Newsletter

open source and cybersecurity news

December 27, 2023

It's 5:05, December 27, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Marcel Brown:  December 27th, 1968. Apollo 8 splashes down in the Pacific Ocean, ending the first manned orbit of the moon. When the spacecraft hit the water, the parachutes dragged it over and left it upside down. Because they were being buffeted by 10 foot swells, astronaut Frank Borman actually got sick and vomited. Welcome back to Earth, Frank.

Edwin Kwan: A critical remote code execution vulnerability in the Apache Struts 2 framework is reportedly being ignored by developers, leaving approximately 80 percent of recent Struts downloads exposed to the flaw. The severity of the vulnerability, rated as 9.8 out of 10 in CVSS, arises from a logic bug in the File Upload feature.

Hillary Coover: Quantum computers operate on subatomic particle properties, enabling them to perform complex calculations and process information at unparalleled speeds compared to today’s computers. However, a current challenge is the instability of qubits, the key processing units in quantum computers, which limits their ability to decrypt substantial amounts of data.

Olimpiu Pop:  In 2023, the European Union made significant strides in AI legislation with the introduction of the EU AI Act. This groundbreaking legislation, agreed upon on December 9, 2023, is the world’s first dedicated law on AI and sets a global precedent.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Developers Ignore Critical Flaw in Apache Struts 2 Framework

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

A critical remote code execution vulnerability in the Apache Struts 2 framework is reportedly being ignored by developers, leaving approximately 80 percent of recent Struts downloads exposed to the flaw.

This is Edwin Kwan from Sydney, Australia.

The severity of the vulnerability, rated as 9.8 out of 10 in CVSS, arises from a logic bug in the File Upload feature. When exploited, attackers can save unauthorized documents on a remote server, potentially leading to data theft, malware infections, or network intrusions.

Despite a simple fix available through updated versions of Struts, the majority of downloads between December 7th and December 18th were still for vulnerable versions. The slow adoption of secure releases contrasts with the fast response to the Log4j flaw in 2021. Security researchers have attributed this lag to developers failing to address the critical vulnerability promptly. While experts believe the risk of exploitation is lower compared to previous Struts vulnerabilities, they emphasize the importance of upgrading to the latest version to mitigate potential threats.

Researchers note that successful exploitation often requires specific preconditions, making widespread attacks less likely. However, the ease of automating attacks on vulnerable endpoints and the challenge in scanning for these endpoints heighten the importance of swift action in addressing the Struts 2 vulnerability.

The situation underscores the need for vigilant maintenance of open source software, and emphasizes the importance of having a software bill of materials and doing regular scans for vulnerabilities like Struts 2 Core.

Resources
– The Register: https://www.theregister.com/2023/12/21/apache_struts_vulnerable_downloads/


Olimpiu Pop
2023 in Review: AI Legislation

Olimpiu Pop, Contributing Journalist

In 2023, the European Union made significant strides in AI legislation with the introduction of the EU AI Act. This groundbreaking legislation, agreed upon on December 9, 2023, is the world’s first dedicated law on AI and sets a global precedent.

The EU AI Act is designed to ensure the safety, legality, trustworthiness and respect for fundamental rights in AI systems. It categorizes AI applications based on risk levels, such as unacceptable, high, and low, with strict compliance requirements for high risk sectors like healthcare and transport. This wide applicability means that any data driven system deployed in the EU must comply, affecting a broad range of sectors.

There will be a two year grace period for compliance starting from when the final form of the law is available. It will be a really interesting period to observe as on one side we have Italy, which banned ChatGPT initially, and on the other pole we have France, which introduced legislation and systems to allow surveillance of individuals during 2023 and 2024 sports events.

Other countries, including the US and the UK, are also developing their AI frameworks, emphasizing standards for AI security, reliability, ethical considerations, and data privacy. The US, through the National Institute of Standards and Technology, is focusing on creating standards that enhance AI security and reliability. The UK is working on frameworks addressing data privacy, AI ethics, and accountability.

Additionally, the ISO/IEC 42001:2023 standard, published in December 2023, provides guidelines for establishing and maintaining an artificial intelligence management system within organizations, ensuring responsible development and use of AI systems.

Olimpiu Pop reported from Transylvania, Romania.

Resources
– Technology Review: https://www.technologyreview.com/2023/12/11/1084942/five-things-you-need-to-know-about-the-eus-new-ai-act/


Hillary Coover
The Quantum Computing Revolution and Global Security

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

Prepare for ‘Q-Day,’ a global cybersecurity event with the potential to expose our most sensitive information.

Hi, this is Hillary Coover in Washington, DC.

The arrival of Q-Day will revolutionize how we perceive digital privacy, placing confidential information at risk. The timeline for this event is a subject of debate among cybersecurity experts. Some anticipate it occurring around mid-century, while others believe it could happen much sooner, possibly by 2025, as suggested by Tilo Kunz, the Executive Vice President of Quantum Defen5e, a Canadian cybersecurity firm.

Quantum computers operate on subatomic particle properties, enabling them to perform complex calculations and process information at unparalleled speeds compared to today’s computers. However, a current challenge is the instability of qubits, the key processing units in quantum computers, which limits their ability to decrypt substantial amounts of data.

Major global powers like the United States and China are heavily investing in quantum research to prepare for Q-Day. North America, led by companies like IBM, Amazon, Intel, and Google, is at the forefront of quantum computing development. In 2022, the United States allocated $1.8 billion to quantum research. Canada is also making significant investments, exceeding $15 billion in quantum computing, making it the world’s leading investor in this field, as per McKinsey Company.

The race to quantum supremacy carries far-reaching implications for global security, with uncertainty surrounding which country will achieve it first.

Resources
– Business Insider: https://www.businessinsider.com/q-day-2025-cybersecurity-quantum-computing-data-security-privacy-china-2023-12


Marcel Brown
This Day, December 27, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some tech history for December 27th.

December 27th, 1968. Apollo 8 splashes down in the Pacific Ocean, ending the first manned orbit of the moon. When the spacecraft hit the water, the parachutes dragged it over and left it upside down. It took six minutes for the spacecraft’s inflatable bag uprighting system to turn the capsule upright.

In that time, because they were being buffeted by 10 foot swells, astronaut Frank Borman actually got sick and vomited. Welcome back to Earth, Frank. Maybe the fact that the Apollo 8 crew was chosen as Men of the Year by Time Magazine made him feel better.

December 27th, 1999. Amazon founder Jeff Bezos is named Person of the Year by Time Magazine. It took another two full years before Amazon turned a profit.

That’s your technology history for today. For more, tune in tomorrow and visit my website, thisdayintechhistory.com.

Resources
– This Day in Tech History: https://thisdayintechhistory.com/12/27
