threat vectors; it’s going to create new ones that security and business professionals aren’t prepared to defend against. In this Twitter thread, Jake Ward describes how he used AI to "steal" 3.6M in total web traffic from competitors. The process involved identifying a competitor, exporting their sitemap, and using this data to generate article ideas. AI was then used to rapidly create and publish 1,800 articles in a few hours, which quickly diverted traffic to his site. The results were notable:

  • 490K in monthly traffic

  • 3.6M in total traffic since publishing

  • 13K keywords on page 1 of Google

Security teams need to be prepared to help business teams, including marketing in this case, reduce the risk of being negatively impacted by the efficiency and scalability of AI. If you’re a Business Information Security Officer, start understanding all the different practical ways AI can impact your business units today. For example, new channels of threat intelligence may need to be established to monitor for SEO manipulation or attack tactics against a company’s web properties. Incident playbooks may need to be expanded in many new ways, including how to swiftly respond to SEO-related incidents, attribute the bad actors, and take action.

At the same time, critical algorithms like SEO are going to need an overhaul to account for AI’s impact. The measurements of today are not going to work tomorrow. Ironically, higher quality, unique content (not AI driven) may need to be weighted more. Bad actors also will need to face strong penalties for engaging in this type of behavior.

AI News to Know

  • Gemini’s Release and Capabilities: Google released Gemini, a flexible, three-tiered, multimodal model for building and scaling AI at various complexities. Google claims that Gemini Ultra, its most advanced model, outperforms GPT-4 across a range of text and multimodal benchmarks. How quickly will OpenAI counterpunch with GPT-5, or will that be slowed down with the recent governance changes?

  • AI Alliance: IBM and Meta launched the AI Alliance, a group of 50 organizations with an international reach across industry, startup, academia, research and government, to support open innovation and open science in AI. The alliance is focused on six areas, including AI benchmarking, regulation, and safety, and aims to counterbalance the growth of closed AI models like OpenAI.

  • AI Insight Forum Update: Senator Schumer’s AI Insight Forum wrapped up its eighth and ninth closed door sessions yesterday covering “doomsday scenarios” and national security. As we head into 2024, Congress will hopefully find common ground in developing a legislative framework that balances short-term AI risk with doomsday scenarios and the risk of China outcompeting the U.S.

AI on the Market

  • AI Value Chain: Ivana Delevska and Spear Investments published a great deep dive on the AI value chain. It’s focused on three main areas: hardware, data infrastructure, and AI applications. Securing the AI value chain will be increasingly important as AI usage expands, and Spear sees the hardware and data infrastructure layers as areas with the most opportunities to capture value.

  • ChatGPT vs Snyk Code: James Berthoty, an application security guru and founder of Latio Tech, was impressed with ChatGPT’s performance as a security scanner compared to Snyk Code on straightforward Python code. In a quick proof of concept with a general model, ChatGPT returned better results than Snyk, one of the industry leaders in this space. James’ proof of concept highlights how the static scanning market is at risk of getting upended with the emergence of a well-trained, application-security-focused LLM.

AI Prompt of the Week

I really like this output, which provides a concrete 3-year plan for someone to gradually build their cybersecurity and AI expertise. I think the one area it should more clearly emphasize is networking in parallel to building one’s skills. What else would you suggest for the training plan?

Have a favorite, funny, or doomsday security or IT prompt to share with the Shadow AI community? Submit it here and you could make the newsletter.

Reply directly to this email with any feedback, including your thoughts on the AI Prompt of the Week. I look forward to hearing from you.

If you enjoyed this newsletter and know someone else who might like Shadow AI, please share it!

Until next Thursday, humans.

-Andrew Heighington