TechRisk Notes#64: AI may not translate to productivity boom
Plus, $63M insider job in a Web3 hack, MITRE AI Lab, AI platforms under attack, Cloud risk remains ill-managed, and more!
Tech Risk Reading Picks
AI impact on economy: The 2024 Economic Report of the President highlights that nearly 1 in 10 American workers are in jobs highly exposed to displacement by AI, with 2 in 10 potentially affected. Low-income and less-skilled workers may face negative impacts. However, the report suggests AI might reshape jobs rather than replace them entirely, citing examples like self-driving school buses needing attendants. It encourages government AI adoption, citing efficiency benefits and potential for private sector innovation. Yet, it warns of risks, including loss of accountability and jobs. Discriminatory biases in AI models are acknowledged. A productivity boom is not guaranteed. The report stated that "it may be a while before the full effects of AI are felt, and even longer before we can confidently observe it in economic statistics." Integration of AI hinges on technological, institutional, and regulatory factors. [more] [more-2]
Top AI cyber risk: The top four AI cyber risks that keep CISOs awake at night are: a) Model training and attack surface vulnerabilities, b) Data privacy concerns, c) Exposure of corporate intellectual property (IP), d) Generative AI jailbreaks and backdoors. [more]
MITRE AI Lab: MITRE, a public interest nonprofit, inaugurated its AI Assurance and Discovery Lab aimed at testing AI systems for government use. The lab will assess risks, including bias, through simulations and experiments. MITRE aims to address public trust concerns about AI applications, highlighted in a recent poll. The lab aligns with President Biden's executive order on AI risk management, emphasizing standards development and red-teaming. [more]
AI platforms under attack: Cybersecurity researchers have identified a critical vulnerability in the Anyscale Ray AI platform, which threat actors are exploiting to hijack computing power for cryptocurrency mining and data theft. The vulnerability has been actively exploited for seven months across various sectors including education, cryptocurrency, and biopharma. This marks the first instance of AI workloads being targeted in the wild due to flaws in the AI infrastructure. [more]
Transition to memory-safe programming languages: Transitioning to memory-safe languages is complex due to existing codebases and expertise limitations. Starting new projects with memory-safe languages is the easiest approach. For existing projects, critical functions and libraries can be rewritten incrementally. Rust and Swift offer interoperability with non-safe languages. Organizations need to assess their developer resources and provide training for memory-safe languages. Despite challenges, prioritizing secure code from the outset is crucial for long-term cybersecurity benefits. [more]
Cloud risk: The Cloud Security Alliance (CSA) conducted a survey on security remediation, revealing that over 77% of IT and security professionals feel ill-prepared to tackle security threats. Commissioned by Dazz, a prominent figure in security remediation, the survey collected insights from more than 2,000 industry experts. The report highlights the importance of efficiency and effectiveness over the sheer number of security tools. Hillary Baron, the lead author and Senior Technical Director for Research at CSA, emphasized the need for a nuanced approach focusing on tools' integration and intelligent orchestration. The evolving cybersecurity landscape demands better visibility into code-to-cloud environments, accelerated remediation, enhanced collaboration, and streamlined processes to effectively counter risks. [more]
Some of the key findings:
Visibility in Cloud Environments: Only 23% of organizations reported full visibility into their cloud environments, with complexities like containers and serverless architectures posing challenges.
False Positives and Duplicate Alerts: Sixty-three percent face challenges with duplicate alerts, and 60% with false positives, leading to alert fatigue and slower incident response times.
Remediation Process Improvement Needed: Despite 83% using some automation, 75% spend over 20% of their time on manual tasks in remediation.
Slow Response Times to Vulnerabilities: Eighteen percent take more than 4 days to address critical vulnerabilities, potentially increasing the risk of breaches.
Web3 Cryptospace Spotlight
Smart contract logic flaw: 25 Mar - Curio, a Web3 project facilitating liquidity from real-world assets, suffered a $16 million exploit due to a permission access logic flaw. The vulnerability enabled an attacker to create 1 billion CGT tokens, valued at almost $40 million. [more]
Insider job: 26 Mar - Munchables, an Ethereum-based NFT game, experienced a hack resulting in the loss of over 17,400 ETH (approx. $63M). The team, aided by investigators like PeckShield and ZachXBT, traced the stolen funds. ZachXBT alleged the hack was facilitated by a North Korean developer hired by Munchables, known as "Werewolves0943." On 27 Mar, Munchables revealed that the hacker was one of its developers. After an hour of negotiation, the developer agreed to return the funds, providing the necessary private keys. Munchables confirmed the return of the funds in an official statement. [more]
$11.6M whitehat rescue?: The Prisma Finance DeFi protocol was exploited by a self-proclaimed whitehat hacker for $11.6 million. The hacker communicated the intention to return the stolen tokens through on-chain messages. The stolen tokens were initially sent to three addresses, and some were swapped to Ether and transferred to Tornado Cash, a cryptocurrency mixer. Prisma Finance has halted its protocol in response to the attack. [more]