Newsletter

open source and cybersecurity news

August 18, 2023

- CYBERSECURITY HEADLINES TODAY -

LinkedIn Account Takeover Campaign
Amazon's palm-scanning tech: A universe of possibilities?

POINT OF VIEW FRIDAY: THE CRA
CRA: Save Open Source!
CRA Impacts on Open Source
CRA: Why You Should Care

In this Episode:

Marcel Brown: August 19th, 2004. Google holds its Initial Public Offering, selling over 22 million shares at a starting price of $85. Google shares closed that day at $100.34, and the IPO created many instant millionaires and a few billionaires.

Edwin Kwan: Security research company Cyberint has observed an ongoing and successful hacking campaign targeting LinkedIn accounts. This has resulted in victims being pressured into paying to regain control of their account or facing permanent deletion.

Hillary Coover: Can Amazon’s palm scanning tech unlock an entire universe of identity possibilities? By the end of this year, Amazon’s biometric technology, known as Amazon One, will enable you to scan your palm at over 500 locations for payments and access.

Trac Bannon: The concept of crowdsourcing software development seems solid and altruistic at the surface. When open source is leveraged by for-profit corporations and commercial entities, who bears the burden for cyber resiliency?

Katy Craig: The European Union is currently advancing the Cyber Resilience Act (CRA). As the Act advances, it’s critical for the open source community to engage with policymakers to strike a balance between security measures and the principles that underpin open source collaboration.

Olimpiu Pop: Open source software is today’s boiler waiting to explode. Why do we care? Because we understand that open source is so much more than some library for geeks to play with in their free time. Because we understand that modern society relies on it, and most advancements are partly due to open source.

 

The Stories Behind the Headlines

 

Edwin Kwan
LinkedIn Account Takeover Campaign

There is currently an ongoing campaign by hackers to take over LinkedIn accounts. This has resulted in victims being pressured into paying to regain control of their account or facing permanent deletion.

This is Edwin Kwan from Sydney Australia.

Security research company Cyberint has observed an ongoing and successful hacking campaign targeting LinkedIn accounts. They all follow a consistent attack approach of using leaked credentials or brute-forcing attempts to gain access to those LinkedIn accounts. Should they be successful, they would change the associated email address to be one from the Rambler.ru service. They would also change the account password and enable two-factor authentication after hijacking the account. This makes the recovery process even more difficult. The attackers would demand a ransom for returning the account or would sometimes outright delete the accounts without making any demands.

For accounts that are protected by strong passwords and/or two-factor authentication, the multiple takeover attempts would result in a temporary lock imposed by LinkedIn on those accounts. The owners will be prompted to verify ownership by providing additional information before they are allowed to sign back in.

Resources
https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/
https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/
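As an added defender-side illustration (not from Cyberint, LinkedIn or the original report), the following Python detector looks for the sequence described above in an account audit log: a run of failed logins, then an email change, a password change and two-factor enrollment inside a short window. The log format, account names, event names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real LinkedIn data), one event per line:
# <ISO timestamp> <account> <event_type> [key=value]. "alice" shows the
# reported sequence: failed logins, success, e-mail change, password, MFA.
SAMPLE_LOG = """\
2023-08-15T09:00:01 alice login_failed
2023-08-15T09:00:07 alice login_failed
2023-08-15T09:00:12 alice login_failed
2023-08-15T09:00:20 alice login_success
2023-08-15T09:01:10 alice email_changed new=x1@rambler.ru
2023-08-15T09:01:40 alice password_changed
2023-08-15T09:02:05 alice mfa_enabled
2023-08-15T10:15:00 bob login_success
2023-08-15T10:20:00 bob password_changed
"""

TAKEOVER_STEPS = {"email_changed", "password_changed", "mfa_enabled"}
WINDOW = timedelta(minutes=30)    # all three steps must fall inside this span
FAILED_THRESHOLD = 3              # failed logins that suggest brute forcing
WATCHED_DOMAINS = {"rambler.ru"}  # domain named in the Cyberint report

def parse_log(log_text):
    # Group (timestamp, event_type, detail) tuples by account.
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue              # skip blank or malformed lines
        detail = parts[3] if len(parts) > 3 else ""
        events[parts[1]].append((datetime.fromisoformat(parts[0]), parts[2], detail))
    return events

def flag_takeovers(log_text):
    # One alert per account that shows all three post-compromise changes.
    alerts = []
    for account, evs in parse_log(log_text).items():
        evs.sort()
        changes = [e for e in evs if e[1] in TAKEOVER_STEPS]
        if {e[1] for e in changes} != TAKEOVER_STEPS or changes[-1][0] - changes[0][0] > WINDOW:
            continue              # lone password change, or changes spread too far apart
        failed = sum(1 for ts, k, _ in evs if k == "login_failed" and ts < changes[0][0])
        new_email = next(d for _, k, d in changes if k == "email_changed")
        new_email = new_email.split("=", 1)[-1]
        alerts.append({"account": account, "new_email": new_email, "failed_logins": failed,
                       "brute_force_prefix": failed >= FAILED_THRESHOLD,
                       "watched_domain": new_email.split("@")[-1] in WATCHED_DOMAINS})
    return alerts
```

Running `flag_takeovers(SAMPLE_LOG)` flags only alice; bob's routine password change produces no alert.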

 

Hillary Coover
Amazon’s palm-scanning tech: A Universe of Identity Possibilities?

Can Amazon’s palm scanning tech unlock an entire universe of identity possibilities? By the end of this year, Amazon’s biometric technology, known as Amazon One, will enable you to scan your palm at over 500 locations for payments and access.

Hi, this is Hillary Coover in Washington, DC.

The hand-scanning system also serves as a loyalty program identifier and age verification tool, with potential future applications including office access, parking garages, gyms, and medical facilities.

Amazon’s pursuit of this biometric innovation aims to compete with Google and Apple in the digital wallet space, offering a universal digital identity solution that extends way beyond just payments. Amazon One’s recent expansion includes adoption at airports, sports arenas, Panera restaurants, and even Starbucks locations, underlining the broader purpose of becoming an identity provider rather than just a payment method.

While Amazon’s move into biometric payments and broader digital identity management presents potential benefits in terms of security and convenience, it also raises significant concerns related to privacy, data security, centralized control, and potential unintended consequences.

As this technology evolves, it’ll be important for Amazon and other companies to address these concerns and ensure that user data is handled responsibly and securely.

Resources
https://www.wsj.com/articles/amazon-wants-you-to-pay-with-your-palm-its-a-sneak-attack-on-apple-and-google-e8e417a

 

Marcel Brown
This Day, August 18 and 19, in Tech History

This is Marcel Brown serving you up some technology history for August 17th through the 19th.

August 17th, 1982. “The Visitors,” by ABBA, becomes the world’s first commercial music compact disc manufactured, pressed in Langenhagen, Germany by Polygram Records, a subsidiary of Royal Philips Electronics. Philips and Sony co-developed the CD standard, which was designed to be the successor to the phonograph record. By the time the CD went on sale in November of that year, about 150 titles had been produced.

August 18th, 1947. Hewlett-Packard is incorporated by William Hewlett and David Packard, nine years after they sold their first products from their garage in Palo Alto. Hewlett and Packard got their start in 1938 by producing oscillators used to test audio equipment. Since selling eight of their first oscillators to Disney for use in preparing movie theaters for the movie Fantasia, HP has grown into one of the largest technology companies in the world.

August 19th, 2004. Google holds its Initial Public Offering, selling over 22 million shares at a starting price of $85. Google shares closed that day at $100.34, and the IPO created many instant millionaires and a few billionaires.

That’s your technology history for today. For more, tune in next week and visit my website thisdayintechhistory.com.

Resources
http://thisdayintechhistory.com/08/18/

 

Hillary Coover
Introduction to “Point of View Friday”

It’s ‘Point of View Friday’ where our team of journalists give us their take on one of the week’s most important stories. Today, Trac Bannon, Olimpiu Pop and Katy Craig will explore Evaluating the Proposed Cyber Resilience Act, and how it could affect the open source community.

 

Trac Bannon
Cyber Resilience Act: Impacts on Open Source

I have long pondered the benefits and challenges of open source software. The concept of crowdsourcing software development seems solid and altruistic at the surface. When open source is leveraged by for-profit corporations and commercial entities, who bears the burden for cyber resiliency?

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

Decades ago, scientists keen to foster a transparent approach to collaborative software began the open source movement. It was in the spirit of free shared knowledge. It’s with that lens I’m providing a few ideas and opinions for you to noodle on.

The European Union has penned the Cyber Resilience Act (CRA) as a means to improve cybersecurity. It follows a worldwide trend to regulate software. There are potential consequences for the open source community.

The CRA could impose a significant compliance burden on open source maintainers. The Act may require the open source projects to meet certain security and resiliency standards, which could be challenging for smaller projects with limited resources. This could potentially lead to a decrease in the number of open source projects available and limit innovation in the open source community.

Another concern is that the Act could lead to fragmentation within the open source ecosystem. The Act may require open source projects to comply with specific measures and certifications, potentially creating a barrier for collaboration and interoperability between different projects. This would hinder the ability of open source maintainers to freely share and build upon each other’s work, ultimately impacting the growth and development of the open source community.

The Cyber Resilience Act could also have implications for the sustainability of open source projects. The act may introduce additional costs and legal requirements for open source maintainers, potentially making it more difficult for them to sustain their projects. This could result in a decrease in the availability of open source software and limit the options for organizations and developers who rely on open source.

Could, might, may potentially… I am using these words because the CRA is still being molded. The potential hit to open source maintainers by CRA is immense. Policymakers and stakeholders must carefully consider the impact of such legislation on the open source community and ensure that the regulations strike a balance between security and the continued growth and innovation of open source.

The good news is that there is a short window to improve cybersecurity while enabling innovation.

Something to noodle on.

Resources
https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act
https://sifted.eu/articles/open-source-startup-founders-leaving-europe
https://ucsc-ospo.github.io/post/20230801/

 

Katy Craig
Cyber Resilience Act: Save Open Source!

The European Union is currently advancing the Cyber Resilience Act (CRA), a legislative measure that could spell trouble for the open source software community. This act aims to enhance software security, but might inadvertently endanger the ethos of open source development.

This is Katy Craig in San Diego, California.

The CRA’s intention to enforce industry best practices in software design, development, release, and maintenance has sparked concerns among open source proponents. The Act seeks to ensure software security through various means, including a self-certification process and mandatory certification and auditing for critical software.

The Act’s provisions could place a burden on open source projects, potentially leading to increased costs and complexities. Despite efforts to secure exemptions for open source software within the context of the community, these attempts haven’t been successful. This points to the EU’s intention to extend the CRA’s regulations to open source foundations.

While the EU recognizes the importance of open source in driving innovation and development, it also emphasizes the need for accountability and security. The requirement to certify the entire code stack, even if a significant portion is open source, could disproportionately impact small- and medium-sized businesses.

The open source community has sought to ensure exemptions for open source software that is used within open source projects. However, the EU’s stance indicates that the CRA scope is intended to extend across all types of software, including open source projects that are deployed in commercial environments.

The CRA, although aiming to enhance software security, raises questions about the future of open source development within the EU. As the Act advances, it’s critical for the open source community to engage with policymakers to strike a balance between security measures and the principles that underpin open source collaboration.

The CRA’s implementation could shape the landscape of open source software development in the EU for years to come.

This is Katy Craig. Stay safe out there.

Resources
https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act

 

Olimpiu Pop
Cyber Resilience Act: Why You Should Care

The explosion of the Sultana steamship in 1865 killed more than 1,000 people. Up to that point, the boiler industry had regulations. After this event, the American Boiler Manufacturers Association (ABMA) was created with the intention to self-regulate the industry; surprisingly enough, it was not the ABMA that scratched this itch, but a group of five mechanical engineers.

Open source software is today’s boiler waiting to explode. Even though there are multiple initiatives around the globe to regulate the industry, it is up to you, to me, and to our fellow software craftsmen to help drive this important part of modern society in the right direction.

Why do we care? Because we understand that open source is so much more than some library for geeks to play with in their free time. Because we understand that modern society relies on it, and most advancements are partly due to open source.

A simple example? Android is probably the most well-known open source project around the globe. Its market share: 70.89%. Yes, the .89% counts when we are talking about almost 12 billion mobile terminals worldwide.

What can you do? Understand what’s happening, and if you’re in Europe, make sure you understand the impact the Cyber Resilience Act can have on technology as we know it. After you understand, reach out to your European representative and tell her that you care. She or he has to care.

In the resources section, you can find links to the full article from the Apache Software Foundation, one of those that are fighting our war for open source.

Olimpiu Pop reporting from Southern Sardegna, Italy.

Resources
https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act
