May 29, 2023
PyPI 2FA, CSO's Blues, Volt Typhoon
In this Episode:
Mandatory 2FA Coming to PyPI
?? Edwin Kwan, Sydney, Australia ↗
Securing PyPI accounts via Two-Factor Authentication – The Python Package Index
CSO’s Blues
?? Tracy (Trac) Bannon, Camp Hill, Pennsylvania↗
Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach | CSO Online
Majority of US IT Pros Told to Keep Quiet About Data Breaches
Guilty verdict in the Uber breach case makes personal liability real for CISOs | CSO Online
Volt Typhoon in US Critical Infrastructure
?? Katy Craig, San Diego, California ↗
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog
This Day in Tech History
?? Marcel Brown, St. Louis, Missouri ↗
http://thisdayintechhistory.com/05/27
http://thisdayintechhistory.com/05/28
http://thisdayintechhistory.com/05/29
Episode Transcription:
Pokie Huang:
Hey, it’s 5:05 Monday, May 29th. 2023. From the Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwon in Sydney, Australia, Trac Bannon in Camp Hill, Pennsylvania, Katy Craig in San Diego, California, Marcel Brown in St. Louis, Missouri.
Let’s get to it.
Edwin Kwan:
This is Edwin Kwan from Sydney, Australia.
The Python package Index has announced that all accounts that manages at least one project will need to have two factor authentication enabled by the end of the year. The index is a software repository for packages created in the Python programming language.
The repository has been popular with threat actors looking for a way to distribute their malware. It had suffered rampant malware uploads, package impersonation, and resubmission of malicious code using hijacked accounts in the past month. This resulted in the repository having to temporarily suspend. New user registrations and project creations last week.
The repository index said that one of their key security promise is that when you’re downloading something from their repository, only the people associated with that project will be able to upload, delete or otherwise modify their project. Requiring two factor authentication will allow them to keep that promise.
Account owners can enable two factor authentication for their account by either using a security device or an authentication app, and by also switching to using either trusted publishers or API tokens to upload to their repository.
Tracy Bannon:
The CSO community was first rocked in October of 2022 with the conviction of Joe Sullivan. They were rocked a second time on May 4th, 2023 with his sentencing. Joe is the highly successful US attorney turned CSO for a number of major tech firms, including eBay and Facebook. He was also the CSO for ridesharing giant Uber during their 2016 breach. That breach threatened to expose the data of 600,000 drivers and the personal information, PII, for nearly 57 million riders, and Joe was the highest ranking security expert with Uber.
The charges over the breach were dropped. Then what was Joe Sullivan convicted of?
Hello, this is Trace Bannon reporting from Camp Hill, Pennsylvania.
The trial of Joe Sullivan focused on his discussions and lack of disclosure to the FTC. The core of the prosecution is his failure to report a felony crime, receiving three years probation for felony obstruction and misprision for not reporting the 2016 breach.
The term misprision means to deliberately conceal the knowledge of a felony. The CSO community has begun to fear facing legal penalties for doing their jobs. This case should be a wake up call for improving controls and processes. So why the CSO Blues?
Because the role of CSO is difficult.
Breaches and breach responses are very dynamic. There’s a lack of clear federal guidelines for reporting breaches. The question remains, who is liable for handling the breaches? Will this case and the outcomes cause CSO to become more concerned about protecting themselves than protecting the organization?
We certainly want CSOs to be focused on managing victim risk rather than risk to their careers. Senior security leaders are forced to consider at what point in the breach might they be held liable for the consequences.
There are many details of this case that still need to be discussed. Why was the CSO held liable when a paper trail shows that Joe Sullivan had set up an incident tracker for the response team? Why was Joe accused of a coverup when he informed and deferred to Uber’s CEO Travis Kalanick?
The bottom line is that our executive security leaders are unclear what the future will bring. They are singing the blues.
This will give us all something to noodle on.
Katy Craig:
Microsoft has uncovered some sneaky, targeted malicious activity going on. And guess who’s behind it? Volt Typhoon, a state-sponsored actor from China. These guys are no amateurs. They’re known for their espionage and information gathering skills, and this time they’ve got their site set on critical infrastructure organizations in the good old US of A. Their goal? To disrupt critical communications infrastructure between the United States and Asia during future crises.
The Volt Typhoon crew has been up to no good since mid 2021, targeting critical infrastructure organizations in Guam and other parts of the US, and they’re not picky.
Volt Typhoon is all about stealth. They love their living off the land techniques, doing everything on the down low. They’re collecting data, snatching credentials from local and network systems, and staging it all for exfiltration. They’re using stolen, valid credentials to keep their access going undetected.
These guys are masters of blending in. They route their traffic through compromised small office and home office network equipment like routers, firewalls, and VPN hardware. Talk about going incognito. To stay under the radar even further, they’ve got their own version of open source tools for that extra stealthy command and control action.
Microsoft’s blog has tons of details and lots of specific recommendations, settings, configurations, and queries for you to use to search for and block these bad guys in your own systems.
This is Katy Craig. Stay safe out there.
Marcel Brown:
This is Marcel Brown, the most trusted name in technology, bringing you some technology history for May 27th, 28th, and 29th.
May 27th, 1988. Microsoft releases two versions of Windows 2.1. One for 286 computers and one four 386 computers. Do you remember this version of Windows? Not many people do. It wasn’t until version three that Windows had any sort of appreciable user base.
May 28th, 1929. The Warner Brothers film, On with the Show, the first talking movie that is in all color, debuts at New York City’s Winter Garden Theater. The film uses two color Technocolor and Vitaphone sound. It was the first modern color movie.
May 28th, 1987. CompuServe releases the graphics interchange format standard as a new computer graphics file format.
Due to color limitations, the GIF format is unsuitable for reproducing color photographs, but it is well suited for more simple images, such as graphics or logos with solid areas of color. This made it probably the most popular graphics format for the early internet until the famous GIF licensing controversy soured many designers to its use.
The PNG format was developed in response as an alternative to GIF, to get around the licensing issues. However, all relevant patents have since expired and the GIF format may now be freely used. Today it still sees widespread use, especially when simple animations are needed.
And I pronounce it GIF because it’s graphics interchange format, not something with a j.
May 29th, 1992. At the Consumer Electronic Show in Chicago, Apple Computer CEO John Scully, first announces the coming release of the Newton Personal Digital Assistant to a group of reporters explaining that the Newton is nothing less than a revolution. Although there was not a fully functioning prototype available, the Newton technology is demonstrated, including how to order a pizza by moving topping icons onto a pie, and then faxing the order from the device.
The Newton is Apple’s first major new product line since the Macintosh was released eight years earlier. The Newton unveiling generates a media buzz, but due to several factors, Scully’s announcement will ultimately be considered a major mistake.
The announcement itself tipped the company’s hand to its competitors in wildly inflated customer expectations. The Newton’s release was delayed until August of 1993, and when it was released, it was not as user friendly as expected. Specifically, the core handwriting recognition feature was widely criticized as buggy and inaccurate. While the technology was greatly improved in subsequent revisions, the Newton never gained much commercial success.
Shortly after his return, Steve Jobs discontinued the Newton in 1998.
May 29th, 1999. The Space Shuttle Discovery completes the very first docking with the International Space Station.
And that is your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.
Pokie Huang:
That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.
5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there.
Thank you to Edwin Kwan, Trac Bannon, Katy Craig, Marcel Brown for today’s contributions.
The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you tomorrow… at 5:05.