Newsletter

open source and cybersecurity news

October 31, 2023

In this Episode:

Marcel Brown: October 31st, 2000. Russia launches Soyuz TM-31 carrying the first crew to the International Space Station. Between the 2011 retirement of the space shuttle and the 2020 demo flight of SpaceX Crew Dragon, the Soyuz served as the only means to ferry crew to or from the International Space Station.

Edwin Kwan: Casio has suffered a data breach that has affected over 120,000 customers in 149 countries. Casio said that the cause of the breach was due to some of the network settings in the development environment being disabled due to system operational error.

Ian Garrett: This is the second part of our exploration into software supply chain attacks. We’ll explore dependency confusion, stolen SSL and code-signing certificates, the targeting of developers’ CI/CD infrastructure, and the use of social engineering to drop malicious code.

Hillary Coover: US and Customs Enforcement Agency, ICE, is employing an AI-powered tool known as Giant Oak Search Technology to scan social media posts for content that it deems derogatory to the United States. This revelation, first brought to light by 404 Media, has really ruffled some feathers.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Casio Data Breach affects over 120,000 customers in 149 countries

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Casio has suffered a data breach that has affected over 120,000 customers in 149 countries.

This is Edwin Kwan from Sydney, Australia.

The Japanese electronics manufacturer said that the data breach occurred in ClassPad.net, which is one of their software subsidiaries. ClassPad is Casio’s education web app that allows users to work with computation, graphing, statistics, and more.

The information that was leaked included customer names, email addresses, country of residence, order details, service usage information, and payment methods. Credit card information was not included in the breach. Of those impacted, over 91,000 were customers in Japan and over 35,000 were customers residing in other countries.

Casio said that the cause of the breach was due to some of the network settings in the development environment being disabled due to system operational error. As part of their response, they have restricted access to the affected databases and have reported the incident to Japan’s Personal Information Protection Commission and to JUAS, which is the ‘PrivacyMark’ Certification Organization.

Casio also said in their statement that they will continue to consult with and engage an external security specialist organization to conduct further internal investigations, analyze the root cause, and devise appropriate countermeasures in response to this incident. They will also be engaging a law firm and are cooperating with the police investigations.

Resources

– Casio: https://world.casio.com/information/1018-incident/
– The Record: https://therecord.media/casio-data-breach-classpad-education-app
– The Register: https://www.theregister.com/2023/10/19/casio_data_theft/

 

Ian Garrett
6 Types of Supply Chain Attacks (Part 2)

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

This is the second part of our exploration into software supply chain attacks. We’ll continue to delve into the different types of these attacks, understanding the tactics used by attackers to compromise the software development lifecycle. We’ll explore dependency confusion, stolen SSL and code-signing certificates, the targeting of developers’ CI/CD infrastructure, and the use of social engineering to drop malicious code.

Hey folks, this is Ian Garrett in Arlington, Virginia.

Type 3 is the Dependency Confusion Attack. Dependency confusion attacks are notable for their simplicity and automation. Attackers exploit the design weaknesses of using internal dependencies with the same names as public, open-source repositories. By registering a public dependency with a higher version number, attackers can insert their code into software builds. The nature of this attack led to multiple breaches, and it highlights a weakness in open-source ecosystems.

Type 4 is Stolen SSL and Code-Signing Certificates. Stolen SSL certificates can threaten secure communications, while compromised code-signing certificates can allow attackers to sign their malware as legitimate software. The consequences are far reaching, impacting the security of end users.

Type 5 is attacks against CI/CD infrastructure. Attackers may compromise CI/CD infrastructure, as observed with GitHub Actions. They exploit automated CI/CD tasks by slightly altering GitHub Action scripts, leading to a successful supply chain attack. This tactic abuses automation while tricking developers into accepting malicious pull requests.

Type 6 is Using Social Engineering to Drop Malicious Code. The human element is a significant weakness in software supply chain attacks. Attackers may exploit trust within developer communities or university researchers with seemingly credible email addresses. The expectation of good faith contributions may lead to unnoticed malicious code introductions.

As these attack vectors continue to evolve, it’s important to stay up to date with the latest advancements in attacker strategies to stay secure.

Resources

– CSO Online: https://www.csoonline.com/article/570743/6-most-common-types-of-software-supply-chain-attacks-explained.html
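As an added illustration of the dependency-confusion pattern described under Type 3, here is a small lockfile audit (example code written for this page, not from the podcast or the CSO Online article). It flags packages from the organisation's internal namespace that a build resolved from anywhere other than the internal registry; the "@acme" scope, the package names and the registry hostnames are constructed assumptions.

```python
"""Added example: flag dependency confusion in an npm package-lock.json
(lockfileVersion 2/3 "packages" layout): an internal-namespace package whose
"resolved" URL points anywhere but the internal registry is reported."""
import json
from urllib.parse import urlparse

# Constructed sample lockfile. The "@acme" scope, the package names and the
# registry hostnames are assumptions for this example, not real projects.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@acme/auth-utils": {"version": "1.2.0",
            "resolved": "https://npm.internal.acme.example/@acme/auth-utils/-/auth-utils-1.2.0.tgz"},
        # Internal name resolved from the public registry at an implausibly
        # high version: the dependency-confusion signature.
        "node_modules/acme-logger": {"version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-logger/-/acme-logger-99.0.0.tgz"},
        "node_modules/lodash": {"version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
})

INTERNAL_HOSTS = {"npm.internal.acme.example"}
INTERNAL_SCOPES = {"@acme/"}      # scoped names that exist only internally
INTERNAL_NAMES = {"acme-logger"}  # unscoped internal names: the risky kind

def package_name(path):
    """'node_modules/a/node_modules/@acme/b' -> '@acme/b' (innermost package)."""
    return path.rsplit("node_modules/", 1)[1]

def is_internal(name):
    return name in INTERNAL_NAMES or any(name.startswith(s) for s in INTERNAL_SCOPES)

def audit_lockfile(lock_text):
    """Return internal-named packages that were not fetched from an internal host."""
    findings = []
    for path, entry in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = package_name(path)
        host = urlparse(entry.get("resolved", "")).hostname
        if is_internal(name) and host not in INTERNAL_HOSTS:
            findings.append({"name": name, "version": entry.get("version"), "host": host})
    return findings

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"SUSPECT {f['name']}@{f['version']} fetched from {f['host']}")
```

A missing "resolved" field is also reported, since a package with no recorded origin cannot be shown to have come from the internal registry.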

 

Hillary Coover
Threat Posed by Chinese Espionage and Social Engineering

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

The US and Customs Enforcement Agency, ICE, is employing an AI-powered tool known as Giant Oak Search Technology to scan social media posts for content that it deems derogatory to the United States. This revelation, first brought to light by 404 Media, has really ruffled some feathers. But I’m here to tell you the ruffled feathers and headlines are probably an overreaction.

Hi, this is Hillary Coover in Washington, DC.

GOST came under fire recently for its role in ICE’s vetting program. GOST collects and analyzes social media posts and assesses individuals’ potential risk to the nation. It showcases how information is processed and utilized to determine who is allowed to stay in the country and who is not.

The system ranks an individual’s social media scores on a scale from one to a hundred based on its relevance to the user’s perceived mission. While the review of social media content is not a novel concept and has been used in the past to investigate potentially dangerous people, the advent of AI tools like GOST raises concerns about the thinning line between homeland security and individual liberties. These tools can process a lot of information at speeds beyond human capabilities, amplifying the potential for errors and misuse.

One significant point that often gets missed in these discussions is that most social media data aggregation services primarily focus on publicly available accounts, not private ones. The logistics of maintaining accounts on personas dedicated to collecting private or connected accounts’ posts and information are incredibly resource-intensive. Perhaps GOST is doing both, but they are not gathering private information at scale.

Resources

– Decrypt Media: https://decrypt.co/203545/ai-immigration-ice-social-media-scan-threat-level

 

Marcel Brown
This Day, October 31, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Mark Miller standing in for Marcel Brown, delivering another segment of This Day in Tech History.

October 31st, 2000. Russia launches Soyuz TM-31 carrying the first crew to the International Space Station. The Soyuz was designed for the Soviet space program by the Korolev Design Bureau. Between the 2011 retirement of the space shuttle and the 2020 demo flight of SpaceX Crew Dragon, the Soyuz served as the only means to ferry crew to or from the International Space Station.

As a side note, the ISS has been continuously manned since its first mission. In fact, you can track the path of the space station and know when it will be flying over your house by using an app on your phone. I use the ISS Detector App. It is extremely precise and gives you up-to-the-second readings on where the space station is and when it will be visible in your location.

That’s it for your technology history for today. Check back in each day as host Marcel Brown brings the interesting tidbits that made this life interesting. You can get it daily at ThisDayInTechHistory.com.

Resources

– This Day in Tech History: https://thisdayintechhistory.com/10/31
