open source and cybersecurity news

September 29, 2023

It's 5:05, September 29, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Marcel Brown:  September 28th, 1997. Just a little over two weeks after naming Steve Jobs interim CEO, Apple launches their Think Different ad campaign. “Here’s to the Crazy Ones, the misfits, the rebels, the troublemakers, the round pegs in the square holes. Because the people who are crazy enough to think they can change the world, are the ones who do.”

Edwin Kwan:  Security researchers have discovered a campaign where attackers were attempting to sneak code into software projects by disguising them as changes made by GitHub Dependabot.

Trac Bannon:  CISA has published a comprehensive guide for planning and implementing effective security measures. Why does it matter that the security planning workbook comes from CISA? By CISA taking the lead and making the workbook public, the techniques and guidance are accessible to any organization, regardless of size or resources.

Katy Craig: Prepare for security success with the Cybersecurity and Infrastructure Security Agency’s Security Planning Workbook. What’s unique about this workbook is its accessibility. You don’t need to be a security expert to use it effectively.

Olimpiu Pop: This month, the Cybersecurity and Infrastructure Security Agency published its security planning workbook for those who want to improve their security, regardless of the scope of their organization. The workbook will respond to questions like, “How do you form a planning team? How do you assess risk? What should you consider when mitigating risk?”

Today is Friday, September 29th, 2023. From Sourced Network Productions in New York City, It’s 5:05. I’m Mark Miller sitting in for Hillary Coover, who will be back on Monday. Today’s episode includes our Friday Point of View segments with updates from Trac Bannon, Katy Craig, and Olimpiu Pop on CISA’s Security Planning Workbook. To start today’s updates, Edwin Kwan talks about a campaign where attackers were attempting to sneak code into software projects by disguising them as changes made by GitHub Dependabot.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Attackers Impersonating Dependabot try to Sneak Malicious Code Changes

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Attackers targeting software supply chains are impersonating GitHub Dependabot to sneak their malicious code changes past developers.

This is Edwin Kwan from Sydney, Australia.

Security researchers have discovered a campaign where attackers were attempting to sneak code into software projects by disguising them as changes made by GitHub Dependabot.

Dependabot is designed to alert users of security vulnerabilities in a project’s dependencies. It does this by automatically generating pull requests to keep dependencies updated. As a result, there is a level of trust when developers are reviewing code changes made by Dependabot. They might not even be checking the code before approving the pull request and merging the changes into the project.

In order to launch the impersonation attack, the attackers would first need write access to the project repository. For this particular campaign, the attackers gained initial access to hundreds of project repositories using stolen personal access tokens. It is not known how those tokens were stolen.

Such attacks are a reminder of the level of sophistication in software supply chain attacks.

Resources
– CheckMarx: https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/
– Dark Reading: https://www.darkreading.com/application-security/supply-chain-attackers-escalate-with-github-dependabot-impersonation
– Hacker News: https://thehackernews.com/2023/09/github-repositories-hit-by-password.html
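As an added defender's example (not code from the podcast, Checkmarx, Dark Reading, or GitHub), here is a small Python check that asks the question a reviewer should ask before trusting a "Dependabot" pull request: does the account GitHub attributes the commit to actually belong to the Dependabot app, and did GitHub verify the commit signature? The field names (`author.login`, `author.type`, `commit.verification.verified`, `head.ref`) follow GitHub's REST API pull-request and commit objects; the two sample pull requests are constructed, and the expectation that genuine Dependabot commits come from a `Bot` account with a GitHub-verified signature on a `dependabot/` branch is an assumption stated in the code.

```python
"""Check whether a pull request that looks like Dependabot's really came from Dependabot.

Added example, not from the podcast or any vendor tool. Input dictionaries mimic the
shape of GitHub's REST API objects (pull request + its commit list); sample data below
is constructed. Assumption: a genuine Dependabot PR is opened by the `dependabot[bot]`
account (type "Bot"), its commits are attributed to that account, and GitHub marks them
as verified. A commit whose *display* author name says "dependabot[bot]" but whose
*account* is a human user is the pattern worth escalating.
"""
from dataclasses import dataclass, field

DEPENDABOT_LOGIN = "dependabot[bot]"
DEPENDABOT_BRANCH_PREFIX = "dependabot/"


@dataclass
class Finding:
    sha: str
    verdict: str                      # "genuine", "suspicious" or "unrelated"
    reasons: list = field(default_factory=list)


def check_commit(commit: dict) -> Finding:
    """Compare who a commit claims to be from with who GitHub says authored it."""
    sha = commit["sha"]
    display_name = commit["commit"]["author"]["name"]
    account = commit.get("author") or {}   # None when the email maps to no GitHub account
    verified = commit["commit"]["verification"]["verified"]

    if not display_name.lower().startswith("dependabot"):
        return Finding(sha, "unrelated")   # not claiming to be Dependabot; out of scope here

    reasons = []
    if account.get("login") != DEPENDABOT_LOGIN or account.get("type") != "Bot":
        reasons.append(
            f"display name {display_name!r} but authoring account is "
            f"{account.get('login')!r} of type {account.get('type')!r}"
        )
    if not verified:
        reasons.append("commit has no GitHub-verified signature")
    return Finding(sha, "suspicious" if reasons else "genuine", reasons)


def check_pull_request(pr: dict, commits: list) -> dict:
    """Combine a PR-level identity check with per-commit checks."""
    pr_reasons = []
    user = pr["user"]
    looks_like_dependabot = (
        pr["head"]["ref"].startswith(DEPENDABOT_BRANCH_PREFIX)
        or user["login"] == DEPENDABOT_LOGIN
    )
    if looks_like_dependabot and (user["login"] != DEPENDABOT_LOGIN or user["type"] != "Bot"):
        pr_reasons.append(
            f"branch {pr['head']['ref']!r} looks like Dependabot's but PR was opened by "
            f"{user['login']!r} of type {user['type']!r}"
        )
    findings = [check_commit(c) for c in commits]
    any_suspicious = any(f.verdict == "suspicious" for f in findings)
    verdict = "suspicious" if (pr_reasons or any_suspicious) else "genuine"
    return {"number": pr["number"], "verdict": verdict,
            "pr_reasons": pr_reasons, "commits": findings}


# ---- constructed sample data (shapes follow GitHub's API, values are made up) ----
_VERIFIED = {"verified": True, "reason": "valid"}
_UNVERIFIED = {"verified": False, "reason": "unsigned"}

GENUINE_PR = {"number": 101, "user": {"login": DEPENDABOT_LOGIN, "type": "Bot"},
              "head": {"ref": "dependabot/npm_and_yarn/lodash-4.17.21"}}
GENUINE_COMMITS = [{
    "sha": "aaaa1111",
    "commit": {"author": {"name": "dependabot[bot]"}, "verification": _VERIFIED},
    "author": {"login": DEPENDABOT_LOGIN, "type": "Bot"},
}]

# Attacker pushed with a stolen personal access token: the commit *says* Dependabot,
# but the account GitHub attributes it to is the compromised human user.
SPOOFED_PR = {"number": 102, "user": {"login": "alice-dev", "type": "User"},
              "head": {"ref": "dependabot/npm_and_yarn/bump-deps"}}
SPOOFED_COMMITS = [{
    "sha": "bbbb2222",
    "commit": {"author": {"name": "dependabot[bot]"}, "verification": _UNVERIFIED},
    "author": {"login": "alice-dev", "type": "User"},
}]

if __name__ == "__main__":
    for pr, commits in ((GENUINE_PR, GENUINE_COMMITS), (SPOOFED_PR, SPOOFED_COMMITS)):
        result = check_pull_request(pr, commits)
        print(f"PR #{result['number']}: {result['verdict']}")
        for reason in result["pr_reasons"]:
            print("  PR:", reason)
        for f in result["commits"]:
            for reason in f.reasons:
                print(f"  {f.sha}:", reason)
```

The same checks can be enforced without a script: a branch protection rule that requires signed commits, plus reviewing the account avatar and "Verified" badge rather than the commit's text, removes most of the trust that a spoofed author name relies on.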

 

Marcel Brown
This Day in Tech History: Here’s to the Crazy Ones

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some technology history for September 27th through the 30th.

September 27th, 1983. Promising a free UNIX, Richard Stallman announces that he is going to write a complete UNIX-compatible software system he calls GNU, which stands for GNU’s Not UNIX. This is a significant milestone in the history of open source and free software. Stallman would later found the Free Software Foundation.

September 27th, 1998. For some peculiar reason, Google has at times chosen the date of September 27th as their birthday, even though it is more officially September 4th or 7th.

Google has no explanation for celebrating their birthday on different days over the years other than to say, “Google opened its doors in September 1998. The exact date when we celebrate our birthday has moved around over the years, depending on when people feel like having cake.”

September 27th is also my first daughter’s birthday. Happy birthday, Isabella!

September 28th, 1997. Just a little over two weeks after naming Steve Jobs interim CEO, Apple launches their Think Different ad campaign. Designed to reintroduce the Apple brand, the campaign was nearly universally praised by the press, general public, and advertising industry, winning several awards along the way.

Looking back in context, Think Different was the symbolic start of Apple’s resurgence from near collapse in the 1990s into the world’s most valuable company. The campaign was anchored on the now famous prose commonly called Crazy Ones, which was narrated by Richard Dreyfuss in the commercial most people are familiar with.

It is commonly thought that Steve Jobs wrote Crazy Ones, but in fact, it was written by Rob Siltanen and Ken Segal, who worked at Apple’s advertising agency.

“Here’s to the Crazy Ones, the misfits, the rebels, the troublemakers, the round pegs in the square holes. The ones who see things differently, they’re not fond of rules and they have no respect for the status quo. You can quote them, disagree with them. Glorify or vilify them. About the only thing you can’t do is ignore them, because they change things. They push the human race forward, and while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do.”

September 29th, 1983. Microsoft releases their first software application, Microsoft Word 1.0. For use with MS-DOS compatible systems, Word was the first word processing software to make extensive use of a computer mouse.

Not coincidentally, Microsoft had released a computer mouse for IBM compatible PCs earlier in the year.

A demo version was also included for free with a copy of PC World Magazine, marking the first time a floppy disk was included with a magazine.

September 30th, 1980. Digital, Intel, and Xerox released version 1.0 of the Ethernet specification, known as the Bluebook. Since that time, Ethernet has evolved into the de facto networking standard for local area networks in business and in the home.

That’s your technology history for this week. For more, tune in next week and visit my website, ThisDayInTechHistory.Com.

Resources
– This Day in Tech History: September 27, 2023
– This Day in Tech History: September 28, 2023
– This Day in Tech History: September 29, 2023

 

And now it’s Point of View Friday with Trac Bannon, Katy Craig, and Olimpiu Pop talking about CISA’s new Security Planning Workbook.

 

Trac Bannon
More CISA Leadership: Security Planning Workbook

Trac Bannon, Contributing Journalist, It's 5:05 Podcast

Looking for a one-stop shop to help you bolster your plans for cyber and physical defense? CISA has published a comprehensive guide for planning and implementing effective security measures. Why does it matter that the security planning workbook comes from CISA?

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

The Cybersecurity and Infrastructure Security Agency, CISA, serves as the national leading authority on safeguarding critical infrastructure and enhancing cybersecurity measures. Part of their mission is providing guidance and that includes frameworks and workbooks.

CISA’s involvement drives guidelines that are standardized across various sectors. This is crucial for interoperability and effective collaboration between different organizations and government agencies. Given CISA’s deep expertise in cybersecurity, the workbook carries an authoritative voice. Many organizations are more likely to trust and implement guidelines created by an established federal agency.

CISA has the resources to create a workbook that covers a broad spectrum of security topics, ranging from cyber to physical security. The all-encompassing approach enables organizations to consider their security posture holistically. They also have the capability to keep the information current. Cyber threats are continually evolving, so these materials must have real-time relevance.

By CISA taking the lead and making the workbook public, the techniques and guidance are accessible to any organization, regardless of size or resources. This means a benefit to the entire security landscape at large. It doesn’t hurt that CISA is well positioned to align the workbook’s guidelines with existing legal and regulatory requirements.

Perhaps most importantly, the workbook serves the greater purpose of national security. By assisting organizations in strengthening their security postures, CISA’s workbook indirectly contributes to the safeguarding of the nation’s critical infrastructure against cyber and physical threats.

Head over to 505updates for today’s resources on this post.

Something to noodle on.

Resources
– CISA: https://www.cisa.gov/resources-tools/resources/security-planning-workbook
– CISA: https://www.cisa.gov/sites/default/files/2023-09/CISA_Security_Planning_Workbook_508-Compliant.pdf

 

Katy Craig
CISA’s Cybersecurity Workbook: What’s Inside

Katy Craig, Contributing Journalist, It's 5:05 Podcast

Prepare for security success with the Cybersecurity and Infrastructure Security Agency’s Security Planning Workbook. It’s designed for everyone, whether you’re a security pro or new to the field.

This is Katy Craig in San Diego, California.

What’s unique about this workbook is its accessibility. You don’t need to be a security expert to use it effectively. Whether you’re an individual or part of a group tasked with security responsibilities, CISA’s workbook can guide you through the process.

Here’s what you’ll find inside:

  1. Forming a Planning Team. Get contact info for your security team, safety team, and key contacts.
  2. Risk Assessment. Assess threats, vulnerabilities, and risks step by step.
  3. Mitigation. Plan how to reduce vulnerabilities.
  4. Additional Elements. Cover training, exercises, communication, and recovery plans.
  5. Finalizing Your Plan. Bring it all together for a comprehensive plan.
  6. Supplemental Planning. Explore options for disaster and emergency planning.
  7. Resources. Find support for your planning efforts.

Remember, take your time to create a strong security plan that fits your needs. CISA’s workbook is here to help you succeed.

This is Katy Craig. Stay safe out there.

Resources
– CISA: https://www.cisa.gov/sites/default/files/2023-09/CISA_Security_Planning_Workbook_508-Compliant.pdf

 

Olimpiu Pop
CISA’s Workbook Prepares You for more than Digital Risk

Olimpiu Pop, Contributing Journalist, It's 5:05 Podcast

“It depends” is the standard prefix of any response in the software industry. Probably that’s true for any industry. But with us, it seems even more so. When we are looking at the cybersecurity field, security in general, actually, context is even more important.

This month, the Cybersecurity and Infrastructure Security Agency published its security planning workbook for those who want to improve their security, regardless of the scope of their organization. The workbook will respond to questions like, “How do you form a planning team? How do you assess risk? What should you consider when mitigating risk?”

Another important take of the workbook is that it provides detailed information on how to be prepared for any kind of incident, not just a cybersecurity one.

Besides guidelines, examples of templates are provided as well, making it really useful for broad audiences.

One of the most important aspects is that they recommend horizontal inclusion at the organizational level, to ensure all the needed input. Having a Crisis Task Force at the organizational level ensures the real understanding of the impact of a threat. More than that, with representatives from each area, swift decisions will be taken and the impact will be diminished.

So, even if you face the risk of being exposed to a highly critical vulnerability, you can understand the risks your organization is exposed to and ensure you address them accordingly.

The full episode contains more points of view on the topic. You can find it on 505updates.com, where you’ll also find the transcript and resources.

Olimpiu Pop reporting from Transylvania, Romania.

Resources
– CISA: https://www.cisa.gov/sites/default/files/2023-09/CISA_Security_Planning_Workbook_508-Compliant.pdf

 

That’s our updates for today, September 29th, 2023. I’m Mark Miller. We’ll be back on Monday, at 5:05.
