Cyber Security Today, June 28, 2024 - Cyber authorities remind developers to switch to memory-safe coding languages

Released Friday, 28th June 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Cybersecurity Today is brought to you by

0:02

the generous support of our sponsor, Beauceron

0:04

Security. You can get their 2024 State

0:07

of Cybersecurity Awareness Report at beauceronsecurity.com,

0:10

and there's a link you can

0:12

follow in the show notes. Cyber

0:18

authorities remind developers to

0:20

switch to memory-safe coding

0:22

languages. Welcome to

0:24

Cybersecurity Today. It's Friday, June 28,

0:27

2024. I'm

0:29

Howard Solomon, contributing reporter

0:32

on Cybersecurity for technewsday.com.

0:39

Cyber authorities in the U.S.,

0:41

Canada, and Australia have again

0:43

reminded application developers to only

0:45

use memory-safe coding languages in

0:48

their work. In

0:50

a report released this week, the government

0:52

experts say just over half of the

0:54

172 open-source

0:56

projects they examined had code

0:59

written in a

1:01

memory-unsafe language like C, C++,

1:04

and Assembly. 55% of

1:08

the total lines of code for all

1:10

projects were written in a memory-unsafe language.

1:14

Most critical open-source projects

1:16

analyzed, even those written

1:18

in a memory-safe language

1:20

like C#, Rust, Python,

1:23

or Java, potentially

1:25

contain memory-unsafe vulnerabilities, the

1:27

report adds. Sometimes

1:30

it's impossible right now to use

1:32

a memory-safe language entirely. The

1:35

report gives as examples the

1:37

Linux kernel and the Chromium

1:39

project. Still, it

1:41

urges software developers to find

1:43

ways to standardize on memory-safe

1:46

programming languages. A

1:49

U.S. grand jury has named and

1:51

indicted a Russian citizen with conspiring

1:54

with that country's military intelligence to

1:56

hack into and destroy computer systems

1:58

in Ukraine just

2:00

before Russia's invasion in 2022. The

2:05

U.S. Rewards for Justice program is

2:07

offering a reward of up to

2:09

$10 million for information on

2:12

the location of Amin Timovich

2:14

Stigal. Fortra

2:17

has issued an update for

2:19

a critical SQL injection vulnerability

2:21

in its FileCatalyst Workflow,

2:23

a web portal for

2:26

large file transfers. An

2:28

attacker could use a script to

2:30

execute malicious SQL commands, like deleting

2:33

a database. Users

2:35

should be running version 5.1.6, build 139, or newer.

2:43

If you can't update, then vulnerable

2:45

servlets have to be disabled. Attention

2:49

developers of solutions using the open

2:52

source Vanna AI library

2:54

for simplifying SQL database

2:56

queries. Researchers have

2:59

discovered a vulnerability that has

3:01

to be addressed. According

3:03

to JFrog, Vanna.AI helps

3:06

generate SQL queries using

3:08

large language models. The

3:11

problem is, Vanna AI is open to

3:13

an integrated prompt injection

3:16

attack. The code

3:18

maintainer has added a hardening guide

3:20

for developers to prevent similar attacks.

3:25

Attribution of a cyber attack is the

3:27

last thing on the minds of IT

3:29

and security leaders when their organization has

3:31

been hit. Recovering from

3:33

damage is job one. Attribution

3:36

comes later, and is often left

3:38

to others, like researchers

3:41

at SentinelLabs and Recorded

3:43

Future, who said this week they looked

3:45

at a bunch of ransomware attacks between 2021 and

3:47

2023. They

3:51

suspect a Chinese group, dubbed

3:53

ChamelGang, is behind government

3:55

and infrastructure compromises in India

3:58

and Brazil. The report says

4:00

the research highlights the strategic

4:03

use of ransomware by cyber

4:05

espionage actors for financial gain,

4:07

disruption, or as a tactic

4:10

for distraction or misattribution. It's

4:13

interesting reading. Designed

4:16

Receivable Solutions, a

4:19

California debt collection agency for

4:21

healthcare providers, has increased

4:23

the number of victims it calculated

4:25

from a January data breach. The

4:28

original estimate given to Maine's Attorney General's office

4:30

was just over 498,000 people. It now says

4:33

the number is over 585,000 people. Luxury

4:41

retailer Neiman Marcus Group is notifying over

4:43

64,000 people of a data theft. The

4:48

data was held on a

4:50

platform used by the company

4:52

and included names, dates of

4:54

birth, contact information, and Neiman

4:57

Marcus or Bergdorf Goodman gift

4:59

card numbers. The

5:02

Ambulatory Surgery Center of Westchester, New

5:04

York is notifying over 21,000 people

5:06

that their personal

5:09

information may have been copied after

5:11

an employee's email account was hacked.

5:14

The incident happened last fall. Data

5:17

stolen could have included names,

5:20

social security numbers, driver's license

5:22

or state identification numbers, dates

5:24

of birth, and medical

5:27

information. That's

5:30

it for now, but late tonight the

5:32

Week in Review will be released for

5:34

weekend reading and weekend

5:36

listening. My guest this

5:39

week is Terry Cutler of

5:41

Cyology Labs. We'll talk

5:43

about the latest MOVEit vulnerability, a

5:46

report on recruiting cybersecurity pros,

5:48

and how an API coding

5:50

error is being blamed for

5:52

a large cyber breach in

5:55

Australia. Links to details

5:57

about news mentioned in this podcast episode are

5:59

in the description, in the text version at

6:02

technewsday.com. Follow

6:04

Cybersecurity Today on Apple

6:07

Podcasts, Spotify, or

6:09

add us to your Flash briefing on your

6:11

smart speaker. Thanks

6:13

for listening. I'm

6:15

Howard Solomon.
