Newsletter

open source and cybersecurity news

July 19, 2023

Spike in Attacks Using Infected USB Drives
European Spyware Banned
Just - a language-agnostic build automation tool written in Rust
ChatGPT has an evil twin? WormGPT
This Day, July 19, in Tech History

Episode Transcription:

From Sourced Network Productions in Washington DC, it’s 5:05. I’m Hillary Coover. Today is Wednesday, July 19th, 2023. Here’s the full story behind today’s cybersecurity and open source headlines.

Edwin Kwan: Does using USB drives as an initial infection vector still work today? Well, what is old is new again. Security researchers at Mandiant have observed a threefold increase in the number of attacks using infected USB drives to steal secrets.

Hillary Coover: The Biden administration has taken a significant step to address global concerns over digital privacy and security. It’s added two foreign technology companies, Intellexa and Cytrox, to its export prohibition list.

Olimpiu Pop: Just do it! And this is exactly what Just does. It executes commands. Just is a command runner tool that is designed to save and run project specific commands stored in files called “justfile”.

Tracy Bannon: If you have used the wildly popular ChatGPT, you may have run into different rules and guardrails that can be frustrating. As someone who researches cybersecurity and the impact of AI on the software industry, ChatGPT sometimes classifies my questions as off limits. What if there was a large language model with no guardrails and no restrictions?

Katy Craig: Let’s talk cyber stickers. Get ready to see a shiny new shield logo on your routers and IoT devices starting in 2024. The White House and the FCC are rolling out the US Cyber Trust Mark, a voluntary cybersecurity labeling program that screams, “pick me, I’m secure.”

Marcel Brown: July 19th, 2000. Apple introduces the G4 “Cube” Power Macintosh. At the time of introduction, it was one of the smallest desktop computers ever produced. While not considered a commercial success, it did find a small, dedicated following, and it was a foreshadowing of future Apple designs.

 

Edwin Kwan: Spike in Attacks Using Infected USB Drives

This is Edwin Kwan from Sydney, Australia.

Does using USB drives as an initial infection vector still work today? Well, what is old is new again. Security researchers at Mandiant have observed a threefold increase in the number of attacks using infected USB drives to steal secrets.

The increase is attributed to two USB-based cyber espionage campaigns. The SOGU malware infection targets across industries and locations and the SNOWYDRIVE malware infection targets oil and gas organizations in Asia.

While USB drive attacks require physical access to the target machines to achieve infection, they have unique advantages that keep them both relevant and trending. Advantages include being able to bypass security mechanisms, stealth, initial access to corporate networks, and the ability to infect air-gapped systems isolated from unsecured networks.

The security researchers have identified local print shops and hotels as potential hotspots for infection. It is recommended that organizations prioritize implementing restrictions on access to external devices such as USB drives, or at the very least, scan these devices for malicious files and code before connecting them to their internal networks.

 

Hillary Coover: European Spyware Banned

Hi, this is Hillary Coover reporting from Washington, DC.

The Biden administration has taken a significant step to address global concerns over digital privacy and security. It’s added two foreign technology companies, Intellexa and Cytrox, to its export prohibition list. This move aims to regulate the spyware industry, which profits from selling powerful surveillance tools to law enforcement and intelligence agencies worldwide.

Why should you care?

The use and abuse of these tools have far-reaching implications for the general population. While vendors argue that they’re crucial for tracking criminals and national security threats, there are alarming reports of misuse by both authoritarian and democratic governments. Journalists, political opponents, human rights advocates, and others not suspected of wrongdoing often become targets.

While there are valid concerns about the misuse of these tools, there’s an important argument against prohibiting their use solely for national security purposes.

1) National security agencies need sophisticated tools to stay ahead of evolving threats. Restricting their use could hamper the ability to gather intelligence and effectively respond to emerging threats.

2) Cyber intrusion tools also assist law enforcement agencies in investigating and preventing serious crimes. Access to such tools enables them to identify and apprehend criminals engaged in activities like human trafficking, drug smuggling, and organized crime. Limiting the availability of these tools could compromise public safety.

3) Restricting the use of cyber intrusion tools for offensive purposes doesn’t necessarily mean completely prohibiting their use. These tools can play a vital role in testing and strengthening defenses against cyber threats. By allowing responsible and controlled use, security professionals can better understand vulnerabilities and develop effective countermeasures to enhance overall cybersecurity infrastructure.

Bottom line, it is essential to strike a balance between addressing the legitimate privacy concerns and preserving the necessary tools for national security.

A comprehensive approach that includes responsible use, strict oversight, and international collaboration could help mitigate these risks while preserving the benefits of these tools for legitimate purposes.

 

Olimpiu Pop: Just – a language-agnostic build automation tool written in Rust

Just do it! And this is exactly what Just does. It executes commands. Just is a command runner tool that is designed to save and run project specific commands stored in files called “justfile”, of course. You can call it versatile. It manages shell commands, multiple recipe formats, and parameters. It accepts command line arguments and auto loads .env.

It also offers command line completion scripts and handles environment variables. With its descriptive error messages and ability to handle task dependencies, it’s easier to use than npm scripts. What’s more, it allows recipes to be written in various languages, including Python and NodeJS, but it also has a DSL language.

Not being a build system, it avoids many of the complexities and idiosyncrasies associated with make. It supports MacOS, Windows, and a bunch of Linux distros with no additional dependencies. Its multiple operating system support comes with the ability to customize the Shell setting too.

The tool itself is written in Rust, and the project is released under the Creative Commons Zero license. The repo itself seems to be quite popular with 12K stars and a bit more than 300 forks. Now it has 100 contributors.

So if Just another build tool is what you need in your life, go ahead and grab it. Probably the easiest way to do it is via homebrew. In the resources section of 505updates.com, you can find the link to the site and GitHub repo. Listen to the full episode on any of your favorite podcast platforms.

Olimpiu Pop reporting from Transylvania, Romania.

 

Tracy Bannon: ChatGPT has an evil twin? WormGPT

If you have used the wildly popular ChatGPT, you may have run into different rules and guardrails that can be frustrating. As someone who researches cybersecurity and the impact of AI on the software industry, ChatGPT sometimes classifies my questions as off limits. What if there was a large language model with no guardrails and no restrictions? It may sound like a good thing for me, but imagine what a wonderland it is for the malicious actors.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

Just days ago, an email security service named SlashNext reported that a new cybercrime tool called WormGPT is being advertised. Yes, I did say advertised. Underground forums are awash with the news.

WormGPT is scaled for the masses to use and lets users do what they please. Nefarious actors and cyber criminals can use this to design exceptionally realistic fake emails and worse – generate malicious code. There are some prompts that will let ChatGPT outline the steps to creating malicious code; however, it has become increasingly difficult. Enter WormGPT. It’s not illegal to log in and to use WormGPT, making it attractive to the good guy, when it comes to cybersecurity research and protecting the public good. It is, however, illegal to launch the resulting malicious code or phishing schemes.

WormGPT is not the only option for enabling criminals with modified large language models. An open source model called GPT-J-6B assists with spreading disinformation and has been uploaded to the public repository called Hugging Face. This is an example of large language model supply chain poisoning. This technique even has a name now: PoisonGPT.

One thing is for certain, both the good guys and the bad guys benefit from emerging technology. Industry and the US government are attempting to put some policy and help into place to protect us, including a call for an AI Bill of Materials to identify the provenance of AI models.

For now, we all need to be vigilant both at work and at home. If something seems fishy and too good to be true, it probably is. If you receive an email from a friendly name out of the blue, go ahead and double check it’s from them through another medium.

For resources about today’s WormGPT news, see the resource page for this episode at 505updates.com.

Something to noodle on.

 

Katy Craig: US Cyber Trust Mark

Let’s talk cyber stickers. Get ready to see a shiny new shield logo on your routers and IoT devices starting in 2024.

This is Katy Craig in San Diego, California.

The White House and the FCC are rolling out the US Cyber Trust Mark, a voluntary cybersecurity labeling program that screams, “pick me, I’m secure.” This labeling program will help consumers effortlessly identify devices that meet a set of cybersecurity criteria. All the good stuff, like unique and strong default passwords, security updates, user data protection, and limited access to their management interfaces.

Guess who’s already signed up to play?

We’ve got big names like Amazon, Best Buy, Google, LG, Logitech, and Samsung ready to ship and sell devices with this Cyber Trust Mark, assuming they pass the cyber health check.

So who’s going to define these cybersecurity standards, you ask? NIST has been tasked with creating security requirements for consumer-grade routers. Meanwhile, the Department of Energy is concocting cybersecurity labeling requirements for smart meters and power inverters.

But hang on. Doesn’t that mean there’s a risk of unscrupulous vendors sticking this shiny Cyber Trust Mark on their products without actually meeting the criteria? Indeed. But the White House is one step ahead. The FCC is set to create a national registry of certified devices, and along with the Department of Justice, they’ll make sure anyone playing fast and loose with the Cyber Trust Mark logo gets their just deserts.

This is Katy Craig. Stay safe out there.

 

Marcel Brown: This Day, July 19, in Tech History

This is Marcel Brown delivering you some technology history for July 19th.

July 19th, 1961. Trans World Airlines introduces regularly scheduled in-flight movies during a transcontinental trip of a Boeing 707 between New York City and Los Angeles. The first movie to be shown as part of that new service was “By Love Possessed.” The screening of the movie was only available for those passengers in the First Class cabin. David Flexer, a film buff who owned a small chain of movie houses, came up with the idea. He was quoted, “Air travel is the most advanced form of transportation and the most boring.” Flexer and his team spent three years of experimentation and an investment of $1 million to come up with a projector and related equipment weighing less than 100 pounds. That would allow a film to be shown on a single reel to avoid any switchover of reels in the tighter than usual space of a plane.

Flexer created a new company, InFlight Motion Pictures, which then partnered with TWA to create the very first regularly scheduled in-flight movie service.

July 19th, 2000. Apple introduces the G4 “Cube” Power Macintosh. At the time of introduction, it was one of the smallest desktop computers ever produced. While not considered a commercial success, it did find a small, dedicated following, and it was a foreshadowing of future Apple designs.

That’s your technology history for today. For more, tune in tomorrow and visit my website thisdayintechhistory.com.

Hillary Coover

That’s our updates for today, July 19th, 2023. I’m Hillary Coover. We’ll be back tomorrow at 5:05.
