Cyberview: WormGPT, FTC investigates OpenAI, 4-day deadline to report hacks

September 5, 2023


The latest Cyberview episode is out! Join cybersecurity experts Gerald Kasulis, Frida Kreitzer, and Carlos Salas as they explore the most talked-about news in the digital world, from WormGPT, ChatGPT’s evil twin, to OpenAI’s FTC investigation and the controversial 4-day breach disclosure rule. Dive into their discussion bellow to discover what’s new in tech and cybersecurity world.

In this episode, we dive into:

  • ChatGPT’s evil twin WormGPT

  • The Federal Trade Commission (FTC) investigation into OpenAI data leak and ChatGPT’s inaccuracy

  • A new 4-day rule for disclosing cyberattacks set by the US Securities and Exchange Commission (SEC)

ChatGPT's evil twin WormGPT

The new tool, WormGPT, is advertised on underground forums as a blackhat alternative to ChatGPT for launching phishing and business email compromise (BEC) attacks. Although, ChatGPT’s natural language abilities can already help hackers write convincing emails, resulting in the obvious signs of malicious emails disappearing.

Tools like ChatGPT and Google’s Bard have some safeguards in place that try to ensure that AI-generated content does not cause harm. However, WormGPT is specifically designed to be fully unrestricted and facilitate criminal activities, so it raises even more questions about the ethical limits of AI.

FTC investigates OpenAI over data leak and ChatGPT’s inaccuracy

Has ChatGPT broken consumer protection laws by risking personal reputations and data? The FTC has opened an investigation into OpenAI, requiring details on how OpenAI gathers and protects data and vets information.

The FTC wants to know how information was used to train its model and how it prevents false claims from being shown to users. Additionally, they are interested in how APIs connect to OpenAI’s systems and how user data is protected, all while the FTC issued multiple warnings that existing consumer protection laws apply to AI.

The 4-day deadline for public companies to report breaches

US companies hit by cyberattacks will face a 4-day deadline for publicly disclosing hacks, under new rules approved by the US Securities and Exchange Commission (SEC). There are mixed feelings about this new requirement. On the one hand, it is praised for encouraging transparency about cybersecurity breaches, as they are considered as important to investors as any other significant operational disruption.

On the other hand, the new rule is being labeled as a controversially short deadline that may not allow companies enough time to put an action plan in place or fix vulnerabilities. Although regulations state that if the SEC is informed in writing of a national security or public safety risk, a delay in breach disclosure of up to 60 days is allowed.

Stay tuned for the next episode of Cyberview.