open source and cybersecurity news

December 18, 2023

It's 5:05, December 18, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown: December 17th, 1903. Orville and Wilbur Wright make their famous first controlled and sustained flights with a heavier-than-air, powered aircraft. Orville made the very first flight, which lasted about 12 seconds.

Edwin Kwan: It’s been almost three years since the critical Log4j vulnerability was disclosed. Despite patches being available shortly after vulnerability disclosure, many organizations persistently use vulnerable versions. There are still approximately 38% of applications using vulnerable versions of the Apache Log4j library.

Katy Craig: A marketing company, CMG Local Solutions, recently claimed it could access people’s private conversations through their device microphones for targeted advertising. This claim raises some serious red flags.

Hillary Coover: China raised concerns about the potential compromise of sensitive data, particularly in crucial sectors like the military, due to the use of foreign geographic information software. The Ministry of State Security has urged security departments to conduct thorough investigations to prevent further breaches.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
38% of Apps Still Exposed to Log4J Vulnerability

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

It’s been almost three years since the critical Log4j vulnerability was disclosed, and there are still approximately 38% of applications using vulnerable versions of the Apache Log4j library.

This is Edwin Kwan from Sydney, Australia.

Despite patches being available shortly after vulnerability disclosure, many organizations persistently use vulnerable versions. Log4Shell, an unauthenticated remote code execution flaw, allows complete control over systems. A study, analyzing data from 3,866 organizations and 38,278 applications, found that 38% are still using insecure versions of Log4j. Furthermore, over 25% of Log4j downloads in the last 7 days were for the vulnerable versions.

The study also found that 78% of developers are reluctant to update third-party libraries after the apps have been released for fear of breaking functionality. Organizations need to have a Software Bill of Materials (SBOM) to understand their exposure, and a vulnerability management plan to address critical vulnerabilities within their applications.

Resources
– Sonatype: https://www.sonatype.com/resources/log4j-vulnerability-resource-center
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-apps-use-a-vulnerable-version-of-the-library/
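The segment above says an SBOM is how an organization learns its exposure. The following is an added example, not code from the podcast or from Sonatype or Bleeping Computer: a small Python scanner that reads a CycloneDX-style JSON SBOM and lists Log4j components that fall under a stated upgrade policy. The SBOM contents are constructed for the example, and the two version thresholds are policy assumptions written into the code (2.0-beta9 as the first log4j-core release affected by Log4Shell, 2.17.1 as the floor that also covers the follow-on Log4j 2 fixes); adjust them to your own advisory tracking.

```python
import json

# Constructed sample SBOM in CycloneDX JSON layout; the components and
# versions are invented for this example, not taken from any real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "log4j",
         "name": "log4j", "version": "1.2.17"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2"},
    ],
})

# Policy thresholds (assumptions for this example): 2.0-beta9 is the first
# log4j-core release affected by Log4Shell, and 2.17.1 is used here as the
# floor that also covers the follow-on Log4j 2 CVEs.
FIRST_AFFECTED = "2.0-beta9"
FIXED_FLOOR = "2.17.1"


def version_key(version):
    """Turn a Maven-style version such as '2.0-beta9' or '2.17.1' into a
    tuple that sorts correctly: numeric parts first, and a pre-release
    suffix ranks below the plain release with the same numbers."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def assess_log4j(component):
    """Return a finding string for a Log4j component that needs action,
    or None when the component is not Log4j or is at/above the floor."""
    group = component.get("group", "")
    name = component.get("name", "")
    version = component.get("version", "")
    if group == "log4j" and name == "log4j":
        return f"log4j {version} is the end-of-life 1.x line; migrate"
    # The JNDI lookup code lives in log4j-core; log4j-api alone is not
    # the exploitable artifact, so only log4j-core is version-checked.
    if group != "org.apache.logging.log4j" or name != "log4j-core":
        return None
    key = version_key(version)
    if version_key(FIRST_AFFECTED) <= key < version_key(FIXED_FLOOR):
        return f"log4j-core {version} is below {FIXED_FLOOR}; upgrade"
    return None


def scan_sbom(sbom_json):
    """Parse a CycloneDX JSON document and list the Log4j components
    that fall under the policy above."""
    bom = json.loads(sbom_json)
    findings = []
    for component in bom.get("components", []):
        reason = assess_log4j(component)
        if reason:
            findings.append({
                "name": component.get("name"),
                "version": component.get("version"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_sbom(SAMPLE_SBOM):
        print(f"{finding['name']} {finding['version']}: {finding['reason']}")
```

Run against the constructed SBOM, the scan reports the 2.14.1 `log4j-core` and the 1.2.17 `log4j` entries and stays quiet about `log4j-api` and the 2.17.1 core, which is the point of keying the check on the artifact that actually carries the lookup code rather than on anything with "log4j" in its name.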


Katy Craig
Is My Phone Spying on Me?

Katy Craig, Contributing Journalist, It's 5:05 Podcast

A marketing company, CMG Local Solutions, recently claimed it could access people’s private conversations through their device microphones for targeted advertising.

This is Katy Craig in San Diego, California.

Let’s break down what CMG said about their “Active Listening” technique. They stated that they use AI to detect keywords in conversations, creating anonymized audience lists based on these keywords and buyer personas. CMG mentioned leveraging third-party vendor products, which draw data from social media and other applications.

However, this claim raises some serious red flags. First, CMG’s assertions were seen as exaggerated and vague. They didn’t clarify how they gained access to individuals’ devices without consent, or address the legal and ethical concerns of such technology.

After sparking widespread panic and confusion, CMG backtracked. They clarified that they don’t actually listen to conversations, or have access to any direct data from devices. Instead, they rely on third-party aggregated, anonymized, and fully encrypted datasets. CMG expressed regret over any confusion caused.

This story highlights the growing concerns over digital privacy and the fine line between innovative marketing techniques and invasive surveillance. It’s a reminder to stay aware of the potential privacy risks in our increasingly connected world. As consumers, we must be vigilant about the permissions we grant and the data we share.

This is Katy Craig, stay safe out there.

Resources
– Ars Technica: https://arstechnica.com/gadgets/2023/12/no-a-marketing-firm-isnt-tapping-your-device-to-hear-private-conversations/
– 404 Media: https://www.404media.co/cmg-cox-media-actually-listening-to-phones-smartspeakers-for-ads-marketing/
– Metro UK: https://metro.co.uk/2023/12/15/yes-right-smartphone-really-listening-19980334/


Hillary Coover
Foreign Geographic Software Poses National Security Threats

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

China raised concerns about the potential compromise of sensitive data, particularly in crucial sectors like the military, due to the use of foreign geographic information software. The Ministry of State Security has urged security departments to conduct thorough investigations to prevent further breaches.

Hi, this is Hillary Coover in Washington DC.

The government’s WeChat public account disclosed the findings, emphasizing the serious threat posed to China’s national security by overseas geographic information system software. The article did not specify the entities responsible for the data access or identify Chinese firms affected.

According to the government, culprits are exploiting software to collect user data without constraints, incorporating pre-built backdoors for cyberattacks and data theft. The theft of high-precision geographic information data raises concerns about potential threats to transportation, energy, military, and other critical fields.

The government has called for the prompt elimination of any identified threats and the establishment of collaborative plans among security agencies to protect national data.

Resources
– Reuters: https://www.reuters.com/technology/cybersecurity/china-warns-geographic-info-data-breaches-affecting-transport-military-2023-12-13/


Marcel Brown
This Day, December 18, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown delivering some technology history for December 17th and 18th.

December 17th, 1903. Orville and Wilbur Wright make their famous first controlled and sustained flights with a heavier-than-air, powered aircraft. Orville made the very first flight, which lasted about 12 seconds. Three more flights were made that day by both brothers, with the most successful being the fourth and final flight, in which Wilbur flew for 59 seconds. The work done by the Wright brothers helped spawn the aviation industry.

December 18th, 1987. Larry Wall releases version 1.0 of Perl, a general-purpose programming language very commonly used as a Unix scripting language. Perl became very popular on the early World Wide Web, commonly being used to program CGI scripts for web applications. Perl’s flexibility and adaptability continue to make it a widely used programming language to this day.

December 18th, 1998. The Warner Bros. motion picture, “You’ve Got Mail,” starring Tom Hanks and Meg Ryan, is released to theaters. While mostly known as a romantic comedy, the film was chock full of technology symbolism. Primarily, I find it interesting that the movie’s themes of business and technology were foreshadowing larger changes to come.

Starting with the obvious, the film’s title was the popular notification sound used by AOL for incoming email. This showed just how quickly the internet had become mainstream, with email and online dating starting to gain traction in the general population. At the time, AOL was the face of the internet to those just getting their feet wet. However, it also foreshadowed one of the biggest technology deals in history. Just a little over a year later, AOL would buy Warner Bros.’ parent company, Time Warner, forming one of the largest media companies in history. However, the dot-com bubble burst and the merged companies never quite meshed. AOL was spun off in 2009, having lost its status in a more tech-evolved society.

Additionally, the main characters’ choice of technology was telling. Tom Hanks’ character, the corporate businessman, used a Windows-based PC, an IBM no less, while Meg Ryan’s character, the small bookshop owner, used a Macintosh PowerBook. The common thinking at the time was that Windows PCs were for business, and Macintosh computers were for creative people. Of course, this was just a few years before the iPod was introduced and Apple re-revolutionized the technology industry in the 2000s. Apple is now the consumer face of technology, whereas Windows’ heyday is now considered past, even among many business professionals.

The book industry was highlighted, with the movie’s subplot exploring the struggle of small business against the expansion of large corporate chains. Yet, in the span of about a decade after the movie was released, large corporate bookstores were on the defensive against upstart companies doing business on the internet. For context, in 1998, after just 3 years in business, Amazon.com had yet to turn a profit, yet today, Borders is out of business. The rise of social media now gives small companies the ability to effectively market themselves directly to their customer base, giving them a way to compete with large corporations. All this, in a relatively short time after a movie helped publicize a computer network.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
– This Day in Tech History: https://thisdayintechhistory.com/12/18
