TechRisk #87: Copilot disclosed sensitive data
Plus, risks when adopting chaos engineering, insider threats posed by AI, the cyberattack on Seattle-Tacoma International Airport and more!
Tech Risk Reading Picks
Copilot giving out sensitive data: Microsoft patched several security vulnerabilities in Copilot, an AI-powered assistant for developers, which posed risks of exposing sensitive user data. For example, a researcher showed that invisible Unicode characters, which render as nothing to a human reader, were still interpreted by Copilot. This allowed malicious prompts to be hidden in links or documents which, when clicked or processed, would send data to third-party servers for exfiltration. Attackers could inject these prompts via crafted emails or documents, causing Copilot to follow the hidden instructions and leak sensitive information. [more]
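As an added illustration of the detection side of this item (example code, not from the article or from Microsoft), the scanner below flags invisible Unicode code points in text before it reaches an AI assistant, decodes any payload smuggled in the Unicode "Tags" block, and returns a cleaned copy. The sample input and the hidden word "TEST" are constructed for this example.

```python
import unicodedata

# Unicode "Tags" block: each tag character is U+E0000 + an ASCII code point,
# so ordinary text can be hidden in a string that renders as empty.
TAG_BASE = 0xE0000
TAG_RANGE = range(0xE0000, 0xE0080)
# Common zero-width characters that also survive copy/paste and tokenization.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD}

# Constructed sample: visible request, a zero-width space, then "TEST" encoded
# as tag characters (U+E0054 U+E0045 U+E0053 U+E0054).
SAMPLE = "Summarize the attached report.\u200b\U000E0054\U000E0045\U000E0053\U000E0054 Thanks!"


def is_hidden(ch: str) -> bool:
    """True for code points that are invisible to a reader but present in the data."""
    cp = ord(ch)
    if cp in TAG_RANGE or cp in ZERO_WIDTH:
        return True
    # Category Cf ("Other, format") covers bidi overrides and similar controls.
    # Note: ZWJ (U+200D) and some Cf characters appear legitimately in emoji
    # sequences and complex scripts, so treat hits as a signal to review, not proof.
    return unicodedata.category(ch) == "Cf"


def scan_hidden(text: str) -> dict:
    """Report hidden characters, decode tag-encoded text, and return a cleaned string."""
    hidden = [ch for ch in text if is_hidden(ch)]
    # Decode tag characters back to printable ASCII to reveal any smuggled payload.
    decoded = "".join(
        chr(ord(ch) - TAG_BASE)
        for ch in hidden
        if ord(ch) in TAG_RANGE and 0x20 <= ord(ch) - TAG_BASE < 0x7F
    )
    cleaned = "".join(ch for ch in text if not is_hidden(ch))
    return {
        "hidden_count": len(hidden),
        "hidden_codepoints": [f"U+{ord(ch):04X}" for ch in hidden],
        "decoded_tags": decoded,
        "cleaned": cleaned,
    }


if __name__ == "__main__":
    report = scan_hidden(SAMPLE)
    print(f"hidden characters: {report['hidden_count']} {report['hidden_codepoints']}")
    print(f"decoded tag payload: {report['decoded_tags']!r}")
    print(f"cleaned text: {report['cleaned']!r}")
```

Run it over inbound email bodies, documents or link text before they are handed to an assistant; a non-zero `hidden_count` with a non-empty `decoded_tags` is a strong indicator of a smuggled instruction.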
$2K AI subscriptions: OpenAI is reportedly considering offering high-end subscription plans for its upcoming AI models, with prices potentially reaching up to $2,000 per month. This would be a significant jump from the current ChatGPT Plus plan, which costs $20 per month. These premium tiers could be linked to the launch of advanced models like "Strawberry" and "Orion," designed for enhanced reasoning and performance. [more]
Gap in assessing risks of AI: According to a PwC survey, while 73% of executives use or plan to adopt generative AI, only 58% have assessed the business risks associated with it. The risks include cybersecurity, data governance, and model management. Though many organizations report progress in addressing these challenges, only 11% claim full implementation of AI risk measures. [more]
Insider threats posed by AI: As AI is increasingly integrated into national security and military operations, the primary risk isn't necessarily AI executing attacks autonomously, but rather the potential manipulation of the AI systems themselves. Key concerns include "poisoning" the training data or the model, allowing attackers to manipulate the outputs to their advantage. For example, adversaries could influence AI to provide false or misleading information, reveal sensitive data, or execute harmful actions. Additionally, supply chain vulnerabilities pose another risk, as attackers may target third-party vendors to compromise AI models indirectly. This highlights the importance of thorough Supply Chain Risk Management (SCRM) in both developing and deploying AI systems. Verifying the integrity and security of training data is crucial, as are safeguards throughout the development pipeline to ensure that AI models are not manipulated for malicious purposes. While AI is powerful, it must be treated with the same rigorous security measures as other sensitive technologies. [more]
Risks when adopting chaos engineering: Chaos engineering is a method of stress-testing systems by simulating real-world challenges like cyberattacks or internal failures. Its goal is to strengthen an organization's infrastructure by exposing hidden vulnerabilities that traditional testing might miss. However, while it promises valuable insights, chaos engineering requires significant resources and introduces risks, such as operational disruptions or focus shift. Enterprises must carefully weigh whether this approach aligns with their strategic objectives. For some, chaos engineering might be essential, but for others, prioritizing cybersecurity improvements or relying on cloud provider solutions may be more practical. [more]
Preparation for risks associated with quantum: The article outlines the looming threat that quantum computing poses to current information security systems. Quantum computers have the potential to solve the complex mathematical problems on which current security systems depend. Key threats include potential data interception, "harvest now, decrypt later" attacks, and breaches in critical sectors like healthcare, finance, and government. Transitioning to quantum-safe cryptography is crucial, but this is a complex process that requires collaboration across academia, industry, and governments. Efforts to develop quantum-resistant algorithms are ongoing, with organizations like NIST playing a pivotal role. While the timeline is uncertain, experts suggest significant quantum threats could emerge within the next decade, and early preparation is essential to mitigate potential risks. [more]
Preparing for technology risk in 2025: Forrester recommends that CISO budget priorities in 2025 focus on API and supply chain security. With the increasing use of APIs and third-party integrations, organizations face greater security challenges. Other key areas include cloud security and identity and access management, emphasizing a proactive approach to managing growing cyber risks effectively. [more]
Web3 Cryptospace Spotlight
Penpie $27M hack: 3 Sep - a sophisticated attacker exploited a vulnerability in Penpie's system, resulting in the theft of 11,113.6 ETH (~$27.3 million). The attack stemmed from a reentrancy vulnerability that allowed the attacker to manipulate deposits and maximize rewards using a fake Pendle market. The system's open, permissionless market design contributed to the exploit. Penpie responded by pausing deposits and withdrawals and restoring its frontend. [more][more-2]
Aviation Technology Risk
Cyberattack on Seattle-Tacoma International Airport: Seattle-Tacoma International Airport faced system outages after a cyberattack during its busy Labor Day weekend, affecting over 500,000 passengers. Flight display and baggage systems were down, with some airlines resorting to manual check-ins. The Port of Seattle is still recovering, though security systems remain unaffected. Recovery efforts are ongoing, with no estimated time for full restoration. Despite the disruption, most flights are operating normally. [more]
Germany's air traffic control agency attacked: Germany's air traffic control agency, Deutsche Flugsicherung, confirmed a cyberattack targeting its administrative IT systems. Flight safety and operations were not affected, and the country's security authorities have been informed. The Federal Office for Information Security (BSI) is handling the situation, with reports suggesting Russian-affiliated APT28 may be behind the attack. Investigations into potential data access are ongoing. [more]