TechRisk #84: Emotionally attached to AI
Plus, NIST releases post-quantum cryptography standards, DeFi Nexera lost $1.5M, Web3 hardware wallets’ firmware vulnerability, growing threat of supply chain disruption in aviation sector, and more!
Tech Risk Reading Picks
NIST releases post-quantum cryptography standards: The National Institute of Standards and Technology (NIST) has finalized its first three post-quantum cryptography standards: CRYSTALS-Kyber for public key encryption and key establishment, and CRYSTALS-Dilithium and SPHINCS+ for digital signatures. These standards are designed to protect against future quantum computer threats, which could break current encryption methods. NIST encourages their immediate adoption to secure sensitive data, with more algorithms under evaluation as potential backups. [more]
Singapore Central Bank collaborates with industrial partners on quantum security: The Monetary Authority of Singapore (MAS) is collaborating with banks and technology partners to enhance quantum security in financial services. This initiative aims to develop Quantum Key Distribution (QKD) methods in financial services to safeguard data against potential future threats from quantum computing. QKD is a secure communication method for exchanging cryptographic keys known only to the sharing parties. The project involves testing and implementing algorithms to protect financial transactions and communications. [more]
AI psychological and ethical risk: OpenAI's new voice mode allows its AI to respond with human-like speech, raising concerns about users forming emotional attachments to AI. This feature, integrated into ChatGPT, blurs the line between human and machine interactions, potentially impacting mental health and relationships. Experts warn that as AI becomes more lifelike, users might increasingly rely on it for companionship, which could lead to ethical and psychological challenges. [more]
Automated AI phishing: Microsoft's new AI tool, Copilot, has sparked concerns over its potential misuse in phishing attacks and data extraction. Security experts warn that cybercriminals could exploit Copilot's advanced capabilities to craft convincing phishing emails and automate the extraction of sensitive data from compromised systems. While Microsoft promotes Copilot as a productivity enhancer, the dual-use nature of AI tools like this raises significant security risks. [more]
AI threats discussed at Black Hat: At Black Hat 2024, significant attention was given to the emerging threats posed by AI in cybersecurity. Experts warned that AI could be weaponized by attackers to automate and scale cyberattacks, making them more sophisticated and harder to detect. Discussions included how AI might be used to breach defenses, generate malicious code, and exploit vulnerabilities more efficiently. The consensus was that while AI offers powerful tools for defense, it also presents new challenges that the cybersecurity industry must urgently address. [more]
In addition, Wiz researchers revealed that AI infrastructure providers like Hugging Face, Replicate, and SAP AI Core are vulnerable to novel attacks. The researchers demonstrated how they could exploit these platforms by uploading malicious models and bypassing containerization, allowing access to sensitive user data. They stressed that AI security is often overlooked and urged platforms to improve isolation and sandboxing standards to prevent cross-tenant attacks. The rapid adoption of AI, often without proper security measures, poses significant risks. [more]
Web3 Cryptospace Spotlight
Hardware wallets’ firmware vulnerability: Researchers have discovered the "Dark Skippy" method, which exploits firmware vulnerabilities in Bitcoin hardware wallets. This technique embeds fragments of a user's seed phrase into transaction data, which attackers can then reconstruct using Pollard's Kangaroo Algorithm. This algorithm allows the attacker to piece together the private key, potentially leading to theft of the wallet's contents. The researchers pointed out the importance of strengthening hardware wallet firmware security to prevent such sophisticated attacks. [more]
DeFi Nexera lost $1.5M: The DeFi protocol Nexera was hacked for $1.5 million due to a vulnerability in its smart contract system. The exploit involved manipulating the protocol’s token transfer logic, allowing the attacker to bypass withdrawal limits and drain funds. Nexera has acknowledged the issue and is working on implementing measures to prevent similar attacks in the future. [more]
Aviation Technology Risk
GPS spoofing attacks on commercial airlines: Researchers have discovered that GPS spoofing can be used to manipulate the timing systems of commercial airlines, potentially leading to significant disruptions. The technique involves sending false GPS signals to aircraft, which can alter the timekeeping systems essential for navigation and communication. This vulnerability highlights the need for stronger security measures in aviation to protect against such sophisticated cyberattacks that could compromise safety and operations. [more]
Airlines may face increased regulatory scrutiny: Airlines are under increased scrutiny to protect against cyber fraud due to stringent demands from governments and regulatory bodies. For example, the European Union's General Data Protection Regulation (GDPR) mandates strict data protection measures, with hefty fines for non-compliance. Similarly, the U.S. Department of Homeland Security has issued guidelines for the aviation sector to enhance cybersecurity protocols. These regulations are part of a broader push to ensure that airlines safeguard customer data and mitigate the risks of cyberattacks, or face significant legal and financial penalties. [more]
Airlines cyber threat landscape - growing threat of supply chain disruption: The 2024 global aviation cyber risk landscape highlights several critical threats. These include attacks on air traffic management systems, vulnerabilities in airline and airport IT infrastructure, threats to passenger data, and the increasing risk of ransomware targeting aviation networks. Additionally, the report identifies the growing threat of supply chain disruptions caused by cyberattacks on third-party vendors. [more][more-report]