Sneak attack
To: Brew Readers
IT Brew // Morning Brew // Update
Gumming up the works.
April 30, 2024

It’s Tuesday! Don’t wait until the end of the week to renew your domain registrations.

In today’s edition:

Wooden shoes

GovGPT

Batter up!

—Tom McKay, Amanda Florian, Eoin Higgins, Patrick Lucas Austin

SOFTWARE

Suspicious packages

Open-source foundations have warned that an elaborate, multiyear effort to sneak a backdoor into Linux’s xz data compression library may be the tip of the iceberg.

The Linux world narrowly avoided a potentially catastrophic security situation in late March, when developer Andres Freund discovered that a Linux contributor had snuck obfuscated code into two versions of xz Utils, a compression utility. The manipulated versions were designed to inject malicious functions into Secure Shell (SSH) protocol operations.

A programmer using the name Jia Tan, who had made their first open-source contributions in 2021, joined the xz Utils project in 2023, courtesy of community discussions that, in retrospect, appear to have been a social engineering pressure campaign. In February 2023, Tan committed malicious code deep in binary test files, which then made its way into development versions of some Linux distributions. Tan also advocated merging the changes into production versions of Ubuntu, Red Hat, and Debian, which would have compromised huge swathes of the Linux ecosystem.

Read more here.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.

   

IT STRATEGY

Systems secured

The NSA has rolled out a Cybersecurity Information Sheet (CSI), advising organizations on the best ways to deploy “secure and resilient AI systems.” Companies should ensure they’re implementing “sound security principles” in an organization’s IT environment and its AI systems, which means “robust governance, a well-designed architecture, and secure configurations.”

The guide recommends professionals encrypt sensitive data related to AI, such as “AI model weights, outputs, and logs,” while storing the encryption keys “in a hardware security module (HSM) for later on-demand decryption.”

“I would say that I think that AI doesn’t necessarily create net new problems or challenges. What it does is it amplifies and accelerates challenges that are already there,” Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint—a software company that provides SaaS and offers data management—told IT Brew.

Read more here.—AF

IT OPERATIONS

Pitch perfected

“It’s only a matter of time before an attacker attaches an explosive payload to a drone and drops it in the stands,” Red Sox VP of Technology Operations and Information Security Randy George said. “And I’m really frankly surprised it hasn’t happened at a major sporting venue yet.”

George’s comments came during an April 17 presentation when the team and intelligence security firm Centripetal officially announced their partnership. IT Brew reported on the deal in March, noting that the Red Sox need protection from threats against any number of activities, including e-commerce, ticketing, and private data.

“Enterprises are in that position where they’re at this fork in the road; the status quo isn’t going to work,” Centripetal COO Jonathan Rogers told the crowd at the event.

Team sport. Added help is essential. IT Brew reported in August 2023 about cloud security provider HYCU’s partnership with the Boston baseball team to protect its data. Simon Taylor, founder and CEO of HYCU, told IT Brew at the time that the sport lends itself to high amounts of data that need to be secured.

Keep reading here.—EH

PATCH NOTES

Today’s top IT reads.

Stat: 92 kilobytes of RAM. That’s the amount of memory Microsoft’s infamous MS-DOS 4.0 operating system—recently dusted off and posted to GitHub under an open-source license—used in 1988. (ZDNet)

Quote: “Our optimism and ambitions have just grown quite a bit.”—Meta CEO Mark Zuckerberg, justifying billions in AI-related capital expenditures to investors during an earnings call (the New York Times)

Read: Zilog has finally ceased selling the 48-year-old Z80 CPU, which has long been used as an embedded controller in countless electronic devices. (The Register)

Copyright © 2024 Morning Brew. All rights reserved.
22 W 19th St, 4th Floor, New York, NY 10011
