Tech Risk Reading Picks

1. Reduced human-generated content after GenAI: A new study published in *PNAS Nexus* highlights the potential threat generative AI like ChatGPT poses to Q&A platforms such as Stack Overflow and Reddit, observing a 25% decline in activity on Stack Overflow after ChatGPT's release. The study raises concerns that widespread adoption of AI could reduce human-generated content which will weaken the pool of public data needed to train future AI models and potentially leading to degraded model performance. [more]

2. Using AI to speed up malware development: a recent study by HP that reveals how hackers are leveraging AI, specifically generative AI, to create more dangerous and sophisticated malware. According to the study, AI can be used by cybercriminals to automate parts of the malware creation process, including writing malicious code and generating phishing emails. This significantly lowers the technical barrier for hackers, allowing even those with minimal programming skills to develop harmful software. The increasing use of AI in cyberattacks raises concerns about the future of cybersecurity as it becomes harder to detect and counter these evolving threats. [more]

3. Shared responsibility in AI domain: Since the launch of ChatGPT in November 2022, AI regulation has focused more on ethics than addressing the significant cybersecurity risks posed by generative AI models, such as data poisoning and misuse. Despite recognition of these threats, there's a divide over whether private industry or regulators should lead on cybersecurity. Ultimately, AI security should be a shared responsibility across government, industry, and users, requiring a proactive, security-first approach. [more]

4. AI labs inadequate in safety measures: A new study by the French nonprofit SaferAI has revealed inadequate safety measures at top AI labs, with Elon Musk's xAI ranking the worst, scoring 0/5. SaferAI, founded by Siméon Campos, assessed risk-management practices at six AI companies, focusing on areas like vulnerability testing and risk mitigation. The study found that xAI had published almost nothing on risk management, followed by Meta and Mistral AI, which also ranked poorly. OpenAI and Google DeepMind received weak scores, while Anthropic led with a moderate 2.2/5. The report aims to pressure companies to improve AI safety, aligning with global standards. [more]

   1. Separately, AI Safety Bill vetoed: California Governor Gavin Newsom vetoed Senate Bill 1047, which sought to impose safety regulations on large AI models, including mandatory "kill switches" and liability for harmful AI behavior. While the bill aimed to address risks from powerful AI systems, Newsom argued that it was too broad, potentially stifling innovation without adequately tackling real AI threats. He called for more targeted, science-based regulations instead. [more]

5. NVIDIA Container Toolkit vulnerability: Wiz researchers discovered a vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit that could allow attackers to break out of containerized environments and access sensitive data. The toolkit is used to enable GPU support in AI containers especially in shared platforms like Kubernetes. NVIDIA has issued a patch, urging organizations to update to mitigate these risks, and security experts recommend additional layers of protection beyond containers, such as virtualization. [more]

6. DHS assessment of AI risks: The Department of Homeland Security (DHS) has raised concerns in its 2025 threat assessment about the growing cyber threats posed by malicious use of generative AI. It warns that advancements in AI will enhance cyber actors' ability to develop malware, conduct vulnerability scans, and improve social engineering tactics. AI advancements speed up phishing and cyberattacks, increasing risks for sectors like healthcare and finance. [more]

7. Cyber threats and concerns of executives: The latest PwC cybersecurity report highlights that cloud threats are the top concern for 42% of business leaders, with many organizations feeling unprepared to address them. Hack-and-leak operations, third-party breaches, connected product attacks, and ransomware also rank high, with ransomware concern jumping to 42% among CISOs. Despite increased reliance on cloud, AI, and third parties expanding the attack surface, organizations are struggling to keep up with these evolving threats. [more]

8. Technology risks topped Chief Auditors’ concern: A poll by the Chartered Institute of Internal Auditors (Chartered IIA) reveals that AI-driven cybersecurity risks are set to dominate the business threat landscape by 2025. AI-related risks (including deep-fake attacks and sophisticated hacks, are rising rapidly) now ranked the fourth-biggest risk are expected to become the second by 2028. 83% of chief internal auditors (CIAs) identifying cyber and data security as top concerns. Other major risks include human capital challenges (52%), regulatory changes (46%), macroeconomic uncertainties, and environmental sustainability, reflecting the growing impact of digital and technological disruptions. [more][more-CIIA]

9. Legacy technology challenges: Legacy technology poses significant risks to businesses, including security vulnerabilities from unpatched systems, downtime due to outdated hardware, and technical debt that hampers innovation. Legacy systems are prone to cyberattacks, as they often rely on unsupported software and lack modern security features. [more]

Web3 Cryptospace Spotlight

1. 1 ETH for 1 BTC logic error: Bedrock, a major staking platform, experienced a security breach that allowed users to exchange 1 ETH for 1 BTC due to a bug, leading to a $2 million loss. The flaw, related to its synthetic Bitcoin token uniBTC, caused the vulnerability. At the time, Bitcoin was valued at $65,449, and Ethereum at $2,659, creating a significant price mismatch. Bedrock quickly resolved the issue, reassuring users that most funds are safe and is working on a reimbursement plan. The platform continues to investigate and implement new security measures to prevent future incidents. [more]

   1. After losing $2 million in a smart contract exploit, Bedrock extended a job offer to the hacker to assist in securing its protocol and recovering the stolen funds. [more]

2. Onyx Protocol exploited again through same weakness: On 26 Sep, Onyx Protocol was exploited for $3.8 million. This marks its second major hack. This attack leveraged a known vulnerability in the Compound Finance v2 codebase, which had been previously exploited in November 2023. The recent attack also involved a flaw in the protocol’s NFT liquidation contract. This contract allowed the attacker to manipulate and inflate liquidation rewards by exploiting improper validation of user inputs. [more]

3. Compromised email and $5.5M lost: EigenLayer reported that a hacker compromised an email thread related to an investor’s token transfer, resulting in the unauthorized sale of 1,673,645 EIGEN tokens. The attacker sold the tokens via a decentralized swap platform and transferred stablecoins to centralized exchanges, though some funds have been frozen. EigenLayer assured the community that the incident was isolated and not caused by a vulnerability in the protocol. Importantly, it did not impact the broader ecosystem. However, concerns were raised about the lack of a vesting contract for the tokens, prompting criticism of manual handling processes. [more]

4. Q3 2024 Web3 security insights: CertiK’s Q3 2024 Hack3d report revealed that hackers stole over $750 million across 155 incidents, pushing 2024's total stolen to nearly $2 billion. Despite fewer incidents, there was a 9.5% rise in the amount lost, indicating larger attacks. Phishing and private key compromises were the top attack vectors, accounting for $668 million in losses. Notable incidents include a $238 million theft from a Bitcoin whale and a $231 million attack on WazirX. The report offers insights into Web3 vulnerabilities, urging stronger security measures and user caution against phishing and private key risks. [more][more-Certik_report]

Aviation Technology Risk

1. Hacking control tower: The Israeli Defense Forces (IDF) reportedly hacked into the communication network of Beirut's Rafic Hariri International Airport, specifically targeting the control tower. [more]

2. Frequent flyer details misused for fraud: Qantas has reported that passport data may have been accessed after two contractors in India made unauthorized changes to customer bookings in an attempt to steal frequent flyer points. The incident, which affected 800 bookings in July and August, involved employees from a ground handling company. They altered frequent flyer details through partner airline systems to divert points into a new account. While Qantas stressed that this was not a cyberattack, the rogue employees have been suspended. The airline has since restored affected points, addressed the bookings, and tightened security on how frequent flyer details can be changed. [more]