open source and cybersecurity news

April 5th, 2024

In this Episode:

It’s April 5th, 2024, and time for your weekly cybersecurity and open-source news updates. We have news updates from Trac Bannon in Camp Hill, Pennsylvania, Julie Chatman in Washington, DC, Katy Craig in San Diego, California, Edwin Kwan in Sydney, Australia, and Olimpiu Pop in Transylvania, Romania. We’ll start with Julie Chatman.

Julie Chatman
GitHub Supply Chain Attack

Julie Chatman, Contributing Journalist, It's 5:05

This is Julie Chatman in Washington, DC. Today, we rely on digital tools for everything from banking, shopping, and communicating with family and friends, to healthcare, work, and entertainment. These digital tools are built by software, so the safety and reliability of software is critical.

GitHub is a platform that about 100 million software developers use to support the work they do to build those digital tools, which means the recent cyber attack against GitHub is noteworthy.

This attack was clever. Imagine GitHub as a busy marketplace where developers share and collaborate on software recipes. Cyber criminals infiltrated this marketplace, posing as legitimate contributors. They tampered with the recipes by adding harmful ingredients, which enabled them to steal information from anyone who used the software recipe.

If you encounter this story in the news, you will see terms like “supply chain attack,” “malicious code,” and “typosquatting.” Think of “supply chain attack” as sneaking a bad apple into a batch of good ones, and “malicious code” as adding hidden traps to the software. Finally, typosquatting is setting up a fake shop with a sign similar to a trusted or known shop to trick customers into entering that shop.

Have you seen the movie “Coming to America” with Eddie Murphy? Eddie’s character had a love interest named Lisa. Her father ran McDowell’s, which was a McDonald’s knockoff. That’s the concept with typosquatting. Online, this would look like adjusting a web address in a very subtle way to create a website name that’s very similar to a popular one, hoping that users will accidentally visit the bad website when they make a typo in the web address.

This attack wasn’t just a one-off event. It targeted a tool called Colorama. Colorama is used by millions of developers and programmers to support their work. The end goal was to steal sensitive information, things like passwords, personal messages, or cryptocurrency wallets from unsuspecting software developers and users.

Thanks to the quick actions of some vigilant community members, the immediate threat was neutralized. However, this is a great reminder of the ongoing battle between cybersecurity professionals and cyber criminals. For the creators of digital tools, it’s a wake-up call to double down on security measures. For users, it’s a reminder to be cautious about the software that we trust.

Let’s keep sharing knowledge and staying alert so we can all stay safe out there.

Edwin Kwan
A new type of phone scam

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Attention smartphone users! A new type of phone scam is on the rise, and it exploits the latest technology, eSIMs. eSIMs are digital SIM cards embedded in your phone, eliminating the need for a physical card. While convenient, they’ve opened a door for cyber criminals.

Hackers are now targeting eSIMs to steal phone numbers. They hack into your mobile account, likely using stolen passwords, and initiate a port request to transfer your number to a new eSIM in their device. This can be done by generating a QR code through your compromised account. Once they have your number, they can access your online accounts, especially those using SMS two-factor authentication, like banks and messaging apps.

This can lead to financial losses and even further scams where they impersonate you to trick others. Experts warn that these attacks are becoming more common, with hundreds of attempts reported recently.

So, how can you protect yourself? Use strong and unique passwords for your mobile carrier account. Enable two-factor authentication if available, especially for sensitive accounts like banking. And lastly, consider using physical security keys or authenticator apps for extra protection on crucial accounts.

By staying vigilant and taking these precautions, you can help prevent your phone number from becoming the key to a criminal scheme.

Remember, if something seems suspicious about your phone account, contact your carrier immediately.

Hillary Coover
Google’s Incognito Settlement

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

Google has agreed to a significant settlement in response to a class action lawsuit filed in 2020, which accused the tech giant of misleading users about the privacy of its “Incognito” browsing mode in Chrome. The lawsuit argued that despite users believing their web activities were private while using Incognito mode, Google was, in fact, tracking their web browsing history. Under the terms of the settlement, Google will destroy billions of data points that it improperly collected over the last 16 years. And it’ll update its disclosures about data collection in private browsing mode. Additionally, it’ll offer users the option to disable third-party cookies in Incognito mode.

This is Hillary Coover reporting from Washington, DC.

This legal action highlighted a widespread misconception among users, fueled by Google’s marketing, that Incognito mode offers more privacy than it actually does. In fact, in a podcast I recorded last November, I discussed this very issue, explaining that Incognito mode doesn’t provide the level of privacy many users think it does. Instead of making substantial claims about how private browsing functions, Google is now adding disclaimers to clarify that Incognito mode is not as private as its branding suggests.

This move, while a step toward transparency, does not address the core of the misleading perception. The settlement does not provide for damages to individual users directly, but allows for claims to be filed, with 50 claims already submitted in California state court. The lawsuit and settlement mark a significant moment, emphasizing the need for honesty and accountability from technology companies, especially those with as much influence as Google. This case also comes at a time when Google is facing various legal challenges related to its dominance in the search and advertising markets, further scrutinizing its practices and impact on user privacy.

Thanks for listening to Point of View Friday. If you like what you heard, please subscribe to “It’s 5:05” on your favorite podcast platform. “It’s 5:05” is a Sourced Network Production based in New York City. This is your host, Hillary Coover. Have a great weekend.