Newsletter

open source and cybersecurity news

August 15, 2023

- CYBERSECURITY HEADLINES TODAY -

Popular Open Source Software Breaks Users’ Trust
Goodbye Passwords
Rapid Growth in Attacks Against Identity-based Security
DARPA Wants to Know What Role AI will Play in Cybersecurity

In this Episode:

Edwin Kwan: Popular open source software, Moq, has broken user trust by quietly making changes that collect user email addresses. The popular software has been downloaded over 476 million times.

Katy Craig: Soon passwords could be history. With passwordless tech, logging in will be safer and simple. Say goodbye to forgotten passwords, email phishing campaigns, and hello to a better online world.

Hillary Coover: What role will AI play in cybersecurity? The Defense Advanced Research Projects Agency, DARPA, will award a cumulative $18.5 million in prizes to winning teams and will fund up to seven small businesses with up to $1 million each to compete.

Ian Garrett: A recent report shows a rapid growth of identity-based security threats. Cyber criminals are evolving their tactics, making them harder to detect by gaining legitimate access to target systems.

 

The Stories Behind the Headlines

 

Edwin Kwan: Popular Open Source Software Breaks Users’ Trust

Popular open source software, Moq, has broken user trust by quietly making changes that collect user email addresses. The popular software is distributed on the NuGet Software Registry and has been downloaded over 476 million times.

The change was made in early August and included a dependency called SponsorLink. SponsorLink is closed source and contains obfuscated code, which collects hashes of user email addresses. Those emails are sent to SponsorLink’s servers. The change was introduced in version 4.20.0.

In reaction, developers threatened to discontinue use of Moq in favor of alternatives and are looking at building tools that would detect and block any projects that run SponsorLink. Even AWS, which sponsored the project in the past, has taken steps to distance itself from the project.

The controversial change to Moq has been rolled back in version 4.20.2. However, user trust has already been broken. There remains a possibility of future reintroduction of similar functionality.

Resources
https://www.bleepingcomputer.com/news/security/popular-open-source-project-moq-criticized-for-quietly-collecting-data/
https://www.bleepingcomputer.com/news/security/amazon-aws-distances-itself-from-moq-amid-data-collection-controversy/
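As an added example (not Moq’s, SponsorLink’s or any of the mentioned tools’ code): the kind of check developers were talking about building, run over a project’s own NuGet manifests. It flags the Moq releases the story describes as shipping SponsorLink, 4.20.0 up to but not including the 4.20.2 rollback, and any package whose id contains "sponsorlink" (a heuristic assumed here, not a published list of package ids). The .csproj and packages.lock.json inputs are constructed samples.

```python
import json
import re
import xml.etree.ElementTree as ET

# Moq releases that bundled SponsorLink: introduced in 4.20.0, rolled back in 4.20.2.
MOQ_AFFECTED_MIN = (4, 20, 0)
MOQ_FIXED = (4, 20, 2)
# Assumption: any package id containing "sponsorlink" is treated as the SponsorLink
# dependency; this is a heuristic, not a published list of package ids.
SPONSORLINK_ID = re.compile(r"sponsorlink", re.IGNORECASE)


def parse_version(text):
    """'4.20.1-beta' -> (4, 20, 1); missing components are padded with zeros."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def packages_from_csproj(xml_text):
    """Yield (id, version) for every <PackageReference> in a .csproj, with or
    without the legacy MSBuild XML namespace on the elements."""
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "PackageReference":
            continue
        pkg_id = elem.get("Include") or elem.get("Update")
        version = elem.get("Version")
        if version is None:  # <Version> may also be written as a child element
            child = next((c for c in elem if c.tag.split("}")[-1] == "Version"), None)
            version = child.text if child is not None else None
        if pkg_id and version:
            yield pkg_id, version


def packages_from_lock(json_text):
    """Yield (id, resolved version) from packages.lock.json across all target
    frameworks, direct and transitive entries alike."""
    data = json.loads(json_text)
    for framework_deps in data.get("dependencies", {}).values():
        for pkg_id, info in framework_deps.items():
            if info.get("resolved"):
                yield pkg_id, info["resolved"]


def find_sponsorlink(packages):
    """Return one finding string per offending (id, version) pair."""
    findings = []
    for pkg_id, version in packages:
        if SPONSORLINK_ID.search(pkg_id):
            findings.append(f"{pkg_id} {version}: SponsorLink package present")
        elif pkg_id.lower() == "moq" and MOQ_AFFECTED_MIN <= parse_version(version) < MOQ_FIXED:
            findings.append(f"Moq {version}: release bundles SponsorLink (fixed in 4.20.2)")
    return findings


# Constructed sample manifests, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="4.20.0" />
    <PackageReference Include="xunit" Version="2.5.0" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net7.0": {
            "Moq": {"type": "Direct", "requested": "[4.20.2, )", "resolved": "4.20.2"},
            "Castle.Core": {"type": "Transitive", "resolved": "5.1.1"},
        }
    },
})

if __name__ == "__main__":
    print("csproj:", find_sponsorlink(packages_from_csproj(SAMPLE_CSPROJ)) or "clean")
    print("lock:  ", find_sponsorlink(packages_from_lock(SAMPLE_LOCK)) or "clean")
```

The lock file is the better input because it records transitive packages; a .csproj only shows direct references, so a SponsorLink dependency pulled in by another package would be missed there. Pin the check in CI before `dotnet restore` runs so a flagged manifest fails the build rather than executing the dependency.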

 

Katy Craig: Goodbye Passwords

Let’s talk about passwords. We all know them, but they’re not the safest. They can easily be hacked or stolen. Tech wizards are working on something better: passwordless authentication. This means no more complicated passwords and fewer chances of getting phished.

This is Katy Craig in San Diego, California.

A company called Axiad did a survey about this new way of logging in. They asked over 375 Chief Security Officers; 92% of them worry about their passwords getting stolen. That’s a lot. 82% of them want to use passwordless authentication soon.

You might wonder how this works. There’s a group called the FIDO Alliance. They set the standards for passwordless logins. Their idea is simple: use your phone or some special hardware to prove it’s you. It’s super secure and easy. Even big companies like Apple and Google use it.

Another cool capability is passkeys. These are like magic keys for your online accounts. They work on phones and computers and are quickly rising in popularity, but not every website uses them yet.

There’s more to learn and some challenges to fix, but soon passwords could be history. With passwordless tech, logging in will be safer and simple. Say goodbye to forgotten passwords, email phishing campaigns, and hello to a better online world.

This is Katy Craig. Stay safe out there.

Resources
https://www.axiad.com/newsroom/axiad-and-esg-survey-82-of-respondents-indicate-passwordless-authentication-is-a-top-five-priority/
https://www.csoonline.com/article/649083/10-passwordless-authentication-solutions.html
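Added illustration of the phishing-resistance point in the segment above, written for this page and not code from the FIDO Alliance, Apple, Google or any vendor: a toy WebAuthn-style assertion flow. A real authenticator signs with a per-site asymmetric key pair; here a per-site HMAC-SHA256 secret stands in for that key pair, which is the one simplification. The challenge, the origin-bound client data and the scoping of a credential to a relying party (RP) ID follow the real protocol shape. The origins login.example and login-example.com are made up.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class Authenticator:
    """Phone or security key holding one credential per relying party (RP) ID.
    Toy: each credential is a 32-byte HMAC key instead of an ECDSA key pair."""

    def __init__(self):
        self._credentials = {}  # rp_id -> credential secret

    def make_credential(self, rp_id):
        key = secrets.token_bytes(32)
        self._credentials[rp_id] = key
        return key  # stand-in for the public key the RP stores at registration

    def get_assertion(self, rp_id, client_data_hash):
        key = self._credentials.get(rp_id)
        if key is None:
            return None  # nothing is scoped to this site, so nothing gets signed
        return hmac.new(key, client_data_hash, hashlib.sha256).digest()


def browser_get(authenticator, origin, challenge, rp_id=None):
    """navigator.credentials.get() as the browser performs it: derive the RP ID
    from the page origin, bind origin and challenge into the client data, and
    ask the authenticator to sign its hash."""
    host = urlparse(origin).hostname
    rp_id = rp_id or host
    # WebAuthn scoping rule: the RP ID must be the origin's host or a parent domain.
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    signature = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if signature is None else {"client_data": client_data, "signature": signature}


def rp_verify(stored_key, expected_origin, expected_challenge, assertion):
    """Relying-party check: the signed client data must name this server's origin
    and the challenge it just issued, and the signature must verify."""
    if assertion is None:
        return False
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get" or data.get("origin") != expected_origin:
        return False
    if data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(stored_key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios():
    """Legitimate login, lookalike-domain phishing, forced RP ID, replay, forgery."""
    real_origin, fake_origin = "https://login.example", "https://login-example.com"
    auth = Authenticator()
    stored_key = auth.make_credential("login.example")  # registration with the real site
    challenge = secrets.token_urlsafe(32)

    # 1. Normal login on the real site: the assertion verifies.
    legit = rp_verify(stored_key, real_origin, challenge, browser_get(auth, real_origin, challenge))
    # 2. A phishing page relays the real challenge, but the browser derives RP ID
    #    "login-example.com" and the authenticator has no credential for it.
    phished = browser_get(auth, fake_origin, challenge)
    # 3. The phishing page asks for the real RP ID explicitly; the browser refuses
    #    because "login-example.com" is not within "login.example".
    forced = browser_get(auth, fake_origin, challenge, rp_id="login.example")
    # 4. A captured assertion is replayed against a fresh challenge, then the
    #    challenge inside the client data is rewritten: both fail at the RP.
    captured = browser_get(auth, real_origin, challenge)
    fresh = secrets.token_urlsafe(32)
    replayed = rp_verify(stored_key, real_origin, fresh, captured)
    edited = json.loads(captured["client_data"])
    edited["challenge"] = fresh
    forged = {"client_data": json.dumps(edited, sort_keys=True).encode(),
              "signature": captured["signature"]}
    forgery = rp_verify(stored_key, real_origin, fresh, forged)

    return {"legit": legit, "phished": phished is None, "forced_rp_blocked": forced is None,
            "replay_rejected": not replayed, "forgery_rejected": not forgery}
```

The property the segment relies on falls out of two steps: the browser, not the user, decides which site is asking, so a lookalike domain never reaches the credential registered for the real one; and origin and challenge sit inside the signed client data, so a relayed or replayed assertion fails verification at the relying party. A password has neither property, which is why the same user can be phished with one and not with a passkey.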

 

Hillary Coover: DARPA Wants to Know What Role AI will Play in Cybersecurity

What role will AI play in cybersecurity? The Defense Advanced Research Projects Agency, DARPA, is investing in cybersecurity innovation by sponsoring a two-year competition aimed at fostering AI innovation for cybersecurity tools.

Hi, this is Hillary Coover reporting from Washington, DC.

DARPA has launched the AI Cyber Challenge, also known as AIxCC, a two-year competition aimed at fostering AI innovation for cybersecurity tools.

The announcement was made during Black Hat, highlighting the growing threat landscape due to the expanding attack surfaces created by software, especially in critical infrastructure. DARPA is collaborating with companies like Anthropic, Google, Microsoft, and OpenAI, with guidance from the Open Source Security Foundation, to develop AI-driven systems addressing cybersecurity issues.

The AIxCC competitions will take place at DEF CON and Black Hat, consisting of semifinal and final phases held in 2024 and the following year. DARPA will award a cumulative $18.5 million in prizes to winning teams and will fund up to seven small businesses with up to $1 million each to compete.

For details about the competition, visit AICyberChallenge.com.

Resources
https://www.darpa.mil/news-events/2023-08-09

 

Ian Garrett: Rapid Growth in Attacks Against Identity-based Security

Identity-based security solutions are getting popular, but with it comes an unsurprising issue. A recent report shows a rapid growth of identity-based security threats. Cyber criminals are evolving their tactics, making them harder to detect by gaining legitimate access to target systems.

Hey folks, this is Ian Garrett in Arlington, Virginia.

A recent report from the endpoint security and threat intelligence experts at CrowdStrike sheds light on the alarming reality. According to the report, attackers armed with legitimate identity information are posing the most dangerous cybersecurity threat at the moment.

Interactive intrusions, where attackers actively pursue malicious goals on a victim system, have seen a significant shift towards strategies involving compromised identity information for system access. In the past year, nation-state-backed and organized crime hacking groups have elevated their game with improved phishing techniques and social engineering tactics.

An astonishing revelation from the report is that approximately 80% of attacks now involve identity and compromised credentials.

These credentials can be acquired through traditional means, such as email phishing, or can be purchased on the dark web, opening the door for cybercriminals to exploit their newfound access. Once inside a target system, cyber criminals are employing a range of techniques to achieve their nefarious goals.

The report highlights the rising use of remote monitoring and management software which helps threat actors operate under the radar of security tools. It’s important to ensure users are aware of the new tactics or else they’ll be particularly susceptible when attacks look different from what they’re used to.

Resources
https://www.csoonline.com/article/648894/identity-based-security-threats-are-growing-rapidly-report.html
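Added example, not detection logic from CrowdStrike or the report: one way to surface the remote monitoring and management (RMM) tooling the segment describes, run over process-creation telemetry. The RMM executable list is a short illustrative sample, not an exhaustive catalogue; the events are constructed JSON lines; and the assumption that the organization sanctions exactly one RMM product installed under a fixed directory stands in for an asset inventory. Because a valid login plus a legitimate tool produces no malware alert, the check keys on three things that do stand out: an RMM product the organization never approved, an approved product running from somewhere other than its install directory, and an RMM process spawned by a mail client, browser, Office or script host.

```python
import json

# Illustrative, deliberately short list of RMM executables (basename -> product).
# It is not exhaustive and is not taken from the report.
RMM_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
}
# Assumption: the organization sanctions exactly one RMM product, installed under a
# fixed directory. Anything else, or that product running elsewhere, is a finding.
APPROVED = {"TeamViewer": "c:\\program files (x86)\\teamviewer\\"}
# Parents that should never spawn remote-control software: mail clients, browsers,
# Office and script hosts are where a phished user clicks.
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe",
                       "msedge.exe", "powershell.exe", "wscript.exe"}


def basename(path):
    """Windows path -> lowercase file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(event):
    """Return the reasons this process-creation event is suspicious (empty if none)."""
    image = event["image"]
    product = RMM_TOOLS.get(basename(image))
    if product is None:
        return []
    reasons = []
    approved_dir = APPROVED.get(product)
    if approved_dir is None:
        reasons.append(f"unapproved RMM tool {product}")
    elif not image.lower().startswith(approved_dir):
        reasons.append(f"approved RMM tool {product} running from unexpected path")
    parent = basename(event.get("parent", ""))
    if parent in USER_FACING_PARENTS:
        reasons.append(f"RMM tool launched by user-facing process {parent}")
    return reasons


def scan(lines):
    """Parse JSON-lines process events and return the findings as dicts."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = assess_event(event)
        if reasons:
            findings.append({"host": event["host"], "user": event["user"],
                             "image": event["image"], "reasons": reasons})
    return findings


# Constructed sample telemetry (not real data): process-creation events as JSON lines.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "user": "CORP\\a.lee", "image": "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe", "parent": "C:\\Windows\\System32\\services.exe"}
{"host": "ws-02", "user": "CORP\\j.doe", "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AnyDesk.exe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"host": "ws-03", "user": "CORP\\m.ray", "image": "C:\\Users\\Public\\TeamViewer.exe", "parent": "C:\\Windows\\explorer.exe"}
{"host": "ws-04", "user": "CORP\\svc", "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe"}
{"host": "ws-05", "user": "CORP\\k.ito", "image": "C:\\ProgramData\\ScreenConnect Client (4f2a)\\ScreenConnect.ClientService.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], finding["image"], "->", "; ".join(finding["reasons"]))
```

The sanctioned TeamViewer instance on ws-01 produces nothing, which is the point: a rule that alerts on every RMM process drowns in the organization’s own tooling and gets disabled. The three events that do fire are the ones an attacker with valid credentials actually generates, a tool nobody approved dropped in a temp directory by a mail client, a known binary running from a user-writable location, and a script host installing a remote-control client.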

 
