Newsletter

open source and cybersecurity news

May 18, 2023

BurpGPT, Bad Bots, New Phishing Attacks, This Day in Tech

Episode Transcription:

Mark Miller:

From the Sourced Network Productions in New York City, it’s 5:05 on Thursday, May 18th, 2023. This is your host Mark Miller calling in from White Rock, New Mexico. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Katy Craig in San Diego, California, Olimpiu Pop in Transylvania, Romania, and Marcel Brown in St. Louis, Missouri. Let’s get to it.

Katy Craig:

Today let’s delve into the 2023 Imperva Bad Bot Report and learn how to steel our defenses against the bot hordes.

This is Katy Craig in San Diego, California.

Bad bot traffic hit 30.2% in 2022 while good bots skewed web analytics. Your first move: get a solid bot management system to make informed decisions.

Evasive bad bots are getting craftier, making up 66.6% of all bad bot traffic. Account takeover surged 155% between 2021 and 2022, fueled by data breaches. Our counter move: invest in AI-based security solutions to match their cunning.

APIs have a bullseye on their backs with 17% of API attacks from bad bots. To protect your APIs, combine strong authentication with rate limiting strategies. Fortify your defenses with multifactor authentication and good old password hygiene.

Lastly, bad bots aren’t picky about industries. So whether you’re in healthcare or gaming, arm your defenses and educate your teams. Remember, cybersecurity is a marathon, not a sprint.

Stay vigilant, stay proactive, and keep those bots at bay.

This is Katy Craig. Stay safe out there.

Edwin Kwan:

This is Edwin Kwan from Sydney, Australia.

Cybersecurity experts are raising concerns over Google’s new dot zip and dot mov internet domains. The zip domains are already being seen to be used in phishing attacks. Google released those top level domains recently, which means that anyone can register for a zip or mov domain.

The zip extension allows cyber criminals to run phishing campaigns and abuse the fact that zip is both a popular file name and also a top level domain. Domains such as office update dot zip and Microsoft-Office zip have already been used in phishing campaigns.

Researchers have also demonstrated how threat actors can make phishing URLs look like legitimate file downloads by using Unicode characters and the @ symbol in URLs.

Recommendation from the SANS Internet Storm Center is to disable access to zip domains entirely until the dust settles and the risks can be assessed.

Olimpiu Pop:

OpenAI wrote history with fast adoption by the general audience. Nevertheless, it feels like we are on a hype roller coaster and I keep asking myself… when it’ll change direction. How steep will be the fall?

During the golden age of Java, related tools prefixed their name with a J to ensure traction. Even JavaScript got named on the same criteria. Today’s hype uses the suffix G-P-T: ChatGPT, PentestGPT, but today we’ll speak about BurpGPT.

I know what you’re thinking, but it’s not that. BurpGPT combines Burp Suite for web application security testing with OpenAI’s GPT to perform passive scans to detect vulnerabilities and traffic based analysis.

In the words of Alexandre Teyar, its creator:

“The extension generates an automated security report that summarizes potential security issues based on the user’s prompt and real time data from Burp issued request.”

So, the tool allows customized web traffic analysis that adapts to each user’s demands. OpenAI acts as an augmenter of the human tester leveraging the capabilities of the Burp Suite. The free version available on GitHub requires Gradle to run. A pro version that promises to make things easier is available too.

Like all the other tools, this can be a blessing or a curse, depends on how people use it.

The resources section contains more information on how to install and use the tool. Yes, you can find them on 505updates.com.

This was Olimpiu, G P T. Oh, sorry. This was Olimpiu Pop reporting from Transylvania, Romania.

Marcel Brown:

This is Marcel Brown, the most trusted name in technology, delivering some technology history for May 18th.

May 18th, 1969. Apollo 10 launches from the Kennedy Space Center. It would be the final dress rehearsal flight to the moon before Apollo 11 would make the first moon landing two months later. NASA had considered making Apollo 10 the first moon landing, but mission planners decided that it would be best to have a practice flight where all systems and procedures were tested up to the point where the lunar module would actually make a powered descent to the moon.

Apollo 10’s lunar module, given the call sign Snoopy, would make it to within 15 kilometers of the moon’s surface, taking pictures of the proposed Apollo 11 landing site and testing the lunar module’s landing radar. It would dock back with the command module, given the call sign Charlie Brown, after nearly eight hours in orbit.

Apollo 10 holds some interesting distinctions. It was the first mission to carry a color TV camera, so Earth viewers received the first color TV images of the planet. Apollo 10’s crew was the first to successfully shave in space. Apollo 10’s crew also set the record for the fastest speed any humans have traveled relative to earth.

Ultimately the thorough testing of systems, photographs of the moon surface, and data return from the Apollo 10 mission cleared the way for Apollo 11 to make the first human landing on the moon.

May 18th, 1998. The United States Justice Department and the Attorney Generals of 20 States plus the District of Columbia file an antitrust lawsuit against Microsoft.

The case focuses on Microsoft’s integration of the Internet Explorer Web browser into its Windows 98 operating system. The trial becomes one of the most famous events in tech history, eventually resulting in a settlement between the DOJ and Microsoft. In fact, the sanctions levied against Microsoft lasted until May of 2011, almost exactly 13 years after the suit was filed.

That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.

Mark Miller:

That’s it for today’s open source and cyber security updates. For direct links to all stories and resources mentioned in today’s episode, go to 505updates.com where you can listen to our growing library of over 140 episodes. You can also download the transcripts for all episodes for easy reference.

It’s 5:05 is a Sourced Network Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05”.

Thank you to Edwin Kwan, Katy Craig, Marcel Brown and Olimpiu Pop for today’s contributions.

This is Executive Producer, Mark Miller. The editor and sound engineer is Pokie Huang. Music for today’s session is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm.

We’ll see you tomorrow at 5:05.
