Newsletter

open source and cybersecurity news

September 22, 2023

It's 5:05, September 22, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Edwin Kwan: Pizza Hut Australia notified 193,000 customers that the company had suffered a data breach. That information included full name, delivery address, delivery instructions, email address, phone number, mass credit card data, and encrypted passwords for online accounts.

Katy Craig: Deputy Secretary of Defense Kathleen Hicks has just unveiled a vision called Replicator that’s all about scale and efficiency. Replicator isn’t just about mass-producing these systems, it’s about creating a blueprint for future scalability.

Hillary Coover: US voting machine companies are collaborating with cybersecurity experts to conduct additional stress tests on their systems in preparation for the 2024 election and to counter misinformation. Three major voting equipment manufacturers allowed a group of verified cybersecurity researchers access to their software and hardware for nearly two days.

Trac Bannon: Golang introduced a new cool feature called the go.mod directive in Go version 1.21. Unfortunately, the bad guys can exploit this, too. According to the 2021 Go Developer Survey, there are approximately 2.7 million developers who use Golang. That's a pretty nice-sized attack surface.

Olimpiu Pop:  The libraries we use in our projects are used in their binary format. Yes, even open source ones. That means that the open part in the open source is not fully used, as the code is not inspected. Given the growing number of supply chain attacks, we need a solution for it. Reproducible builds will guarantee that what you have is actually what you wanted.

The Stories Behind the Cybersecurity Headlines

Edwin Kwan
Pizza Hut Australia Suffers Data Breach

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Pizza Hut Australia notified 193,000 customers that the company had suffered a data breach.

This is Edwin Kwan from Sydney, Australia.

Pizza Hut Australia became aware earlier this month that an unauthorized third party had accessed its data. The company investigated and believes that only a small portion of its customers had their personal information stolen. That information included full name, delivery address, delivery instructions, email address, phone number, mass credit card data, and encrypted passwords for online accounts. They decided to send a notification to all 193,000 of their customers out of an abundance of caution to remind them of steps that they can take to protect their information and avoid potential scams.

Pizza Hut Australia and its parent company suffered cybersecurity incidents in the past, including a ransomware attack at the start of the year which forced the closure of 300 locations in the United Kingdom.

Resources
– Online 3: https://online3.com.au/pizza-hut-australia-hit-by-cyber-breach-customer-data-exposed/
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/pizza-hut-australia-warns-193-000-customers-of-a-data-breach/

Katy Craig
DOD’s Replicator: Future of Autonomous Defense Systems

Katy Craig, Contributing Journalist, It's 5:05 Podcast

When you think about the future of autonomous defense systems, think less 'Terminator' and more 'Replicator.' Deputy Secretary of Defense Kathleen Hicks has just unveiled a vision called Replicator that's all about scale and efficiency.

This is Katy Craig in San Diego, California.

Deputy Secretary of Defense Kathleen Hicks has set an ambitious goal for the Replicator project: to deploy thousands of attritable, autonomous systems across multiple domains in the next 18-24 months. Replicator isn’t just about mass-producing these systems, it’s about creating a blueprint for future scalability.

Hicks envisions all-domain attritable autonomy, which means these systems are designed to be expendable, yet highly efficient. Picture this: solar-powered, self-propelled, anti-domain, anti-aerial systems floating in the ocean, loaded with an array of sensors to provide real-time information. Or consider ground-based ADA2 systems that can scout dangerous areas, deliver logistics support, and secure Department of Defense infrastructure.

The idea is to use virtually limitless resources like solar power to operate these systems, making them both sustainable and effective. This isn’t just a one-off project. It’s a strategy aimed at revolutionizing how the Defense Department thinks about autonomous systems. The goal is to identify the most efficient and effective methods, and then replicate those methods for future projects.

So what we’re looking at is a future where autonomous systems are not just an add-on, but a fundamental component of defense strategy. It’s a bold vision, and if it comes to fruition, it could redefine the way we think about military operations.

This is Katy Craig. Stay safe out there.

Resources
– Defense.GOV: https://www.defense.gov/News/News-Stories/Article/Article/3518827/hicks-discusses-replicator-initiative/

Hillary Coover
Unmasking Election Security: How Cybersecurity Stress Tests Battle Misinformation

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

Could the cybersecurity stress tests employed by U.S. voting machine companies be the key to safeguarding future elections and dispelling conspiracy theories?

This is Hillary Coover in Washington, DC.

US voting machine companies are collaborating with cybersecurity experts to conduct additional stress tests on their systems in preparation for the 2024 election and to counter misinformation.

This initiative aims to increase transparency regarding the examination of election equipment by security professionals before it's sent to polling locations. Three major voting equipment manufacturers (Election Systems and Software, Hart InterCivic, and Unisyn) allowed a group of verified cybersecurity researchers access to their software and hardware for nearly two days.

They tested various attack scenarios, including attempts to manipulate ballot boxes and disrupt electronic poll books used at polling stations. While the results are still being analyzed, the voting equipment vendors are already adjusting their security protocols in response to the findings. After facing threats following the 2020 election, when false claims were made about their equipment being used for election fraud, these voting equipment companies have had to carefully navigate discussions about vulnerabilities in their software.

The challenges lie in addressing these vulnerabilities without providing fodder for conspiracy theorists. With the 2024 election approaching, the misinformation environment remains a concern. Despite the risks involved in disclosing software vulnerabilities, the participating voting vendors are embracing a program called Coordinated Vulnerability Disclosure, a common practice in various industries, but one that hasn’t been readily adopted by the election sector due to public scrutiny and threats against election officials.

The voting machine manufacturers have their own internal security tests and collaborate with cybersecurity experts at the US government-funded Idaho National Laboratory, yet they still face skepticism from critics.

Time will tell whether these stress tests alleviate misinformation for our upcoming election.

Resources
– CNN: https://www.cnn.com/2023/09/20/politics/voting-machines-cybersecurity-2024/index.html

It's Point of View Friday featuring Trac Bannon and Olimpiu Pop, with their perspectives on the Go programming language's newest release and its accompanying vulnerabilities.

Trac Bannon
GoLang Flaw in go.mod directive

Tracy Bannon, Contributing Journalist, It's 5:05 Podcast

Another day, another vulnerability. Golang introduced a new cool feature called the go.mod directive in Go version 1.21. The intent is to let developers specify a particular version of Go when building and testing a module. Unfortunately, the bad guys can exploit this too.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

This is why we can’t have nice things. But seriously, there is a new CVE reported on September 8. Its ID is CVE-2023-39320. There are no known exploits yet. But that doesn’t mean the bad guys are not hard at work. It only means the exploits haven’t been uncovered yet.

The vulnerability was introduced when the go.mod toolchain directive feature was introduced. There are nuances which may be keeping this CVE from widespread exploitation for now. The toolchain directive is only used when the module is the main module, which is the module that is built when running the go build command, and the main module default Go version has to be less than the suggested toolchain’s version.

Sounds benign, right? Simplicity and nuance are keys to exploits.

Technically, bad actors could execute scripts and arbitrary code by creating a malicious module that contains a specially-crafted go.mod file. Next step is to trick a victim into downloading and building the module. When the victim builds the module, the attacker can execute arbitrary code on the victim’s system.

Can you imagine the complete compromises possible? Gain unauthorized access, steal data, disrupt services, deploy ransomware? According to the 2021 Go Developer Survey, there are approximately 2.7 million developers who use Golang. That's a pretty nice-sized attack surface.

For now, good security hygiene applies. Migrate to the latest version of Go that includes a fix for this and rebuild any packages built with 1.21. Head over to 505updates for resources and details on today’s report.

Something to noodle on.

Resources
– NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39320
– Red Hat: https://access.redhat.com/security/cve/cve-2023-39320
– go.DEV: https://go.dev/ref/mod
– Google Groups: https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ?pli=1
– JetBrains: https://blog.jetbrains.com/go/2021/02/03/the-state-of-go/

Olimpiu Pop
The First Perfect Reproducible Toolchain Shadowed By Critical Vulnerabilities

Olimpiu Pop, Contributing Journalist, It's 5:05 Podcast

In many countries, especially in Europe, August is almost taken off the calendar. Everything comes to a standstill. In the Go programming language ecosystem, it was a bit different, as Go 1.21 was released. One of its features, perfect reproducible builds, is game-changing to the supply chain security. Why is that, you wonder?

More often than not, the libraries we use in our projects are used in their binary format. Yes, even open source ones. That means that the open part in the open source is not fully used, as the code is not inspected. Given the growing number of supply chain attacks, we need a solution for it. Reproducible builds will guarantee that what you have is actually what you wanted.

There are multiple efforts in this space, but from what I know, the Go ecosystem is the one to provide a fully-reproducible toolchain. Version 1.21 is the one that brought it here, even if things were started in 1.20.

Unfortunately, besides the perfectly reproducible toolchain, this version also introduced a chain of vulnerabilities that arm an attacker with various mechanisms, including cross-site scripting, remote code execution, or even quick protocol disruption.

The five vulnerabilities have various CVSS severities, ranging from 9.8 to 6.1 and they are already fixed in versions 1.21.1 and 1.20.8. Golang is the base of the cloud native ecosystem, being the language in which Kubernetes and all the related tools were written. Make sure to run on the appropriate versions.

More angles on this story can be found on 505updates.com.

Olimpiu Pop, reporting from Transylvania, Romania.

Resources

– go.DEV: https://go.dev/blog/rebuild
– NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39318
– NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39319
– NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39320
– NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39321
– NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39322
– first.ORG: https://api.first.org/data/v1/epss?cve=CVE-2023-39320
– Google Groups: https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ?pli=1
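Added example (this is not code from the Go project or from either of the two reports above): a small stdlib-only Go linter that applies the conditions Trac Bannon describes to a go.mod file and the version check Olimpiu Pop asks for. It rejects a toolchain directive whose value is not a plain go1.N release name, flags the case in which the directive would actually be consulted (the module's go version is lower than the toolchain version), and reports whether a pinned toolchain, or the toolchain running the program, is at or beyond the fixed 1.21.1 / 1.20.8 releases named in the advisories. The two go.mod samples are constructed, the path-style toolchain value in the second one is hypothetical (it shows the shape a release name must never take, not a known payload), and the release-name pattern is an approximation of the go command's own syntax, not its implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample go.mod contents (not from any real module); the path-style
// toolchain value is hypothetical and only illustrates a non-release-name value.
const CleanMod = "module example.com/app\n\ngo 1.21.1\n\ntoolchain go1.21.1\n"
const SuspiciousMod = "module example.com/app\n\ngo 1.20\n\ntoolchain ./tools/go // pinned helper\n"

// ModInfo holds the two go.mod directives this check cares about ("" if absent).
type ModInfo struct {
	GoVersion string // "go" directive value, e.g. "1.20"
	Toolchain string // "toolchain" directive value, e.g. "go1.21.1"
}

// releaseRE approximates the toolchain names the go command accepts:
// go1.N, go1.N.M, go1.NrcR or go1.NbetaB, with an optional -suffix.
var releaseRE = regexp.MustCompile(`^go1\.[0-9]+(\.[0-9]+|rc[0-9]+|beta[0-9]+)?(-[A-Za-z0-9._]+)?$`)
// versionRE captures major, minor and optional patch; rc/beta markers are ignored.
var versionRE = regexp.MustCompile(`^([0-9]+)\.([0-9]+)(?:\.([0-9]+))?(?:rc[0-9]+|beta[0-9]+)?$`)

// ParseGoMod extracts the go and toolchain directives (single-line, // comments stripped).
func ParseGoMod(src string) ModInfo {
	var info ModInfo
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		if f := strings.Fields(line); len(f) == 2 {
			switch f[0] {
			case "go":
				info.GoVersion = f[1]
			case "toolchain":
				info.Toolchain = f[1]
			}
		}
	}
	return info
}

// parseVersion maps "1.21.1", "go1.21.1" or "go1.21rc2-x" to one sortable
// integer (major*1e6 + minor*1e3 + patch); ok is false for non-versions.
func parseVersion(v string) (key int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	if i := strings.Index(v, "-"); i >= 0 {
		v = v[:i]
	}
	m := versionRE.FindStringSubmatch(v)
	if m == nil {
		return 0, false
	}
	for _, s := range m[1:] {
		n, _ := strconv.Atoi(s) // a missing patch part ("") becomes 0
		key = key*1000 + n
	}
	return key, true
}

// IsPatched reports whether a release string (runtime.Version() output or a toolchain
// directive value) is at or beyond 1.21.1 / 1.20.8; older or other series count as unpatched.
func IsPatched(release string) bool {
	k, ok := parseVersion(release)
	fixed120, _ := parseVersion("1.20.8")
	fixed121, _ := parseVersion("1.21.1")
	next, _ := parseVersion("1.21.0")
	return ok && (k >= fixed121 || (k >= fixed120 && k < next))
}

// Lint applies the report's conditions to one go.mod: a toolchain value that is not a
// plain release name, a directive that would be consulted (go < toolchain), a pinned
// toolchain older than the fixes.
func Lint(info ModInfo) []string {
	var out []string
	goVer, haveGo := parseVersion(info.GoVersion)
	if !haveGo {
		out = append(out, "go directive missing or unparsable")
	}
	if info.Toolchain == "" || info.Toolchain == "default" {
		return out // "default" explicitly disables switching for this module
	}
	if !releaseRE.MatchString(info.Toolchain) {
		return append(out, fmt.Sprintf("toolchain %q is not a go1.N release name; refuse to build", info.Toolchain))
	}
	tc, _ := parseVersion(info.Toolchain) // releaseRE guarantees this parses
	if haveGo && goVer < tc {
		out = append(out, fmt.Sprintf("go %s < toolchain %s: building would switch toolchains", info.GoVersion, info.Toolchain))
	}
	if !IsPatched(info.Toolchain) {
		out = append(out, fmt.Sprintf("toolchain %s predates the 1.21.1 / 1.20.8 fixes", info.Toolchain))
	}
	return out
}

func main() {
	fmt.Println("clean:", Lint(ParseGoMod(CleanMod)))
	fmt.Println("suspicious:", Lint(ParseGoMod(SuspiciousMod)))
}
```

Run it against a module's go.mod before building anything you pulled from a proxy or a VCS, and feed runtime.Version() or the output of go version to IsPatched on build hosts. The blunter control for CI is the environment: Go 1.21 honours GOTOOLCHAIN=local, which makes the go command refuse to switch toolchains at all, so a go.mod cannot steer the build onto a different toolchain regardless of what the directive says.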
