Newsletter

open source and cybersecurity news

December 26, 2023

It's 5:05, December 26, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown: December 25th, 1990. Tim Berners-Lee, a British scientist working at the European Organization for Nuclear Research, otherwise known as CERN, along with his associate, Robert Cailliau, were operating the first web server, info.cern.ch, and first web browser/editor, WorldWideWeb, which were reportedly able to communicate over the internet by this date.

Edwin Kwan: A groundbreaking attack named Terrapin has been uncovered, posing a significant threat to the security of the SSH (Secure Shell) protocol. What sets Terrapin apart is its ability to undermine cryptographic SSH protections that were previously considered to be immune to such attacks.

Hillary Coover: Britain’s National Grid is taking steps to remove components provided by a subsidiary of China-backed Nari Technology from its electricity transmission network due to concerns about cybersecurity.

Olimpiu Pop: In 2023, cybersecurity and supply chain issues evolved significantly. Software supply chain attacks, especially targeting open source software libraries, saw a dramatic increase. The growing reliance on open source software, under the pressure of rapid development cycles, made these libraries prime targets for exploitation.

Ian Garrett: Cyber criminals, in their quest to maximize disruption and ransom demands, are evolving their strategies. A notable example is the ransomware gang known as BlackCat, which recently employed a novel extortion tactic. This incident is the first of its kind, and likely a precursor to future trends in cyber extortion.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Critical Vulnerability Threatens SSH Security

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

A groundbreaking attack named Terrapin has been uncovered, posing a significant threat to the security of the SSH (Secure Shell) protocol.

This is Edwin Kwan from Sydney, Australia.

SSH, developed nearly 30 years ago to counter password sniffing attacks, is widely used to secure connections in organizations and is a foundational element of secure communication on the internet.

Terrapin, devised by researchers from Germany, exploits vulnerabilities in SSH implementations, specifically targeting the integrity of the SSH handshake. To execute Terrapin, attackers need an active man-in-the-middle position, intercepting and manipulating communications between the administrators and the connected network.

What sets Terrapin apart is its ability to undermine cryptographic SSH protections that were previously considered to be immune to such attacks. The attack works by altering or corrupting information during the handshake, which is a crucial phase where encryption parameters are negotiated. It specifically targets two widely supported cipher modes, and those cipher modes are supported by 77 percent of internet-exposed SSH servers.

While the severity of the risk depends on various factors that are unique to each network, Terrapin has demonstrated its ability to impact the negotiation of security-relevant protocol extensions, potentially leading to a compromise of confidentiality and integrity. The attack can impede countermeasures and enable advanced exploitation techniques, emphasizing the need for vigilance and updates in SSH implementations.

Developers of SSH software, including OpenSSH, have responded to the researchers' recommendations, introducing an optional strict key exchange to prevent Terrapin. Organizations and users are advised to check for vulnerabilities, apply patches promptly, and stay informed of the evolving landscape of cryptographic protocols.

The Terrapin revelations challenge the assumption that certain attacks are not possible, and underscore the importance of ongoing practical evaluations to identify and address security flaws in foundational internet protocols like SSH.

Resources
– Ars Technica: https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
– The Register: https://www.theregister.com/2023/12/20/terrapin_attack_ssh/
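The segment above recommends checking servers for exposure without saying what to look for. The following is an added example (written for this page, not code from the podcast or from the Terrapin researchers) of a server-side check that reads the cleartext KEXINIT message an SSH server sends right after the identification string and reports what it advertises. Two facts it relies on are not spelled out in the segment and are stated here as the basis of the check: the strict key exchange countermeasure is signalled by the pseudo-algorithm name `kex-strict-s-v00@openssh.com` in the server's key exchange list, and the two affected modes are `chacha20-poly1305@openssh.com` and any `*-cbc` cipher paired with an `*-etm@openssh.com` MAC. The client identification string `SSH-2.0-terrapin_check_example`, the zeroed cookie in the constructed test messages, and the host and port arguments are assumptions for the example.

```python
"""Terrapin exposure check: parse an SSH server's KEXINIT and report
whether it offers the affected modes without strict key exchange.
Added example; not part of the original newsletter."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # server-side strict kex marker
CHACHA20 = "chacha20-poly1305@openssh.com"

# Order of the ten name-lists in KEXINIT (RFC 4253 section 7.1).
NAME_LIST_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Construct a KEXINIT payload for offline testing (assumed values, zeroed cookie)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += _name_list(names)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Split a KEXINIT payload into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, fields = 17, {}  # skip message byte and 16-byte cookie
    for field in NAME_LIST_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[field] = [n for n in raw.split(",") if n]
    return fields


def assess_terrapin(fields):
    """Report the Terrapin-relevant features a server advertises."""
    enc = set(fields["encryption_algorithms_client_to_server"]) | set(fields["encryption_algorithms_server_to_client"])
    mac = set(fields["mac_algorithms_client_to_server"]) | set(fields["mac_algorithms_server_to_client"])
    result = {
        "strict_kex": STRICT_KEX_SERVER in fields["kex_algorithms"],
        "chacha20_poly1305": CHACHA20 in enc,
        "cbc_etm": any(c.endswith("-cbc") for c in enc) and any(m.endswith("-etm@openssh.com") for m in mac),
    }
    # Server is exposed if it offers an affected mode and lacks the countermeasure.
    # Note: the client must support strict kex too; this check cannot see the client.
    result["vulnerable"] = (result["chacha20_poly1305"] or result["cbc_etm"]) and not result["strict_kex"]
    return result


def wrap_packet(payload, block=8):
    """Frame a payload as an unencrypted binary packet (RFC 4253 section 6); test helper."""
    padding = block - ((len(payload) + 5) % block)
    if padding < 4:
        padding += block
    return struct.pack(">IB", len(payload) + padding + 1, padding) + payload + b"\x00" * padding


def read_packet(stream):
    """Read one unencrypted binary packet from a file-like object and return its payload."""
    header = stream.read(4)
    if len(header) < 4:
        raise ConnectionError("short read on packet length")
    (packet_length,) = struct.unpack(">I", header)
    body = stream.read(packet_length)
    if len(body) < packet_length:
        raise ConnectionError("short read on packet body")
    padding_length = body[0]
    return body[1:packet_length - padding_length]


def probe(host, port=22, timeout=5.0):
    """Connect, send a client identification line only, and assess the server's KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-terrapin_check_example\r\n")
        stream = sock.makefile("rb")
        while True:  # servers may send banner lines before the identification string
            line = stream.readline()
            if not line:
                raise ConnectionError("no server identification string")
            if line.startswith(b"SSH-"):
                break
        payload = read_packet(stream)
        while payload[0] != SSH_MSG_KEXINIT:  # skip e.g. SSH_MSG_IGNORE
            payload = read_packet(stream)
        return line.strip().decode("ascii", "replace"), assess_terrapin(parse_kexinit(payload))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ident, report = probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 22)
    print(ident)
    for key, value in report.items():
        print(f"{key:18s} {value}")
```

Run it as `python terrapin_check.py host [port]`. It only completes the identification exchange and reads the server's first message, so it is safe to point at production hosts, but treat the result as one half of the picture: strict key exchange only takes effect when both the server and the connecting client advertise it, so a server that passes this check can still be attacked by an unpatched client, and a server that fails it is safe only if every client is restricted to unaffected modes such as AES-GCM.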


Olimpiu Pop
2023 in Review: Cybersecurity and the supply chain

Olimpiu Pop, Contributing Journalist

In 2023, cybersecurity and supply chain issues evolved significantly. Software supply chain attacks, especially targeting open source software libraries, saw a dramatic increase, rising by 742 percent over three years. These threats emerged as a major concern due to their potential to impact a wide range of organizations and entire markets.

The growing reliance on open source software, under the pressure of rapid development cycles, made these libraries prime targets for exploitation. The broader cybersecurity landscape also expanded, driven by the increasing connectivity of devices through the Internet of Things. Persistent threats like ransomware and phishing continue to pose significant risks.

Emerging technologies such as quantum computing, 5G networks and edge computing introduced new challenges, including vulnerabilities in encryption and the need for advanced security measures in a more connected and complex ecosystem.

Supply chain breaches also increased, with a 25 percent rise in the average number of incidents reported.

The main challenges included difficulties in understanding and mitigating risks posed by third-party vendors, emphasizing the importance of cybersecurity awareness across all business operations. Even if steps were made towards more resilient systems, we are still far from the point where we can sleep easily at night.

Olimpiu Pop, reported from Transylvania, Romania.

Resources

– Sonatype: https://www.sonatype.com/state-of-the-software-supply-chain/Introduction
– Info Security Magazine: https://www.infosecurity-magazine.com/news/software-supply-chain-attacks-soar/


Hillary Coover
National Grid Removes China-Based Supplier’s Components

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

Britain’s National Grid is taking steps to remove components provided by a subsidiary of China-backed Nari Technology from its electricity transmission network due to concerns about cybersecurity.

Hi, this is Hillary Coover in Washington, DC.

This decision was made in April after seeking advice from the National Cybersecurity Center, a branch of the UK's signals intelligence agency, GCHQ. National Grid has not provided specific reasons for terminating the contracts, but emphasized its commitment to infrastructure security. The components from NR Electric Company-U.K., a Nari subsidiary, play a role in grid control and blackout risk mitigation. The status of these components in the network remains unclear.

NR Electric Company-U.K., GCHQ, and the Chinese Embassy in London have not commented on the matter. The UK's Department for Energy Security and Net Zero has stated that it does not comment on individual business decisions but collaborates with the private sector to safeguard national security.

Resources
– VOA News: https://www.voanews.com/a/britain-national-grid-drops-china-based-supplier-over-cybersecurity-fears/7402133.html


Ian Garrett
Ransomware Evolves to Extortionware Threat

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

Cyber criminals, in their quest to maximize disruption and ransom demands, are evolving their strategies. A notable example is the ransomware gang known as BlackCat, which recently employed a novel extortion tactic. They attempted to weaponize the US Government's new data breach disclosure rules against digital lending provider MeridianLink by filing a complaint with the SEC for non-disclosure of a data breach.

Hey folks, this is Ian Garrett in Arlington, Virginia.

This incident is the first of its kind, and likely a precursor to future trends in cyber extortion. Besides this approach, ransomware actors are increasingly adopting "double extortion" and even "triple extortion" tactics. These involve not only encrypting the victim's data, but also threatening to publish stolen files and extending demands to the victim's associates, as seen in the MOVEit mass-hacks.

Understanding the distinction between ransomware and extortion is crucial. Ransomware traditionally involves compromising computer systems and demanding a ransom for data restoration. Extortion attacks, however, may not involve encryption but directly threaten to expose sensitive data. This difference is significant because the strategies to defend against these attacks vary greatly.

The shift from traditional ransomware to direct extortion raises new challenges for organizations. Protecting the entire data supply chain becomes essential, as any point can be vulnerable to data theft and extortion.

Authorities often discourage paying ransom demands, but the decision isn’t straightforward for affected businesses. While decrypting files might be an option in encrypt-and-extort attacks, there’s no assurance that hackers will delete stolen data in extortion-only attacks, as evidenced by the recent attack on Caesars Entertainment.

Ransomware experts Allan Liska and Brett Callow stress the need for better definition of ransomware. This will enable organizations to prepare and respond more effectively to ransomware attacks, whether occurring within their own network or a third party’s.

Resources
– TechCrunch: https://techcrunch.com/2023/12/18/why-extortion-is-the-new-ransomware-threat/


Marcel Brown
This Day, December 26, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown, bringing you some technology history for December 24th through 26th. December 24, 1994. Seven years after introducing the GIF format, during which it became a de facto standard because of its efficient compression algorithm, CompuServe reaches a licensing agreement with Unisys over the use of the patented LZW method in the GIF specification.

CompuServe was not aware of the patent when it used the LZW technique in 1987 and Unisys was not aware that LZW was used in the GIF format until 1993. By the time the settlement was reached, the use of the GIF format had become widespread on the early World Wide Web. During the announcement of the licensing agreement with CompuServe, Unisys made it known that they expected all commercial services or software that used the GIF format, or the LZW method, to pay licensing fees.

While the arrangement would likely not have affected anyone who used GIF graphics on their websites, the announcement was generally met with outrage. Many people and organizations criticized Unisys for attempting to collect licensing fees on a format that was commonly considered to be freely available.

The most famous condemnation was the Burn All GIFs campaign by the League for Programming Freedom. The uproar over the GIF licensing arrangement led to the development of the patent-free PNG format. The LZW patent expired worldwide during 2003 and 2004, so the GIF file format is now completely free to use.

December 25th, 1990. Merry Christmas, everyone. Tim Berners-Lee, a British scientist working at the European Organization for Nuclear Research, otherwise known as CERN, along with his associate, Robert Cailliau, were operating the first web server, info.cern.ch, and first web browser/editor, WorldWideWeb, which were reportedly able to communicate over the internet by this date.

Running on a pair of NeXT workstations, the exact date that everything was truly functioning for the first time is lost to history, but according to Berners-Lee, it was functional by the time the Christmas holiday came around that year. Interestingly enough, Berners-Lee and his wife were also expecting their first child, due on Christmas Eve.

The baby was not born until New Year's Day, however. Regardless, in essence, Tim Berners-Lee fathered two babies during the 1990 holiday season. December 26th, 1982. Time Magazine awards its Man of the Year award to the personal computer, calling it Machine of the Year, the first non-human to receive the award since its creation in 1927.

Describing the personal computer as 1982's greatest influence for good or evil, the article, titled The Computer Moves In, recognizes that the capabilities of the personal computer can be multiplied almost indefinitely by connecting it to a network of other computers, which can be used to access electronic databases or send electronic mail.

The article stated that 80 percent of Americans expected that, in the fairly near future, home computers would be as commonplace as television sets or dishwashers. The personal computer beat out other candidates such as Ronald Reagan, Margaret Thatcher, and Steve Jobs. Time stated, "There are some occasions, though, when the most significant force in a year's news is not a single individual but a process, and a widespread recognition by a whole society that this process is changing the course of all other processes.

That is why, after weighing the ebb and flow of events around the world, Time has decided that 1982 is the year of the computer." 724,000 personal computers were sold in 1980, and this figure doubled in both 1981 and 1982. Certainly, those who were paying attention at the time recognized that the personal computer was transforming society.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com

Resources
This Day in Tech History: https://thisdayintechhistory.com/12/26
