CyberWire Daily: AI Risk Frameworks, Data Breaches, and Crypto Laundering

Patch Tuesday and Vulnerability Updates

• Microsoft's November Patch Tuesday addressed over 60 flaws, including a critical race condition and double free bug in the Windows kernel, and a remote code execution bug in the GDI Plus graphics library.
• 💡 Major vendors like Siemens, Rockwell Automation, Aviva, and Schneider Electric released advisories for vulnerabilities in their industrial control system products.
• 📌 Adobe patched 29 vulnerabilities across various products, with several allowing arbitrary code execution.
• ⚡ Intel disclosed advisories for over 60 vulnerabilities in processors, firmware, and drivers, including high-severity flaws.
• ⚠️ Ivanti and Zoom also released patches for multiple vulnerabilities, some rated high severity, affecting endpoint manager and communication apps respectively.

AI and Data Security News

• 🎯 Google sued a China-based network called Lighthouse for operating a large-scale phishing-as-a-service operation targeting US organizations via SMS scams.
• 🧠 Google also launched "private AI compute" to bring Gemini AI models to the cloud with enhanced user data privacy through encryption and secure environments.
• 🚗 Hyundai Auto Ever America is notifying vehicle owners of a data breach exposing personal information like social security numbers and driver's license details.
• 🤖 Amazon introduced a bug bounty program for its Nova large language models, inviting researchers to find flaws related to prompt injection and jailbreaking.
• 🔍 The Rhadamanthys infostealer operation has been disrupted, with users reporting lost server access, possibly due to law enforcement intervention.
• 🤝 A Russian national is set to plead guilty in US federal court for acting as an initial access broker, selling stolen credentials to ransomware gangs.

AI Assessment Frameworks with Black Kite

• 💡 Bob Maley, CSO of Black Kite, discusses the extreme pressure on third-party risk management teams due to the rapid evolution of AI.
• 🧩 Traditional risk frameworks struggle to keep up with AI's pace, leading to a fragmented and chaotic landscape of assessments.
• 🔑 Black Kite developed the BKGA3 framework as an open standard to provide a common, non-negotiable set of security standards for assessing AI risk.
• 🌐 The openness of BKGA3 is crucial, aligning with Black Kite's mission to give back to the community and make resources freely available.
• 🚀 The framework was developed using AI to analyze and synthesize requirements from over 50 existing frameworks, acting as a "Rosetta Stone" for AI risk assessment.
• 📈 Keeping BKGA3 current involves using AI, automation, and continuously monitoring changes in compliance landscapes and emerging AI risks.
• ✅ "Responsible AI risk management" involves minimizing bias in AI development and deployment, acknowledging that complete removal of human bias is challenging.

Crypto Laundering Collapse

• 👑 Ji Minwan, known as the "Bitcoin Queen," was sentenced to over 11 years in prison for laundering $7.3 billion from a Chinese crypto scam affecting over 128,000 victims.
• 💰 Police seized 61,000 Bitcoin, valued at 5.5 billion pounds, the largest cryptocurrency haul ever recorded, highlighting the blockchain's traceability.