TechRisk Notes#37: Quantum resistance messaging
Plus, AI-focused companies racing to the bottom, Microsoft’s AI team data exposure incident, Mark Cuban lost over $800K in digital tokens, and more!
TechRisk Reading Picks
Quantum-resistant messaging app: Signal has announced quantum-resistance support for its messaging app, upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH). [more]
Microsoft’s AI team data exposure incident: Wiz Research found a data exposure incident on Microsoft’s AI GitHub repository, including over 30,000 internal Microsoft Teams messages and a disk backup of two employees’ workstations. The exposure was caused by one misconfigured SAS token. [more]
AI-focused tech firms racing to the bottom: Max Tegmark organized an open letter in March calling for a six-month pause in developing powerful artificial intelligence (AI) systems. The letter had support from over 30,000 signatories, including Elon Musk and Steve Wozniak, but it did not result in a halt in the development of advanced AI systems. Tegmark acknowledged that he didn't expect the letter to succeed because tech companies are engaged in a competitive "race to the bottom" and cannot pause development individually. The letter had expressed concerns about an uncontrolled race in developing AI systems that could surpass human understanding and control. Tegmark noted that the competition is too intense for tech executives to pause development to consider AI risks. [more]
Zero-trust may not suit OT environments: Dragos, a renowned OT security firm, noted that while a zero-trust approach could enhance security in operational technology (OT) settings, it's often impractical. Achieving true zero trust is challenging in OT networks due to their unique requirements and constraints. OT devices rely on mutual trust for efficient communication, and adding security measures could impact performance. While zero-trust concepts may work for remote access at the edge, they are not practical within operational systems. Additionally, the risk of implementing immature zero-trust technologies in critical infrastructure deters many from adopting them. Therefore, traditional network monitoring and controls remain preferable for most OT environments until more mature solutions become available. [more]
Quantum for cybersecurity: A brief overview of the age-old battle between codemakers and codebreakers, and why quantum development is critical. [more]
Web3 Cryptospace Spotlight
Malicious MetaMask: 16 Sep - Billionaire Mark Cuban lost over $800K in digital tokens after he downloaded a version of MetaMask with malware. [more]
DNS hijacked: 19 Sep - Balancer, an Ethereum-based automated market maker, attributed its website's front-end compromise on September 19 to a malicious attack on its DNS service provider. This led to an estimated $238,000 in stolen crypto. [more]
This is the second attack on Balancer in less than a month: it warned of a critical vulnerability on Aug. 22 and suffered an estimated $2 million exploit related to that vulnerability just days later.
Third-party service compromised: 20 Sep - Ethereum blockchain analytics firm Nansen asked a subset of its users to reset their passwords following a data breach at its authentication provider. Although the passwords were encrypted, Nansen advised the affected individuals to change their passwords as a precaution, considering the potential for brute-force attacks. The firm also emphasized the heightened risk of phishing attempts for those whose information had been exposed. [more]
Unlimited minting exploitation: 22 Sep - DeFi protocol Linear Finance suffered an attack that drained liquidity in its LUSD token. The exploit of the protocol’s smart contract allowed attackers to mint an unlimited amount of AAVE, a collateral token on Linear. The attacker then traded it for LUSD on the Linear Exchange and dumped the LUSD on PancakeSwap and Ascendex, causing the stablecoin's value to drop. In response, Linear Finance paused key protocol functions, disabled LUSD bridge access, hired a security team to track the attacker, and shared wallet info with authorities. [more][more-2]
CoinEx deployed a more secure wallet system: CoinEx has begun to resume withdrawals and deposits following a $70 million hack of its hot wallet system. It deployed a new wallet system and updated deposit addresses for several assets. CoinEx noted that withdrawal times may be longer than usual as it prioritizes asset security before fully restoring withdrawal functionality. [more]
DeFi threat detection tool: Coinbase has been running Pessimism since the launch of the Base mainnet, and the team has now open-sourced the solution under an MIT license. According to the announcement, Pessimism detects threats such as withdrawal enforcement or fault detection in OP Stack as well as events including balance enforcement or event emission in EVM chains. [more]