TechRisk Notes#62: GenAI, the new attack surface
Plus, Chrome anti-phishing service, NSA + CISA cloud security advice, Ethereum quantum-safe proposal, stealthy Android malware and more!
Tech Risk Reading Picks
GenAI threat surface: Cybersecurity researchers have discovered security vulnerabilities in third-party plugins for OpenAI's ChatGPT that pose a potential risk of unauthorized access to sensitive data. These flaws could enable attackers to install harmful plugins without user consent, potentially compromising accounts on platforms like GitHub. One of the flaws unearthed by Salt Labs involves exploiting the OAuth workflow to trick a user into installing an arbitrary plugin, taking advantage of the fact that ChatGPT doesn't validate that the user actually started the plugin installation. [more]
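The missing check described above, shown as an added example (not code from Salt Labs or OpenAI): the server ties each OAuth callback to an install the same logged-in session started, using the standard OAuth `state` parameter. The function names, the in-memory store and the session and plugin ids are assumptions made for illustration.

```python
import hmac
import secrets

# Hypothetical server-side store: session id -> install the user started.
_pending = {}

def begin_install(session_id: str, plugin_id: str) -> str:
    """Run only when the logged-in user clicks "install".

    Returns the `state` value to embed in the authorization URL.
    """
    state = secrets.token_urlsafe(32)          # unguessable, per-attempt
    _pending[session_id] = {"state": state, "plugin_id": plugin_id}
    return state

def accept_callback(session_id: str, plugin_id: str, state: str) -> bool:
    """Decide whether an OAuth callback may complete a plugin install."""
    pending = _pending.pop(session_id, None)   # single use: replay fails
    if pending is None:
        return False                           # this user never started one
    same_state = hmac.compare_digest(
        pending["state"].encode(), (state or "").encode())
    return same_state and pending["plugin_id"] == plugin_id
```

A callback that arrives through a link the user was sent, rather than through a flow they began, finds no pending entry for their session and is refused.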
Google Chrome phishing protection: Google is updating Safe Browsing in Chrome to offer real-time protection against malware and phishing without compromising privacy. Safe Browsing, launched in 2005, has evolved to block malicious domains and social engineering attacks. Users can opt for Enhanced Protection mode for AI-powered proactive defense. [more]
Europe AI Act: Lawmakers in the European Parliament overwhelmingly approved the Artificial Intelligence Act, five years after initial proposals, aiming to ensure safety, compliance with fundamental rights, and innovation. The regulation, passed with 523 votes in favor, 46 against, and 49 abstentions, aims to protect fundamental rights, democracy, and the environment from high-risk AI while boosting innovation. It establishes obligations based on AI's potential risks and impact level. The act bans certain AI applications threatening citizens' rights, including biometric categorization systems, untargeted facial image scraping, emotion recognition in workplaces and schools, social scoring, predictive policing solely based on profiling, and AI exploiting human vulnerabilities. [more]
Pitfall of innovation: According to Edelman’s study, across 28 markets, citizens feel that innovation isn't being handled well. They worry that government regulations aren't keeping up with the fast pace of invention, and businesses aren't considering the impact on jobs, privacy, or lifestyle. [more]
Breach not contained: Microsoft is still battling to remove Russian government hackers who breached senior executives' email accounts in November. These hackers, from Russia's SVR foreign intelligence service, utilized stolen data to infiltrate source-code repositories and internal systems. Microsoft confirmed the theft of cryptographic secrets from email communications with customers and is assisting affected parties in securing their systems. [more]
Cloud security advice: NSA and CISA teamed up to release 10 Cybersecurity Information Sheets (CSIs) focusing on cloud security strategies. Here's the summary. [more][more-2]
Uphold the cloud shared responsibility model: Clarifies security responsibilities for both Cloud Service Providers (CSP) and customers.
Use secure cloud identity and access management practices: Provides guidance on managing identities securely in the cloud.
Use secure cloud key management practices: Emphasizes the importance of proper key management in the cloud environment.
Implement network segmentation and encryption: Advises on applying network security principles unique to cloud environments.
Secure data in the cloud: Focuses on securing and auditing cloud storage to protect sensitive data.
Defend continuous integration/continuous delivery environments: Enhances DevSecOps practices for cloud deployments.
Enforce secure automated deployment practices: Utilizes Infrastructure as Code (IaC) and other tools for secure deployments.
Account for complexities of hybrid and multi-cloud environments: Addresses challenges and solutions in managing diverse cloud setups.
Mitigate risks from managed service providers: Discusses cybersecurity risks associated with using managed service providers in the cloud.
Manage cloud logs for effective threat hunting: Emphasizes the importance of monitoring logs for threat detection and compliance.
Stealthy Android malware: IBM's new report reveals a stealthy Android malware called PixPirate that doesn't have an icon, making it invisible on devices up to Android version 14. Instead of a launcher icon, PixPirate uses two apps: a downloader and the malware itself ('droppee'). The downloader, distributed through phishing messages, requests risky permissions like Accessibility Services and installs the droppee app. The droppee doesn't have a main activity, but it exports a service for other apps to connect to. The downloader uses this service to trigger the PixPirate droppee, allowing it to execute in the background without the victim's knowledge. [more]
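A triage check for the pattern in the PixPirate item (no launcher activity, plus a service other apps can bind to), added here as an example and not taken from IBM's report. It assumes a text AndroidManifest.xml already decoded from the APK, for example with apktool; both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

def has_launcher(app):
    """True if any activity declares the MAIN + LAUNCHER intent filter."""
    for tag in ("activity", "activity-alias"):
        for act in app.iter(tag):
            for f in act.iter("intent-filter"):
                names = {e.get(A + "name") for e in f}
                if {"android.intent.action.MAIN",
                        "android.intent.category.LAUNCHER"} <= names:
                    return True
    return False

def exported_services(app):
    """Services other apps can bind to: exported="true", or an intent filter
    with no android:exported (default for apps targeting below Android 12)."""
    found = []
    for svc in app.iter("service"):
        exported = svc.get(A + "exported")
        if exported == "true" or (
                exported is None and svc.find("intent-filter") is not None):
            found.append(svc.get(A + "name"))
    return found

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    services = exported_services(app) if app is not None else []
    hidden = app is not None and not has_launcher(app)
    return {"package": root.get("package"), "no_launcher": hidden,
            "exported_services": services,
            "review": hidden and bool(services)}

# Constructed manifests (not taken from any real sample).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
ICONLESS = f"""<manifest {NS} package="com.example.iconless"><application>
  <service android:name=".Core" android:exported="true"/>
</application></manifest>"""
NORMAL = f"""<manifest {NS} package="com.example.notes"><application>
  <activity android:name=".Main" android:exported="true"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <service android:name=".Sync" android:exported="true"/>
</application></manifest>"""
```

A `review` hit is a triage signal, not a verdict: legitimate apps also ship without a launcher icon, so weigh it together with how the app was installed and the permissions requested alongside it.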
Web3 Cryptospace Spotlight
Coinbase bug: 9 Mar - DeFi platform Unizen was exploited for over $2 million. PeckShield first discovered the incident, which was subsequently confirmed by SlowMist. The exploit was due to an external call vulnerability in the Ethereum contract. Users are advised to revoke approvals linked to the hacker's address. Unizen offered a 20% bounty for the stolen assets' return and is cooperating with law enforcement. Despite ongoing negotiations, they announced plans on March 11 to compensate 99% of victims immediately, prioritizing a careful, personalized reimbursement process. [more][more-2]
Fewer stolen tokens: In 2023, despite an increase in the number of cryptocurrency hacking incidents, the total stolen funds dropped significantly. Chainalysis reported 231 hacking incidents, up from 219 in 2022, but the stolen funds decreased by 54.3%, falling from $3.7 billion to $1.7 billion. The North Korean Lazarus Group played a significant role in this reduction.
The decline in stolen funds was mainly due to a decrease in DeFi hacking incidents, which peaked between 2021 and 2022. In 2022, cybercriminals stole over $3.1 billion from DeFi protocols, but by 2023, this figure had dropped to $1.1 billion, marking a 63.7% decrease. [more][more-2]
Quantum-safe Ethereum: Ethereum co-founder Vitalik Buterin has proposed a hard fork strategy to protect Ethereum funds from potential quantum computer attacks. Buterin's plan involves strengthening Ethereum's defenses against potential breaches by quantum computers. The concern arises from the theoretical ability of quantum computers to decrypt private keys and compromise blockchain security. However, this could disrupt consensus mechanisms and compromise the integrity of smart contracts, posing a threat to Ethereum's long-term viability. [more]