8min chapter


Beware Of This Kind of Software - SR153

Surveillance Report

CHAPTER

Software Supply Chain Report and Recent Data Breaches

This chapter discusses the findings of the software supply chain report and warns about the misconceptions surrounding open source software. It also covers various data breaches affecting companies and government websites.

00:00
Speaker 1
And they found that only about 11% of projects were actively maintained. That means almost 90% are just not maintained. Quoting this: in the ninth annual State of the Software Supply Chain report, published October 3rd, software supply chain management company Sonatype assessed over 1 million projects and reported an 18% decline this year in actively maintained projects. And again, just 11% of those were receiving active maintenance. The report also found some new projects unmaintained in 2022 which are now being maintained, and they have a lot of other stats in there as well. And I just wanted to quickly comment on this story. I think that for me, this is the highlight story, because there is a common sentiment, and as great as open source is, there's this common sentiment that just because something's open source, it must be better for your privacy and security. And you know, a lot of these projects might have security vulnerabilities that have existed for years now, and it could be actively exploited projects. So the same thing applies to proprietary projects. If there is a not actively maintained proprietary project, it's going to suffer the same exact issue. So this actually has nothing to do with whether or not something is open source. I just wanted to shine a light on this because I think a lot of people just download any open source software without checking to see when the last time it was updated. So personally, what I do, if I'm downloading open source software, I'll normally check the GitHub or wherever the repos are hosted and just make sure there's some activity there. If I see there hasn't been anything done in two-plus years, I just won't even touch it, because I want something that's going to be actively maintained. I want to make sure they're going to be able to push security updates if there's an issue. And I just want to make sure there's an active developer that's still working on the project, and that applies to proprietary projects as well.

If you're using proprietary software that hasn't received any kind of security updates or any kind of maintenance for years, think carefully before using it. With that out of the way, let's go into the data breaches. So there is a third Flagstar Bank data breach since 2021, which affects 800,000 customers. So a data breach notification was sent to impacted customers that explains that Flagstar was indirectly impacted by Fiserv, a vendor it uses for payment processing and mobile banking services, which was a result of MOVEit, so everyone can take their shots. The types of data that were compromised are redacted in the sample data breach notification letters. However, the entry on Maine's data breach portal lists at least names and Social Security numbers as stolen by the threat actors.

Next one: Air Europa data breach, customers warned to cancel their credit cards. So this is a Spanish airline, the country's third largest airline and a member of the SkyTeam alliance, which warned customers on Monday to cancel their credit cards after attackers accessed their card information in a recent data breach. The credit card details exposed in the breach include card numbers, expiration dates and the three-digit CVV code on the back of the payment cards. And it is an unknown number of impacted customers.

Next data breach is from Shadow PC, who's warned of a data breach as cybercriminals try to sell gamers' information. For those who don't know, myself included, Shadow is a cloud gaming service providing users with high-end Windows PCs streamed to their local devices, like PCs, laptops, smartphones, tablets and smart TVs, allowing them to run demanding AAA games on a virtual computer. This affected over 500,000 users and included dates of birth, addresses, full names, last four of the credit card, expiration date, IP connection log, email and more. It contains only customers and not all users.

I'm now wondering if this is a way I can maybe play some games on macOS, but I doubt that. Next data breach: Indian state government fixes website bug that revealed Aadhaar numbers and fingerprints. I apologize if I mispronounced that. A security researcher says a bug on an Indian state government website inadvertently revealed documents containing those numbers, identity cards and copies of people's fingerprints. The bug was fixed last week after the security researcher disclosed the bug to local authorities. Now, they found the bug in the West Bengal government's e-District web portal that allows state residents to access government services online, like obtaining birth and death certificates and building applications. They said the website bug meant it was possible to obtain land deeds, which contain records about the owners of a piece of land, from the e-District website by guessing sequential deed application numbers. It's not known if anyone else discovered this bug, so they don't know if it's been exploited in the wild or anything like that, but at least it's been caught now and fixed.

And we're just going to keep on moving on to the companies. So Google had their event, and we didn't actually throw this in the show notes, but we did cover this on Techlore Talks: Google Pixels are now going to have seven years of security updates, which is super cool. That's personally my big highlight from the Google event, but there is another big Google announcement, which is Google's making passkeys the default sign-in for personal accounts. So this applies to all their services and platforms. This means that the next time you sign into your Google account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-in. It also means you'll see the "Skip password when possible" option toggled on in your Google account settings. So just a big FYI for anyone curious about what's going on with passkeys in the Google ecosystem.

And also the next and final company news is from Brave, the browser company, who's laid off 9% of its workforce. They didn't specify how many people this was, but it corroborated the development and said the decision was driven by the tough economic climate. And this did impact several departments, so they didn't just lay off a complete department. So we don't have many details, but maybe we'll get more updates on this as time goes on. So stay subscribed.

Okay, so research. This is going to be a very technical thing, but it's actually extremely important, and you are dependent on this whether or not you know it. So this is a new protocol vulnerability that will haunt the web for years. And just to tell you how much of a haunt it is, it is Halloween after all soon. But this actually impacted people like Google, Amazon, Microsoft and Cloudflare; like, they've actually been battling this as well. So they revealed this week that they battled massive record-setting DDoS attacks against their cloud infrastructure in both August and September. The recent attacks were particularly noteworthy because hackers generated them by exploiting a vulnerability in a foundational web protocol. This means that while patching efforts are well underway, fixes will need to essentially reach every web server globally before these attacks can actually stop. This is dubbed the HTTP/2 Rapid Reset. The vulnerability can only be exploited for DDoS attacks. I'll give some more analysis on this soon, but just to finish up the story: another facet of the situation is where the vulnerability came from. Rapid Reset isn't in any particular piece of software, but in the spec for the HTTP/2 network protocol used for loading web pages. It works better than classic HTTP on mobile and uses less bandwidth, so it has been extremely widely adopted, and they are currently developing HTTP/3, but I am assuming most websites are going to be using version 2.

Unlike a Windows bug that gets patched by Microsoft, or a Safari bug that gets patched by Apple in an OS update and not in a Safari update because Apple made some great decisions, a flaw in a protocol can't be fixed. I added that in; I'm not quoting the article when I said that. That's just my personal take on Apple's really silly decision to combo up Safari patches with an OS. But to continue back in the story: a flaw in a protocol can't be fixed by one central entity, because each website implements the standard in its own way. When major cloud services and DDoS defense providers create fixes for their services, it goes a long way towards protecting everyone who uses the infrastructure. But organizations and individuals running their own web servers need to work out their own protections. This is not a great situation, because there isn't just a simple "oh, we're just going to patch this protocol, or patch this software, or patch this one thing, and then everyone is now protected from that." This is one of those situations where we actually need to rely on a huge community effort to be able to patch this issue. So if you're someone who's listening to this and you're more technical and you might be developing things, make sure you educate yourself on this, because you might have something, if you have any servers or anything like that, that might be dependent on this, and there might be some things you can do to actually fix this issue and keep other people safe. And that's part of the reason why we have this podcast, obviously, so we can educate all of you and spread the word. If you know anyone who might be impacted by this or they can do anything about it, definitely show this around.
