TechRisk Notes#48: AGI may be decades away
Plus, developers used AI tools regularly despite knowing the risk, cryptocurrency industry lost 15 times more in Nov than in Oct, Bitcoin network could face congestion and more!
Tech Risk Reading Picks
Managing AI risks and opportunities:
Developers’ AI issue: A report from Snyk, a software security platform, indicates that over half of developers are aware that generative AI tools often produce insecure code. Despite this knowledge, 96% of development teams continue to use these tools, with more than half using them regularly. The survey, involving 537 software engineering and security professionals, also highlights that 79.9% of respondents admitted to bypassing security policies to utilize AI, indicating a significant disregard for organizational security protocols. Snyk's Principal Developer Advocate, Simon Maple, expressed surprise at the high percentage of developers sidestepping security policies to use AI. [more][more-Snyk]
Forrester Research's recent report highlights the rise of "bring your own AI" (BYOAI) activities among employees, where they use external AI services for work, including generative AI like ChatGPT and DALL-E 2. This poses security challenges similar to "shadow IT," with potential risks such as data loss and copyright violations. The use of various AI tools and APIs may expose companies to more risks than seen with bring your own device (BYOD) practices. [more][more-Forrester]
While generative AI tools, like ChatGPT, offer efficiency in everyday tasks, concerns arise from the massive data they are built on, posing privacy issues. Security risks include attackers exploiting AI capabilities for faster and more convincing attacks. On the other hand, generative AI can enhance cybersecurity training by simulating real-world attacks, increasing user awareness and immunity. As AI continues to impact the cyber threat landscape, the challenge is to use its power for good rather than trying to reverse its progress. [more]
AI development: Meta's chief scientist, Yann LeCun, believes that achieving true artificial general intelligence (AGI) with common sense is decades away, contrasting with Nvidia CEO Jensen Huang, who claims AI will surpass human abilities in less than five years. LeCun argues that current language-focused AI models lack a deep understanding of the world and proposes a shift towards multimodal AI systems, combining text, audio, and visual data for more advanced applications. [more]
AI impacts on environment: AI graphics processing units (GPUs) consume four times more power than servers used for cloud applications. McKinsey predicts a significant increase in the power needs of U.S. data centers, from 17 GW in 2022 to 35 GW by 2030. AI also demands substantial water for cooling, contributing to a 34% increase in Microsoft's water usage in 2022. The availability of renewable energy plays a crucial role in meeting data centers' power demands sustainably. Nordic countries, with cooler climates and abundant renewables, are becoming popular locations for data centers. [more]
IBM quantum progression: IBM revealed a new method for linking chips within machines and connecting those machines. They believe that when this approach is combined with a new error-correction code, it has the potential to create powerful quantum machines by the year 2033. [more]
Cloud ransomware threat: A recent investigation by Dig found that ransomware attacks, particularly those targeting cloud assets like Amazon S3 and Azure Storage, are on the rise. Shockingly, a majority of organizations seem unprepared to tackle these threats effectively, as evidenced by low adoption rates of essential security measures. Only 31% of S3 buckets have versioning enabled, a critical aspect for data recovery, and two-thirds of sensitive buckets lack proper logging, an essential prerequisite for detection. Dig’s investigative article goes beyond theoretical discussions and delves into the practical aspects of ransomware attacks within cloud environments. [more]
Web3 Cryptospace Spotlight
15 times more tokens lost: In November 2023, the cryptocurrency industry experienced its worst month of the year in terms of losses, which were 15 times higher than those in October 2023. Both decentralized finance (DeFi) and centralized finance (CeFi) were heavily targeted by hacks and frauds, resulting in over $343 million in damages. [more]
Domain hijacked: 28 Nov - The DeFi platforms Aerodrome and Velodrome reported compromises to their front ends. The two platforms posted announcements on X (formerly Twitter) stating their front ends were compromised and asked users not to interact with the platforms while investigations are underway. [more][more-Aerodrome][more-Velodrome]
Address poisoning: A sophisticated cyber attack occurred from November 26 to December 3, in which a skilled attacker specializing in 'Address Poisoning' stole approximately $2.05 million from nearly 10 users of Safe Wallet, a popular cryptocurrency storage service. The same attacker is believed to have amassed a total of $5 million over the past four months, targeting 21 victims. The 'Address Poisoning' method involves creating a crypto address that closely resembles the victim's regular transaction addresses, leading victims to mistakenly send substantial funds to the hacker's address instead of the intended recipient. [more]
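A pre-send check for the look-alike pattern described above, added here as an illustration and not taken from Safe Wallet or the linked report. It assumes Ethereum-style 20-byte hex addresses and that the resemblance sits in the leading and trailing characters; the address book, labels, thresholds and all addresses are constructed for the example.

```python
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample data: labels and addresses are placeholders, not real wallets.
ADDRESS_BOOK = {
    "exchange_deposit": "0x" + "a1b2" + "0" * 32 + "9f3e",
    "cold_wallet": "0x" + "3c" * 20,
}
# Same first and last four hex digits as exchange_deposit, different middle.
LOOKALIKE = "0x" + "a1b2" + "7" * 32 + "9f3e"

def normalize(addr):
    """Validate an address and return its 40 hex digits in lowercase."""
    addr = addr.strip()
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower()

def shared_edges(a, b):
    """Count matching leading and trailing hex digits of two normalized addresses."""
    prefix = 0
    while prefix < len(a) and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < len(a) - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def check_recipient(candidate, address_book, min_prefix=4, min_suffix=4):
    """Return ("trusted", label), ("lookalike", label) or ("unknown", None)."""
    cand = normalize(candidate)
    book = {normalize(addr): label for label, addr in address_book.items()}
    if cand in book:  # exact match on all 40 digits is the only trusted case
        return "trusted", book[cand]
    for known, label in book.items():
        prefix, suffix = shared_edges(cand, known)
        # Both ends match a saved address but the full value does not:
        # this is what a truncated display would show as identical.
        if prefix >= min_prefix and suffix >= min_suffix:
            return "lookalike", label
    return "unknown", None

if __name__ == "__main__":
    for addr in (ADDRESS_BOOK["exchange_deposit"], LOOKALIKE, "0x" + "5" * 40):
        print(addr, check_recipient(addr, ADDRESS_BOOK))
```

A "lookalike" verdict should block the transfer until the full address is compared character by character against the saved entry.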
North Korean-backed state hackers, including groups like Kimsuky, Lazarus Group, and Andariel, have reportedly stolen around $3 billion in a series of cyberattacks on the cryptocurrency industry since January 2017. These hacking groups, operating on a large scale similar to cybercriminal gangs, were responsible for 44% of all stolen cryptocurrency in the previous year. Their primary targets include cryptocurrency exchanges, but they have also been linked to attacks on individual users and venture capital firms. The information comes from a report by Recorded Future's Insikt Group. [more]
Bitcoin network congestion: Bitcoin is facing potential congestion due to Ordinals and BRC-20 tokens exploiting a bug in the network. Luke Dashjr, a Bitcoin Core developer, warned that this bug could allow the creation of new tokens that spam the blockchain. The issue stems from inscriptions used by these tokens, exploiting a vulnerability in Bitcoin Core, allowing them to exceed transaction data size limits. Although addressed in Bitcoin Knots v25.1, the vulnerability persists in Bitcoin Core's upcoming v26 release, causing concern in the community. [more]