TechRisk #99: ChatGPT and David Mayer
Plus, AI increases risks on SaaS, Uniswap launches largest bug bounty in crypto history, Pump Science left its private key exposed on GitHub, Web3 losses over $80M in November, and more!
Tech Risk Reading Picks
The David Mayer Glitch: An unusual glitch in ChatGPT causes it to error out whenever asked about "David Mayer," sparking widespread speculation and experiments online. Redditors discovered the issue when ChatGPT refused to respond to queries involving the name, despite being able to discuss similar names like "David de Rothschild" or "David M." Theories range from a system bug or deliberate filter, possibly tied to privacy laws like the EU's "Right to be Forgotten," to a connection with public figures such as David Mayer de Rothschild or a historian with a controversial alias. The mystery remains unsolved, with OpenAI yet to clarify the reason behind this curious anomaly. [more]
AI increases risks on SaaS: Cybersecurity experts at AppOmni predict growing challenges for SaaS applications driven by advancements in AI, automation, and supply-chain vulnerabilities. AI will enable attackers to exploit SaaS vulnerabilities, bypass security measures, and execute sophisticated, large-scale attacks, lowering the barrier for less skilled adversaries. Automated tactics like password spraying and AI-driven phishing are expected to escalate breaches, while supply-chain attacks via third-party applications will demand greater scrutiny. Threat actors will also exploit gaps in legacy API endpoints, over-privileged access, and weak logging capabilities for swift, impactful attacks. To counter these threats, experts emphasize the need for robust security postures, improved access controls, and tightly integrated detection and response systems that address SaaS-specific risks. [more]
Rise in AI adoption in financial sector: AI adoption in the financial sector has surged, with 75% of firms now utilizing AI tools compared to 58% in 2022, driven by the efficiency and sophistication of foundation models. Initial implementations focused on automating low-risk, labor-intensive processes, but the scope is expanding to include sensitive data for seamless, automated financial operations. This rapid adoption has drawn attention from central banks and regulators, such as the European Central Bank and the Federal Reserve, who are assessing risks like cybersecurity, market concentration, and overdependence on a few major AI providers. While regulators emphasize that AI operates within existing legal frameworks, concerns about systemic vulnerabilities and the dominance of key technology suppliers remain pivotal to ensuring financial stability. [more]
Governing GenAI: The rapid rise of generative AI presents immense opportunities but also significant risks, leading some organizations to adopt restrictive "no-gen-AI" policies, which often backfire as employees find workarounds. Instead, a robust AI governance strategy is essential to safely and effectively integrate generative AI into workflows while remaining compliant with regulations. Vendors in this space offer varied approaches, including regulation-first tools like SolasAI and Holistic AI, which focus on bias detection and compliance, and employee-first tools like Portal26 and WitnessAI, which enforce proper usage and safeguard sensitive data. Additionally, solutions like Private AI and Enkrypt AI extend existing security and data governance capabilities to address generative AI-specific challenges. The dynamic nature of AI governance, shaped by evolving regulations and open-ended AI usage, underscores its critical role in managing risks and enabling innovation. [more]
Ransomware groups target VPNs: A report by Corvus Insurance highlights how ransomware groups exploit vulnerabilities in VPNs and weak passwords for initial network access, with 28.7% of Q3 2024 ransomware claims linked to these flaws. The report reveals a persistently high number of ransomware victims, dominated by groups like RansomHub, PLAY, and LockBit 3.0, though smaller groups are emerging in a competitive landscape. Critical sectors like construction and healthcare remain prime targets due to vulnerable systems and high ransom payment likelihood. Weak credentials and lack of MFA on VPN gateways remain key weaknesses, underscoring the human factor's role in cyber defenses. Experts stress that robust plans and secure access controls are critical as ransomware attacks grow more sophisticated and frequent. [more]
Quantum computing and blockchain technology:
The rise of quantum computing presents a formidable challenge to blockchain technology, threatening to render traditional encryption methods obsolete and forcing a reevaluation of digital security frameworks. Platforms like Cardano are spearheading efforts to develop quantum-resistant solutions, reflecting both the urgency and complexity of safeguarding blockchain's role in critical sectors such as finance and identity verification. While quantum computing promises transformative innovations like faster data processing and advanced applications in healthcare and climate science, it also raises significant concerns, including economic inequities, geopolitical tensions, and the risk of exacerbating the digital divide. [more]
The advent of quantum computing presents both opportunities and challenges for blockchain technology, particularly in cybersecurity. Classical encryption methods like RSA and ECC, which underpin blockchain security, face potential vulnerabilities from quantum algorithms such as Shor’s algorithm. To mitigate these risks, researchers are developing quantum-secure blockchain systems using post-quantum cryptographic approaches, such as lattice-based cryptography, quantum key distribution (QKD), and hybrid frameworks. These innovations aim to safeguard core blockchain principles—decentralization, security, and transparency—while maintaining scalability and efficiency. [more]
Web3 Cryptospace Spotlight
Largest bug bounty in crypto history: Uniswap Labs has launched the largest bug bounty in crypto history, offering up to $15.5 million to secure its upcoming Uniswap v4 core contracts, underscoring its commitment to DeFi security. This groundbreaking initiative invites developers and security researchers to identify vulnerabilities, with tiered rewards for critical, high, medium, and low-risk issues. The top payout surpasses previous records, such as Immunefi's $14.82 million in 2021, signaling a new benchmark in crypto security. By proactively engaging over 500 researchers and extending the scope to include smart contracts and wallet code, Uniswap aims to protect user funds and mitigate risks, reinforcing its leadership in safeguarding decentralized finance. [more]
Separately, Singapore-based Crypto.com has launched a $2 million bug bounty program in partnership with HackerOne to strengthen its security framework. Announced on 2 December, the tiered reward program incentivizes ethical hackers to identify vulnerabilities ranging from low severity ($200-$500 rewards) to critical issues with payouts reaching up to $2 million. [more]
Private key left open on GitHub: Pump Science, a decentralized science (DeSci) platform, suffered a major security breach after its private key was accidentally leaked in its GitHub codebase, enabling attackers to take control of its Pump.fun crypto wallet. This led to unauthorized token minting, including counterfeit tokens like Urolithin B through E and Cocaine ($COKE), which damaged the platform's reputation and caused a 25% drop in the value of its legitimate tokens, Urolithin A ($URO) and Rifampicin ($RIF). The breach stemmed from an oversight by the Solana-based BuilderZ team, who mistook the wallet for a test account. In response, Pump Science warned users to avoid new tokens from the compromised address, partnered with Blockaid for security, and committed to auditing its systems before future launches. [more]
Web3 security incidents in November: In November 2024, Web3 security incidents resulted in losses of approximately $86.24 million across 21 hacking cases and phishing scams affecting 9,208 victims. Key incidents included a $25.5 million exploit on Thala, a $21 million theft on DEXX, and vulnerabilities exploited in MetaWin, DeltaPrime, and Polter Finance, totaling significant damages. While $25.5 million was recovered, contract vulnerabilities emerged as the leading cause of losses, accounting for 39% of the total. The SlowMist Security Team emphasized the importance of regular audits, cautious use of AI-generated code, and strengthened supply chain security, underscoring the need for vigilance against evolving threats in the Web3 ecosystem. [more]
Solana Web3.js library backdoored: This week, an attacker compromised a GitHub account with publishing rights, leading to the distribution of backdoored versions (1.95.6 and 1.95.7) of the Solana Web3.js library, widely used for building decentralized applications on the Solana network. The malicious versions, available for about five hours on December 2, 2024, allowed attackers to steal private key material and drain funds from affected dapps. While non-custodial wallets are unaffected, developers handling private keys directly were advised to immediately update to version 1.95.8, rotate credentials, and consider their systems fully compromised. GitHub warned that removing the malicious package alone might not eliminate all risks, emphasizing a full system reset. Despite no reports of major cryptocurrency wallet breaches, third-party tools updating dependencies may have been compromised. [more]
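A lockfile check for the two backdoored versions named above, as an added example that is not part of the original newsletter or the Solana project's own tooling. It assumes the library's npm name is `@solana/web3.js` and an npm `package-lock.json`; the sample lockfiles and the `example-sdk` package are constructed.

```javascript
// Versions the item above names as backdoored; 1.95.8 is the fixed release.
const PACKAGE = "@solana/web3.js"; // npm package name (assumption, not on the page)
const BACKDOORED = new Set(["1.95.6", "1.95.7"]);

// Return every place a parsed package-lock.json pins a backdoored version.
function findBackdoored(lock) {
  const hits = [];
  // Lockfile v2/v3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${PACKAGE}` ||
      path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget && BACKDOORED.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  // Lockfile v1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = trail ? `${trail} > ${name}` : name;
      if (name === PACKAGE && BACKDOORED.has(entry.version)) {
        hits.push({ path: here, version: entry.version });
      }
      walk(entry.dependencies, here);
    }
  };
  // v2 files carry both sections; skip the legacy tree to avoid double counting.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/example-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-sdk": {
      version: "2.0.0",
      dependencies: { "@solana/web3.js": { version: "1.95.6" } },
    },
  },
};
console.log(findBackdoored(sampleV3), findBackdoored(sampleV1));
```

Feed it `JSON.parse` of a real `package-lock.json`. A clean result only covers what is pinned now, not what may have been installed during the five-hour window, so the rotation advice above still applies to any host that pulled either version.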
North Korean hackers drained billions in cryptocurrency: North Korean hackers have stolen billions in cryptocurrency and sensitive corporate data by impersonating venture capitalists, recruiters, and remote IT workers, researchers revealed at the Cyberwarcon conference. Using tactics like AI-generated profiles, malware-laden recruitment campaigns, and fake online personas, they infiltrate global organizations to fund the regime’s nuclear weapons program. Hackers target industries such as aerospace and defense, with groups like “Ruby Sleet” stealing proprietary information, while others like “Sapphire Sleet” use sophisticated scams to deploy malware. These operatives exploit the shift to remote work, establishing fake profiles on platforms like LinkedIn and GitHub to gain employment and leverage company resources through coordinated schemes involving US-based facilitators. [more]