
open source and cybersecurity news

April 19, 2023

Australians’ Losses Increased, CryptoClippy, Radical Transparency, CyberSecurity Benchmarks

Episode Transcription:

Bob:

Hey, it’s 5:05. Thanks for being here on Wednesday, April 19th, 2023 from the Sourced podcast Network in Camp Hill, Pennsylvania. This is your host, Bob Bannon. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Katy Craig in San Diego, California, Shannon Lietz in San Diego, California, Derek Weeks in Bethesda, Maryland, and Marcel Brown in St. Louis, Missouri. Pokey’s on vacation. I have the controls. Let’s get to it.

[00:00:00] Edwin Kwan:

This is Edwin Kwan from Sydney, Australia.

The Australian Competition and Consumer Commission (ACCC) says Australians lost a record $3.1 billion to scams in 2022. This is an 80% increase over the total losses recorded in the previous year. Investment scams accounted for the most losses at 1.5 billion.

This is followed by remote access scams at 229 million and payment redirection scams at 224 million. This is based off data collected by the ACCC’s ScamWatch, ReportCyber, the Australian Financial Crimes Exchange (AFCX), IDCARE, and various other government agencies.

It was noted that the most significant driver was true data breaches, which had a record year in Australia in 2022. There were hundreds of reports of scammers impersonating government departments and businesses to carry out identity theft and remote access scams in the weeks after a data breach.

[00:01:36] Katy Craig:

Today’s news might make you clip your nails a bit shorter. Unit 42 has discovered a new malware campaign that’s targeting Portuguese speakers and stealing cryptocurrency from unsuspecting users.

This is Katy Craig in San Diego, California.

The malware, aptly named CryptoClippy, uses a sneaky tactic called cryptocurrency clipping to replace the user’s wallet address with the attacker’s address in the victim’s clipboard. This leads to users accidentally sending their hard-earned crypto to the wrong place.

To spread its evil tentacles, the malware uses Google ads and traffic distribution systems to redirect victims to fake WhatsApp web applications that look legit, but are really just a bunch of zeros and ones hiding CryptoClippy.

And who’s at risk, you ask? Well, victims have been found in a range of industries from manufacturing to IT services to real estate. So keep your eyes peeled and your clipboards clean, folks. And remember, always be on the lookout for sneaky cyber criminals trying to get their hands on your cryptocurrency.

This is Katy Craig. Stay safe out there.

[00:02:59] Shannon Lietz:

It’s time to shine a light on radical transparency efforts being made in the community. Google announces new open source transparency tools.

This is Shannon Lietz from San Diego, California.

Last week, Google took a bold step forward by introducing its deps.dev API. According to CISO online, this API aims to provide vulnerability transparency on 5 million open source components. No small feat.

Google also states that more than 50 million open source versions are included. That’s a huge number, right? As part of this announcement, they also snuck in a little other effort that they’ve contributed to the community.

Google released its OSS Assurance Service that aims to provide a Google curated repository for Python and Java developers.

This is an amazing change because curating components isn’t an easy task. This aims to help a software developer when they need it most during their early parts of their creation process and value creation for their customers.

Kudos and hats off to Google and its community contributors.

[00:04:19] Derek Weeks:

Today’s focus is on cybersecurity benchmarks. I’ll start with a simple question of who wins.

Option 1: Your cybersecurity team reduced the time it takes to update known vulnerable software components in production by 50%. It now takes seven days to get updates into production following a zero-day announcement.

Option 2: Nation state threat actors take two days to weaponize proof of concept exploits, following zero-day announcements in these same known vulnerable software components. If you guessed option two, you’re right.

I’m Derek Weeks, reporting from Bethesda, Maryland.

Security Week is just out with an article about the Iranian advanced persistent threat actor named Mint Sandstorm. They previously went by names like Magic Hound, Ajax Security Team, Charming Kitten, and Newscaster. According to the Microsoft researchers featured in the article, the threat actor is quickly adopting proof of concept code for exploiting known vulnerabilities.

Remember the ManageEngine vulnerability and a Java dependency back in January of this year? It allowed for remote code execution without authentication in a third-party dependency, XML security for Java. Mint Sandstorm began exploiting it the same day the proof of concept exploit was available. Horizon3.ai had warned at the time that there were 3000 vulnerable ManageEngine products exposed to the internet.

Now, let’s go back to our benchmarks and apply them to a race.

You are in Lane 1. You’re one of the 3000 organizations with ManageEngine exposed to the internet. It takes you three days to get the known safe version of XML security for Java into production. Mint Sandstorm, the advanced persistent threat actor from Iran is in Lane 2. They are armed with automated exploit code in under 24 hours.

Who wins? Yes, Mint Sandstorm. They’ve been in your environment for 48 hours with remote code execution capabilities.

Want another chance? Mint Sandstorm had automated exploit code available for a YAML deserialization flaw within five days back in early February. It was tied to IBM Aspera Faspex.

Even better than Mint Sandstorm? Threat hunters saw exploit attempts from others within 24 hours of the vulnerability being announced. Those same threat hunters saw indicators of compromise only two days later.

So when it comes to cybersecurity benchmarks, is it more important to measure your success against internal or external metrics?

[00:07:33] Marcel Brown:

This is Marcel Brown, the most trusted name in technology delivering your technology history for April 19th.

April 19th, 1947. The first public demonstration of a prototype Zoomar lens is conducted inside Studio 3H at NBC’s Rockefeller Plaza headquarters in New York City. Invented by Dr. Frank G. Back and promoted by investor, film and television producer Jerry Fairbanks, the Zoomar lens would become the first commercially successful zoom lens.

A version for film cameras would first be used by Paramount later that year to cover the 1947 World Series for newsreel production. The ability to use zoom lenses allowed for less expensive TV productions and also made television sports broadcasts more interesting and feasible.

By the end of the decade, Zoomar lenses were in use in nearly one third of television stations in the United States at the time. As new TV stations were popping up quickly during this era, the fact that by 1957 more than half of the TV stations then in operation owned Zoomar lenses was even more impressive.

April 19th, 1965. Electronics Magazine publishes an article by Gordon Moore, head of Research and Development for Fairchild Semiconductor and future co-founder of Intel, on the future of semiconductor components. In the article, Moore predicts that transistor density on integrated circuits will double every 18 months for at least the next 10 years.

This theory will eventually come to be known as Moore’s Law and has largely held true to this day. There is controversy over whether Moore’s Law is still applicable. However, time will tell just how long Moore’s Law will continue to hold true.

That’s today’s tech history. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.

 

That’s it for today’s Open Source cybersecurity update. The links to all stories and resources mentioned in today’s episode are available at 5:05 updates.com, where you can download the transcripts for easy reading or listen to our ever-growing library of more than 100 episodes. 5:05 is a Sourced Network production with updates available Monday through Friday on your favorite audio streaming platform. Just search for it’s 5:05. Also while you. Please subscribe. Thanks to Edwin Kwan, Katy Craig, Shannon Lietz, Derek Weeks, and Marcel Brown for today’s contributions. The executive producer and editor is Mark Miller. The sound engineer is Bob Bannon. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Bob Bannon. See you again at 5:05.
