Friday Five 9/23
Experts are growing worried that the next cyber attack could come from an unlikely source, like an open source component or even your web browser’s spell checker. Read about this news and more in this week’s Friday Five!
1. DATA SCIENTISTS DIAL BACK USE OF OPEN SOURCE CODE DUE TO SECURITY WORRIES BY ROBERT LEMOS
Vulnerabilities found in open source components have caused nearly 40% of a recent survey's respondents to cut back on their use of such components, according to Anaconda's 2022 State of Data Science report released this past week. Anaconda's CEO, Peter Wang, says, "We see a tremendous portion of people who are at organizations where IT has created a very strict posture around open source and Python. These are not expert developers. ... They are data scientists and machine learning people who may not be very seasoned developers at all, using whatever they could download to do their analysis, and then they handed that over to IT." Read the full story from Robert Lemos at Dark Reading to find out why some data scientists are becoming concerned, why software companies aren't scaling back on their use of open-source components, and why there appears to be a disconnect between the two sides.
2. HACKING GROUP FOCUSED ON CENTRAL AMERICA DUMPS 10 TERABYTES OF MILITARY EMAILS, FILES BY AJ VICENS
A hacking group known as Guacamaya released a 10-terabyte dump of records from military and police agencies in Chile, Colombia, El Salvador, Mexico, and Peru, including emails and other materials. This marks the group’s fourth data dump since this past March. To learn more about the hack and what type of information was leaked, read AJ Vicens' story.
3. GOOGLE, MICROSOFT CAN GET YOUR PASSWORDS VIA WEB BROWSER'S SPELLCHECK BY AX SHARMA
Concerns have been raised about the security of data transmitted through web browsers’ spell-check features, with Google Chrome and Microsoft Edge most recently coming under the magnifying glass. While their basic spell-check features aren’t said to raise any red flags, Chrome’s Enhanced Spellcheck and Microsoft Editor both transmit form data—which could include PII or passwords—leaving many concerned about their data privacy and a potential security incident in the future. Read the full, in-depth report from Ax Sharma at BleepingComputer to find out more about how this potential privacy issue was discovered and how these spell-check features can be toggled on and off.
4. THE RECORD-SETTING DDOSES KEEP COMING, WITH NO END IN SIGHT BY DAN GOODIN
In a statement this past Monday, Imperva reported that they defended a customer against a DDoS attack with over 25 million requests, peaking at more than 3.9 million requests per second. According to Imperva, "[The] attackers used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections. This technique can bring servers down using a limited number of resources, and such attacks are extremely difficult to detect." This attack is only one example of a quickly growing DDoS arms race. Read the full story from Dan Goodin at Ars Technica to find out more about this attack and others from recent months.
5. BITDEFENDER RELEASES FREE DECRYPTOR FOR LOCKERGOGA RANSOMWARE BY BILL TOULAS
Cybersecurity firm Bitdefender recently released a decryptor that can be used by those locked out of their systems by LockerGoga ransomware. The decryptor is said to work both on individual machines and across entire networks. Although 12 threat actors tied to LockerGoga were arrested, the ransomware's source code was never released. This decryptor will allow those who refused to pay the ransom to recover their files for free.