Tech Risk Reading Picks

1. Social impacts of AI: Concerns about AI extend beyond fears of it turning against humanity; they include risks to privacy, bias, and lack of transparency. However, a psychologist argues that the real danger lies in AI making people less disciplined in decision-making. Humans already tend to prefer decisions made for them, and AI worsen this by relying on biased data and perpetuating a cycle of poor decision-making. While AI has benefits in certain fields, its increasing role in daily decisions threatens human autonomy and critical thinking. Resisting the lure of AI is essential to preserve human agency and responsibility. [more]

2. AI deployment security guide by NSA, CISA & FBI: The U.S. Department of Defense, along with several international security agencies, released a guide titled "Deploying AI Systems Securely." It's a framework to help organizations deploy AI systems from other firms safely. Authored by various agencies, it emphasizes a holistic approach to AI security, detailing a six-step process for secure deployment: understanding the AI system, risk assessment, security planning, implementing controls, monitoring, and continuous improvement. [more][more-advisory]

3. Google on AI development: Google published six articles give in-depth guidance across the AI product development flow. Originally launched in 2019, they’ve been updated with new insights.[more]

4. Suspected AI enhanced APT attack: Cybercriminal group TA547, posing as German companies, is using AI-generated code in attacks across multiple industries in Germany. They send emails with fake invoices in password-protected ZIP files, containing malware triggered by a PowerShell script. Experts suspect the script was generated by an AI language model due to its perfection and specificity. This indicates a trend of cybercriminals using AI to enhance their attacks. However, the AI-generated content hasn't changed the malware's functionality or detection by defenders. TA547, identified as a financially motivated threat, has targeted various regions since 2023, delivering malware like NetSupport RAT. Recent targets include Spain, Switzerland, Austria, and the US. [more]

5. Shared responsibility in Cloud’s security: Organizations often overlook the shared responsibility model in cloud security, mistakenly assuming that the responsibility lies solely with the CSP. While CSPs offer robust security features, securing data in the cloud is a joint effort. Identity and Access Management, proper configuration, and data hygiene should be integrated into the organization's digital culture. Neglecting to take ownership of security responsibilities leaves organizations vulnerable to breaches, regardless of the security measures provided by the CSP. [more]

6. LeakyCLI: Orca, a cloud security firm, warns that command-line tools from major providers like Microsoft Azure, AWS, and Google Cloud can inadvertently expose sensitive information like credentials. These tools, used for interacting with cloud platforms, may inadvertently leak data via environment variables in build log files. Orca highlights that while CLI commands are assumed secure by default, they can pose risks in CI/CD environments. Initially found in Azure CLI, the vulnerability (CVE-2023-36052) was patched by Microsoft in November 2023. Orca later found similar issues, dubbed LeakyCLI, in AWS and Google Cloud CLI tools. [more]

7. Web3 Cryptospace Spotlight

   1. DeFi brokedown centrally: Decentralized finance (DeFi) apps suffered a breakdown due to a bug in Ethereum client Geth, causing a split in the Ethereum chain. Infura, a widely used service for Ethereum nodes, was affected because it was running the old, buggy version of Geth. This led to disruptions in various DeFi platforms like MetaMask, Compound Finance, Uniswap, Pool Together, and MakerDAO. Although Infura is back up and running, the incident highlights the risk of relying on a single provider. To strengthen DeFi, more apps should run their own nodes or use Infura backups, and users should ensure they're using the latest Ethereum client versions.

   2. DeFi Grand Base lost $2M: Grand Base, a DeFi platform, suffered a major hack due to a compromised private key, resulting in over $2 million in losses. The hacker accessed the project's wallet, initiated unauthorized transactions, causing a significant drop in the value of the GB token and impacting market stability. The attacker minted new tokens, exchanged them, and transferred them to Ethereum, exacerbating the damage. [more]

   3. First conviction for hacking a “smart contract”: A former Amazon engineer was sentenced to three years in prison for scamming over $12 million from two decentralized cryptocurrency exchanges in 2022. He exploited vulnerabilities in the exchanges' systems, including smart contracts, to manipulate pricing data and steal funds. The U.S. Justice Department called it the first conviction for hacking a smart contract. [more]