Newsletter

open source and cybersecurity news

June 22, 2023

Apple releases a patch addressing three zero-day vulnerabilities, BlackCat (ALPHV) just won’t leave reddit alone, Part 3 - What You Should Know About Location Records, Edge Browser, This Day in Tech History

In this Episode:

Episode Transcription:

Pokie Huang:

It’s 5:05 on Thursday, June 22nd, 2023. From the source podcast network in New York city. This is Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Katy Craig in San Diego, California, Hillary Coover in Washington, DC, Olimpiu Pop in Transylvania, Romania and Marcel Brown in St. Louis, Missouri.

Let’s get to it!

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. 

Mark Miller covered the iOS triangulation cyber attack earlier this month. It’s a zero interaction vulnerability that is delivered by iMessage, which allows a attackers to steal data from your device. The stolen data could include microphone recordings, photos from instant messenger and geo location data.

Apple has just released a patch which addresses three new zero day vulnerabilities, exploited in attacks installing the triangulation spyware. Since the start of this year, Apple has released fixes for a total of nine zero day vulnerabilities that were exploited in the wild. The fixes are available for Macs, iPhones, iPads and Apple watches. If you own any of those devices, make sure you get them patched immediately.

Olimpiu Pop: 

If you think that now is one of those moments when should be happy that you have chosen to use a Microsoft product, Edge in this case, dream no more. You need to update it too. 

 Microsoft Edge browser uses Google Chromium open source web browser engine, so it is affected by any of the zero day vulnerabilities Google Chrome was affected. On June 6th, Microsoft stated on edge security site, “Microsoft is aware of the recent exploits existing in the wild. We are actively working on releasing a security patch.” 

Vulnerability CVE-2023-3079 was patched in version 114.0.1823.41. This was the second security update from June released by Microsoft.

The other three patches are a security feature bypass vulnerability, a privilege escalation vulnerability, and an information disclosure vulnerability. So in the end, Edge needs to be updated too, and not just for the type confusion, zero-day discovered the other day. 

Links to the release notes and the vulnerabilities description are provided in the resources section of 505updates.com 

Olimpiu Pop reported from Transylvania, Romania.

Katy Craig: 

Today we’re diving into a cyber show down between hackers and reddit. The BlackCat ransomware gang, also known as ALPHV, that’s A L P H V, is behind this heist and they’re demanding four and a half million dollars from reddit. 

This is Katy Craig in San Diego, California. 

BlackCat promises to delete the stolen data for the ransom and for reddit to reverse its API price hikes. Reddit confirmed the cyber incident, but they’re tightlipped about the details. 

The hackers targeted employee info and internal documents in a clever phishing attack. Reddit CTO Christopher Slowe (aka KeyserSosa) assured users that personal data like passwords weren’t stolen. 

BlackCat claims to have reached out to Reddit twice, got no response, and now they’re ready to leak the stolen data. In their ominous post titled, “The Reddit Files”, BlackCat made it clear they won’t back down. 

And this isn’t their first rodeo.

BlackCat also hit Western Digital, grabbing 10 terabytes of customer data. They even took a shot at Ring, Amazon’s video surveillance company. 

What’s next for reddit? Will they pay up or stand tall? Stay tuned as this high stake cyber show down unfolds. Until then, keep your guard up and your password strong.

This is Katie Craig. Stay safe out there.

Hillary Coover: 

Hi, this is Hillary Coover bringing you Part 3, covering the open source Data Implications considered by Washington State for their new privacy initiative. Let’s dig into the consent piece that allows companies to collect and sell sensitive information on consumers, particularly in the healthcare space.

When you download an app on your phone to improve your health, track, your cycle, or something of that nature, you are forced to accept the terms and conditions the company puts forward. There’s usually no opt-out option or if it is there, it’s hidden in fine print far below and the process to achieve that opt out is pretty complicated.

These terms and conditions almost always contain tons of legal jargon and fine print, and most consumers don’t actually read this or pay attention to this. They just say, accept and move on. So companies get away with collecting and selling your data to buyers that can almost certainly de-anonymize it or sell it to someone that can de-anonymize it because you provided consent.

The consumer is forced to choose between convenience, especially in the case of healthcare apps and privacy. So be wary of all apps, especially free ones. They are not actually free. They are selling your information.

Marcel Brown: 

This is Marcel Brown serving up some technology history for June 22nd. 

June 22nd, 1675. King Charles II of Britain decrees the establishment of an observatory at Greenwich for the purpose of finding better ways of determining the longitudinal locations of ships at sea.

The prevailing theory at the time was that accurate star charts combined with a table of the moon’s position would help navigators establish how far east or west of Greenwich they were located. Ironically, this method did not prove reliable enough, and eventually a time-based method was developed when clockmaker John Harrison created spring driven time pieces that could keep accurate enough time on ships.

It took nearly 100 years after the establishment of the Royal Observatory at Greenwich for Harrison’s method to be accepted as a reliable standard. British mariners would set at least one chronometer on their ships to Greenwich meantime in order to calculate their precise longitude. 

By 1884, 72% of global commerce used nautical charts based on Greenwich, and in that year it was established as the prime meridian of the world which also led to Greenwich mean time becoming the international time standard 

in the 1970s coordinated universal time, UTC, would become the world time standard using GMT as its base time zone. Unix and UNIX based operating systems keep time by using UTC and applying an offset for the local time zone.

Notably, only the Windows operating system uses local time as the assumptive basis for your computer’s clock. In fact, Unix-based operating systems define the current time by the number of seconds which have passed since midnight UTC on Thursday, January 1st, 1970, otherwise known as the Unix epoch.

So for those of you still following along, a decree by a king in 1675 is the basis for how much of our technology of today keeps track of time.

June 22nd, 1946. In a demonstration of the capabilities of jet air aircraft, army Air Corps pilots, Kenneth Chilstrom and Robert Baird, transport mail in a Lockheed P-80 Shooting Star, thus making the very first delivery of mail by jet aircraft. 

That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.

Pokie Huang:

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there.

Thank you to Edwin Kwan, Katy Craig, Hillary Coover, Olimpiu Pop, Marcel Brown for today’s contributions.

The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you tomorrow… at 5:05.

Contributors:

Comments:

Leave the first comment

Newsletter