TechRisk #96: Shadow AI increasing
Plus: central banks test out PQC, PQC preparedness is low globally, and risks faced by Web3 desktop wallets
Tech Risk Reading Picks
Rise of shadow AI: The rise of unsanctioned AI tools in workplaces, known as "Shadow AI," poses significant cybersecurity risks. Employees often use generative AI tools without IT approval to boost productivity, unknowingly exposing sensitive data such as intellectual property, financial records, and personal information through prompts. This lack of oversight has already led to incidents like the leakage of source code at Samsung. Shadow AI not only increases the risk of data breaches but also creates opportunities for cybercriminals to exploit leaked information for targeted attacks.
To address this challenge, organizations must implement robust policies, educate employees on secure AI practices, and restrict usage to vetted enterprise-grade tools. Regular audits and employee training are essential to close security gaps, while technologies like identity and access management (IAM) and anti-data exfiltration (ADX) tools can safeguard data. By prioritizing secure AI adoption and proactive monitoring, companies can balance the efficiency gains of AI with the need to protect sensitive information. [more]
2024 HackerOne Security Report: The 2024 Hacker-Powered Security Report by HackerOne highlights the growing reliance on human intelligence to address AI security risks, with 68% of professionals favoring unbiased external AI reviews and a 171% increase in AI assets being scrutinized on the platform. Cross-site scripting (XSS) and misconfigurations remain top vulnerabilities, while tech-savvy industries, particularly Web3, excel at reducing them. Crypto organizations lead in bounty rewards, with payouts reaching $1 million. Security researchers are motivated by income (77%) and skill development (64%), emphasizing the essential role of human expertise in tackling AI and emerging technology challenges. [more][more-hackerone_report]
Post-quantum cryptography (PQC) preparedness: Researchers at the National Center for Supercomputing Applications (NCSA) are addressing critical vulnerabilities that quantum computers could exploit within the next decade. Their study reveals current encryption methods are largely unprepared for the quantum era, with only 0.029% of systems adopting quantum-resistant measures like those in OpenSSH and Google Chrome. [more]
Central banks PQC experiment: The Banque de France (BdF) and the Monetary Authority of Singapore (MAS) successfully conducted a joint experiment in post-quantum cryptography (PQC) to secure email communications using quantum-resistant algorithms, marking a key milestone in preparing for quantum computing threats. By employing CRYSTALS-Dilithium and CRYSTALS-Kyber algorithms, they demonstrated the practicality of PQC in real-world systems like Microsoft Outlook while highlighting the need for broader standardization of infrastructure and protocols. The initiative also explored the potential for PQC integration into payment networks to safeguard financial data, with plans to expand testing to cross-border transactions, reinforcing their commitment to securing global financial systems through collaboration. [more]
Web3 Cryptospace Spotlight
Risk of Web3 desktop wallets: CertiK's recent security assessment of Web3 desktop wallets highlights significant vulnerabilities that could expose users' digital assets to theft and cyberattacks. The analysis identified risks such as supply chain attacks, weak encryption algorithms, plaintext private key storage, and poor brute-force protection, all of which make these wallets susceptible to hacking and malware threats. Many users lack the technical expertise to perform critical safety checks, such as hash verification of installation packages, further increasing their exposure to these risks.
To address these challenges, CertiK recommends alternatives like MPC wallets and hardware wallets. MPC wallets enhance security by splitting private keys into fragments distributed across multiple nodes, eliminating single points of failure. Hardware wallets, on the other hand, provide physical isolation by storing private keys offline, significantly reducing the risk of internet-based threats. CertiK also emphasizes the need for wallet developers to strengthen encryption protocols, implement sandbox protections, and educate users on best practices to ensure digital asset safety. By adopting more secure wallet options and improving awareness, the Web3 ecosystem can enhance user protection and foster its healthy development. [more]
Vulnerabilities found in prominent Web3 projects: QuillAudits, a blockchain security leader, identified and mitigated 47 vulnerabilities across five Web3 projects—StakedDX, Huddle01, Hivello, Zoniqx, and KYEX—enhancing their security and reliability. Key fixes included addressing double-spending, centralization risks, and gas fee errors while leveraging tools like OpenZeppelin libraries to strengthen smart contract operations. These audits ensure safer staking, token management, and DeFi solutions, reinforcing QuillAudits’ commitment to a secure and robust decentralized ecosystem. [more]