Newsletter

open source and cybersecurity news

November 28, 2023

It's 5:05, November 28, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown: November 28, 1948. Just in time for the Christmas shopping season, 57 units of the first commercial instant camera, the Polaroid Land Camera Model 95, go on sale at the Jordan Marsh Department Store in Boston. Polaroid believed that 57 units would be enough to last through Christmas.

Edwin Kwan: Open Source Blender Project is being targeted by Distributed Denial of Service attacks resulting in site outages. The attacks have severely disrupted operations, making it difficult to process legitimate connection requests. Despite continuous efforts by the administrators, attempts to block attackers’ IP ranges were unsuccessful.

Katy Craig: In a landmark collaboration, the United States and the United Kingdom have jointly issued comprehensive guidelines to strengthen the security and integrity of artificial intelligence, or AI, systems. This crucial document is directed at AI system providers, including those using both in-house and external models and APIs.

Ian Garrett: Microsoft has announced the deprecation of Defender Application Guard for Office and the Windows Security Isolation APIs. These tools were integral in securing Microsoft 365 apps by creating a secure sandbox for files from untrusted sources. Microsoft’s decision to deprecate Defender Application Guard for Office has significant implications for organizations and IT professionals.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Open Source 3D Design Suite Targeted by DDoS

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Open Source Blender Project is being targeted by Distributed Denial of Service attacks resulting in site outages.

This is Edwin Kwan from Sydney, Australia.

Blender is a popular 3D design suite and is used for creating animated films, video games, motion graphics, and visual effects. The project team confirmed that its site outages are a result of ongoing Distributed Denial of Service attacks. The attacks have severely disrupted operations, making it difficult to process legitimate connection requests. Despite continuous efforts by the administrators, attempts to block attackers’ IP ranges were unsuccessful.

After four days of persistent problems, the team moved the main website to Cloudflare to mitigate the impact of the attacks. However, the attacks, totaling over 240 million bogus requests, are still ongoing. Blender warns users of potential challenges in accessing their services, including solving bot-filtering challenges, and certain sites like “blender.org” remain inaccessible.

The motives and actors behind the attacks are unknown. Users are cautioned against downloading Blender from third-party sites, as it may lead to malware infections. If you are unable to download Blender from the official site due to the outages, alternative sources for Blender installation include Steam, GitHub, and the Microsoft App Store for Windows users.

Resources
– Blender: https://www.blender.org/news/cyberattack-november-2023/
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/open-source-blender-project-battling-ddos-attacks-since-saturday/

 

Katy Craig
US and UK: Joint Guidelines for AI System Security

In a landmark collaboration, the United States and the United Kingdom have jointly issued comprehensive guidelines to strengthen the security and integrity of artificial intelligence, or AI, systems.

This is Katy Craig in San Diego, California.

This crucial document is directed at AI system providers, including those using both in-house and external models and APIs. It serves as a vital guide for all AI stakeholders from developers and data scientists to executives and decision makers, emphasizing the importance of secure AI system lifecycle management.

The guidelines underscore a fundamental truth: the societal benefits of AI are inseparable from its secure and responsible deployment. Given AI’s unique vulnerabilities, these guidelines stress that security must be a central consideration throughout the AI system’s entire life cycle, not just during the development phase.

The guidance is meticulously organized into four key stages.

1) Secure Design. Focusing on risk assessment and threat modeling, this stage addresses critical considerations in system and model design.

2) Secure Development. This section emphasizes supply chain security, thorough documentation, and effective management of assets and technical debt.

3) Secure Deployment. Covering the protection of infrastructure and AI models, it also includes developing robust incident management processes and responsible system release protocols.

4) Secure Operation and Maintenance. Important for the post-deployment phase, this section includes guidelines on system logging, monitoring, update management, and information sharing.

Adhering to a “secure-by-default” approach, these guidelines align with established frameworks from international agencies such as the NCSC, NIST, and CISA. The document prioritizes customer security outcomes, radical transparency, accountability, and the integration of security as a top business priority.

This is Katy Craig, stay safe out there.

Resources
– CISA: https://www.cisa.gov/news-events/news/dhs-cisa-and-uk-ncsc-release-joint-guidelines-secure-ai-system-development
– NCSC: https://www.ncsc.gov.uk/files/Guidelines-for-secure-AI-system-development.pdf

 

Ian Garrett
Deprecation of Defender Application Guard for MS Office

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

You may have heard when Microsoft deprecated MSPaint five years ago, but what you may not know is that deprecation is a familiar move for the company. Recently, more Microsoft internal cybersecurity tools have been deprecated in favor of newer solutions, and Defender Application Guard for Office is no exception.

Hey folks, this is Ian Garrett in Arlington, Virginia.

Microsoft has announced the deprecation of Defender Application Guard for Office and the Windows Security Isolation APIs. These tools were integral in securing Microsoft 365 apps like Word, Excel, or PowerPoint for Windows 10 and 11 Enterprise editions by creating a secure sandbox for files from untrusted sources. However, Microsoft now recommends transitioning to Defender for Endpoint Attack Surface Reduction Rules, Protected View, and Windows Defender Application Control as alternatives.

The initial rollout of Application Guard for Office to Microsoft 365 customers occurred two years ago, following its limited preview launch in November 2019. It was available only to organizations with Microsoft 365 E5 or Microsoft 365 E5 security licenses.

Microsoft’s decision to deprecate Defender Application Guard for Office has significant implications for organizations and IT professionals. This move necessitates a shift in cybersecurity strategies for enterprises relying on Microsoft 365 apps. Businesses must now adopt new security measures recommended by Microsoft, such as Defender for Endpoint, which offers advanced protection against a variety of cyber threats, or seek protection for these cyber assets from other cybersecurity vendors. This change emphasizes the evolving nature of digital threats and the need for organizations to stay agile in their cybersecurity approaches.

The decision to deprecate these tools follows a long string of other Microsoft tools, cybersecurity-related or not, that have been replaced over the years.

Resources
– Bleeping Computer: https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-defender-application-guard-for-office/

 

Marcel Brown
This Day, November 28, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some technology history for November 28th.

November 28, 1948. Just in time for the Christmas shopping season, 57 units of the first commercial instant camera, the Polaroid Land Camera Model 95, go on sale at the Jordan Marsh Department Store in Boston. Producing sepia tone photographs in about one minute, the Model 95 became a hit almost as quickly. Polaroid believed that 57 units would be enough to last through Christmas. All 57 units and all the film were sold on the first day.

It was simple to use, portable, and the instant gratification that came from the self-developing film made the camera very popular. The name “Land” came from the camera’s inventor, Edwin H. Land, who was also the company’s founder. Nearly 1 million Model 95s were produced, setting the stage for Polaroid’s flagship product line, making the company’s name synonymous with instant film and the cameras that used them.

True black and white instant film was released in 1950, but Polaroid didn’t create color film until 1963. Polaroid produced their instant film cameras until approximately 2008. However, due to the popularity of the Polaroid cameras and film, independent efforts at creating compatible films continued, and now it is once again possible to buy commercially produced Polaroid cameras and film.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
https://thisdayintechhistory.com/11/28
