Google launches GUAC
Back in October, Google announced a new open source initiative called Graph for Understanding Artifact Composition, or GUAC, in an effort to strengthen the software supply chain. The company now announced it launched GUAC v0.1. This serves to aggregate software security metadata, mapping it to a standard vocabulary and accessible through a GraphQL interface, as well as an API to develop on and integrate into security tools. The company hopes this will help the software development community in evaluating its security posture with a more holistic view. Google worked with Kusari, Purdue University, Citi, and community members to develop this initial version.
Barracuda gateways breached by zero-day
Barracuda issued a warning to customers that threat actors used a zero-day vulnerability to breach some Email Security Gateway appliances. The firm discovered a flaw in its email attachment scanning module on May 19th. It issued patches over the following two days. The company said it contacted breached customers directly about the issue. The breaches only impacted ESG appliances and did not impact corporate networks of customers or Barracuda’s other services.
Cyberattacks focus on Kenya’s Chinese debt
An investigation by Reuters, using several sources, its own technical analysis, and cybersecurity research reports, found that Chinese threat actors began targeting organizations in Kenya since at least 2019. Several sources say these attackers involved attempts to gain information on debt information Kenya owed to China. The attacks targeted eight ministries and government departments, including the president’s office. The Chinese embassy denied the attacks, while Kenya’s presidential office said it sees “frequent infiltration attempts from Chinese, American and European actors.
Intel proposes new microarchitecture
The x86 architecture offers a lot of benefits. One of the major ones is back compatibility with an almost inexhaustible amount of software. But keeping legacy support on these chips often opens them up to security vulnerabilities. With that in mind, Intel released a white paper outlining a new microarchitecture for its chips, called x86S. It eliminates 16-bit and 32-bit legacy support. Currently x86 chips support 16-bit, 32-bit and 64-bit operations.
While 32-bit software remains common, Intel points to virtualization filling the game with legacy support. A microarchitecture without legacy support definitely narrows the attack surface on these chips. It also leaves more room on the die for other features, improves power efficiency, speeds up boot times. Keep in mind this comes from a white paper, an actual product seems a long way off.
And now a word from our sponsor, Sonrai Security
Google opens Android app bug bounty
The search giant is no stranger to bug bounties. Since 2010 its offered one for its web apps, and last year it opened one specifically for its open-source security initiatives. This week it launched a bug bounty for its first-party Android apps called the Mobile Vulnerability Rewards Program. This includes apps from Google, Fitbit, Nest, Waymo, and Waze. Rewards range fro $750 up to $30,000 for a remote code execution bug that requires no user interaction.
I have no mouth and I must captcha
Like many services, Discord uses captcha challenges to verify humans logging on to its service. The company uses the service hCaptcha from Intuition Machines for the verification. Users report these challenges sometimes ask users to identify objects that don’t existing. One example asked a user to select a “yoko,” presenting a grid of clearly AI-generated objects. Other challenges ask for real objects, but present a slew of artificially generated images that don’t allow for verification. hCaptcha said some of the highlighted challenges were part of a small test. The company uses these captchas to help train machine learning systems and generative adversarial networks.
TikTok makes progress on Project Texas
This project marks TikTok’s attempt to ease US concerns about it sharing user data with China. This would see US user data stored domestically and overseen by the TikTok US Data Security Committee. In an update on this project, TikTok CEO Shou Zi Chew announced that Oracle began reviewing TikTok’s source code. Chew also said TikTok is “on track” to have all US user data hosted in the US. Oracle data centers are now the default destination for US user data, eventually the company will migrate existing US data there from its Singapore-based servers.
Microsoft Surface cameras stop working
The Verge confirmed user reports spotted on Reddit and Microsoft support forums that Microsoft’s Surface Pro X tablet suddenly cannot open camera apps. Attempting to do so results in a MediaCaptureFailedEvent, and reinstalling drivers does not fix it. Users report rolling back the date to May 22nd resolves the issue. This indicates an expired security certificate causing the issue. Since changing the date can cause issues with websites and services, particularly with authentication, this should only serve as a temporary fix. No word from Microsoft on the issue.