Cyber authorities remind developers to switch to memory-safe coding languages.
Welcome to Cyber Security Today. It’s Friday June 28th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
Cyber authorities in the U.S., Canada and Australia have again reminded application developers to only use memory-safe coding languages in their work. In a report released this week government experts say just over half of the 172 open-source projects they examined had code written in a memory-unsafe language like C, C++ and Assembly. Fifty-five per cent of the total lines of code for all projects were written in a memory-unsafe language. Most critical open source projects analyzed — even those written in memory-safe languages like C#, Rust, Python and Java — potentially contain memory safety vulnerabilities, the report adds. Sometimes it’s impossible right now to use a memory-safe language entirely. The report gives as examples the Linux kernel and the Chromium project. Still, it urges software developers to find ways to standardize on memory-safe programming languages.
A U.S. grand jury has named and indicted a Russian citizen for conspiring with that country’s military intelligence to hack into and destroy computer systems in Ukraine just before Russia’s 2022 invasion. The U.S. Rewards for Justice program is offering a reward of up to US$10 million for information on the location of Amin Timovich Stigal.
Fortra has issued an update for a critical SQL injection vulnerability in its FileCatalyst Workflow, a web portal for large file transfers. An attacker could use a script to execute malicious SQL commands, like deleting a database. Users should be running version 5.1.6 build 139 or newer. If you can’t update, then vulnerable servlets have to be disabled.
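As an added illustration of the general class of bug behind an SQL injection advisory (this is not Fortra's code and says nothing about FileCatalyst's actual internals), here is the defective pattern, SQL text assembled by string concatenation, next to the parameterized form, run against a constructed SQLite table. The table, column names and the sample inputs are all invented for the example.

```python
import sqlite3

# Constructed sample data: a tiny "transfers" table standing in for a web portal's backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, owner TEXT, filename TEXT)")
    conn.executemany(
        "INSERT INTO transfers (owner, filename) VALUES (?, ?)",
        [("alice", "q1-report.pdf"), ("bob", "payroll.csv"), ("carol", "design.zip")],
    )
    conn.commit()
    return conn

def find_transfers_unsafe(conn, owner):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    # input can change the query's structure instead of only supplying a value.
    query = "SELECT filename FROM transfers WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def find_transfers_safe(conn, owner):
    # Hardened form: the placeholder is bound by the driver, so the input is
    # always treated as a string value and never parsed as SQL.
    query = "SELECT filename FROM transfers WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (owner,))]

def demo():
    # Constructed inputs: a normal owner name and one that is valid SQL once concatenated.
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"
    return {
        "unsafe_normal": find_transfers_unsafe(conn, normal),
        "unsafe_hostile": find_transfers_unsafe(conn, hostile),
        "safe_normal": find_transfers_safe(conn, normal),
        "safe_hostile": find_transfers_safe(conn, hostile),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The concatenating version returns every row for the hostile input because the quote character ends the string literal early; the parameterized version returns nothing, because no owner is literally named `x' OR '1'='1`. The same fix applies whatever the database driver: bind values, never build SQL text from request data.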
Attention developers of solutions using the open-source Vanna.ai library for simplifying SQL database queries: Researchers have discovered a vulnerability that has to be addressed. According to JFrog, Vanna.ai helps generate SQL queries using large language models. The problem is Vanna.ai is open to an integrated prompt injection attack. The code maintainer has added a hardening guide for developers to prevent similar attacks.
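When a language model writes the SQL, the query text itself is untrusted, so parameter binding alone does not help. The added example below (my own illustration, not Vanna.ai's code and not taken from its hardening guide) shows one defensive layering for that situation: a cheap syntactic pre-check that only a single SELECT-style statement is accepted, backed by an SQLite authorizer callback that refuses every action except reading, so a statement that slips past the text check still cannot modify or drop anything. It assumes an SQLite backend; the `orders` table and the candidate queries are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a small table an LLM-backed assistant might be asked about.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders (customer, total) VALUES (?, ?)",
        [("alice", 120.0), ("bob", 80.5), ("alice", 30.0)],
    )
    conn.commit()
    return conn

# Actions the database is allowed to perform on behalf of generated SQL:
# selecting, reading columns, and calling built-in functions (SUM, COUNT, ...).
_ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    # Called by SQLite while compiling each statement; denying an action makes
    # execute() raise instead of running the statement.
    return sqlite3.SQLITE_OK if action in _ALLOWED_ACTIONS else sqlite3.SQLITE_DENY

def install_read_only_guard(conn):
    conn.set_authorizer(_authorizer)

def looks_like_single_select(sql):
    # Heuristic first gate: exactly one statement, starting with SELECT or WITH.
    # Deliberately simple; the authorizer is the layer that actually enforces policy.
    body = sql.strip().rstrip(";").strip()
    if ";" in body:
        return False
    return re.match(r"^(select|with)\b", body, re.IGNORECASE) is not None

def run_generated_sql(conn, sql):
    """Run model-generated SQL behind both gates. Returns (ok, rows_or_reason)."""
    if not looks_like_single_select(sql):
        return False, "rejected by pre-check: not a single SELECT statement"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return False, f"rejected by database authorizer: {exc}"
    return True, rows

if __name__ == "__main__":
    db = make_db()
    install_read_only_guard(db)
    for candidate in (
        "SELECT customer, SUM(total) FROM orders GROUP BY customer ORDER BY customer",
        "SELECT 1; DROP TABLE orders",
        "WITH c AS (SELECT 1) DELETE FROM orders",
    ):
        print(candidate, "->", run_generated_sql(db, candidate))
```

The third candidate is the interesting one: it begins with `WITH`, so the text check passes, but SQLite reports a delete action to the authorizer and the statement is refused before it runs. That is the argument for enforcing read-only at the database layer (an authorizer, a read-only connection or a least-privilege database role) rather than trusting any filter on the generated text.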
Attribution of a cyberattack is the last thing on the minds of IT and security leaders when their organization has been hit. Recovering from the damage is job one. Attribution comes later and often has to be left to others. Researchers at SentinelLabs and Recorded Future said this week they looked at a bunch of ransomware attacks between 2021 and 2023. They suspect a Chinese group dubbed ChamelGang is behind government and critical infrastructure compromises in India and Brazil. The report says the research highlights the strategic use of ransomware by cyberespionage actors for financial gain, disruption, or as a tactic for distraction or mis-attribution. It’s interesting reading.
Designed Receivable Solutions, a California debt collection agency for healthcare providers, has increased the number of victims it calculated from a January data breach. The original estimate given to Maine’s attorney general’s office was just over 498,000 people. It now says the number is over 585,000 people.
Luxury retailer Neiman Marcus Group is notifying over 64,000 people of a data theft. The data was held on a data platform used by the company and included names, dates of birth, contact information and Neiman Marcus or Bergdorf Goodman gift card numbers.
The Ambulatory Surgery Centre of Westchester, N.Y. is notifying over 21,000 people their personal information may have been copied after an employee’s email account was hacked. The incident happened last fall. Data stolen could have included names, Social Security numbers, drivers’ licence or state identification numbers, dates of birth and medical information.
That’s it for now. But late tonight the Week in Review will be released for weekend reading. My guest this week is Terry Cutler of Cyology Labs. We’ll talk about the latest MOVEit vulnerability, a report on recruiting cybersecurity pros and how an API coding error is being blamed for a large cyber breach in Australia.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.