TechRisk Notes#55: AI risk in healthcare
Plus - TeamViewer targeted; 66,000 users of Trezor breached; Ethereum network concentration risk; and more.
Tech Risk Reading Picks
AI risk in healthcare: The World Health Organization (WHO) acknowledges the transformative potential of generative AI models in healthcare. However, the chief scientist emphasizes that developers, regulators, and users must thoroughly consider and address the associated risks. Among the risks identified for lower-income countries are lack of maintenance and data bias. [more]
NATO’s AI initiatives: Scientists from The University of Alabama in Huntsville (UAH), affiliated with the University of Alabama System, are spearheading a collaborative effort with the North Atlantic Treaty Organization (NATO) to tackle evolving security concerns posed by quantum technologies. [more]
Quantum risk: The Bank of England has released a blog post discussing the potential impact of quantum technology on financial markets. The post explores how quantum technology could enhance efficiency in online payments and brings attention to its potential influence on the financial industry. [more] [more-BOE]
PQC preparation: Thales has introduced the PQC Starter Kit in partnership with Quantinuum, aiming to assist enterprises in getting ready for Post-Quantum Cryptography (PQC). This unique kit enables businesses to test quantum-resistant encryption keys in a secure environment, helping them comprehend the impact of quantum computing on their infrastructure security. [more][more-2]
Adversary technique: Cybercriminals are utilizing TeamViewer, a widely used remote access tool installed on numerous devices, to gain initial access to networks. This method has become increasingly common as attackers exploit the tool's widespread presence on endpoints, facilitating unauthorized entry into victim environments. [more]
Managing evolving threats: Threat actors are adept at exploiting organizational vulnerabilities to gain access to remote environments. The article suggests six recommendations for organisations to improve their security hygiene. [more]
Change your vulnerability mindset to identify legacy vulnerability management systems.
Implement strong authentication methods for key internet-facing systems, such as multi-factor authentication.
Ensuring continuous visibility into on-premises and cloud assets is a must for security.
Attack premeditation is another vital way to secure your systems.
Address cloud misconfigurations head-on. Regularly review and update your organization’s cloud configurations to align with industry best practices.
Respond to threats quickly. Install protocols and mechanisms to help your team quickly leverage attack surface management tools to prioritize patches and remediate common exposures.
Web3 Cryptospace spotlight:
66,000 users of Trezor breached: Trezor, a hardware wallet manufacturer, reported a security breach on January 20, revealing that nearly 66,000 users' contact information was exposed. The breach involved unauthorized access to a third-party support portal on January 17. Users who interacted with Trezor's support team since December 2021 may have had their data compromised. Though unconfirmed, Trezor is notifying the affected users about the potential exposure of their contact details and the risk of phishing attacks. The company has already emailed all 66,000 contacts to inform them of the incident. [more]
Concentric lost private key: Concentric, a liquidity management app on Arbitrum, suffered a social engineering attack resulting in the theft of $1.7 million in cryptocurrency. The attacker exploited an employee's deployer wallet to access a vital private key, gaining control over vaults and the ability to create new LP tokens. Stolen funds were converted to Ethereum and distributed through three addresses. [more]
Ethereum network concentration risk: A bug in Ethereum's Nethermind client software affected a portion of validators, prompting debate on the need for "client diversity" to avoid a single point of failure. Nethermind powers around 8% of Ethereum's validators, and although the bug was critical, Ethereum continued to operate because other clients remained unaffected. The incident highlighted concerns about overreliance on a single client, with Geth being the most popular one. Nethermind developers quickly released a patch. [more]