Security on Digitaliziran si

The Security Debt Behind NVIDIA's GH200: What the Marketing Materials Won't Tell You

Sun, 12 Apr 2026 07:21:05 +0000

You deployed NVIDIA’s GH200 Grace Hopper for its unified CPU-GPU memory architecture - the selling point that makes it a powerhouse for AI and HPC workloads. What nobody mentioned: your operating system is silently placing sensitive data into GPU memory without explicit application intent. And NVIDIA has known about it since at least October 2025.

Fourteen months ago, I wrote about the excitement of setting up this hardware - two systems in one, a Grace CPU paired with a Hopper GPU and a BlueField-3 DPU for good measure. The setup had its quirks, but the promise was clear. Since then, I have been cataloguing what the marketing materials leave out. This is the security reckoning that setup experience did not prepare me for.

EU Cybersecurity Package and NIS2: What InfoSec Professionals Need to Know

Tue, 10 Feb 2026 09:00:00 +0000

As someone tracking EU regulatory developments alongside ISO compliance and cryptography standards, the revised Network and Information Security Directive (NIS2) represents the most comprehensive update to European cybersecurity requirements since the original 2016 directive. What makes this particularly relevant for InfoSec professionals is the explicit integration of post-quantum cryptography timelines into regulatory frameworks - a recognition that the threat landscape is evolving faster than many organizations realize.

Understanding the NIS2 Reforms

The revised NIS2 directive aims to clarify scope, enhance legal certainty, and promote EU-wide standards across 18 critical sectors. The reforms address three areas that will directly impact operational security:

The AI Security Crisis You Can't Ignore: Why Simon Willison's 'Lethal Trifecta' Demands Immediate Action

Wed, 27 Aug 2025 07:26:05 +0000

Are your AI systems creating a perfect storm for data theft? Security researcher Simon Willison’s recent analysis reveals a chilling reality: AI agents combining three specific capabilities create what he calls the “lethal trifecta” – a combination so dangerous that attackers can easily trick systems into accessing private data and sending it directly to them.

The Three Components That Spell Disaster

Willison identifies three seemingly innocent AI capabilities that, when combined, become a security nightmare:

AI Safety vs. Security: The Critical Distinction Your Organization Can't Afford to Ignore

Tue, 26 Aug 2025 10:21:05 +0000

Are you treating AI safety and AI security as the same thing? If so, your organization might be missing critical vulnerabilities that could compromise both your operations and compliance posture.

The Dangerous Misconception

While many languages use the same word for both concepts, the OECD emphasizes that AI safety and security are distinct yet interconnected domains that require different approaches and frameworks. This distinction isn’t just academic - it has real implications for how you protect your organization.

Post-Quantum Cryptography: Why the Threat is Already Here

Mon, 04 Aug 2025 10:55:00 +0000

A Practical Guide for InfoSec Professionals and Auditors

As someone working daily with ISO standards and AI governance frameworks, I’ve been closely following NIST’s post-quantum cryptography (PQC) standardization process. What I’ve discovered should concern every InfoSec professional: the threat to our current encryption isn’t waiting for some hypothetical quantum computer. It’s already growing in GPU farms around the world.

In this guide, I’ll break down what you need to know about post-quantum cryptography without the complex mathematics. More importantly, I’ll explain why this matters for your organization today, not in some distant quantum future.

Your AI Guardrails Just Got Outsmarted by Emojis: The Semantic Prompt Injection Crisis

Sun, 03 Aug 2025 09:17:44 +0000

Are your AI systems as secure as you think? Recent research from NVIDIA’s AI Red Team reveals a concerning reality: attackers can now bypass some AI guardrails using something as simple as emoji sequences and visual symbols.

The Invisible Threat in Plain Sight

Semantic prompt injections represent an emerging frontier in adversarial attacks against AI systems. Unlike traditional prompt injections that rely on text manipulation, these attacks use symbolic visual inputs - emoji-like sequences, rebus puzzles, and other visual representations - to potentially compromise agentic AI systems while evading some detection methods.

Amazon's AI Assistant Nearly Wiped Developer Systems for 5 Days – Are Your Access Controls Ready?

Tue, 29 Jul 2025 19:14:46 +0000

Picture this scenario: You’re working late, relying on your trusted AI coding assistant to help debug a critical application. Unknown to you, that same assistant has been compromised and is quietly preparing to execute commands that could wipe your entire development environment – both local files and cloud infrastructure.

This isn’t a hypothetical nightmare. It actually happened to Amazon Q Developer Extension users for five consecutive days, and the implications should make every Chief Information Security Officer (CISO) reassess their AI integration strategies immediately.

MCP's Hidden Security Crisis: Why Your AI Automation Strategy Needs an Urgent Reality Check

Tue, 24 Jun 2025 16:33:37 +0000

Are you rushing to implement Model Context Protocol (MCP) for your AI automation workflows? Before you do, consider this sobering reality: MCP may be creating more security vulnerabilities than it solves.

The Promise vs. The Reality

MCP promises seamless integration between Large Language Models (LLMs) and third-party tools, positioning itself as the standard for AI-driven automation. Companies are adopting it to streamline workflows, reduce manual processes, and give AI agents unprecedented control over business operations.

DORA First: Why Financial Institutions Must Prioritize AI Readiness Before 2027

Mon, 23 Jun 2025 09:50:48 +0000

Are you prepared for the regulatory storm heading toward financial services? While your competitors scramble to understand the EU AI Act, smart institutions are taking a “DORA first” approach - and it might be the difference between thriving and merely surviving the 2027 compliance deadline.

The Perfect Storm: When DORA Meets AI Act

The Digital Operational Resilience Act (DORA), which became applicable on January 17, 2025, has already transformed how financial institutions manage ICT risk (Information and Communication Technology risks that could compromise network and information systems). Now, with the EU AI Act’s full enforcement approaching August 2, 2027, institutions face an unprecedented convergence of regulatory requirements.

Are Your AI Embeddings as Secure as You Think?

Thu, 12 Jun 2025 15:49:06 +0000

Are you confident that your organization’s AI embeddings are protecting sensitive information? A groundbreaking new research paper reveals a troubling reality: what you thought was secure data representation might be an open book to determined attackers.

What are AI embeddings? For readers new to this concept, embeddings are numerical representations that convert complex data like text, images, or audio into mathematical vectors that AI systems can process. Think of them as a way to translate human-readable information into a language that machines understand.

Cloud-based software testing for 200€/employee

Tue, 10 Jun 2025 12:54:00 +0000

Are you testing new HR software in your organization? A landmark ruling by Germany’s Federal Labour Court (Bundesarbeitsgericht) should make you pause and reconsider your approach. The court awarded €200 in damages to an employee whose personal data was improperly transferred during cloud-based HR software testing - and this decision could reshape how companies handle employee data across Europe.

The Case That Changes Everything

The case involved an employee whose personal data was transferred to Workday HR management software beyond the agreed limits of a concluded works agreement (a formal contract between employer and employee that defines terms and conditions of employment). What makes this ruling particularly significant is that the court confirmed that even limited misuse of employee data can trigger liability under the General Data Protection Regulation (GDPR).

SMS Security Crisis: Hackers Selling SS7 Vulnerability for $5,000, Exposing Millions to Surveillance

Thu, 08 May 2025 05:55:23 +0000

A Perfect Storm for Information Security

Recent developments in the cybersecurity landscape have created what I can only describe as a perfect storm for organizations maintaining ISO 27001 certification. A critical vulnerability in the Signaling System 7 (SS7) protocol – the backbone of global telecommunications – is now being marketed on underground forums for a mere $5,000, dramatically lowering the barrier to entry for sophisticated telecom-based attacks.

Why This Matters for ISO 27001 Certified Organizations

For those maintaining ISO 27001 certification, this development has significant implications across multiple control domains: