Newsletter

open source and cybersecurity news

July 31, 2023

- CYBERSECURITY HEADLINES TODAY -

Easy to Exploit Vulnerabilities Affecting 40% of Ubuntu Systems
CRA Moves Into Negotiations With The Council
Hackers unleash ZIP Domains
Smart Car Data
This Day, July 30 & 31 in Tech History

In this Episode:

Edwin Kwan: 40% of Ubuntu cloud workloads are affected by two easy-to-exploit privilege escalation vulnerabilities. Ubuntu has an approximate user base of over 40 million.

Olimpiu Pop: The Cyber Resilience Act, a significant piece of legislation, has caused a stir among the foundations backing open source software. The endorsement from the Industry, Research, and Energy Committee of the EU has only added fuel to the fire.

Katy Craig: Phishing attacks are getting sneakier, my cyber-savvy friends. The bad guys have found a new trick by exploiting the newly introduced ‘.ZIP’ Top-Level Domain. You know, those final bits of a website address, like ‘.COM’ or ‘.ORG.’

Hillary Coover: Connected cars can gather a wealth of information through free built-in apps, sensors, and cameras, raising concerns about who controls this data. Do you know how valuable you are as a product or how your data is being used?

Marcel Brown: July 31st, 1971. Using the battery-powered Lunar Roving Vehicle, Astronaut David Scott of the Apollo 15 mission becomes the first person to drive a vehicle on the Moon.

From Sourced Network Productions in Washington DC, It’s 5:05. I’m Hillary Coover. Today is Thursday, July 31st, 2023. Here’s the full story behind today’s cybersecurity and open source headlines.


Edwin Kwan: Easy to Exploit Vulnerabilities Affecting 40% of Ubuntu Systems

This is Edwin Kwan from Sydney, Australia.

40% of Ubuntu cloud workloads are affected by two easy-to-exploit privilege escalation vulnerabilities. Ubuntu is one of the most widely used Linux distributions, based on Debian and composed mostly of free and open-source software. It has an approximate user base of over 40 million.

The two flaws, CVE-2023-2640 and CVE-2023-32629, were found in the OverlayFS module. OverlayFS is a widely used Linux file system that became highly popular with the rise of containers. It is also an attractive attack surface, with a history of having numerous logical vulnerabilities that were easy to exploit.

The vulnerability only affects Ubuntu systems due to the custom changes that were made to the OverlayFS module by Ubuntu. The risk of exploitation is considered to be imminent, as proof of concepts and weaponized exploits for the two flaws have been publicly available for a long time.

Ubuntu fixed the vulnerabilities on July 24th, 2023, and all users should update their kernels to the latest version.
Resources
GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
https://ubuntu.com/security/notices/USN-6250-1
https://ubuntu.com/security/CVE-2023-2640
https://ubuntu.com/security/CVE-2023-32629
Almost 40% of Ubuntu users vulnerable to new privilege elevation flaws


Olimpiu Pop: CRA Moves Into Negotiations With The Council

The Cyber Resilience Act, a significant piece of legislation, has caused a stir among the foundations backing open source software. The endorsement from the Industry, Research, and Energy Committee of the EU has only added fuel to the fire.

Nevertheless, the act is highly needed and long overdue. Lead MEP Nicola Danti couldn’t say it better: “With ever-increasing interconnection, cybersecurity needs to become a priority for industry and consumers alike. Europe’s security in the digital domain is as strong as its weakest link. Thanks to the Cyber Resilience Act, hardware and software products will be more cyber secure, vulnerabilities will get fixed, and cyber threats to our citizens will be minimized.”

The act’s purpose is to create clarity, feasible timelines, and distribute responsibilities equitably. It’s about evaluating products based on cyber risk. Everyday items like password managers, smart home assistants, and smartwatches could be assessed based on the cybersecurity risk they pose. Moreover, the act demands our digital products autonomously install security updates separate from functionality ones. It encourages professional development in cybersecurity with proposed educational programs.

Still, good intentions sometimes lead us to unintended destinations. The act now awaits the full house’s approval. The initiation of negotiation with the committee has been approved, as well. The next phase aims to align industry and legislative leaders. We all strive for a more secure supply chain and mutual trust is key.

This is a rapidly evolving story that we’ll follow closely. For the latest updates on this and more, follow us on 505updates.com.

Olimpiu Pop, reporting from Transylvania, Romania.

Resources
Cyber Resilience Act: MEPs back plan to boost digital products security | News | European Parliament


Katy Craig: Hackers unleash ZIP Domains

Phishing attacks are getting sneakier, my cyber-savvy friends. The bad guys have found a new trick by exploiting the newly introduced ‘.ZIP’ Top-Level Domain. You know, those final bits of a website address, like ‘.COM’ or ‘.ORG.’

This is Katy Craig in San Diego, California.

These new Top-Level Domains offer more personalized web addresses, but they also create a golden opportunity for phishers. Since ‘.ZIP’ is commonly used for compressed files, it adds an air of authenticity to their malicious sites. Picture this: an innocent user thinks they’re downloading a file, but they’re unwittingly stepping into a trap.

So how can we defend against this crafty new tactic? Here are some strategies:

1) Block ‘.ZIP’ domains at the firewall level using web filtering services. This stops network users from accessing these sites, but beware: it might also block legitimate ones.

2) Use browser extensions or web filters to analyze the safety of websites. Some tools can warn users about potentially dangerous sites.

3) Educate and raise awareness. Teach everyone about the risks of ‘.ZIP’ domains and how to double-check URLs before clicking, especially if they’re from unsolicited sources.

Remember, there’s no one-size-fits-all approach to cybersecurity. Combining these strategies and tailoring them to your specific needs is the way to go. Stay vigilant and together we’ll outsmart those sneaky phishers.

This is Katy Craig. Stay safe out there.
Resources
Hackers unleash .zip domains – Gadget
https://www.msn.com/en-us/money/other/hackers-unleash-zip-domains/ar-AA1ep5lR?ocid=msedgdhp&pc=U531&cvid=87248ce6393745219d9fb8136a4dbe15&ei=8
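The segment above lists two technical controls: blocking ‘.ZIP’ domains at the web filter (with the caveat that it can over-block) and using a browser extension or filter that checks links before they are opened. The check below is an added illustration for this newsletter, not code from the episode or from Katy Craig, and the sample links in it are constructed, not real sites. It shows the distinction a link checker needs to make so that a ‘.ZIP’ block is not overbroad: a URL whose *path* ends in `.zip` (an ordinary file download from a normal domain) is not the same thing as a URL whose *host* sits under the `.zip` top-level domain. It also treats a bare name such as `report.zip` the way a mail client that auto-links text would, i.e. as a hostname.

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample links for the demonstration (hypothetical; none are real sites).
SAMPLE_LINKS = [
    "https://example.com/downloads/report.zip",      # file download from a normal host
    "https://quarterly-report.zip",                  # host under the .zip TLD
    "quarterly-report.zip",                          # bare name a mail client may auto-link
    "http://files.example.org/archive.zip?dl=1",     # file download, query string present
    "https://example.zip/login",                     # .zip host with a web page path
    "not a url at all",                              # garbage that must not crash the check
]


def hostname_of(link: str) -> Optional[str]:
    """Return the lower-cased host of a link.

    A scheme is prepended when absent so that a bare token like 'report.zip'
    parses as a host rather than as a relative path, which is how mail and chat
    clients treat it when they turn plain text into a clickable link.
    """
    candidate = link.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    if not host:
        return None
    return host.rstrip(".").lower()  # tolerate a trailing dot (FQDN form)


def classify(link: str) -> str:
    """Label a link for a filter or link-scanning extension.

    'zip-tld-host'  : the destination host itself is under the .zip TLD
    'zip-file-path' : the host is ordinary, only the path names a .zip file
    'other'         : neither
    'unparseable'   : no host could be extracted
    """
    host = hostname_of(link)
    if host is None or " " in host:
        return "unparseable"
    if host.rsplit(".", 1)[-1] == "zip":
        return "zip-tld-host"
    candidate = link.strip() if "://" in link else "http://" + link.strip()
    if urlparse(candidate).path.lower().endswith(".zip"):
        return "zip-file-path"
    return "other"


def triage(links: List[str]) -> Dict[str, List[str]]:
    """Group links by label so a filter can act only on the .zip-host class."""
    groups: Dict[str, List[str]] = {}
    for link in links:
        groups.setdefault(classify(link), []).append(link)
    return groups


if __name__ == "__main__":
    for label, links in triage(SAMPLE_LINKS).items():
        print(f"{label}:")
        for link in links:
            print(f"  {link}")
```

A filter built on this would act on the `zip-tld-host` group only, leaving ordinary `.zip` downloads from trusted hosts alone, which addresses the over-blocking caveat in strategy 1 while still giving users the warning that strategy 2 describes.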


Hillary Coover: Smart Car Data

Connected cars can gather a wealth of information through free built-in apps, sensors, and cameras, raising concerns about who controls this data. Do you know how valuable you are as a product or how your data is being used?

Hi, this is Hillary Coover reporting from Washington, DC.

The California Privacy Protection Agency, the only privacy regulator in the US dedicated solely to privacy issues, has announced its first enforcement action to review the privacy practices of connected automobiles. The agency will examine the data collected by smart vehicles and assess whether the practices of companies collecting that data comply with state law.

Automobile data has significant commercial potential and can be used by various entities like automakers, in-car navigation or infotainment system providers, satellite radio companies, insurance companies, and data brokers. The data can be utilized in determining insurance rates, evaluating risk, urban planning, traffic studies, real estate decisions, economic forecasting, and so much more.

However, even when stripped of personal information, location data can still be used to infer people’s identities.

This is valuable data, folks. To demonstrate how valuable it is, companies are competing for ownership of this data, even going to lengths like removing compatibility with Apple CarPlay and Android Auto.

This year, GM announced it was imposing its own infotainment and navigation products on new customers. Customers were outraged, and despite the inevitable growing pains, GM is pressing forward because of just how valuable this data will be.

Resources
https://www.wsj.com/articles/california-privacy-agency-opens-probe-into-private-data-collected-by-cars-d17ec917?page=1
Future GM EVs to Remove Support for Apple CarPlay, Android Auto | PCMag


Marcel Brown: This Day, July 30 & 31 in Tech History

This is Marcel Brown with your technology history for July 30th and 31st.

July 30th, 1979. Apple begins work on the Lisa, which would become the world’s first commercial computer with a graphical user interface. Originally intended to sell for $2,000 and ship in 1981, the Lisa is delayed until 1983 and sells for nearly $10,000, which would be over $30,000 in today’s money. Utilizing technology that is ahead of its time, the high cost, relative lack of software, and some hardware reliability issues ultimately sink the success of the Lisa. However, much of the technology introduced by the Lisa influenced the development of the Macintosh, as well as other future computer and operating system designs.

July 31st, 1971. Using the battery-powered Lunar Roving Vehicle, Astronaut David Scott of the Apollo 15 mission becomes the first person to drive a vehicle on the Moon. The LRV was used during the last three missions to the Moon, Apollo 15, 16, and 17. The three LRVs used during those missions still remain on the surface of the Moon.

That is, unless you believe the Moon landings were a hoax. Which then I guess if they ever find these things on the Moon, we’ll prove that they did. So, we’ll see.

That’s your tech history for today. For more, tune in tomorrow and visit my website thisdayintechhistory.com.
Resources
http://thisdayintechhistory.com/07/30
http://thisdayintechhistory.com/07/31


Hillary Coover

That’s our update for today, July 31st, 2023. I’m Hillary Coover. We’ll be back tomorrow at 5:05.
