Episode Transcript
0:00
Cybersecurity Today is brought to you by
0:02
the generous support of our sponsor, Beauceron
0:04
Security. You can get their 2024 State
0:07
of Cybersecurity Awareness Report at beauceronsecurity.com,
0:10
and there's a link you can
0:12
follow in the show notes. Cyber
0:18
authorities remind developers to
0:20
switch to memory-safe coding
0:22
languages. Welcome to
0:24
Cybersecurity Today. It's Friday, June 28,
0:27
2024. I'm
0:29
Howard Solomon, contributing reporter
0:32
on cybersecurity for technewsday.com.
0:39
Cyber authorities in the U.S.,
0:41
Canada, and Australia have again
0:43
reminded application developers to only
0:45
use memory-safe coding languages in
0:48
their work. In
0:50
a report released this week, the government
0:52
experts say just over half of the
0:54
172 open-source
0:56
projects they examined had code
0:59
written in a
1:01
memory-unsafe language like C, C++,
1:04
and assembly. 55% of
1:08
the total lines of code for all
1:10
projects were written in a memory-unsafe language.
1:14
Most critical open-source projects
1:16
analyzed, even those written
1:18
in a memory-safe language
1:20
like C#, Rust, Python,
1:23
or Java, potentially
1:25
contain memory-unsafe vulnerabilities, the
1:27
report adds. Sometimes
1:30
it's impossible right now to use
1:32
a memory-safe language entirely. The
1:35
report gives as examples the
1:37
Linux kernel and the Chromium
1:39
project. Still, it
1:41
urges software developers to find
1:43
ways to standardize on memory-safe
1:46
programming languages. A
1:49
U.S. grand jury has named and
1:51
indicted a Russian citizen with conspiring
1:54
with that country's military intelligence to
1:56
hack into and destroy computer systems
1:58
in Ukraine just
2:00
before Russia's invasion in 2022. The
2:05
U.S. Rewards for Justice program is
2:07
offering a reward of up to
2:09
$10 million for information on
2:12
the location of Amin Timovich
2:14
Stigal. Fortra
2:17
has issued an update for
2:19
a critical SQL injection vulnerability
2:21
in its FileCatalyst Workflow,
2:23
a web portal for
2:26
large file transfers. An
2:28
attacker could use a script to
2:30
execute malicious SQL commands, like deleting
2:33
a database. Users
2:35
should be running version 5.1.6, build 139, or newer.
2:43
If you can't update, then vulnerable
2:45
servlets have to be disabled. Attention
2:49
developers of solutions using the open
2:52
source Vanna.AI library
2:54
for simplifying SQL database
2:56
queries. Researchers have
2:59
discovered a vulnerability that has
3:01
to be addressed. According
3:03
to JFrog, Vanna.AI helps
3:06
generate SQL queries using
3:08
large language models. The
3:11
problem is, Vanna.AI is open to
3:13
an integrated prompt injection
3:16
attack. The code
3:18
maintainer has added a hardening guide
3:20
for developers to prevent similar attacks.
3:25
Attribution of a cyber attack is the
3:27
last thing on the minds of IT
3:29
and security leaders when their organization has
3:31
been hit. Recovering from
3:33
damage is job one. Attribution
3:36
comes later, and is often left
3:38
to others, like researchers
3:41
at SentinelLabs and Recorded
3:43
Future, who said this week they looked
3:45
at a bunch of ransomware attacks between 2021 and
3:47
2023. They
3:51
suspect a Chinese group, dubbed
3:53
ChamelGang, is behind government
3:55
and infrastructure compromises in India
3:58
and Brazil. The report says
4:00
the research highlights the strategic
4:03
use of ransomware by cyber
4:05
espionage actors for financial gain,
4:07
disruption, or as a tactic
4:10
for distraction or misattribution. It's
4:13
interesting reading. Designed
4:16
Receivable Solutions, a
4:19
California debt collection agency for
4:21
healthcare providers, has increased
4:23
the number of victims it calculated
4:25
from a January data breach. The
4:28
original estimate given to Maine's Attorney General's office
4:30
was just over 498,000 people. It now says
4:33
the number is over 585,000 people. Luxury
4:41
retailer Neiman Marcus Group is notifying over
4:43
64,000 people of a data theft. The
4:48
data was held on a
4:50
platform used by the company
4:52
and included names, dates of
4:54
birth, contact information, and Neiman
4:57
Marcus or Bergdorf Goodman gift
4:59
card numbers. The
5:02
Ambulatory Surgery Center of Westchester, New
5:04
York is notifying over 21,000 people
5:06
that their personal
5:09
information may have been copied after
5:11
an employee's email account was hacked.
5:14
The incident happened last fall. Data
5:17
stolen could have included names,
5:20
social security numbers, driver's license
5:22
or state identification numbers, dates
5:24
of birth, and medical
5:27
information. That's
5:30
it for now, but late tonight the
5:32
Week in Review will be released for
5:34
weekend reading and weekend
5:36
listening. My guest this
5:39
week is Terry Cutler of
5:41
Cyology Labs. We'll talk
5:43
about the latest MOVEit vulnerability, a
5:46
report on recruiting cybersecurity pros,
5:48
and how an API coding
5:50
error is being blamed for
5:52
a large cyber breach in
5:55
Australia. Links to details
5:57
about news mentioned in this podcast episode are
5:59
in the description and in the text version at
6:02
technewsday.com. Follow
6:04
Cybersecurity Today on Apple
6:07
Podcasts, Spotify, or
6:09
add us to your Flash Briefing on your
6:11
smart speaker. Thanks
6:13
for listening, I'm
6:15
Howard Solomon.