Newsletter

open source and cybersecurity news

November 23, 2023

It's 5:05, November 23, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Marcel Brown:  November 23rd, 2004. Blizzard Entertainment releases the massively multiplayer online role playing game, World of Warcraft. It quickly became the most popular MMORPG of all time. In the nearly 20 years since its release, World of Warcraft has had 9 major expansion packs, with 3 more expansion packs already planned for the future.

Edwin Kwan:  The Australian government has released its revised cybersecurity strategy for its plan to become a world leader in cyber security by 2030. It seeks to make Australia a hard target for cyber attacks by undermining cybercrime business models and putting Australian businesses and consumers in a stronger position to prepare and respond effectively.

Olimpiu Pop: The average Java application uses 148 dependencies, with around 10 releases occurring annually. That means that the developer not only has to make the initial selection of those libraries, but also has to track an average of 1,500 dependency changes throughout the year. Combine this with the fact that almost 20% of all tracked projects no longer qualify as maintained.

Ian Garrett: Quishing, or QR code phishing, has seen a dramatic increase in 2023. This method involves encoding malicious links into QR codes, a technique that is proving both effective for attackers and challenging for defense systems. Let’s talk about why it’s on the rise, and what CISOs and security teams are doing about it.

From Sourced Network Productions in New York City, It’s 5:05 on Thursday, November 22nd, 2023. Happy Thanksgiving to those of you in the United States. This is your host, Mark Miller.

Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Marcel Brown in St. Louis, Missouri, Olimpiu Pop in Transylvania, Romania and Ian Garrett from Arlington, Virginia. We’ll start off today’s episode with Edwin Kwan talking about the Australian government’s revised cybersecurity strategy. Let’s get to it.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Australian Government Releases New Cybersecurity Strategy

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

The Australian government has released its revised cybersecurity strategy for its plan to become a world leader in cyber security by 2030.

This is Edwin Kwan from Sydney, Australia.

The strategy states that the Australian government needs to hold itself to the same standard it imposes on industry. It seeks to make Australia a hard target for cyber attacks by undermining cybercrime business models and putting Australian businesses and consumers in a stronger position to prepare and respond effectively.

The strategy recognizes that it’s not just about defending against threats, but also supporting technology adoption and growing the economy and that this is a “whole of nation” effort.

The strategy is built around six shields:

  1. Strong businesses and citizens
  2. Safe technology
  3. World class threat sharing and blocking
  4. Protected critical infrastructure
  5. Sovereign capabilities
  6. Resilient region and global leadership

Work on this is expected to start sometime in the next two years. Over 580 million in new funding has been committed under this strategy. This is on top of the existing 2.3 billion for existing cyber initiatives.

The bulk of the new funding will go towards protecting businesses and citizens through new support programs, public awareness campaigns, ransomware reporting requirements, strengthening critical infrastructure and government assets, and building regional cyber resilience and global leadership.

The cyber coordinator will be responsible for the whole of government coordination and delivery of the strategy.

Resources
– Home Affairs: https://www.homeaffairs.gov.au/cyber-security-subsite/files/2023-cyber-security-strategy.pdf


Olimpiu Pop
Part 2: Software Supply Chain Trends

Olimpiu Pop, Contributing Journalist

There are a couple of numbers from the software supply chain report that are coming back to my mind over and over again.

  • First, around 90 percent of modern software consists of open source.
  • Second, 96 percent of all the downloaded vulnerable open source components had a non-vulnerable version available.

A quarter of a million is the number of supply chain attacks estimated for the current year, twice as many as in the previous four years combined.

We shouldn’t care. We pick a library every now and then. Some of us never had a chance to do so. Or do we? We should care because the effort is ongoing. The choice is continuous. And sometimes the choice is made for us.

Yes, I am talking about the dependency hell and transitive dependencies, and other choices that allow worms to get in the belly of our code.

I knew it was complicated, but now I have numbers that I want to share.

The average Java application uses 148 dependencies, with around 10 releases occurring annually. That means that the developer not only has to make the initial selection of those libraries, but also has to track an average of 1,500 dependency changes throughout the year. I’m certain that other ecosystems have a similar number, maybe even more. Combine this with the fact that almost 20% of all tracked projects no longer qualify as maintained. And you got yourself a bunch of new to-dos for 2024.

I would like to say that this is all, but it’s not. Delve into more details about the topic. On 505updates.com, you can find the transcript and resources.

Olimpiu Pop, reporting from Transylvania, Romania.

Resources
– Sonatype: https://www.sonatype.com/resources/2022-software-supply-chain-report


Ian Garrett
Move Over Phishing, Quishing is the New Scam

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

Quishing, or QR code phishing, has seen a dramatic increase in 2023, reported by various industry sources like Perception Point, Check Point, and AT&T. This method involves encoding malicious links into QR codes, a technique that is proving both effective for attackers and challenging for defense systems. Let’s talk about why it’s on the rise, and what CISOs and security teams are doing about it.

Hey folks, this is Ian Garrett in Arlington, Virginia.

As cybersecurity measures evolve, attackers are constantly seeking new methods to bypass defenses. The convenience and official appearance of QR codes make them an attractive tool for attackers. They are difficult for automated systems to detect and can easily fool users into divulging credentials.

Tackling this threat requires a multifaceted approach. Education is key. Users must be aware that QR codes are not inherently safe. Technologically, systems need to be upgraded to detect and unpack QR codes searching for hidden malicious content.

Quishing often involves cross device interaction, a tactic increasingly employed by attackers. Securing cross device interactions is crucial, especially given that mobile devices may offer a less secure platform. Attackers are using AI to generate convincing quishing attacks. Conversely, AI and image recognition technologies can be vital in detecting such attacks.

AI based detection looks for various signals of malicious presence, providing a broader picture of potential threats. Organizations should run simulated attacks, including QR codes, to assess the responsiveness of their employees, technology, and security teams. This also helps evaluate the effectiveness of breach response protocols.

MFA can mitigate the impact of compromised credentials in a Quishing attack. Interestingly, many Quishing emails mimic MFA verification notices, a tactic that must be considered in both employee education and design of legitimate verification processes.

Quishing represents an evolution in phishing tactics, leveraging the simplicity and ubiquity of QR codes. While initially targeting consumers, it’s increasingly affecting enterprise and government entities. This calls for a heightened focus on education, technological defenses, and continuous testing to combat the rising threat.

Resources
– CSO Online: https://www.csoonline.com/article/1248084/the-alarming-rise-of-quishing-is-a-red-flag-for-cisos.html
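The segment above says defenders need systems that "detect and unpack QR codes searching for hidden malicious content" and notes that many quishing emails mimic MFA verification notices. The following is an added example, not code from the It's 5:05 podcast or the CSO Online article it cites, showing the triage step that sits after the unpacking: it assumes a mail gateway has already rendered attachments and decoded any QR codes into their payload strings (a library such as pyzbar would do that part), and it scores each decoded payload with a few defensive heuristics. The organisation domain `example-corp.com`, the shortener list, the lure-word list, the scoring weights and the sample payloads are all constructed for the example.

```python
"""Heuristic triage of URLs decoded from QR codes found in inbound mail.

Added example (not the podcast's or CSO Online's code). QR decoding is assumed
to have happened upstream; this module only scores the decoded payload strings.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse
import ipaddress

ORG_DOMAIN = "example-corp.com"  # assumption: where the tenant's real SSO/MFA lives
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}  # constructed list
LURE_WORDS = ("mfa", "2fa", "verify", "verification", "authenticator",
              "password", "expire")  # constructed list of MFA/credential lure words
SUSPICIOUS_THRESHOLD = 3  # constructed weight; tune to the tenant's false-positive budget


@dataclass
class Verdict:
    payload: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _on_org_domain(host: str, org: str) -> bool:
    return host == org or host.endswith("." + org)


def _lookalike(host: str, org: str) -> bool:
    """Crude lookalike check: the org's first label appears inside a host that
    is NOT actually under the org domain, e.g. example-corp.com.verify-me.net
    or example-c0rp.com. A production filter would use a proper distance metric."""
    if _on_org_domain(host, org):
        return False
    label = org.split(".")[0]
    return label in host or label.replace("o", "0") in host


def score_payload(payload: str, org_domain: str = ORG_DOMAIN) -> Verdict:
    """Score one decoded QR payload; higher means more likely a quishing lure."""
    v = Verdict(payload)

    def hit(points: int, reason: str) -> None:
        v.score += points
        v.reasons.append(reason)

    u = urlparse(payload.strip())
    if u.scheme not in ("http", "https"):
        # Wi-Fi, vCard and plain-text QR payloads are out of scope for this check
        v.reasons.append("non-http payload")
        return v
    host = (u.hostname or "").lower()

    if u.scheme == "http":
        hit(1, "cleartext http")
    if _host_is_ip(host):
        hit(2, "IP-literal host")
    if host in SHORTENERS:
        hit(2, "URL shortener hides destination")
    if host.startswith("xn--") or ".xn--" in host:
        hit(2, "punycode/IDN host")
    if _lookalike(host, org_domain):
        hit(3, "lookalike of org domain")
    path_and_query = (u.path + "?" + u.query).lower()
    if any(w in path_and_query for w in LURE_WORDS) and not _on_org_domain(host, org_domain):
        hit(2, "MFA/credential lure wording off-domain")
    # open-redirect style parameter that carries another URL as its value
    if any(val.lower().startswith(("http://", "https://"))
           for vals in parse_qs(u.query).values() for val in vals):
        hit(1, "embedded redirect URL in query")
    return v


def triage(payloads: list[str]) -> list[Verdict]:
    return [score_payload(p) for p in payloads]


# Constructed sample payloads, as a gateway might hand them over after decoding.
SAMPLE_PAYLOADS = [
    "https://sso.example-corp.com/mfa/enroll",                       # legitimate, on-domain
    "http://203.0.113.7/mfa/verify?user=jdoe",                        # IP host + lure wording
    "https://bit.ly/3xyzABC",                                         # shortener only
    "https://example-corp.com.account-verification.net/login?next=https://sso.example-corp.com/",
    "WIFI:T:WPA;S:guest;P:not-a-url;;",                               # non-URL QR payload
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_PAYLOADS):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} score={verdict.score} {verdict.payload} {verdict.reasons}")
```

The shortener-only sample scores below the threshold on purpose: a shortened link tells the filter nothing by itself, so the practical fix is to resolve the shortener in a sandbox and rescore the final destination rather than to raise the shortener weight and flag every marketing QR code.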


Marcel Brown
This Day, November 15, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown serving you up some freshly carved technology history for November 23rd. Happy Thanksgiving Day to all of you in the United States.

November 23rd, 1995. Alice, the Artificial Linguistic Internet Computer Entity, also known as AliceBot, or just Alice, is officially released by Richard Wallace. It is one of the earliest examples of a natural language processing chatbot. It appears to engage in conversation with a human by applying some heuristical pattern matching to the human’s input.

While the program is unable to pass the Turing test, it has won the Loebner Prize, awarded to accomplished humanoid talking robots, three times. It also served as the inspiration for Spike Jonze’s movie, “Her”, in which a human falls in love with a chatbot.

November 23rd, 2004. Blizzard Entertainment releases the massively multiplayer online role playing game, World of Warcraft. It quickly became the most popular MMORPG of all time, reaching a peak of 12 million subscribers in 2010, and by 2017 had grossed over $9.23 billion in revenue, making it one of the highest grossing video game franchises of all time.

In the nearly 20 years since its release, World of Warcraft has had 9 major expansion packs, with 3 more expansion packs already planned for the future.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
https://thisdayintechhistory.com/11/23

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505updates.com. 5:05 is a Sourced Network Production with updates available Monday through Friday on your favorite audio streaming platform. See you tomorrow… at 5:05.
