TechRisk Notes#43: SBF's century jail term + aftershock from LastPass' hack
Plus, AI risks continue to be a major concern, almost $3 million worth of crypto tokens drained, and more!
TechRisk Reading Picks
Managing AI risks:
The Biden administration introduced an extensive executive order to regulate AI technologies, aiming to maintain American leadership in AI and safeguard civil rights and safety. It is seen as a significant step to align government regulations with advancing technology. [more][more-whitehouse]
Google has extended its bug bounty program to incentivise cybersecurity researchers who find vulnerabilities related to artificial intelligence (AI). The initiative seeks to encourage research focusing on AI safety and security, including concerns like unfair bias, model manipulation, and misinterpretations of data. Additionally, Google plans to enhance open source security efforts for AI supply chains, aiming to make information about AI supply chain security more accessible and verifiable. [more]
A survey of 200 Chief Information Security Officers (CISOs) in the UK and Europe revealed concerns about the increasing use of deepfake AI in cyber attacks. 83% of respondents expect generative AI to play a larger role in future cyber attacks. However, only 16% believe their organizations have an excellent understanding of these advanced AI tools. Mandeep Thandi, Gemserv's director of cyber and privacy, highlighted the pivotal role CISOs play in leveraging AI to enhance cyber defense and predict threats in the evolving cybersecurity landscape. [more][more-report]
Credentials, gone in 5 minutes: Security researchers discovered a long-term cryptojacking campaign called "EleKtra-Leak" in which attackers autonomously clone GitHub repositories to steal exposed AWS credentials within five minutes. They then rapidly launch multiple Amazon EC2 instances across various regions to mine Monero. [more]
In the space of just over a month, between August 30 and October 6, the researchers identified 474 different miners being operated by "potentially actor-controlled EC2 instances."
Q-day drill: NATO countries are working to safeguard military 5G networks from hacking by adversaries with powerful quantum computers. A recent exercise in Latvia, called the "2023 Next-Generation Communication Network Technologies," focused on secure systems for multi-domain operations. Demonstrations highlighted virtual reality, post-quantum encryption for better control, and sensor fusion for situational awareness. Quantum computers pose a threat to traditional encryption, prompting the development of "quantum-resistant encryption" for enhanced security. [more]
Web3 Cryptospace Spotlight
FTX saga verdict: Sam Bankman-Fried, FTX founder, was found guilty on all seven counts in the FTX fraud trial, and the jury's verdict was unanimous. U.S. Attorney Damian Williams labeled the case as one of the most significant financial frauds in American history. Bankman-Fried faces a potential sentencing date of March 28, 2024, with the possibility of spending several decades in prison, up to a maximum of 115 years. [more]
Astrid Finance exploited: 28 Oct - Astrid Finance was exploited on the Ethereum Mainnet and lost digital assets worth approximately $228,000 due to a smart contract logic error. [more][more-securityanalysis]
The smart contract failed to validate the staked token address, which allowed the attacker to deploy fake tokens, mint them, and claim the allowance to drain funds from the pool.
Unibot exploited: 30 Oct - DeFi Unibot suffered approximately $600K loss in digital assets due to a vulnerability in a newly deployed router contract. After detecting the attack, Unibot promptly halted trades via the vulnerable contract and initiated measures to revoke token approvals in affected wallets to prevent further losses. [more]
Onyx rounding issue: 1 Nov - Onyx Protocol, a DeFi project, suffered a security breach resulting in a loss of over $2 million in digital assets. “The attacker took out a flash loan of a substantial amount of ETH, swapped it for PEPE, and donated it to a specific pool to manipulate the exchange rate. Subsequently, due to the so-called precision loss, the attacker was able to withdraw more of the underlying asset by burning fewer shares,” BlockSec explained. [more][more-2]
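To make the precision-loss mechanism concrete, here is a toy share-accounting model (an added illustration, not Onyx's or BlockSec's code; all amounts are constructed): the vulnerable pool rounds the shares burned on withdrawal down, so after a donation inflates the exchange rate a depositor at the new rate can be credited zero shares and the early holder can pull out nearly all cash by burning a single share; the hardened pool rounds burned shares up and refuses zero-share deposits.

```python
# Toy Compound-style pool: "shares" redeemable for underlying "cash".
SCALE = 10**18

class Pool:
    def __init__(self, hardened):
        self.cash = 0        # underlying held by the pool
        self.shares = 0      # total shares outstanding
        self.balances = {}   # holder -> shares
        self.hardened = hardened

    def exchange_rate(self):
        # underlying per share, scaled by SCALE; 1:1 while the pool is empty
        return SCALE if self.shares == 0 else self.cash * SCALE // self.shares

    def deposit(self, who, amount):
        minted = amount * SCALE // self.exchange_rate()   # floor favors the pool
        if self.hardened and minted == 0:
            raise ValueError("deposit would mint zero shares")  # do not swallow funds
        self.cash += amount
        self.shares += minted
        self.balances[who] = self.balances.get(who, 0) + minted
        return minted

    def donate(self, amount):
        # direct transfer of underlying into the pool: cash rises, no shares minted,
        # so the exchange rate jumps (the manipulation step described above)
        self.cash += amount

    def withdraw(self, who, amount):
        rate = self.exchange_rate()
        if self.hardened:
            burned = -(-amount * SCALE // rate)   # ceil: never under-charge shares
        else:
            burned = amount * SCALE // rate       # floor: the precision-loss bug
        if burned > self.balances.get(who, 0) or amount > self.cash:
            raise ValueError("insufficient balance")
        self.balances[who] -= burned
        self.shares -= burned
        self.cash -= amount
        return burned

def run_scenario(hardened):
    """Returns (victim shares, shares burned by early holder, cash left, shares left)."""
    p = Pool(hardened)
    p.deposit("early", 2)         # 2 wei -> 2 shares at 1:1
    p.donate(10**18)              # inflate the exchange rate without minting
    try:
        victim_shares = p.deposit("victim", 10**17)   # credited 0 shares if vulnerable
    except ValueError:
        victim_shares = None                          # hardened pool rejects it
    burned = p.withdraw("early", p.cash - 1)          # take almost everything
    return victim_shares, burned, p.cash, p.shares
```

In the vulnerable run the victim's whole deposit is absorbed and the early holder takes it by burning one share; in the hardened run the deposit is rejected and the same withdrawal costs both shares, so nothing beyond the holder's own funds leaves the pool.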
LastPass hack’s aftershock: The LastPass hack from earlier this year continues to incur significant losses for its users. As of 25 Oct, it was observed that around $4.4 million had been drained from over 25 victims in a recent hacking incident involving the LastPass password management system. [more]