TechRisk #73: $3M recovered through hacking
Plus, PQC algorithms are around the corner, AI models packaged in formats that allow arbitrary code execution, hackers are using AI to find bugs, and more
Tech Risk Reading Picks
Insuring against AI risk: The insurance industry, long a leader in risk management, is rapidly adapting to the transformative impact of AI. The Swiss Re Institute highlights the new risks AI introduces, such as algorithmic bias and decision-making errors, which can render traditional risk models outdated. It suggests that as AI's influence grows, sectors like health and pharmaceuticals will face substantial loss potentials. Insurers are beginning to offer AI-specific coverage, but must also guard against 'silent AI risks' that could accumulate within portfolios. Combining AI with human expertise and ethical oversight is essential to leverage AI's benefits while mitigating its risks. Through regulation, international cooperation, and innovative insurance products, the industry can safely harness AI's potential for an efficient future. [more]
Flaw in AI services: Cybersecurity researchers have identified a severe security flaw in Replicate, an AI-as-a-service provider, that could have let attackers access proprietary AI models and sensitive information. The flaw involves using AI models packaged in formats that allow arbitrary code execution, enabling cross-tenant attacks. Researchers from Wiz demonstrated this by creating a rogue container with the open-source tool Cog, achieving remote code execution on Replicate’s infrastructure. They exploited a TCP connection with a Redis server in a Kubernetes cluster on Google Cloud to inject commands, facilitating cross-tenant attacks. This vulnerability could expose proprietary data, affect AI model integrity, and compromise sensitive information, including PII. [more]
Post-quantum cryptographic algorithms coming soon: The U.S. National Institute of Standards and Technology (NIST) will soon release post-quantum cryptographic algorithms, according to Anne Neuberger, the White House's top cyber advisor. This step is crucial in preparing for the advent of cryptographically relevant quantum computers (CRQCs), which could potentially break current encryption methods. While the U.S. anticipates CRQCs might become operational by the early 2030s, the new algorithms aim to protect sensitive data collected today from future decryption threats. NIST is set to finalize three algorithms this summer, but implementing these in existing systems will be complex due to the resource demands of post-quantum cryptography. [more]
Quantum Programming: Quantum programming languages are specialized languages for writing programs on quantum computers, incorporating unique quantum mechanics principles like superposition, entanglement, and qubits.
Types
Quantum Instruction Sets: Convert calculations into instructions for quantum processors.
Quantum Software Development Kits (SDKs): Tools for designing, simulating, and preparing quantum programs for execution.
Top 5 Languages in 2024
Python: Easy to learn, with quantum libraries like QuTiP.
Qiskit: IBM's SDK for quantum computing, supporting circuits and algorithms.
Ocean: D-Wave’s tools for solving complex problems on its quantum computers.
Q#: Microsoft's language for quantum algorithms, integrated with classical control flows.
Cirq: Google’s framework for NISQ computers, with built-in simulators.
4th zero-day Chrome exploit in a month: Google has released an update to address a high-severity security flaw in Chrome, tracked as CVE-2024-5274. This critical vulnerability is a type confusion issue in the V8 JavaScript and WebAssembly engine. Type confusion vulnerabilities occur when code treats a value as a different type than the one it actually has, which a threat actor can trigger to cause unintended actions, potentially leading to crashes, arbitrary code execution, or bypassing access controls. This marks the fourth zero-day vulnerability Google has patched this month, following CVE-2024-4947, CVE-2024-4761, and CVE-2024-4671. Google advises Windows and macOS users to update to Chrome version 125.0.6422.112/.113 and Linux users to version 125.0.6422.112. Users of Chromium-based browsers should also apply fixes as they become available. [more]
Targeting financial institutions: Hackers, identified as 'UAC-0188,' are using code from a Python clone of Minesweeper to hide malicious scripts targeting financial institutions in Europe and the US. They send emails from "xxxxxx[@]some-domain[.]com," posing as a medical center, with a Dropbox link to a 33MB .SCR file. This file combines Minesweeper code with hidden malicious scripts that download SuperOps RMM, a remote management tool, giving attackers direct access to compromised systems. CERT-UA advises monitoring for SuperOps RMM presence as a sign of compromise and provides additional indicators for detection. [more]
Hackers are using AI to find bugs: Hackers are increasingly using AI tools to identify bugs in computer code and claim lucrative rewards from bug bounty schemes. These schemes, run by tech giants like Microsoft and Google, incentivize reporting security flaws so developers can fix them. Researchers like Yang Liu from Nanyang Technological University have created AI tools like GPTScan and PropertyGPT to detect and correct vulnerabilities in smart contracts on blockchains, uncovering numerous bugs and earning significant rewards. However, the same AI capabilities are also being exploited to generate fake but convincing bug reports, complicating the verification process. Ethical hackers have integrated AI into their bug-finding strategies, enhancing their effectiveness and communication. Despite this, the rise of AI-generated, erroneous reports is causing concern among developers, as these reports are often elaborate and time-consuming to review. Platforms like HackerOne may counter this by implementing rated profiles for report submitters to reduce bogus submissions. [more]
Regulating emerging tech - US perspective: The debate about the speed of legislative action on AI has raised questions about Congress's role in regulating new technologies. Historically, Congress has rarely passed new laws for emerging technologies unless they lacked any statutory precedent, as seen with nuclear weapons. Instead, regulation often falls to other actors such as scientists, executive agencies, the media, investors, and the public, who collectively influence the development and control of new technologies. Congress often engages in "fire alarm oversight," setting up mechanisms for the public and interest groups to monitor and respond to administrative actions. This approach is partly due to the expertise gap between Congress and technical experts, as well as the public's general lack of concern about tech issues compared to more immediate problems like the economy or health care. Despite the lack of new laws, existing statutes can sometimes apply to new technologies, reducing the need for immediate legislative action. Additionally, non-legislative actors, including developers, journalists, and the public, play crucial roles in regulating tech. For example, public backlash and media scrutiny can pressure companies to adjust their practices, as seen with Facebook's Beacon feature and cryptocurrency scandals uncovered by Coindesk.
Web3 Cryptospace Spotlight
$3M worth of bitcoin recovered through hacking: Two years ago, "Michael," who owns about $2 million worth of bitcoin stored in an encrypted digital wallet, sought help from hardware hacker Joe Grand to recover his password. Michael's password was generated using RoboForm and stored in a corrupted TrueCrypt file. Initially, Grand declined to help since his hardware skills weren't relevant. However, after some time, he reconsidered and teamed up with a friend named Bruno. They discovered a flaw in the RoboForm version used by Michael in 2013, which tied password generation to the computer's date and time. By replicating the conditions under which the password was generated, they eventually recovered it. Michael's bitcoin, initially worth $5,300 in 2013, is now valued at $3 million. He credits the password loss for preventing him from selling the bitcoin prematurely, leading to greater financial gain. [more]
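The class of weakness described above, as an added example that is not RoboForm's code and not part of the original newsletter: a toy generator seeded only from the clock second, next to one that draws from the OS CSPRNG. All function names, the alphabet and the 2013 timestamp are constructed for illustration.

```python
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumed character set for the toy generators (70 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def weak_generate(when: datetime, length: int = 20) -> str:
    """Toy weak design: the output depends only on the clock second."""
    rng = random.Random(int(when.timestamp()))
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_generate(length: int = 20) -> str:
    """Hardened form: OS CSPRNG, independent of date and time."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit_window(start: datetime, end: datetime, password: str):
    """Return the second in [start, end] that reproduces `password`
    under the weak design, or None if no second does."""
    t = start
    while t <= end:
        if weak_generate(t, len(password)) == password:
            return t
        t += timedelta(seconds=1)
    return None

def keyspace_comparison(window_days: int, length: int = 20):
    """Candidates to check: clock-seeded design vs. uniform random choice."""
    return window_days * 86400, len(ALPHABET) ** length

if __name__ == "__main__":
    # Constructed sample: a password "created" at a known-ish time in 2013.
    created = datetime(2013, 4, 10, 12, 34, 56, tzinfo=timezone.utc)
    pw = weak_generate(created)
    start = created.replace(minute=0, second=0)
    end = start + timedelta(hours=1)
    print("weak password reproduced at:", audit_window(start, end, pw))
    print("CSPRNG password reproduced at:",
          audit_window(start, end, strong_generate()))
    weak, strong = keyspace_comparison(30)
    print(f"30-day window: {weak} candidates vs {strong:.3e} for 20 random chars")
```

Knowing the creation time to within a month leaves about 2.6 million candidates for the clock-seeded design, while the CSPRNG output gives no such shortcut.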