TechRisk Notes#49: Ledger connect kit compromised with over $500k lost
Plus, Cloud blindspots faced by organizations, free OT cybersecurity defense and more!
Tech Risk Reading Picks
Cloud blindspots: A growing cybersecurity concern has been noted in the Asia-Pacific (APAC) region: 46% of respondents reported inadequate visibility into potential misconfigurations in their cloud infrastructure. This lack of visibility increases the cloud-security risk exposure of organizations in the APAC region. [more]
Free OT defence: Industrial cybersecurity firm Dragos has expanded its Community Defense Program to offer free operational technology (OT) security software and resources to small electric, water, and natural gas utilities in the United States. This program, initially launched as a pilot last year, is now available to US-based utilities with an annual revenue of less than $100 million. Participating utilities will receive indefinite access to the Dragos Platform, providing OT network visibility and monitoring capabilities to enhance asset inventory, threat detection, vulnerability management, and threat hunting. [more]
Quantum security in the Cloud: Researchers in China have proposed a new protocol for cloud-based information storage that aims to merge quantum-level security with improved data-storage efficiency. The protocol combines quantum key distribution (QKD) and Shamir's secret sharing techniques. The researchers assert that this approach could enhance the security of sensitive data, such as patients' genetic information, stored in the cloud. However, some independent experts are skeptical about whether this protocol truly represents a significant advancement in information security. [more]
2024 could be a Quantum year: Deloitte anticipates that the maturation of post-quantum cryptography (PQC) will be in line with the release of standards by NIST in 2024. Federal and financial organizations are leading the way in preparing for the quantum era, with a focus on cryptographic agility. Draft PQC standards have been released, prompting organizations to assess their cryptographic exposure. Those already on the quantum readiness journey will enhance their cryptographic agility plans. The PQC ecosystem is expanding, with more vendors contributing to the transition. [more]
Web3 Cryptospace Spotlight
$2.7 million lost: 13 Dec - OKX decentralized exchange (DEX) suffered a $2.7 million hack after the private key of the proxy admin owner was reportedly leaked. On December 12, the owner of the proxy administrator upgraded the DEX smart contract. Unfortunately, an attacker gained access to the smart contract's admin key, which allowed them to add malicious functionality. OKX announced that they would reimburse the losses and pursue legal action against the exploiter. [more][more-2]
Ledger Connect Kit hack: 14 Dec - Ledger, a cryptocurrency hardware wallet provider, faced an exploit on Ledger Connect Kit, a JavaScript library connecting websites to wallets. The industry cooperated with Ledger to swiftly counter the exploit, which operated for less than two hours. Importantly, the exploit solely impacted third-party DApps utilizing Ledger Connect Kit and did not compromise the integrity of Ledger hardware or Ledger Live. Based on Blockaid's estimate, anywhere from 500 to 1000 crypto wallets were compromised, leading to more than $500,000 being stolen from crypto and NFT users. [more][more-2]
The attacker injected malicious code into the GitHub library for Connect Kit, popular blockchain software maintained by Ledger, a crypto wallet company. This affected several prominent DeFi protocols using the library, prompting warnings for users to avoid decentralized apps (dApps) until these protocols are updated. [more]
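The risk in the Connect Kit incident is that a website loads a third-party JavaScript library whose bytes can change underneath it. One general mitigation, shown here as an added example that is not Ledger's or Connect Kit's own code, is to pin the library's Subresource Integrity (SRI) digest at review time and refuse to use any copy whose bytes differ. The bundle contents, the CDN URL and the pinned digest below are constructed for illustration.

```python
"""Added illustration, not Ledger Connect Kit code: pin a JavaScript bundle's
Subresource Integrity (SRI) digest and refuse to use any copy whose bytes differ.
The bundle contents, URL and pinned value below are constructed."""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the algorithms the SRI spec allows


def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI string such as 'sha384-<base64 digest>' for the given bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, pinned: str) -> bool:
    """True only if data hashes to the pinned SRI value (constant-time compare)."""
    algo, sep, expected = pinned.partition("-")
    if not sep or algo not in SRI_ALGOS:
        return False
    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


def script_tag(src: str, pinned: str) -> str:
    """HTML <script> element that makes the browser enforce the same pin."""
    return f'<script src="{src}" integrity="{pinned}" crossorigin="anonymous"></script>'


def load_trusted_bundle(fetched: bytes, pinned: str) -> bytes:
    """Gate in a build or deploy step: raise instead of shipping a drifted copy."""
    if not verify_sri(fetched, pinned):
        raise RuntimeError("bundle digest does not match the pinned SRI value")
    return fetched


# Constructed stand-ins for a reviewed release of a wallet-connect library.
KNOWN_GOOD_BUNDLE = b"export function connect(){ return 'wallet'; }\n"
PINNED = sri_digest(KNOWN_GOOD_BUNDLE)   # recorded when the release was reviewed
MODIFIED_BUNDLE = KNOWN_GOOD_BUNDLE + b"// one extra line is enough to change the digest\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/connect-kit.js", PINNED))
    print("known-good verifies:", verify_sri(KNOWN_GOOD_BUNDLE, PINNED))
    print("modified verifies:", verify_sri(MODIFIED_BUNDLE, PINNED))
```

An SRI pin covers only the exact bytes the pinned tag loads; a build that resolves the "latest" version of the library at install or run time bypasses it, so the pin needs to be paired with a locked package version and re-reviewed on every upgrade.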
Script error: 11 Dec - Yearn Finance, a yield-farming protocol, revealed that a faulty multisig script resulted in a 63% loss of its treasury's position. The incident occurred during a regular fee token conversion, causing a swap of 3,794,894 lp-yCRVv2 tokens for 779,958 yvDAI tokens. The error in the script transferred the entire treasury balance, instead of a smaller fees portion, due to insufficient output checks and a logical error. Although user funds were not affected, the trade caused significant price slippage, which normalized shortly after. The protocol team requested users who profited from the incident to return a reasonable amount to Yearn's main multisig. [more][more-2]
To avoid similar incidents in the future, protocol developers aim to take several preventive measures. These include segregating POL funds into specialized manager contracts, enhancing the clarity of output messages on trading scripts for better human understanding, and implementing stricter price impact thresholds.
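The two defects named above, a swap sized to the whole treasury balance rather than the fee portion and an output check too weak to catch it, are both cheap to guard against before a transaction is signed. The following added example is not Yearn's script; it models a fee-conversion pre-flight check against a constant-product pool with constructed reserves, balances and thresholds, and prints an operator-facing summary of the kind the team proposed for its trading scripts.

```python
"""Added illustration (not Yearn's script): pre-flight checks a treasury
fee-conversion script can run before submitting a swap. Pool reserves,
balances and thresholds below are constructed numbers."""
from dataclasses import dataclass, field

BPS = 10_000  # basis points in 100%


def constant_product_out(amount_in: int, reserve_in: int, reserve_out: int,
                         pool_fee_bps: int = 30) -> int:
    """Output of a constant-product (x*y=k) pool for amount_in, pool fee included.
    Used to simulate the trade instead of trusting a zero-impact spot quote."""
    amount_with_fee = amount_in * (BPS - pool_fee_bps)
    return (amount_with_fee * reserve_out) // (reserve_in * BPS + amount_with_fee)


def spot_quote(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """Reference output at the current spot price, i.e. with zero price impact."""
    return amount_in * reserve_out // reserve_in


@dataclass
class SwapCheck:
    amount_in: int
    expected_out: int      # spot quote
    simulated_out: int     # what the pool would actually return
    min_out: int           # floor derived from the price-impact threshold
    price_impact_bps: int
    violations: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.violations


def check_fee_conversion(amount_in: int, accrued_fees: int, treasury_balance: int,
                         reserve_in: int, reserve_out: int,
                         max_price_impact_bps: int = 100) -> SwapCheck:
    """Validate a planned fee-token sale with two independent guards:
    1. amount_in must not exceed the accrued fee portion (never sell principal);
    2. the simulated output must clear a minimum derived from the price-impact cap."""
    if amount_in <= 0:
        return SwapCheck(amount_in, 0, 0, 0, 0, ["amount_in must be positive"])
    expected = spot_quote(amount_in, reserve_in, reserve_out)
    simulated = constant_product_out(amount_in, reserve_in, reserve_out)
    min_out = expected * (BPS - max_price_impact_bps) // BPS
    impact = (expected - simulated) * BPS // expected if expected else BPS
    check = SwapCheck(amount_in, expected, simulated, min_out, impact)
    if amount_in > accrued_fees:
        check.violations.append(
            f"amount_in {amount_in} exceeds accrued fees {accrued_fees}; "
            "refusing to sell treasury principal")
    if amount_in > treasury_balance:
        check.violations.append("amount_in exceeds treasury balance")
    if simulated < min_out:
        check.violations.append(
            f"simulated output {simulated} below minimum {min_out} "
            f"(price impact {impact} bps > {max_price_impact_bps} bps cap)")
    return check


def describe(check: SwapCheck, token_in: str, token_out: str) -> str:
    """Operator-facing summary: plain numbers a human signer can sanity-check."""
    status = "OK" if check.ok else "REJECTED"
    lines = [f"{status}: sell {check.amount_in} {token_in} for at least "
             f"{check.min_out} {token_out} (spot {check.expected_out}, "
             f"simulated {check.simulated_out}, impact {check.price_impact_bps} bps)"]
    lines += [f"  - {v}" for v in check.violations]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed pool: 10,000,000 FEE tokens against 2,000,000 STABLE (spot 0.2).
    RESERVE_IN, RESERVE_OUT = 10_000_000, 2_000_000
    TREASURY, FEES = 4_000_000, 20_000
    good = check_fee_conversion(FEES, FEES, TREASURY, RESERVE_IN, RESERVE_OUT)
    # The "whole balance instead of the fee portion" mistake:
    bad = check_fee_conversion(TREASURY, FEES, TREASURY, RESERVE_IN, RESERVE_OUT)
    print(describe(good, "FEE", "STABLE"))
    print(describe(bad, "FEE", "STABLE"))
```

The amount guard and the output guard are deliberately independent: the oversized trade fails both, but a legitimately large fee sale that would still move the pool too far is caught by the price-impact check alone, which is the case a minimum-output parameter set from a stale quote would miss.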
More secure Web3 space: In 2023, losses from cryptocurrency hacking decreased by over 50% compared to 2022, according to a report by blockchain intelligence firm TRM Labs. The report indicated that losses from 160 crypto project hacks totaled around $1.7 billion in 2023, a significant reduction from the $4 billion stolen in 2022. TRM Labs attributed this decline to improved security measures within the cryptocurrency industry, including the implementation of real-time transaction monitoring and anomaly detection systems. These enhancements have strengthened digital wallets and exchange platforms, contributing to a more secure environment for cryptocurrency transactions. [more][more-2]
A considerable portion of the losses came from large-scale attacks on specific targets, with the top 10 hacks responsible for around 70% of the total funds stolen.
Bitcoin ordinal spamming bug: The controversial Bitcoin ordinals-related bug, involving spam, has been highlighted by a developer and subsequently added to the U.S. National Vulnerability Database, which catalogs cybersecurity threats. [more]