What TRG learnt this week.

In EmergingTech

1. UK viewed AI as chronic risk: UK government flagged artificial intelligence (AI) as a “chronic risk.” It notes that AI poses continuous challenges that can impact the economy, society, and national security. This edition of the National Risk Register also marks the first time that AI has been featured as a strategic risk for the UK. [more][more-UKGovernmentRisk]

2. Potential systemic risk by AI: Securities and Exchange Commission (SEC) Chairman Gary Gensler warned that artificial intelligence (AI) will eventually lead to financial crises. He also said if AI gives out “faulty” financial advice, investment advisers are still held responsible for it. [more]

3. Gartner risk survey. Gartner surved 249 senior enterprise risk executives and noted that AI was on of their top concerns. Generative AI was the second most-frequently named risk Gartner’s second quarter survey and appearing the top 10 for the first time. This reflects both the rapid growth of public awareness and usage of generative AI tools, as well as the breadth of potential use cases, and therefore potential risks, that these tools engender. [more]

4. Generative AI eroded trust: One big result is an online content crisis, an enormous and growing glut of unchecked, machine-made material riddled with potentially dangerous errors, misinformation and criminal scams. This situation leaves security specialists, regulators and everyday people scrambling for a way to tell AI-generated products apart from human work. Current AI-detection tools are deeply unreliable. [more]

5. Generative AI risk management challenges: Generative AI-based tools are set to offer workers an enormous productivity boost, but business technology leaders charged with implementing them are scrambling to understand their potential cybersecurity risks. Some of these challenges include AI bill of materials which are harder to manage. Also, large language models are so complex that it is nearly impossible to audit them in-depth, and there’s no visibility, monitoring, or explainability for some of those features. [more]

6. Cryptography: New open source framework to simplify cryptography management launched by SandboxAQ. Sandwich enables developers to create their own stack, or “sandwich,” of protocols and implementations that becomes available as a cohesive cryptographic object. It supports multiple languages (C/C++, Rust, Python and Go), operating systems (MacOS, Linux), and cryptographic libraries (OpenSSL, BoringSSL and libOQS), with future additions planned based on feedback from the open source and cybersecurity communities. [more][more-sandboxaq]

7. What is Quantum Resistance? Quantum resistance, also known as quantum-secure, post-quantum, or quantum-safe cryptography, refers to cryptographic algorithms that can withstand potential code-breaking attempts by quantum computers. [more]

8. SGX security flaw: A Google Researcher, Daniel Moghimi, discovered new CPU attacks to exploit a vulnerability dubbed Downfall that affects multiple Intel microprocessor families and allows stealing passwords, encryption keys, and private data from users that share the same computer. Tracked as CVE-2022-40982, a threat actor exploiting the flaw can extract sensitive information that is protected by Software Guard eXtensions (SGX), Intel’s hardware-based memory encryption that separates in memory code and data from software on the system. [more]

   1. Moghimi developed two Downfall attack techniques, Gather Data Sampling (GDS) - which is also the name Intel uses to refer to the issue and Gather Value Injection (GVI) - which combines GDS with the Load Value Injection (LVI) technique disclosed in 2020.

   2. Using the GDS technique, Moghimi was able to steal AES 128-bit and 256-bit cryptographic keys on a separate virtual machine (VM) from the controlled one, with each system on sibling threads of the same CPU core.

In Web3 Cryptospace

1. Aave’s Earning Farm compromised by a reentrancy attack: 9 Aug - Blockchain security firm PeckShield revealed that Aave’s Earning Farm has been compromised by a reentrancy attack, resulting in the theft of at least $287,000 worth of ETH. [more]

2. Cypher was hacked for $1M: 8 Aug, Solana-based DEX Cypher was hacked and resulted in an estimated loss of $1 million. The DEX team was investigating for the cause. [more]

3. Steadefi fully compromised due private key disclosure: 7 Aug - DeFi application Steadefi was exploited for approximately $1.1M and all of its funds at risk. The attacker reportedly stole the private key to the team’s deployer wallet, granting access to perform ownerOnly functions. The exploiter then “went on to take various owner-only actions such as allowing any wallet to be able to borrow any available funds from the lending vaults." [more][more-2]

4. H1 2023 hacks: Peckshield said that in H1 2023, there are 395+ major hacks (386 DeFi related) in Web3 space, leading to ~$479.4m loss. Among these hacks, top 10 account for $378.3m (79%) of total stolen funds. [more]

   

5. Lazarus group targeted CoinsPaid. The company noted that fake interview and subsequent hack were the culmination of an elaborate six-month operation in which attackers launched numerous denial-of-service and brute-force attacks. In the run-up to the breach, CoinsPaid was studied closely, phishing attacks were conducted and attackers also reached out to multiple staff members with questions and job offers in order to gain access to internal systems, according to a company investigation. This was noted to be the typical playbook that the Lazarus group used. [more]

6. Weakness among 15 MPC-based wallets: The Fireblocks cryptography research team has uncovered BitForge – a series of zero-day vulnerabilities in some of the most widely adopted implementations of multi-party computation (MPC) protocols, including GG-18, GG-20, and Lindell17. [more]

   1. Multi-party computation remains the industry standard for wallet security, trusted and relied upon by countless institutions and retail users across the field. The Fireblocks research team analyzed dozens of publicly available MPC protocols and wallet providers. In doing so, the team uncovered zero-day vulnerabilities in implementations used by more than 15 digital asset wallet providers, blockchains, and open-source projects, that would allow an attacker with privileged access to drain funds from wallets.