
open source and cybersecurity news

June 16, 2023

Sweeping attack on US Government, New Sextortion Scheme Using Deepfakes, CISA orders Feds to harden devices, The Limitations of Real-Time Social Media Tools, The freedom fighters that want to bring EU Commission back to its senses about open-source

In this Episode:

Episode Transcription:

Pokie Huang:

It’s 5:05 on Friday, June 16th, 2023. From the Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Trac Bannon in Camp Hill, Pennsylvania, Edwin Kwan in Sydney, Australia, Hillary Coover in Washington, DC, Katy Craig in San Diego, California, Olimpiu Pop in Transylvania, Romania, and Marcel Brown in St. Louis, Missouri.

Let’s get to it.

Trac Bannon:

Over the past 24 hours, multiple US government agencies, including the Department of Energy, have been hit by a global cyber attack. There are early reports surfacing that data has been compromised, including information about defense related nuclear waste. Congress has been notified of the breach. 

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

A global hacking campaign kicked off Thursday, June 15th, leveraging a vulnerability in widely used file transfer software called MOVEit. The security flaw was recently discovered by the makers of the MOVEit software, Progress Software. Unfortunately for Progress Software, they have just discovered a second vulnerability and are scrambling to fix it.

For US agencies breached, CISA is leaning in and helping, though they have not indicated which agencies. CISA is the US Cybersecurity and Infrastructure Security Agency. CISA Director Jen Easterly has stated that the hacks have not had significant impacts on federal civilian agencies. 

The attacks are not limited to US agencies. Johns Hopkins University, which conducts research for the Department of Defense, was hit, as was Johns Hopkins Health System. At a global level, energy giant Shell, the BBC and British Airways have reported an attack as well, though they are reporting no impacts on core IT systems.

Like many who have been attacked, they’re focusing on the users of the MOVEit Transfer tool and evaluating the type of data that may have been impacted.

Several hundred other companies could be affected, and there are growing reports of US state governments being compromised, including Minnesota and Illinois. 

The threat actor is known as CLOP, C L O P. Clop normally acts as a ransomware gang. They are one of many hacker gangs in Russia and Eastern Europe. No ransom demands have been made yet.

The hacker group posted on a dark website, “If you are a government, city, or police service, do not worry. We erased all your data. You do not need to contact us. We have no interest to expose such information.” I don’t know about you, but I personally don’t put faith in a statement made on a dark website about my data that was compromised. We must assume ill intent.

There is a growing sense of fear and trepidation. It is possible that other groups may now have access to software code and internal systems, and they’re waiting for the right time to conduct more disastrous attacks. We all need to be aware of this breaking story as it continues to unfold, given the immense footprint and massive variation on the types of assets that may have been stolen.

Something to noodle on.

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. 

Sextortion is a form of blackmail where malicious actors threaten to publicly leak explicit images and videos of their targets. This scheme is resulting in millions of dollars in losses and normally involves the threat actor coercing or stealing the digital materials from the victims. In many cases, the threat actors do not have the compromising content and are instead pretending to have access to scare their victims into paying the extortion demand. 

A new scheme has recently become popular with the help of technological advancements. Sextortionists are now creating AI deepfakes using otherwise benign content posted online to produce sexually explicit images or videos. Even though the deepfakes aren’t genuine, they look very real, and publishing them could still cause great personal and reputational harm to the victim.

To protect yourselves, it is recommended that when posting images or videos online you restrict viewing access to a small private circle of friends to reduce exposure. Parents should monitor their children’s online activity and talk to them about the risks associated with sharing personal media online.

Katy Craig: 

CISA has issued a new binding operational directive, BOD 23-02, and it’s all about limiting access to the management interfaces of networking equipment.

This is Katy Craig in San Diego, California.

So what’s in the spotlight? We’re talking routers, switches, firewalls, VPN servers, proxies, load balancers, and even those snazzy out-of-band server management interfaces like iLO and iDRAC. They’re all on CISA’s radar.

The BOD applies to various protocols from HTTPS to SSH, SMB, RDP and more. It’s a virtual guest list, but only for the internal networks. 

Federal agencies have been given a deadline, 14 days, to pull those management interfaces off the internet, making them accessible solely within their internal networks.

And here’s the kicker: CISA is going to inspect what they expect. They’ll be scanning the networks of federal civilian agencies for any devices with exposed management interfaces. Once they find them, they’ll be notifying administrators like your friendly cyber neighborhood watch. 

So federal agencies, keep an eye out for these notifications within the next 30 days. It’s time to batten down the hatches and secure the ship. 

This is Katy Craig. Stay safe out there.

Hillary Coover: 

It’s easy to get ruffled feathers when one considers how government and corporations utilize real-time social media analysis tools to gain insights and even feel a bit violated by it. But I’m here to provide an often overlooked, yet still crucial fact. 

The effectiveness of these tools really relies on the quality of the data that they analyze. And while these tools may boast competitive algorithms, the results are only as good as the real-time data they receive by scraping or pulling from public-facing APIs.

For the most part, these companies pull from public profiles and content, which is inherently limited. The technical methods used for data extraction are pretty restricted and becoming increasingly restricted over time.

So when companies claim to provide comprehensive social media insights, it’s important to understand that they often lack real-time access to the full breadth of user activity and profiles.

There are companies that offer real-time access to managed personas on certain platforms with access to specific user groups, but scalability there is a challenge. Companies relying on collections of managed personas or access to specific user groups face limitations in their ability to scale and gather diverse data, which impacts the reliability and representativeness of their insights.

In summary, I think we give these real-time social media monitoring analysis companies way too much credit. They are, for the most part, bound by limitations of public data access.

Olimpiu Pop: 

Open source accounts for 90% of the code of every application. Besides the obvious supply chain security questions we should ask ourselves, that’s a huge stepping stone and a wealth of Lego blocks we can build on. Of course it would be even better to contribute as well, to give back, but that’s a whole different story.

After Log4Shell and its younger brother Spring4Shell, the SBOM frenzy started. It was started by the wave of legislative changes coming to fill in the cyber hole that allowed keyboard-attached villains to get away with what they were doing. The Ukraine war accelerated and spread the trend to the whole world.

The cyber war was coming. After the US debut, EU followed suit, but its cyber resilience is threatening the state of open source. That is somehow surprising as the EU has been proactive in promoting open source software and encouraging public administration to use and contribute to open source projects.

Initiatives like the European Commission’s Digital Single Market Strategy and the Joinup platform aim to foster open source collaboration and knowledge sharing within the EU.

Who is fighting back? Who are the freedom fighters? Open Forum Europe submitted an open letter to the EU Commission. The Eclipse Foundation, the Open Source Initiative, APELL, CNLL, and The OSB Alliance cosigned it. 

The other day, I spoke about Open Infrastructure doing the same. They even opened regional offices in the EU to be closer to the source of the problem. I am very optimistic that the MEPs responsible will have a change of heart, especially in the light of the AI Act, which is a success in my opinion. Not only legislative, but also diplomatic. Unfortunately, there has been no update since September 2022. Let’s hope they’ll listen.

In the resources section of 505updates.com, next to the transcript, you can find the link to the legislation together with the open letter signed by the above-mentioned foundations.

Reporting from Transylvania. This was Olimpiu Pop.

Marcel Brown: 

This is Marcel Brown, the most trusted name in technology, dropping some technology history for June 16th and 17th. 

June 16th, 1903. Henry Ford incorporates the Ford Motor Company with 10 investors and $28,000. Ford will begin building automobiles on Mack Avenue in Detroit, in a converted factory that previously produced wagons.

This was Ford’s third attempt at building a company that produced cars, and the investment was down to $300 before the first Ford was sold. Eventually, the Ford Model T would be largely responsible for popularizing the automobile to the general public, at one point representing half of all cars on the road. 

June 17th, 1980. Atari’s Asteroids and Lunar Lander become the first two video games to be registered with the US Copyright Office. This was an important step in the evolution of intellectual property rights for the emerging video game industry.

June 17th, 1997. A group of users, organized over the internet, cracked the Data Encryption Standard, otherwise known as DES, the strongest legally exportable encryption software in the United States to that point, after only five months of work.

The United States at the time banned the export of stronger encryption software out of the fear that it would be used by terrorists. But companies designing the software claimed such restrictions were worthless because foreign countries offered much stronger programs.

The US eventually relaxed certain restrictions, but to this day still claims to exert authority over encryption technologies under the Commerce Clause.

That’s your technology history for today. For more, tune in next week and visit my website ThisDayInTechHistory.com.

Pokie Huang:

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there. 

Thank you to Trac Bannon, Edwin Kwan, Hillary Coover, Katy Craig, Olimpiu Pop, and Marcel Brown for today’s contributions.

The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you next Monday… at 5:05.
