Malware found in the NuGet repository, a warning to lock down web applications and more.
Welcome to Cyber Security Today. It’s Friday, March 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
I’ve reported on malicious open-source packages found in the NPM and PyPI repositories. A new report says they can also be found in Microsoft’s NuGet repository, which is used by developers creating .NET apps. Researchers at JFrog Security found bad packages with names similar to those of legitimate packages that developers look for on the NuGet site. It’s a tactic called typosquatting. These packages had a PowerShell script that would trigger the download of a second-stage piece of malware. Developers who take code from any source need to ensure it’s tested and safe.
Another warning has gone out to developers to keep their applications locked down. This comes after the discovery by researchers at Sucuri that the Authorize.net payment gateway used by an online company had been compromised to skim the credit card data of customers. Authorize.net, a service of Visa, is used to process payment cards online. The injected code copies and encrypts data, then puts it in an image file for downloading. Sucuri warns that web applications have to be checked for modified files.
Do you use the Windows Snipping Tool for taking and editing screenshots? It has a serious vulnerability to worry about if what you’ve captured is personally identifiable information. The bug has been dubbed Acropalypse. Information in an image that a user attempts to cover up by drawing over it, like a face, a driver’s licence number or a car licence plate, can be exposed even after the altered image has been saved. A similar bug was found last week in Google Pixel devices. At the time this podcast was recorded, Microsoft reportedly had fixed the bug in the Windows 11 version of the Snipping Tool, but not in Windows 10. To open this tool, hold down the Windows logo key, Shift and the letter “S”.
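The reason edited images leak is that the affected tools wrote the smaller edited image over the original file without truncating it, so the original’s bytes remain after the PNG IEND chunk. The script below is an added example, not from the podcast or from Microsoft or Google: it walks a PNG’s chunk list and reports how many bytes follow IEND, which is the tell-tale sign of an affected file; the sample images it builds are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes that follow the IEND chunk.

    A well-formed PNG ends right after IEND. Leftover bytes mean the file
    was overwritten in place without truncation and may still contain the
    original, uncropped image. Raises ValueError for non-PNG input.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk found")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG with varied pixel values (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = [b"\x00" + bytes((x * 31 + y * 17) & 0xFF for x in range(width)) for y in range(height)]
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def simulate_in_place_overwrite(new: bytes, old: bytes) -> bytes:
    """Mimic the faulty save: write the new file over the old one without truncating."""
    return new + old[len(new):]


if __name__ == "__main__":
    clean = make_png(4, 4)
    affected = simulate_in_place_overwrite(clean, make_png(16, 16))
    print("clean PNG, bytes after IEND:", png_trailing_bytes(clean))
    print("overwritten PNG, bytes after IEND:", png_trailing_bytes(affected))
```

A non-zero result on a screenshot you have already shared means the original pixels may still be recoverable by anyone who has the file.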
Is your organization thinking of using an AI tool to create videos or voice clones? The U.S. Federal Trade Commission issued a reminder this week that American federal law prohibits not only using a deceptive tool, but making one as well. Take all reasonable precautions before a product hits the market to prevent it from being misused.
OpenAI, the developer of ChatGPT, has moved quickly to close a bug in the chatbot. Bloomberg news reported that some users found they could see in their chat history the titles of other people’s conversations. The conversations themselves weren’t visible, but the problem was serious enough that access to the app was temporarily closed. In a tweet OpenAI CEO Sam Altman said the problem was “in an open-source library.”
Finally, Cisco Systems this week published its semi-annual security updates for products using its IOS and IOS XE operating systems. The latest releases fix 10 vulnerabilities.
That’s it for now. But later today the Week in Review will be available. Guest commentator Terry Cutler of Montreal’s Cyology Labs will join me to discuss penetration tests, cyber expertise in the boardroom and more.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.