open source and cybersecurity news

May 19, 2023

Apple Zero Day Fix, Apple App Store Transparency, Unmasking Cyber Resilience, Bounty for Russian Cybercriminal, FleeceGPT

Episode Transcription:

Pokie Huang:

From the Sourced Network Production in New York City, it’s 5:05, on Friday, May 19th, 2023. This is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Shannon Lietz in San Diego, California, Ian Garrett in Arlington, Virginia, Olimpiu Pop in Transylvania, Romania, Katy Craig in San Diego, California and Marcel Brown in St. Louis, Missouri.

Let’s get to it. 

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. 

Apple has just released software updates for its Macs, iPhones, iPads, Apple Watch, Apple TV, and Safari browsers. The updates for the iPhone, Mac and iPads contain fixes for three zero-day vulnerabilities. These vulnerabilities allow for code execution and also for breaking out of the web content sandbox. Combining those vulnerabilities allows an attacker to gain complete system access when the victim visits a malicious website.

Apple has said that they are aware that those zero day vulnerabilities are currently being exploited in the wild. Apple has now released patches for six zero day vulnerabilities since the start of 2023.

Shannon Lietz: 

Hey folks. Check out this Bleeping Transparency for the Apple App Store. This is Shannon Lietz reporting from San Diego, California. 

Apple blocked 1.7 million apps in 2022 according to an article from BleepingComputer. It’s a big number when you consider that the store itself only has a few million apps in total according to Wikipedia and Statista.

Apple also terminated 400,000 developer accounts during this period for what they called “potential fraudulent activity”. And the velocity of reviews was quite interesting as well, with over a hundred thousand apps being submitted weekly and 90% of those being performed within 24 hours. Wow! 

From my point of view, these are all really significant numbers and it shows the sheer value of the Apple ecosystem. Apple built a tremendous amount of brand loyalty through its commitment to secure its ecosystem. 

What I find actually intriguing is that we aren’t hearing any details about whether some of these blocked submissions were actually from supply chain attacks on the apps being submitted. I sort of find it hard to believe that all of these apps being blocked is from bad actor submissions alone. Versus say, victimized developers and potentially infected apps. You know, a supply chain issue.

So hey, maybe you know Apple, you could request more details from the app submitters so we can determine if there’s a greater opportunity for the community to increase its software supply chain trust and its software supply chain security defenses. I don’t know, just a thought.

If you’re interested in this information, check out the links and I’ll see you next time. Bye for now.

Ian Garrett:

Are organizations truly as resilient against cyber threats as they claim to be? A recent study commissioned by Immersive Labs reveals a shocking truth. While most organizations have a cyber resilience program in place, the majority of them lack the necessary tools to assess their own resilience effectively.

In a world where cyber threats constantly evolve, it’s important to understand the reality behind cyber resilience and explore the critical gaps that leave organizations vulnerable. 

Hey folks, this is Ian Garrett in Arlington, Virginia.

Immersive Labs has released a recent study that sheds light on the state of cyber resilience in organizations. The study, conducted by Osterman Research, surveyed over 570 senior security and risk professionals from large organizations in the United States, United Kingdom, and Germany. The findings reveal a concerning gap between the existence of cyber resilience programs and the organization’s ability to assess their resilience effectively.

The study found that while 86% of organizations surveyed have a cyber resilience program in place, 52% of them lack a comprehensive approach to assessing their cyber resilience. This means that the organizations have strategies, plans, and infrastructure in place, but they struggle to measure and evaluate the effectiveness of the resilience efforts.

Furthermore, the study highlights a lack of proper metrics to assess cyber resilience with less than 6% of respondents utilizing informative metrics such as response times, intrusion rates, and incident rates of different data types. 

The survey also identified external threats and unreliable training as major concerns for organizations. Ransomware was the top concern for 63% of respondents followed by worries about supply chain attacks and code exploit based attacks. Interestingly, while organizations encourage industry certifications and training, there is a distrust in their effectiveness. Only 32% of respondents believe that industry certifications effectively mitigate cyber threats.

The frequency of training is also inadequate with only around 27% of respondents receiving monthly training. The study concludes that organizations need to prioritize cybersecurity efforts that focus on developing skills, knowledge and judgment across their workforce, while actively evaluating and addressing resilience levels and cybersecurity gaps.

This is Ian Garrett in Arlington, Virginia.

Olimpiu Pop: 

Summer is finally here. Sunny beaches, open sea, and cold cocktails should be the only target for the next month. If you’re in need of an alternative source of income to fuel these dreams, the United States government might have you covered. 

The US Department announced earlier on Tuesday, a reward offered under the Transnational Organized Crime Rewards program up to $10 million for information leading to the arrest and potential conviction of Mikhail Pavlovich Matveev.

The Russian national has been charged and sanctioned for allegedly using three ransomware variants to conduct cyber attacks on critical US infrastructure. According to the Department of Justice’s press release, he was charged with:

1 – Conspiring to transmit ransom demands

2 – Conspiring to damage protected computers, intentionally managing protected computers

3 – Intentionally damaging protected computers 

Thousands in the US and across the world were targeted. The DoJ’s criminal division assistant, Kenneth A. Polite Jr mentioned, “From his home base in Russia, Matveev allegedly used multiple ransomware variants to attack critical infrastructure around the world, including hospitals, government agencies, and victims in other sectors.”

According to one unsealed indictment obtained in the district of New Jersey, he allegedly participated in conspiracies using variants known as LockBit, Babuk and Hive, using each platform to transmit ransom demands.

The group conducted by Matveev made as much as $400 million in the ransom campaigns. While total victim ransom payments could amount to as much as $200 million between June, 2020 and May, 2022. 

So, just help the DoJ in their trial to “impose consequences on the most egregious actors in the cyber crime ecosystem,” and you are on the way to the seaside.

All the needed details can be found together with the transcript on 505updates.com.

This was Olimpiu Pop reporting from Transylvania, Romania.

Katy Craig: 

It seems that scam apps are emerging on Google Play and Apple’s App Store promising a taste of OpenAI’s chatbot service ChatGPT, for free. But soon after you’ve nibbled, they start charging subscription fees, nickeling and diming you to death.

This is Katy Craig in San Diego, California. 

Called Fleeceware, this malware’s trickiness lies in its seeming innocence. The apps don’t behave like malware, making it hard to expel them. They’re sneaky, submitting themselves for review to Apple and Google, without full disclosure on subscription pricing. After approval, they can change their tune without any adjustments to the app’s engineering.

To combat these sneaky scammers, remember these four tips:

1 – Check your source. Download apps directly from trusted providers. In this case, it’s OpenAI’s website. 

2 – Free trials aren’t always free. Scrutinize the fine print before committing. Listen to That’s in my EULA, the podcast from the Source Media Network.

3 – Vet app reviews. Not all reviews are genuine. Seek detailed reviews for the real scoop.

4 – Listen to your instincts. If it doesn’t feel right, it likely isn’t. 

Remember, OpenAI offers paid versions of GPT and ChatGPT, but also a free option on their own website. The scam artists are exploiting the gray area between public intrigue and understanding of this service, so don’t let them pull the wool over your eyes.

This is Katy Craig. Stay safe out there.

Marcel Brown: 

This is Marcel Brown, the most trusted name in technology, serving you up some technology history for May 19th and May 20th. 

May 19th, 1980. At the National Computer Conference in Anaheim, California, Apple Computer introduces the Apple 3. It is the company’s first attempt at a business computer, its first departure from the Apple two architecture, and it will also become Apple’s first real failure.

Apple expects the Apple 3 to be released in July, but in one of the worst cases of delay in tech history, the system wouldn’t reach stores until January. Once released, the Apple 3 will be plagued by component failures that would ultimately lead to large recalls. The Apple 3 never recovered from its original negative reception and was discontinued by Apple in 1984.

May 19th, 2001. Apple Computer opens the first two locations of their new retail stores in McLean, Virginia and Washington, DC. In the first weekend of opening, the stores will attract 7,700 shoppers and will sell a combined $599,000. While ridiculed by many technology experts at the time, the Apple stores have been insanely successful and were one of the key reasons for Apple’s resurgence in the 2000s.

May 19th, 2006. Apple opens their second store in New York City, a 20,000 square foot shop at the underground concourse of the General Motors building at 767 5th Avenue. Open 24 hours a day, the shop is visible at street level through a 32 foot glass cube designed by Apple’s CEO, Steve Jobs, at a cost of $9 million. People stood in line for hours prior to the store’s opening.

May 20th, 1927. Aboard the Spirit of St. Louis monoplane, Charles Lindbergh takes off from Roosevelt Field in New York on his historic first solo flight across the Atlantic Ocean. He will arrive in France 33 and a half hours later. 

May 20th, 1932. Five years to the day after Charles Lindbergh took off on his historic first solo flight across the Atlantic, Amelia Earhart takes off from Newfoundland. While her original destination was France, weather and mechanical problems force her to land in Ireland, nearly 15 hours after she took off. She became the first woman and second person to fly solo across the Atlantic Ocean. 

That’s your technology history for today. For more, tune in next week and visit my website ThisDayInTechHistory.com.

Pokie Huang: 

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there. 

Thank you to Edwin Kwan, Shannon Lietz, Ian Garrett, Olimpiu Pop, Katy Craig and Marcel Brown for today’s contributions. 

The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you next Monday… at 5:05.
