September 24, 2025 8 mins

Cybersecurity Today: GitHub's NPM Lockdown, Deep Fake Threats, and Yellowknife's Cyber Incident

In this episode of 'Cybersecurity Today', host Jim Love discusses GitHub's response to widespread supply chain attacks in the NPM ecosystem, the alarming rise of deep fake attacks as highlighted by Gartner, and the remarkable handling of a cyber incident by the city of Yellowknife. Tune in for the latest updates on cybersecurity threats, expert analysis, and the steps organizations are taking to combat these sophisticated attacks. Plus, discover Jim's sci-fi romance adventure audiobook 'Elisa: A Tale of Quantum Kisses' now available on major platforms.

00:00 Introduction and Sponsor Message
00:55 GitHub's Response to NPM Supply Chain Attacks
03:19 Gartner's Warning on Deep Fake and AI Attacks
06:03 Yellowknife's Cyber Incident and Response
08:20 Conclusion and Final Thoughts


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
Cybersecurity Today is brought to you this week by Elisa, a Tale of Quantum Kisses.
It's a sci-fi romance adventure set in the very near future, and this week it launched the audiobook narrated by yours truly.
Find it on Amazon, Audible, Kobo, and more. Just search for

(00:24):
or Google ELISA, E-L-I-S-A.
That's Elisa and Jim Love.
You'll find it.
CISA issues an alert as GitHub locks down NPM after widespread supply chain attacks.
Gartner sounds the alarm on deepfake attacks, and Yellowknife

(00:44):
contains a cyber incident with fast action and wonderful transparency.
This is Cybersecurity Today.
I'm your host, Jim Love.
The US Cybersecurity and Infrastructure Security Agency, or CISA, has issued an alert warning of a widespread compromise in the Node Package Manager, or NPM, ecosystem,

(01:09):
the world's largest software registry.
At the center is a self-replicating worm known as Shai-Hulud that has already infected more than 500 JavaScript packages.
We covered this last week, but the threat continues.
The worm spreads by stealing NPM access tokens during installs, and

(01:33):
then publishing itself into other packages from that same developer.
That makes it a huge supply chain problem.
And once a developer's environment is touched, the infection can ripple out into anything they publish.
Attackers have gone after prolific developers directly, using social engineering to seize control of their packages.

(01:57):
In response, GitHub, which owns NPM, has announced three major changes: two-factor authentication will be mandatory for publishing, long-lived tokens are being killed off in favor of short-lived granular credentials, and trusted publishing will be rolled out, eliminating the need

(02:18):
to store tokens in build pipelines.
In addition, legacy tokens are being deprecated and stronger hardware-based 2FA will be required.
GitHub has acknowledged the impact on developer workflows, saying, "We recognize that some of the security changes we are making may require updates to your workflows.

(02:40):
We're going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of NPM."
Security experts say this raises the bar, but it's not a silver bullet. As Black Duck's Mike McGuire put it, the real solution requires deeper supply chain checks

(03:01):
across the software development lifecycle.
What's clear is that package registries have become critical attack vectors.
CISA's intervention highlights that this isn't just a developer issue; it's a national infrastructure concern.
A new study from Gartner shows that generative AI attacks are on the increase.

(03:25):
Over the past year, 32% of organizations reported attacks against their Gen AI application infrastructure.
And 62% said they've suffered deepfake incidents tied to social engineering or automation.
The most common were deepfake audio calls, hitting 44% of companies,

(03:47):
with video close behind at 36%.
These fakes aren't humorous or embarrassing.
They're used to impersonate executives and others to take real action like rerouting payments or launching other fraudulent activities.
They may not fool someone's spouse or closest friend, but they can and

(04:10):
do fool coworkers and subordinates.
And attackers often pair them with classic social engineering.
Things like playing a convincing clip, claiming you have connection issues, then switching to text to keep the target off guard and push the scam forward.
And these aren't just videos, they're interactive, real-time fakes.

(04:35):
Researchers have documented live fake techniques being used to pose as remote gig workers, a tactic often linked to North Korean operatives who mask their identities, land jobs, and gain access to systems.
I watched one of these real-time live fakes demonstrated in a forum I visit.
They are astonishingly good.

(04:58):
And then there's attacks on AI systems, mostly prompt injection, where malicious instructions are hidden inside inputs to trick AI models.
Nearly a third of respondents say they've seen this in action.
And this is not just theory.
Researchers have also uncovered MalTerminal, an early strain of

(05:18):
malware embedding GPT-4 in it.
MalTerminal could dynamically generate ransomware or reverse shells, while other campaigns used hidden HTML prompts in phishing emails to bypass AI filters.
In one case, these hidden HTML prompts allowed a PDF file to get past all

(05:40):
the defenses carrying a payload.
Gartner's advice is blunt.
Don't wait for a perfect solution.
Strengthen your core security, add targeted defenses for AI risks, and train your people to be aware, to detect and respond before an attack can take hold.

(06:03):
Last week we reported on a cyber attack on the city of Yellowknife, and the city now says its cybersecurity incident is over.
Services like debit and credit payments at recreation centers and library computers are back online.
Only a few tools, like the City Explorer map and something they call Click and Fix YK,

(06:24):
I gotta find out what that is, remain offline.
Now what's striking isn't just that the city recovered quickly, but how it did it.
We often talk about cybersecurity as the perfect storm, and sometimes there's almost, if not perfect, near-perfect teamwork.

(06:44):
It started with somebody in Yellowknife on the IT team who noticed something was off in the middle of the night.
They raised the alarm and the team sprang into action.
They took down systems on the network to contain the intrusion, and they reached out to experts for additional help.
That early response appears to have contained the attack before it

(07:09):
could escalate into something worse.
Equally notable has been Yellowknife's openness through this whole thing.
While they're struggling with the attack, officials have kept local media and residents updated and are now saying clearly that they found no evidence of personal data being stolen.

(07:29):
But they do promise to notify people directly if that changes.
Are they perfect?
Nah, probably not, but they've done a hell of a good job.
And you know something, I think they're gonna be the biggest critics looking at what they can do better.
In this world, we can't celebrate, at least not for too long.

(07:50):
We're all targets, but for a relatively small municipality of about 20,000 people in Canada's Northwest Territories (to those who were listening and caught me last time, I got it right this time),

(08:13):
they not only contained an incident quickly, but they also showed a level of transparency that we could all learn from.
And even if it's just temporary, sometimes the good guys win.
Thumbs up, guys.
And that's our show for today.
If you do get a copy of my book, Elisa, and you like it, please leave a review.
I'm not trying to make a fortune.
I just wanna reach as many people as I can with a book

(08:35):
that I struggled with and love.
And speaking of reaching, you can reach me with tips, comments, and even constructive criticism, and sometimes a geography lesson.
I'm your host, Jim Love.
Thanks for listening.
