It’s Friday! If you need some help with that Father’s Day card, why not try a lil generative AI and see if he notices?
In today’s edition:
Better sat down
Clippy’s revenge
BEC and forth
—Tom McKay, Billy Hurley, Patrick Lucas Austin
Francis Scialabba
Here’s something hackers don’t get every day: an open invite to crack a military satellite.
On June 5, the Aerospace Corporation, Space Systems Command, and the Air Force launched Moonlighter, a roughly 11-pound CubeSat, into low Earth orbit on board a SpaceX rocket. Moonlighter’s mission, the Register reported, is simple: taking offensive and defensive cyber exercises for space systems into the actual environment those systems will be based in. At DEF CON 2023 in August, five teams of hackers will compete for a grand total of $100,000 in prize money to breach Moonlighter’s defenses.
Cyberdefense for space assets is notoriously underdeveloped, if only because they haven’t historically been targets for hackers. That changed in 2022, when hackers working for the Russian military targeted Viasat’s KA-SAT network amid Russia’s invasion of Ukraine. While the attack was aimed at ground assets rather than the satellites themselves, the incident served as a wake-up call for the space sector.
While Moonlighter is an actual satellite, the hackers will be targeting a simulated flight computer hosted in an onboard sandbox alongside the real one. That’s because screwing with any of the satellite’s actual control systems could lead to catastrophe for Moonlighter.
“If you’re doing a hacking competition, or any sort of cyber activity or exercise with a live vehicle, it’s difficult because you’re potentially putting that vehicle’s mission at risk,” Aaron Myrick, the project leader at Aerospace Corporation, told the Register. “And that’s not a good option when you’ve spent a lot of engineering hours and a lot of money to get this launched. So we said if we want to do this right, we have to build this from the ground up.”
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
Microsoft is charging some of its largest customers up to 40% more to test AI features in its Office 365 productivity suite, although it’s still unclear whether those features, or price jacks, are coming to all its business clients.
The Information reported that more than 600 large Office 365 customers are “expected to test” the AI-powered Copilot features, while 100 or more are already paying flat fees of $100,000 per year for up to 1,000 users, citing a “person with direct knowledge of the pilot program.” According to The Information, that’s a 40% price premium over the classic version.
The Information couldn’t determine whether all participants in the trial are paying the same fees or how much it costs the tech giant to run AI server farms to power them, but at $100k a pop, a test involving 600 customers would generate $60 million in revenue. As the site noted, Microsoft has not made any hard revenue projections for AI-assisted office software. (Its rollout of early AI features in Bing is another story; Microsoft estimated it would pocket $2 billion for each 1% of search share it gains.)
“Microsoft is not disclosing the cost or terms of the Microsoft 365 Copilot Early Access Program externally,” Microsoft spokesperson Hanna Williams told IT Brew via email.
Read more here.—TM
Even age-old enterprise security threats get an update—like iPhones, the Fast and Furious films, and podcast files labeled “V2_final_FINAL.”
Business email compromise (BEC), or defrauding a company via its inbox, has reached “3.0” status, according to Jeremy Fuchs, a researcher at the email-security company Avanan.
Some of today’s BEC phishing scams dodge filtering systems because they’re coming from legitimate email addresses—meaning a lot of the defenses will rely on employees being properly cautious and skeptical.
“I think what makes this challenging is that there’s so many services that these attacks can be launched from,” Fuchs told IT Brew. “It’s literally any site that you can send something from, which is pretty much any site on the internet.”
How it works:
- BEC 3.0 uses a site’s legitimate services—say, PayPal—to share a file. A hacker creates an account and an invoice, maybe with a phone number to fire up some over-the-phone fraud. “The phone number is where the scam actually starts,” Fuchs said.
- Another example, found and shared by Avanan in March, used the comments featured in Google Workspace to send malicious redirects.
While typical advice for business email compromise includes watching out for spoofed email domains, a 3.0 tactic uses familiar, legitimate, not-spoofed domains.
“They’re literally accounts that have been open, from things that you would have,” said Phil Quitugua, a director at tech advisory ISG, citing subscriptions or common invoice services.
Keep reading here.—BH
Today’s top IT reads.
Stat: 92%. That’s the percentage of US-based developers who have used AI coding tools, according to a survey released this week. (GitHub)
Quote: “Will AI take over the world? No, this is a projection of human nature on machines.”—Yann LeCun, professor and chief AI scientist at Meta, on the future of AI (BBC)
Read: Why European leaders want to shore up cybersecurity at power companies. (Reuters)