open source and cybersecurity news

July 10, 2023

Mastodon Addresses TootRoot Hijacking Vulnerability; Natural Language the sharpest weapon to attack LLM Backed AIs?; Truebot Malware; This Day in Tech History

Episode Transcription:

Pokie Huang:

From Sourced Network production in New York City. It’s 5:05. I’m Pokie Huang. Today it’s Monday, July 10th. Here’s the full story behind today’s cyber security and open source headlines.

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. 

Mastodon, the free and open source software for running self-hosted social networking services, has recently patched four vulnerabilities. One of those vulnerabilities is the TootRoot vulnerability, which has a critical severity rating and is tracked as CVE-2023-36460.

Attackers can exploit the vulnerability by using media files on Toots to perform attacks like denial of service and arbitrary remote code execution. 

Mastodon has around 8.8 million users across 13,000 server instances. They are a Twitter alternative, and the decentralized social networking platform is managed by volunteers across many federated communities.

That critical vulnerability, along with the other three that were recently patched, was discovered in an independent audit of Mastodon’s code at Mozilla’s request.

Olimpiu Pop: 

The whole technology space seems to suffer from the Fear of Missing Out (FOMO). We all run to board the post-ChatGPT AI train, but are we forgetting something? Integration tools like LangChain open the door to building more complex systems, stitching together AI virtual assistants, agents, tools, models, and storage. Even if it seems odd, natural language is the primary means of attack for LLM-powered AI systems. It can be used to attack components throughout the stack.

AI assistants are our butlers. All technological chores are on them, but in order to impersonate us, they’ll need to know everything about us. 

Losing access to this would be catastrophic. Imagine your worst enemy getting top secret information about yourself from somebody that knows everything about you like your mother. Agents will be the ones doing the jobs delegated by the assistant. Each of them will have a different role, perspective, and purpose. Hacking them would allow attackers to do actions that they shouldn’t be allowed to. 

Tools made our lives easier, and they’re making the agent’s life easier too. Gaining access to different tools would allow an attacker to actually do the job you wouldn’t want her to do.

Models are the foundation of AI, the way we teach them about the world. Feeding the wrong information to them will give the AI a biased perspective, like manipulating humans. 

As nice as they are, running the infrastructure needed by AI is expensive, crazy expensive, both financially and environmentally. Storage is the place where you can put more information, but cheaper. The problem is that this one is also open to intrusion. As mentioned before, through pure persuasion we can hack the system in multiple ways. You just need to drop the bomb on it and it will detonate somewhere across the system.

The field is still young and we will understand it as we go. You can find diagrams in more extensive content in the resources section of 

Olimpiu Pop, reporting from Transylvania, Romania.

Katy Craig: 

US and Canadian cybersecurity agencies have issued a joint alert warning about the resurgence of Truebot malware. 

This is Katy Craig in San Diego, California.

Operated by the Silence cybercrime group, Truebot serves as an initial infection point for delivering secondary payloads on compromised systems. Put another way, this malware is used to conscript your computer for the botnet in future malware campaigns. 

The latest variants are distributed through phishing campaigns with malicious redirect hyperlinks. The Silence gang also exploits an RCE vulnerability (CVE-2022-31199) in Netwrix Auditor software for installation.

These campaigns mainly target North American organizations. Authorities have released Indicators of Compromise (IoC) and detection rules to strengthen defenses against these tactics. The alert comes from prominent cybersecurity organizations, including CISA, FBI, MS-ISAC, and CCCS. 

Truebot-compromised systems have been exploited by the CLOP cybercrime cartel for unauthorized access, data theft, and CLOP ransomware deployment, including the MOVEit and GoAnywhere campaigns throughout 2022.

This is Katy Craig, stay safe out there.

Marcel Brown: 

This is Marcel Brown bringing you some technology history for July 9th and 10th. 

July 9th, 1981. The game that launched two of the most famous characters in video game history is released for sale. Donkey Kong was created by Nintendo, a Japanese playing card and toy company turned fledgling video game developer who was trying to create a hit game for the North American market.

Unable at the time to acquire a license to create a video game based on the Popeye character, Nintendo decides to create a game marrying the characteristics and rivalry of Popeye and Bluto. Donkey Kong is named after the game’s villain, a pet gorilla gone rogue. The game’s hero is originally called Jumpman, but is retroactively renamed Mario once the game becomes popular, and Nintendo decides to use the character in future games.

Due to the similarity between Donkey Kong and King Kong, Universal Studios sued Nintendo, claiming Donkey Kong violated their trademark. The word Kong, however, is common Japanese slang for gorilla. The lawsuit was ruled in favor of Nintendo.

The success of Donkey Kong helped Nintendo become one of the dominant companies in the video game market. 

July 9th, 1997. Apple Computer announces the resignation of Gil Amelio as CEO. Having been ousted by the board of directors, Amelio’s departure paved the way for Steve Jobs to retake the helm of Apple.

Ironically, it was Amelio who brought Jobs back into the fold of Apple by purchasing Jobs’ company, NeXT, to use as the basis for the next Mac operating system.

July 10th, 1962. The world’s first experimental international communication satellite, Telstar One, is launched into orbit. Built by Bell Labs and launched by NASA, Telstar One was a collaboration between the US, Britain and France.

Telstar One introduced the world to transatlantic video feeds and ushered in a new era of communication. For example, in August of that year, Telstar One became the first satellite to synchronize time between the UK and the US, bringing them to within one microsecond of each other, where 2000 microseconds had been the previous most accurate effort.

Telstar One was also the first satellite to send data between two computers, doing so in October of that year, between two IBM 1401s in Endicott, New York, and La Gaude, France. For all its technological achievements, Telstar One was damaged by high levels of radiation in the Van Allen radiation belts, primarily due to high-altitude nuclear bomb testing by both the United States and the Soviet Union in 1962.

It went out of service in November of that year, only four months after its launch. It was able to be restarted in January of 1963, but in late February it failed again and was not able to be placed back in service. 

Telstar Two was launched a few months later in May of 1963 using radiation resistant transistors and launched at a higher altitude to reduce the amount of time in the Van Allen radiation belts.

Telstar Two stayed in operation for two years. The success of the two Telstar satellites, along with other experimental satellites launched in the few years after 1962, helped pave the way for the first commercial geosynchronous communication satellite, Intelsat One, in 1965.

Both Telstar One and Two, although no longer in service, still orbit the Earth to this day.

That’s your technology history for today. For more, tune in tomorrow and visit my website

Pokie Huang:

That’s our updates for today. July 10th. I’m Pokie Huang. We’ll be back tomorrow… at 5:05.