Tech Risk Reading Picks

1. SANS-HackerOne AI survey report: A SANS Institute report, sponsored by HackerOne, found that 58% of security professionals fear an “arms race” between security teams and threat actors over AI. While 71% have used AI to automate tasks, concerns remain over AI-driven phishing (79%) and automated vulnerability exploitation (74%). To address AI safety and security, 68% recommend external reviews. Other findings include: 43% of organizations use AI in security, 41.8% faced employee pushback due to lack of AI transparency, AI is commonly used for anomaly detection (56.9%) and malware detection (50.5%), 58% noted AI struggles with new threats, often due to limited training data. [more]

2. IEEE AI maturity model: Organizations using AI systems face various legal, reputational, and ethical risks, which can be managed through good governance to ensure fairness, transparency, and societal benefit. To help organizations assess their AI governance practices, the IEEE-USA AI Policy Committee released a maturity model based on the NIST AI Risk Management Framework (RMF). While the NIST RMF outlines best practices, it lacks specific implementation guidance, making it hard for organizations and stakeholders to track progress. The new model addresses this by helping organizations evaluate their maturity through four stages: Map (identify risks), Measure (assess risks), Manage (prioritize actions), and Govern (foster a risk-aware culture). [more][more-IEEE_paper]

3. US Justice Department wanted to address AI-related risks: The Justice Department has updated its guidance for assessing corporate compliance programs, advising compliance officers to address AI-related risks. The revised DOJ guidelines emphasize risk assessment and adaptability in compliance, particularly in relation to emerging technologies like AI. Companies are encouraged to integrate AI governance and leverage data analytics effectively in their compliance efforts. The guidance also expands on handling whistleblowers, advocating for a stronger speak-up culture and fair treatment for those reporting misconduct. These changes are aimed at ensuring companies prioritize quality compliance performance over mere formalities. [more][more-DOJ_paper]

4. Quantum safe tokenized gold transaction: HSBC has successfully tested quantum-secure technology for trading tokenized physical gold, using post-quantum cryptography (PQC) and Quantinuum’s Quantum Origin technology to protect against future quantum computing threats. This builds on HSBC’s existing innovations, including tokenized gold for institutional and retail investors via its HSBC Orion platform, and converting gold tokens into ERC-20 tokens for better interoperability. [more][more-HSBC]

5. G7 cyber experts urged PQC preparation: The G7 Cyber Expert Group has urged the financial sector to prepare for quantum computing risks that could compromise current cryptographic protections. They recommend assessing vulnerabilities and developing transition plans to quantum-resistant cryptography. Quantum computers, which may emerge within the next decade, could decrypt sensitive financial and governmental data, posing major security threats. The group highlighted recent efforts by NIST and ENISA to establish post-quantum cryptography standards. Financial institutions should inventory current cryptographic usage and plan for secure technology upgrades to ensure economic security and resilience. [more][more-2]

Web3 Cryptospace Spotlight

1. Ethereum upcoming hard fork - Pectra: Ethereum developers have decided to split the upcoming hard fork, Pectra, into two separate packages to simplify the rollout and minimize potential issues. Initially expected to be Ethereum's largest upgrade, the division aims to reduce complexity. The first package, set for early 2025, will include eight Ethereum Improvement Proposals (EIPs), such as EIP-7702, aimed at enhancing wallet user experience. The second package will focus on upgrades like Ethereum’s Virtual Machine improvements and PeerDAS for better data availability, ensuring smoother implementation of the overall upgrade. [more]

2. 17% of Bitcoin nodes vulnerable: Bitcoin Core developers have warned about a critical vulnerability affecting roughly 17% of the network, particularly in all Bitcoin Core versions prior to 24.0.1. This flaw allows attackers to launch denial-of-service (DoS) attacks by overloading nodes with low-difficulty header chains, potentially crashing them. It impacts around 3,330 of the 19,200 accessible full nodes. The bug was fixed in version 24.0.1, released on December 12, 2022, and the latest version, 27.1, includes this fix. While few exploits are known, it could be used by powerful entities to disrupt Bitcoin. Developers are urging node operators to update their software. [more]

3. Crypto wallet scam: Check Point Research (CPR) uncovered a crypto scam using a malicious app posing as WalletConnect to steal funds from users’ crypto wallets. The app used social engineering, fake reviews, and anti-analysis techniques to remain undetected on Google Play for five months, stealing around $70,000. It targeted mobile users by tricking them into authorizing malicious transactions. The scam exploited confusion around WalletConnect, and used a sophisticated drainer toolkit capable of stealing various digital assets across multiple blockchains. [more]

4. Threat of malicious smart contracts in DeFi: In the world of decentralized finance (DeFi), smart contracts—self-executing code on blockchain networks—are critical to the operation of many crypto exchanges and protocols. [more]

   1. Understanding Malicious Smart Contracts

      Malicious smart contracts are deceptive scripts designed by hackers to exploit weaknesses in the code, thereby bypassing security measures. Though they may initially seem like legitimate contracts, they contain hidden flaws that enable attackers to steal funds, manipulate transactions, or disrupt services on target platforms. Such contracts often go undetected until considerable damage has been done.

   2. Common Exploits in the Crypto Space

      • Reentrancy Attacks: Hackers repeatedly call a function before a contract’s previous transaction is complete, disrupting its normal operations.

      • Flash Loan Attacks: Attackers take out large crypto loans and manipulate token prices within the same transaction to drain liquidity.

      • Oracle Manipulation: By providing false data to oracles, hackers can mislead smart contracts, leading to unintended system behaviors.

5. $50M drained: DeFi and crypto exchanges faced over $50 million stolen in a single week. [more]

   1. ShezmuTech – Lost $4.9 million on September 21 due to a contract vulnerability in a vault, allowing malicious minting of tokens. About $700,000 remains untouched due to liquidity restrictions.

   2. BingX – $43 million stolen from hot wallets on September 20. The hacker swapped more than 360 different altcoins for ETH and BNB. BingX has assured users of compensation and is collaborating with authorities.

   3. Banana Gun – $1.9 million (563 ETH) stolen on September 19, targeting user wallets. 36 victims identified so far, with the team still investigating the breach's origin.

   4. DeltaPrime – $5.98 million drained on September 16 through a leaked private key granting full access to users’ funds on the platform.