Tech Risk Reading Picks

1. Major data breach exposed over 10 millon: A major data breach exposed over 10 million interactions from an AI-powered call center platform in the Middle East. Attackers gained unauthorized access to the platform’s management dashboard, compromising consumer, operator, and AI agent conversations. The breach included sensitive personally identifiable information (PII), like national ID documents, which could be exploited for fraud, phishing, and social engineering schemes. Resecurity, the cybersecurity firm that discovered the breach, warned of risks such as data exfiltration, trust exploitation, and session hijacking. Though mitigated, the incident raises concerns about the security of AI platforms handling sensitive data. [more]

2. Substantial threat to military-grade encryption: Chinese scientists have reportedly used the D-Wave Advantage quantum computer to successfully target encryption algorithms, including Present, Gift-64, and Rectangle, which are foundational for many encryption standards like AES-256. This marks the first instance of a quantum computer posing a substantial threat to military-grade encryption. The breakthrough leveraged a technique called quantum annealing, allowing the machine to efficiently solve complex problems by bypassing obstacles traditional methods struggle with. Although this poses a potential risk to cryptographic security, limitations in quantum computing technology, such as environmental and hardware constraints, currently prevent full-scale decryption. [more]

3. Urging for PQC readiness: The US government is urging the private sector to adopt stronger encryption standards to prepare for the cybersecurity risks posed by quantum computing, which could easily break current encryption systems. Agencies like NIST and CISA have released guidelines for transitioning to "post-quantum cryptography," emphasizing the need for immediate action. While tech giants like Google and Amazon are making progress, many organizations face a lengthy and costly process, with experts estimating a decade to fully upgrade systems. The government also advocates for "crypto agility," ensuring encryption can be updated as new threats emerge, aligning with broader efforts to protect sensitive data from future risks. [more]

4. Targeting Gmail users: AI-driven phishing scams targeting Gmail users are becoming increasingly sophisticated, using fake notifications, AI-generated calls, and legitimate-looking Google pages to deceive users. Security experts, including Microsoft’s Sam Mitrovic and Y Combinator’s Garry Tan, have recently reported such attempts. Scammers are also exploiting Google Forms for phishing. In response, Google offers advice on avoiding scams and is collaborating with major tech companies to launch the Global Signal Exchange, a database of scam reports set to go live in 2025. Gmail users, especially high-risk individuals, are urged to review Google’s phishing guidelines and consider the Advanced Protection Program for added security. [more]

5. Corporate govenance at risk: As AI evolves, its influence on corporate governance is growing. AI brings both opportunities and risks that boards must oversee to ensure effective governance and shareholder protection. Key risks include data privacy breaches, intellectual property issues, AI-generated misinformation, regulatory compliance challenges, ethical concerns, and potential liability from insufficient oversight. Boards must stay proactive, ensure robust security, promote ethical AI use, and integrate AI risk management into their frameworks. By addressing these concerns, companies can leverage AI responsibly while safeguarding their legal and ethical standiing. [more]

Web3 Cryptospace Spotlight

1. Web3 ping of death: A vulnerability in Near Protocol, a smart contract platform, could have allowed attackers to crash every node on the network, effectively shutting it down. The flaw, dubbed the "Web3 Ping of Death," was discovered by security firm Zellic, which found that the issue stemmed from improper handling of SECP256K1 signature verifications. Although Near nodes could accept SECP256K signatures, they couldn't generate them, preventing accidental crashes. However, a malicious node could have exploited this flaw to crash the network. The issue was patched in January, and Zellic was awarded $150,000 for the discovery. [more]

2. Concerns with the Liquid Staking Module ATOM faces potential security risks: The Cosmos ecosystem's staked ATOM faces potential security risks due to concerns with the Liquid Staking Module (LSM). Jae Kwon, a Cosmos co-founder, highlighted that the code for the LSM was written by developers linked to North Korea, raising concerns about vulnerabilities. These developers were also involved in addressing security issues and that could have allowed them to obscure any weaknesses. This situation poses risks to staked ATOM tokens, and the community is urged to take action to mitigate potential threats. [more][more-about]

3. The SlowMist September Security Report: This quarter saw 93 hacking incidents and over 33,000 phishing victims. Total losses reached about $784 million, with $27.54 million recovered. In July, losses hit $300 million. August saw an increase to $316 million, mainly due to a $243 million scam. September had lower losses but remained tense. Three major incidents caused over $100 million in damages. Phishing and hacking activity stayed high throughout the quarter. [more]

4. $30M exploited: Victims of Radiant Capital's recent $50 million exploit faced further issues when web3 security firm Ancilia mistakenly shared a link to a wallet-draining phishing site. The exploit, which targeted Radiant’s smart contracts on BNB Chain and Arbitrum, allowed attackers to siphon assets like USDC and ETH. Following the attack, Radiant urged users to revoke wallet permissions using Revoke.cash to prevent further theft. Unfortunately, scammers impersonated Radiant on X, and Ancilia mistakenly promoted the fake account.[more]