Pokie Huang:

From Sourced Network Production in New York city. “It’s 5:05”. I’m Pokie Huang. Today is Friday, July 7th. Here is the full story behind today’s cyber security and open source headlines.

Edwin Kwan: 

This is Edwin Kwan from Sydney Australia. 

A proof of concept program has been recently published that exploits an unresolved security vulnerability in Microsoft Teams. The program which was released by the US Navy’s red team allows the bypass of Microsoft Teams file sending restraints to deliver malware from an external account. This exploit is possible because the application can be tricked into treating an external user as an internal one simply by changing the ID in the post request of the message. 

The program is written in Python and is called TeamsPhisher. 

” Give the program an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender’s SharePoint, and then iterate through the list of targets.”

TeamsPhisher requires that users have a Microsoft business account, so your personal Hotmail and Outlook accounts won’t work. They must have a valid Teams and SharePoint license. While the program is meant for security researchers, threat actors can also leverage it to deliver malware to target organizations.

 Currently, there is no fix for this available. Organizations are strongly advised to disable communications with external tenants if not needed, or create an allow-list with trusted domains to limit the risk of exploitation. 

Olimpiu Pop: 

Technology was always the space of speed, but nothing compares with the speed at which the generative AI ecosystem evolves. If before we were moving at the speed of sound, now we are moving at the speed of light. With the same speed, new cybersecurity threats emerge. Luckily, OWASP moves fast too. 

In late May, they initiated the Top 10 Security Risks for LLM applications project. Version 0.5 was released this week and they are aiming to release version 1.0 by the end of the month. 

So, let’s see the list:

1) Prompt injections. Using crafty input leads to undetected manipulations. The impact ranges from data exposure to unauthorized actions.

2) Insecure output handling. This occurs when plugins or apps accept LLM output without scrutiny. By using cross-site scripting, privilege escalation, or remote code execution, this could enable agent hijacking attacks.

3) Training data poisoning. AI prompts are as good as their training dataset. Having it spoiled, it could lead to misinformation. 

4) Denial of service. Keeping the prompt busy would cause degrading service quality to others. 

5) Supply chain. LLMs are not immune to vulnerabilities. This could lead to biases, breaches, or system failures. 

6) Permission issues. Lack of authorization tracking between plugins could enable privilege escalation, confidentiality loss, or even remote code execution. 

7) Data leakage. It was already the case, so you wouldn’t want to feed it sensitive data. 

 8) Excessive agency. When interfacing with other systems, unrestricted agency may lead to undesirable operations and actions. 

9) Overreliance. Dependency, in general, leads to the wrong output. 

10) Insecure plugins. If the plugins connecting the LLMs to the outside world can be exploited, they could enable malicious requests or RCEs.

Obviously, this is an evolving list. Some of the attacks changed from the last version. But while reading through it, it felt more like reading a social engineering risk rather than a risk associated with the software system.

So persuasion is becoming more and more a hacking skill. Stay tuned, we’ll keep an eye on this evolving project. Make sure you follow 505updates.com.

Olympiu Pope reported from Transylvania, Romania.

Katy Craig: 

In a thought-provoking blog post, Mark Curphy challenges the effectiveness of shifting left in software security. In fact, he says that shifting left is a myth. 

This is Katy Craig in San Diego, California. 

Curphy examines the historical phases of AppSec tools. Initially, security teams handled everything resulting in limited adoption and minimal impact on software security. As tools advanced, they were introduced to developers, but widespread adoption remained rare, offering only marginal improvements. 

While recent progress has been made with integrating security tools into DevOps pipelines, Curphy argues that the notion of shifting left is flawed. Simply reducing friction and implementing security measures early in the development life cycle is not enough.

Instead, Curphy proposes building security features into developer tools. By addressing developers’ pain points and integrating security as a natural side effect, we can achieve mass adoption and significantly improve software security. 

He highlights the success of software composition analysis tools like Dependabot, which primarily function as developer tools that automatically update dependencies indirectly resolving vulnerable library security issues.

Curphy suggests prioritizing developer-centric solutions over standalone security tools. Leveraging existing developer tools such as Playwright and ESLint, showcase the potential of merging security with developer workflows. 

Curphy urges us to challenge the myth of shifting left in software security. Instead, let’s focus on building developer tools with integrated security features for widespread adoption and substantial improvements. What do you think? Is shifting left a myth? 

This is Katy Craig, stay safe out there.

Hillary Coover: 

Hi, this is Hillary Coover reporting from Washington DC.

In-flight wifi is a convenience, but also potentially a vulnerability to flight safety. According to CSOOnline, commercial airliners are more vulnerable to cyber threats originating from in-flight internet access systems than from avionics.

Avionics, which include the instrumentation, telemetry, and communication system used by pilots and flight crew are inherently harder to hack due to their architecture, limited functions and closed operating environments. But research has shown that physical access to a small aircraft’s wiring could enable an attacker to inject false data into avionic systems, potentially leading to emergency landings or worse loss of control. Again, while this is all possible and very scary, it is highly unlikely because it requires physical manipulation to perform. 

In contrast, in-flight internet access systems are just as vulnerable as ground-based networks are. We need enhanced cybersecurity measures to protect both avionics and in-flight internet access systems, considering the increasing digitization of the aviation industry. 

While the aviation industry players publicly dispute the severity of the vulnerabilities, the cooperation between researchers, airlines, and the government is promising. They share the common goal of responsibly disclosing vulnerabilities as a model for addressing cyber threats.

Marcel Brown: 

This is Marcel Brown bringing you some technology history for July 7th and 8th.

July 7th, 1936. Several US patents are issued for the Phillips head screw and screwdriver to inventor Henry F. Phillips. Phillips founded the Phillips Screw Company to license his patents.

One of the first customers was General Motors for its Cadillac assembly lines. By 1940, 85% of US screw manufacturers had a license for the design. 

July 8th, 1957. Control Data Corporation. An early pioneer in the field of supercomputers is incorporated. CDC’s most notable employee was Seymour Cray, who during the 1960s developed for CDC, the fastest computers in the world at the time.

However, in 1972, Seymour Cray left CDC to form his own company, Cray Research, which then took the title of Creating the World’s Fastest Computers. 

This was your technology history for today. For more, tune in next week and visit my website ThisDayinTechHisotry.com.

Pokie Huang:

That’s our updates for today, July 7th. I’m Pokie Huang. We’ll be back next Monday… at 5:05.