open source and cybersecurity news

June 7, 2023

KeePass Releases Vulnerability Fix, CISA Orders MOVEit Bug Patch, ChatGPT, Can I Trust You?

Episode Transcription:

Pokie Huang:

Hey, it’s 5:05 on Wednesday, June 7th, 2023. From the Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Katy Craig in San Diego, California, Shannon Lietz in San Diego, California, and Marcel Brown in St. Louis, Missouri.

Let’s get to it.

Edwin Kwan:

This is Edwin Kwan from Sydney, Australia. I previously reported on CVE-2023-3278, which is a KeePass vulnerability that makes it possible to recover the master password even when the password manager program is closed. There was a simple proof-of-concept tool that could be used to dump the master password from KeePass’s memory, and there was no fix available then. The fix is now available: it’s version 2.5.4, and it arrived sooner than expected. All users of the 2.x branch are strongly recommended to upgrade to this newer version. The newer version also introduces other security enhancements that will provide additional security against attacks that modify the KeePass configuration file.

Katy Craig:

The Cybersecurity and Infrastructure Security Agency, or CISA for short, recently added a security bug from the popular Progress MOVEit Transfer managed file transfer solution to their list of known exploited vulnerabilities.

This is Katy Craig in San Diego, California. 

The flaw in question, known as CVE-2023-34362, is a SQL injection vulnerability.

What you need to know is that this vulnerability allows unauthenticated attackers to remotely access MOVEit Transfer’s database and execute any code they desire!

In a binding operational directive issued back in November 2022, federal agencies were ordered to patch this security vulnerability once it made its way onto CISA’s Known Exploited Vulnerabilities catalog. So, federal agencies are already on high alert. And even if you’re not a federal agency, it is highly recommended that private companies also prioritize securing their systems against this actively exploited flaw in MOVEit Transfer. Don’t let your guard down just because you’re not part of the government.

The good folks at Progress, the creators of MOVEit Transfer, are urging all their customers to patch their instances immediately. It’s the first line of defense against exploitation attempts and potential breaches. So, take their advice seriously, folks. 

If you can’t apply the security patches right away, there’s still something you can do. You can temporarily disable all HTTP and HTTPS traffic to your MOVEit Transfer environments. This will help minimize the attack surface and reduce the risk of being targeted. 

Remember, proactive measures are key to keeping your system secure. Don’t let these vulnerabilities sneak up on you. Stay vigilant, patch your systems, and keep those security defenses strong.

This is Katy Craig. Stay safe out there.

Shannon Lietz:

Hey, ChatGPT, can I really trust you?

This is Shannon Lietz reporting from San Diego, California. 

Steven Schwartz found out the hard way, citing cases in a legal briefing using ChatGPT technology, and it full-on hallucinated those court cases, about six actually. What I find remarkable is that somebody with a legal degree who’s passed the bar would leverage technology that’s still unproven and hasn’t been widely accepted in the legal profession as a useful tool yet. Now, I can understand the productivity lure, and I can understand the reason why you might wanna leverage something like this, but there are probably a lot of other things that we need to really study about ChatGPT before we would accept it as a research tool in things like the legal profession, the medical profession, or others.

What I find most interesting through my own research is that ChatGPT likes to create its own things… uh, for example, URLs of information that has never once existed. It has assigned articles to researchers and reporters. And what’s really interesting about that is that those articles never existed, but somehow, and it tells me that it doesn’t have access to the internet, I find it really interesting that it assigns certain types of reporters to actual publications they’ve once published for. What makes it even more remarkable is that it’s really good at publishing fiction. It gets some things right and other things wrong. The things that you think it should get right… and you should be able to rely on, it actually gets wrong. The things that you think you might not be able to rely on, it gets right.

What’s really interesting is we still have a lot of work to do to understand the use cases that can be supported by something like ChatGPT, and generative AI in general. What I find remarkable is that we like to trust things before we really understand what they’re gonna be able to do for us. And so I think it’s time for us to take a pause, research things like ChatGPT, fully understand them, and then apply them to the use cases that we have out there.

Until we take this type of approach, I think we’re gonna find that ChatGPT is gonna create a lot more problems than maybe it solves. What do you think?

Marcel Brown:

This is Marcel Brown, the most trusted name in technology, serving up some tech history for June 7th. 

June 7th, 1983. Michael Eaton is granted a patent for the AT Command Set for Modems, which had created a standard language for interacting with modems. Two years earlier, the rights for this command set were purchased by the Hayes Corporation and incorporated into the Hayes Smartmodem 300 as the “Hayes Command Set.”

The protocol will become an industry standard used for years to come. 

In the early ’90s, needing to use modems so that I could connect to pre-internet bulletin board systems, I learned the AT command set. I then used and supported modems extensively for about 15 years, and occasionally still do. Because I worked with modems so much, I used to be able to speak the AT command set in my sleep. I know, it impresses the ladies.

June 7th, 2000. United States District Judge Thomas Penfield Jackson orders the breakup of Microsoft into two companies: one that will develop operating systems and one that will develop other applications. Microsoft immediately announces that it will file an appeal of the judgment. What would’ve been a monumental event in the history of the technology industry never actually happens, however. The ruling is overturned just over a year later. Microsoft will still be sanctioned, but it stays one company.

That’s your tech history for today. For more, tune in tomorrow and visit my website ThisDayinTechHistory.com.

Pokie Huang:

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there. 

Thank you to Edwin Kwan, Katy Craig, Shannon Lietz, and Marcel Brown for today’s contributions.

The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you tomorrow… at 5:05.
