Plus: A Microsoft cloud leak exposed potential customers, new IoT security labels come to the US, and details emerge about Trump’s document stash.

As Russia’s war in Ukraine drags on, Ukrainian forces have proved resilient and mounted increasingly intense counterattacks on Kremlin forces. But as the conflict evolves, it is entering an ominous phase of drone warfare. Russia has begun launching a series of recent attacks using Iranian “suicide drones” to inflict damage that is difficult to defend against. With Russian president Vladimir Putin escalating his rhetoric about the potential for a nuclear strike, and NATO officials watching closely for any signs of movement, we examine what indicators are available to the global community in assessing whether Russia is actually preparing to use nuclear weapons.

Meanwhile, an unrelenting string of deeply problematic vulnerabilities in Microsoft's Exchange Server on-premises email hosting service has left researchers to raise the alarm that the platform isn't getting the development resources it needs anymore, and customers should seriously consider migrating to cloud email hosting. And new research examines how Wikipedia's custodians ferret out state-sponsored disinformation campaigns in the crowdsourced encyclopedia's entries.

If you're worried about the ongoing threat of ransomware attacks around the world, researchers pointed out this week that middle-of-the-pack groups like the notorious gang Vice Society are maximizing profits and minimizing their exposure by investing very little in technical innovation. Instead, they simply run the most sparse and unremarkable operations they can to target under-funded sectors like health care and education. If you're looking to do something for your personal security, we've got a guide to ditching passwords and setting up “passkeys” on Android and Google Chrome.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in the United States have long warned of a potential national security threat because the wildly popular social video platform TikTok is owned by a Chinese company, ByteDance. But TikTok has always maintained that it is firewalled between ByteDance and its US userbase. But materials seen by _Forbes_ indicate that an internal ByteDance review board, the “Internal Audit and Risk Control department,” planned to direct TikTok to track the location of some specific US users. The group typically focuses on internal, employee issues, but the US-based individuals were reportedly not affiliated with TikTok or ByteDance. “In at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a US citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected,” _Forbes_ wrote.

Microsoft said this week that a misconfiguration exposed the data of some prospective customers of its cloud services. Researchers from the threat intelligence firm SOCRadar disclosed the leak to Microsoft on September 24, and the company quickly closed the exposure. SOCRadar said in a report that the exposed information stretched back to as far as 2017 and up to August of this year. The researchers linked the data to more than 65,000 organizations from 111 countries. Microsoft said the exposed details included names, company names, phone numbers, email addresses, email content, and files sent between potential customers and Microsoft or one of its authorized partners. Cloud misconfigurations are a longstanding security risk that have led to countless exposures and, sometimes, breaches.

There are no easy answers to improve the longstanding security dumpster fire created by cheap, undefended internet of things devices in homes and businesses around the world. But after years of problems, countries like Singapore and Germany have found that adding security labels to internet-connected video cameras, printers, toothbrushes, and more. The labels give consumers a better understanding of the protections built into different devices—and give manufacturers an incentive to improve their practices and get a gold seal. This week, the United States took a step in this direction. The White House announced plans for a labeling scheme that would be a sort of EnergyStar for IoT digital security. The administration held a summit with industry organizations and companies this week to discuss standards and guidelines for the labels. “A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards, and retailers to market secure devices,” National Security Council spokesperson Adrienne Watson said in a statement.

Sources told _The Washington Post_ this week that sensitive information related to Iran‘s nuclear program and the United States’ own intelligence operations in China were included in documents seized by the FBI this summer at former President Trump‘s Mar-a-Lago estate in Florida. “Unauthorized disclosures of specific information in the documents would pose multiple risks, experts say. People aiding US intelligence efforts could be endangered, and collection methods could be compromised,” the _Post_ wrote. The information could also potentially motivate retaliation by other countries against the US.

TikTok’s Security Threat Comes Into Focus

Ubuntu Security Notice 5695-1 - It was discovered that the SUNRPC RDMA protocol implementation in the Linux kernel did not properly calculate the header size of a RPC message payload. A local attacker could use this to expose sensitive information. Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation in the Linux kernel did not provide sufficient randomization when calculating port offsets. An attacker could possibly use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5695-1October 21, 2022linux-gcp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systemsDetails:It was discovered that the SUNRPC RDMA protocol implementation in the Linuxkernel did not properly calculate the header size of a RPC message payload.A local attacker could use this to expose sensitive information (kernelmemory). (CVE-2022-0812)Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementationin the Linux kernel did not provide sufficient randomization whencalculating port offsets. An attacker could possibly use this to exposesensitive information. (CVE-2022-1012, CVE-2022-32296)Duoming Zhou discovered that race conditions existed in the timer handlingimplementation of the Linux kernel's Rose X.25 protocol layer, resulting inuse-after-free vulnerabilities. A local attacker could use this to cause adenial of service (system crash). (CVE-2022-2318)Roger Pau Monné discovered that the Xen virtual block driver in the Linuxkernel did not properly initialize memory pages to be used for sharedcommunication with the backend. A local attacker could use this to exposesensitive information (guest kernel memory). (CVE-2022-26365)Roger Pau Monné discovered that the Xen paravirtualization frontend in theLinux kernel did not properly initialize memory pages to be used for sharedcommunication with the backend. A local attacker could use this to exposesensitive information (guest kernel memory). (CVE-2022-33740)It was discovered that the Xen paravirtualization frontend in the Linuxkernel incorrectly shared unrelated data when communicating with certainbackends. A local attacker could use this to cause a denial of service(guest crash) or expose sensitive information (guest kernel memory).(CVE-2022-33741, CVE-2022-33742)Oleksandr Tyshchenko discovered that the Xen paravirtualization platform inthe Linux kernel on ARM platforms contained a race condition in certainsituations. An attacker in a guest VM could use this to cause a denial ofservice in the host OS. (CVE-2022-33744)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   linux-image-4.15.0-1137-gcp     4.15.0-1137.153~16.04.1   linux-image-gcp                 4.15.0.1137.131   linux-image-gke                 4.15.0.1137.131After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5695-1   CVE-2022-0812, CVE-2022-1012, CVE-2022-2318, CVE-2022-26365,   CVE-2022-32296, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742,   CVE-2022-33744

Ubuntu Security Notice USN-5695-1

Software makers and customers will be able to query graph database for information about the security and provenance of components in applications and codebases.

A new open source initiative Google announced this week could move the needle forward on industrywide efforts to address software supply chain security issues.

The project is called GUAC, or Graph for Understanding Artifact Composition. Once available, GUAC will give developers, security teams, auditors, and other enterprise stakeholders a central source for information about the security, provenance, and overall trustworthiness of the individual components in their applications and codebases.

GUAC will collect and synthesize all the information needed for such analysis — such as software bill of materials, known vulnerability information and signed attestations on how a particular software might have been built — from multiple sources. Users will be able to query GUAC for information on the most-used critical components in their software, associated dependencies and any potential weaknesses, and vulnerabilities in them. 

According to Google, GUAC will also let software and security teams determine if an application they are about to deploy meets organizational polices, and if all binaries in production can be tracked back to a secure repository.

**Multiple Use Cases**

In addition to being useful from a proactive security and operational security standpoint, GUAC will also help organizations respond more effectively to identified threats, Google said. For instance, when a new vulnerability is disclosed, organizations will be able to use GUAC to determine which parts of their software inventory might be affected. Similarly, if an open source component has been deprecated, GUAC can help development and security teams quickly assess the impact on their environment.

Brandon Lum, senior software engineer on Google's Open Source Security team, says organizations will be able to deploy GUAC internally or use it as an external source for vetting their software metadata. 

"GUAC will pull from a variety of sources, including GitHub, Sigstore, and open source package managers," Lum says. "If run in an organization, GUAC can be configured to pull from internal sources and will be able to include organization or vendor specific assertions or certifications."

Many of these are capabilities that mainly large organizations have begun implementing in response to growing concerns over vulnerabilities and risks in the software supply chain. Attacks on companies like SolarWinds and Codecov showed how threat actors could compromise organizations on a mass scale by planting malware in software updates from trusted vendors. 

More recently, threat actors have begun planting malicious code in widely used public code repositories with the goal of tricking development teams and automated build tools to download the malware into their organizations.

**Heightened Concern**

The trend is driving organizations to pay closer attention to the security of their software components. It is heightening focus on practices such as generating or requiring a software bill of materials (SBOM) for their software and to using security frameworks such as Supply chain Levels for Software Artifacts (SLSA) to protect against tampering and vulnerable components. An executive order signed by President Biden in May 2021 explicitly requires all federal civilian executive branch agencies to maintain SBOMs for software they develop internally and requires them for any software they procure from an outside vendor or contractor.

Much of the information required for organizations to vet their software supply chain already exists in various forms. GUAC will bring all the data together in a standard form and democratize its availability, according to Google. 

Anyone will be able to use GUAC, Lum says. "GUAC is designed to run \[both\] as a public service or internally in an organization," he says. "For example, an organization can run GUAC internally for their proprietary software and query a public instance for vendor or open source software."

Nigel Houghton, director of marketplace and ecosystem development at ThreatQuotient, says there are several processes and tools associated with software supply chain security, such as those for generating SBOMs or for checksums and signatures that can be used to validate a particular piece of software. 

"There are many such sources of information but no real way to consolidate that information into one place," Houghton says. "\[GUAC\] is an attempt to do that and is desperately needed in the industry."

Houghton sees GUAC as benefiting both consumers and producers of software by enabling greater visibility into the security of the software supply chain. 

"It gives vendors the chance to show the security of their software supply chain and also gives them the visibility into their own supply chain security that they can better manage it," he says. "But, ultimately, the consumer benefits the most as it means they can also validate the supply chain for the software they are purchasing or using."

**GUAC Prototype**

GUAC is a good start to solving a hard problem, says Scott Gerlach, co-founder and CSO at API security testing vendor StackHawk. The trick will be to get open source developers to participate in this kind of program. 

"What is their incentive?" Gerlach asks. "Most often, these are people who work on projects out of a passion for problem-solving and deep curiosity. Incentivizing OSS devs to participate will be the key to GUAC's success." 

That's a viewpoint that Houghton holds as well. "The biggest challenge here is going to be adoption by the software industry as a whole," he says. But since GUAC is a project that comes under the OpenSSF, it should have a good chance of adoption at least for Linux-based projects, he says.

Mike Parkin, senior technical engineer at Vulcan Cyber, sees other issues. "Consolidating and normalizing the vast amount of data they plan to ingest will be the first challenge," he says. The other is finding a way to visualize the data in a manner that's both useful and usable. 

"If they can accomplish that, then getting people to accept it and use it will be considerably easier," he says.

Google has developed a prototype version of GUAC in collaboration with researchers at software supply chain security start-up Kusari, Citi, and Purdue University. The company is currently seeking contributors to the effort.

Google's GUAC Aims to Democratize Software Supply Chain Security Metadata

At the Authenticate Conference, Google and Microsoft demonstrated their passkey prototypes. Apple, meanwhile, already launched its version in iOS 16.

Apple, Google, and Microsoft are in the early stages of delivering on their plan to provide passkeys based on the FIDO Alliance's new passwordless authentication standard. But eliminating passwords won't happen overnight.

The three leading device and platform providers in May collectively announced they would incorporate the new passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which consists of World Wide Web Consortium's (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance's Client-to-Authenticator Protocol (CTAP).

**Passkeys Start to Roll Out**

As expected, Apple became the first provider to provide passkeys with its iOS 16 release late last month, giving millions of iPhones and iPads the ability to use passkeys. Mac users will also be able to implement passkeys when Apple releases its newest operating system update, macOS Ventura, which is due to arrive this month. Last week Google released passkey betas for Android and Chrome.

Once a user sets up a passkey on one Apple device, it can synchronize with any other supported Apple client or service using iCloud Keychain. Also, when a user enrolls one device with a passkey, they can automatically enroll any other Apple device and service that supports them.

Google's passkey beta lets users create and use passkeys on their Android devices and securely sync them via Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always encrypted end to end.

"When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices," Birgisson noted. "This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign-in to its corresponding online account."

**Demonstrating the Future**

Google and Microsoft demonstrated their implementations of passkeys to hundreds of identity and security experts at this week's Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand demonstrated how to sign into an account with passkeys, which will appear in an Android update by December. Brand said anyone could sign up for the developer beta in the Google Play Services channel.

"The moment you sign up for this with a particular Google account, you will be able to get the latest updates on your device within a couple of minutes," Brand said. Passkeys for Chrome OS are on the road map for release next year, he added.

Brand and other identity and security experts at the conference emphasized that authenticating with passkeys is considerably more secure than passwords because they aren't vulnerable to phishing attacks or other compromises. Passkeys are also easier to use because they consist of cryptographic keys that can run on supported devices and cloud services.

Although Microsoft doesn't plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company's Authenticator app, according to senior program manager for identity Scott Bingham.

"Passkeys are multidevice, FIDO credentials that are a really compelling solution," Bingham said. "It can be synced through a platform cloud and available to use on all your devices when you sign into the same platform account." 

While Windows Hello provides biometric authentication for unlocking a PC's OS screen, it will also enable the new passkeys.

**Integrating Online Services and Apps**

For passkeys to take off, websites and enterprises that use usernames and passwords for authentication must add support for passkeys. Thousands of organizations worldwide have deployed or are deploying FIDO authentication, enabling them to support passkeys, according to FIDO Alliance executive director Andrew Shikiar, in his opening remarks at the conference.

Among them is PayPal, which last year hired a founding member of the FIDO Alliance, Marcio Mello, as head of product for the PayPal Identity Platform. Mello said PayPal plans to offer support for passkeys in the US for a limited number of customers.

Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that when using iCloud Keychain on a Mac with the updated OS, the passkey is available automatically. When using a device that doesn't yet support passkeys, if the user had already created one, they could access it by generating a QR code.

"This provides that amazing combination we've been waiting for, both convenience and security," Mello said. "Something that's absolutely required for us to be able to reach the large-scale consumer deployment that we'd be looking for worldwide."

While passwords remain the most common credentials for authentication, they are costly to organizations, according to the FIDO Alliance's Online Authentication Barometer, published this week. The study found that 59% of respondents give up accessing online accounts when they can't remember their password, and roughly 40% abandon purchases for the same reason. The survey also found that 39% are familiar with passkeys.

**Adoption Will Be Slow**

Throughout the conference, organized by the FIDO Alliance, there appeared to be widespread optimism among identity and security experts that the standardized cryptographic keys promise to pave the way to a future of passwordless authentication to devices, online services, and applications.

"Passkeys stand to take passwords out of play for hundreds of millions of consumers immediately," Shikiar said. How immediately passkeys replace passwords remains to be seen, but it will likely be years before they become mainstream, as some people signaled in their presentations.

The widespread adoption of passkeys is promising because users can reuse their credentials among different vendor ecosystems, says Gartner analyst Paul Rabinovich. Because passkeys registered on one device can complete authentication from another device, "we'll finally see wide adoption of software-based roaming authenticators" embedded as mobile apps or within operating systems, he says.

Passkey Demos Hint at What's Ahead for Passwordless Authentication

Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**OVERVIEW**

Pop-Up Chop Chop plugin brings unlimited pop-ups with easily customizable professional templates. Each template comes in **two sizes** (big and small). The pop-ups are **fully responsive** and work with any WordPress theme.

With Pop-Up Chop Chop 2.0 you can create **any number** of input fields and collect your visitors’ emails, names, phone numbers…

Pop-Up Chop Chop is a perfect solution to capture the audience’s attention in the right time and place to build your mailing list.

**CUSTOMIZATION**

Pop-Up Chop Chop allows you to build elegant and professional pop-ups in a couple of minutes. Create attractive content and the pop-ups matching your website’s design. Preview your changes live while editing the content in our custom visual editor. Decide when the visitors see your pop-up – set the time and display the pop-up exactly when and where you want to.

**Features:**

*   Unlimited pop-up number
*   Multiple input fields (drag & drop ordering)
*   Neat designs
*   6 elegant and professional pop-up templates
*   Two pop-up sizes (big and small)
*   Responsive pop-up themes
*   Retina-friendly
*   Quick and easy pop-up setup
*   User-friendly interface
*   Smooth and swift admin panel
*   Highly customizable content
*   Email notifications
*   Turn on/off the pop-ups on mobile devices

**Using The WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Search for ‘pop-up’
3.  Click ‘Install Now’
4.  Activate the plugin on the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**Uploading in WordPress Dashboard**

1.  Navigate to the ‘Add New’ in the plugins dashboard
2.  Navigate to the ‘Upload’ area
3.  Select pop-up from your computer
4.  Click ‘Install Now’
5.  Activate the plugin in the Plugin dashboard
6.  Go to PopUp in the left menu to manage the pop-ups

**Using FTP**

1.  Download ‘pop-up’
2.  Extract the ‘pop-up’ directory to your computer
3.  Upload the ‘pop-up’ directory to the ‘/wp-content/plugins/’ directory
4.  Activate the plugin in the Plugin dashboard
5.  Go to PopUp in the left menu to manage the pop-ups

**1\. How do I add custom fields to my pop-up?**

Follow the Custom Fields Manual to learn how to add new fields to your contact form.

**2\. Questions? Comments?**

Contact talk@chop-chop.org if you have any questions or wish to provide feedback.

Possibilité de relier à MailChimp en version Pro. Vraiment très simple à utiliser et paramétrer.

I went thru all free pop-up plugins out there and everyone of them was really bad - hard to configure, not responsive or just ugly. Pop-up CC is easy to setup and looks awesome. Premium version has more options, but free is still very good - you can use all the templates etc. I had and issue tho with plugin not sending notifications about new subscribers so wrote about it to the creators and they responded very fast, helping me fix it. It works as intended now. Thanks!

Great plugin design and functionality. I had some difficulty setting it up - based on a lack of developer knowledge, but their support team were fantastic and responded to my query within hours. They went above ad beyond to get me set up and now I'm on my way there's no looking back. Can't recommend highly enough - keep up the great work.

Good and quite simple to use. Poor documentation, you have to try to understand some option.

Read all 16 reviews

“Pop-Up Chop Chop” is open source software. The following people have contributed to this plugin.

Contributors

*    Chop Chop

**2.1.7**

WordPress 5.5.1 and PHP 7.4 compatibility  
FIX: Minor php and css errors

**2.1.6**

WordPress 5.4.2 compatibility  
FIX: Input error message

**2.1.5**

WordPress 5.4.1 compatibility  
PHP 7.4 compatibility

**2.1.3**

FIX: Admin responsive css  
UPDATE: Tested with 4.9.2

**2.0.9**

Change load time

**2.0.8**

Cleanup

**2.0.6**

ADD: close on overlay click

**2.0.5**

ADD: style select to wysywig editor

**2.0.4**

Delete: old live preview fields

**2.0.3**

ADD: missing files in wordpress repo

**2.0.2**

ADD: missing files in wordpress repo

**2.0.1**

UPDATE: add newsletter metabox file

**1.4.1**

FIX: wordpress help tabs

**1.4.0**

ADD: CMB upgrade

**1.3.5**

FIX: “disable on” list

**1.3.4**

FIX: Templates css

**1.3.3**

ADD: woocommerce products to “disable on” list

**1.3.2**

FIX: background image uploader

**1.3.0**

ADD: woocommerce pages to “disable on” list

**1.2.5**

FIX: Customize button

**1.2.4**

FIX: Templates css

**1.2.3**

FIX: Google fonts

**1.2.2**

ADD: Jquery Cookies new version

**1.2.1**

FIX: Templates css

**1.2.0**

FIX: Templates css

**1.1.6**

FIX: Templates css

**1.1.5**

ADD: Close timeout option  
FIX: Templates css

**1.1.4**

FIX: Templates css  
FIX: Wysiwyg editor

**1.1.3**

ADD: Field label

**1.1.2**

ADD: “Thank you” message edit option

**1.1.1**

ADD: intro/outro fade  
ADD: New thumbnails  
FIX: Newsletter section

**1.1.0**

FIX: Admin ajax  
ADD: Speed optimization

**1.0.9**

FIX: Templates css

**1.0.8**

ADD: Cookie option  
FIX: Templates css  
ADD: Admin panel enhancements

**1.0.7**

FIX: Templates css

**1.0.6**

FIX: Wysiwyg editor

**1.0.5**

ADD: Field label  
FIX: Button css

**1.0.4**

FIX: headers  
FIX: mobile templates

**1.0.3**

FIX: Templates css

**1.0.2**

FIX: Templates css  
ADD: “Show once per session” option  
ADD: Auto close the pop-up after the sign-up

**1.0.1**

Fix: newsletter signup form

**1.0.0**

First release

CVE-2022-41638: Pop-Up Chop Chop

Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Analytics Cat – Google Analytics is a lean, fast, simple, no-frills way to add your Google Analytics / Universal Google Analytics code to your WordPress site.

This bloat-free, simple Google Analytics WordPress plugin doesn’t add tons of features. Instead, Analytics Cat – Google Analytics simply focuses on letting you add your Google Analytics (Universal Analytics) Code to your site in less than 2 minutes, without slowing your site down.

**Which features does Analytics Cat – Google Analytics have?**

*   Add the Google Analytics (Universal Analytics) tracking code to your WordPress site with ease.
*   Hide your Google Analytics tracking code from logged-in users so you don’t pollute your data.

**How to use Analytics Cat – Google Analytics?**

There are multiple ways to add the Google Analytics tracking code to your WordPress site.

**1\. Pasting your Google Analytics script into your theme**  
This approach isn’t great for two reasons:  
a) If you edit your live site and make a mistake when pasting your Google Analytics script into your theme, you could take down your website.  
b) If your theme is updated with new features or security fixes, your Google Analytics code will be overwritten.

**2\. Pasting your Google Analytics script into a header/footer script plugin**  
This is a valid approach, but has some disadvantages. General purposes “header script plugins” aren’t built from the ground-up to support Google Analytics.

What this means is that :  
a) These plugins lack Google Analytics-specific functionality.  
b) These plugins will not adapt if Google Analytics changes again. Since Analytics Cat is a dedicated Google Analytics WordPress plugin, we’ll make sure make sure to stay compatible with future changes to Google Analytics.  
c) These plugins usually don’t support hiding your Google Analytics code from logged-in users.

**3\. Using Some Other Google Analytics WordPress Plugin**  
There are some good Google Analytics plugins out there, but many of them are bloated, have too many settings and are slow.

You’ll love Analytics Cat – Google Analytics Cat iff what you want is a simple, reliable Google Analytics plugin,

**Does Analytics Cat – Google Analytics Plugin work with Universal Analytics?**

Yes. Analytics Cat is built from the ground up to support Universal Analytics.

Analytics Cat – Google Analytics does not work with the old Google Analytics script that Google deprecated.

**Can I hide my Google Analytics tracking code from logged in users?**

Yes. You can hide your Google Analytics code from logged in users by going to Settings -> Google Analytics Manager.

**Is Analytics Cat – Google Analytics easy to translate?**

Yes. Analytics Cat – Google Analytics Cat is fully translateable. Please let us know if you’re interested in contributing.

**Analytics Cat – Google Analytics Feature Roadmap**

This is just the first version of Analytics Cat – we have tons of new features & improvements lined up. Do you have any suggestions? Please leave a comment in the support forums.

—The Fatcat Apps Team

**Privacy Disclosure**

This plugin can be configured to connect to 3rd party service providers such as Google.

If you use this plugin to connect to a 3rd party, personal data may also be shared with that party.

Additional privacy policy information for 3rd party services can be found here:

Google

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

*   Analytics Cat - Google Analytics for WordPress settings screen
    

1.  Upload the Analytics Cat – Google Analytics plugin file (fca-ga.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Settings -> Google Analytics Manager’ to add your tracking code.

**How do I set up Google Analytics using Analytics Cat?**

After installing this plugin, simply go to Settings -> Google Analytics Manager and add your Google Analytics (Universal Analytics) ID.

**What is my Google Analytics tracking ID?**

Follow these steps to find your Google Analytics tracking id:

1.  Sign in to your Google Analytics account
    
2.  On the bottom left side of the screen, click on “Admin” (Cog icon).
    
3.  Select your preferred Account and Property from the columns.
    
4.  Under Property, Click ‘Tracking Info’ > ‘Tracking Code’
    
5.  You will find your Tracking ID here (example: UA-xxxxxx-01)
    
6.  Paste this Tracking ID into Analytics Cat
    

Important: Do not paste your tracking code (starting with ). Instead, paste your tracking id (example: UA-xxxxxx-01) into Analytics Cat.

**Can I anonimize ip addresses?**

Yes you can! Append the following code to your theme’s functions.php page:

    function my_custom_ga_attributes ( $value ) {
        return '&aip=1';
    }
    
    add_filter( 'fca_ga_attributes', 'my_custom_ga_attributes' );
    

For more information, read this: How to find your Google Analytics tracking code, Google Analytics tracking ID, and Google Analytics property number

This plugin works well and does what it's supposed to do without issues.

Does what it says. Simple and easy to setup.

No extra fluff makes me tear up in joy. Thank you for staying true to the description and point. 👏

I have used this plugin to get input/insights for my ActiveCampaign marketing tool. It does exactly what it says it does, reliably.

It works really well but I deducted a star because I have started getting spam after installing it. Prior to this I was receiving none and this is the only plugin I have installed in the last three months.

Read all 11 reviews

“Analytics Cat – Google Analytics Made Easy” is open source software. The following people have contributed to this plugin.

Contributors

**Analytics Cat – Google Analytics 1.1.1**

*   Improved notices
*   Changed default role exclusion to none
*   Fix potential empty value error reported
*   Remove unused API calls

**Analytics Cat – Google Analytics 1.1.0**

*   Improved security for Editor page
*   Tested up to WordPress 5.9.1

**Analytics Cat – Google Analytics 1.0.9**

*   Updated feedback form
*   Tested up to WordPress 5.6.2

**Analytics Cat – Google Analytics 1.0.8**

*   Fixed double tracking issue

**Analytics Cat – Google Analytics 1.0.7**

*   Tested up to WordPress 5.5

**Analytics Cat – Google Analytics 1.0.6**

*   Added filter fca\_ga\_attributes to add ability to customize enqueued script attributes (see readme)
*   Admin UI text update
*   Removed quotes from Google Analytics ID ( fixed issue with 3rd party add-on )
*   Tested up to WordPress 5.4.2

**Analytics Cat – Google Analytics 1.0.5**

*   Upgraded from analytics.js to gtag.js
*   Tested up to WordPress 5.4.1

**Analytics Cat – Google Analytics 1.0.4**

*   Load Select2 library locally instead of via CDN
*   Add privacy disclosure

**Analytics Cat – Google Analytics 1.0.3**

*   Removed installation splash screen

**Analytics Cat – Google Analytics 1.0.2**

*   Add settings saved message
*   Update help text & links
*   Update permissions text

**Analytics Cat – Google Analytics 1.0.1**

*   Fix link to quick start guide in admin UI

**Analytics Cat – Google Analytics 1.0.0**

*   Release candidate 1 of Analytics Cat – Google Analytics

CVE-2022-40311: Analytics Cat – Google Analytics Made Easy

Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. It's time to say goodbye to on-premise Exchange.

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cybersecurity experts argue that a similar switch is due—or long overdue—for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data center, the time has come to move to a cloud service—if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by Chinese state-sponsored hackers known as Hafnium, who last year penetrated more than 30,000 targets, by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear enough message: An Exchange server is, itself, a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

Aside from the multiple vulnerabilities Orange Tsai exposed and the two actively exploited unpatched bugs revealed last month, Childs points to another 20 security flaws in Exchange that a researcher reported to ZDI, which ZDI, in turn, reported to Microsoft two weeks ago, and which remain unpatched. “Exchange right now has a very broad attack surface, and it just hasn’t had a lot of really comprehensive work done on it in years from a security perspective,” says Childs.

Childs points to two other ZDI discoveries of Exchange vulnerabilities, one in 2018 and another in 2020, that were actively exploited by hackers even after the bugs were reported to Microsoft and patched. Security podcast _Risky Business_ went so far as to title a recent episode “It’s Exchangehog Day,” in a reference to the dreary cycle of vulnerability revelations and subsequent patching the servers require.

When WIRED reached out to Microsoft for comment on its Exchange security issues, Aanchal Gupta, the corporate vice president of Microsoft Security Response Center (MSRC), responded with an exhaustive list of measures the company has taken to mitigate, patch, and harden on-premise Exchange servers. He noted that Microsoft quickly released updates in response to Tsai's findings to partially block the vulnerabilities he exposed before the company released the full fix in August. Gupta further wrote that  MSRC “worked around the clock” to help customers update their Exchange servers in the midst of last year's Hafnium attacks, released numerous security updates for Exchange over the year, and even launched an Exchange Emergency Mitigation service, which helps customers automatically apply security mitigations to block known attacks on Exchange servers even before a full patch is available.

Still, Gupta agreed that most customers should move from on-premise Exchange servers to Microsoft's cloud-based email service, Exchange Online. “We strongly recommend customers migrate to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats,” Gupta said in an emailed statement. “Our work to support on-premises customers to move to a supported and up-to-date version continues, and we strongly advise customers who cannot keep these systems up to date to migrate to the cloud.”

If email administrators are, in fact, having trouble keeping Exchange fully patched, Trend Micro's Childs says that's due largely to the complexity of actually installing Exchange updates, both because of the age of its code and the risks of breaking functionality by changing interdependent mechanisms in the software. Security researcher Kevin Beaumont, for instance, recently live-tweeted his own experience of updating an Exchange server, documenting countless bugs, crashes, and hiccups in the process, which took him nearly three hours, despite the fact the server had last been updated just a few months earlier. “It’s a difficult and arduous process, so even though there are active attacks, people just don’t patch their on-premise Exchange,” says Childs. “So there are patched bugs that are taking forever to get fixed, and also unpatched bugs that have yet to get fixed.”

Another problem compounding on-premise Exchange’s security woes arises from the fact that vulnerabilities found in its software are often particularly easy to exploit. Exchange bugs aren’t any more common than, say, vulnerabilities in Microsoft’s Remote Desktop Protocol, says Marcus Hutchins, an analyst for security firm Kryptos Logic. But they’re far more reliable to use because, despite the fact that an Exchange server hosts email locally, it’s accessed through a web service. And passing commands through an online interface to a web server is a far more reliable form of hacking than methods like so-called memory corruption vulnerabilities, which have to alter data in a lower-level and less predictable portion of a targeted machine. “It’s basically very fancy web exploitation,” says Hutchins. “It’s not something that’s going to crash the server if you do it wrong. It’s very stable and simple.”

That exploitability is compounded by what seems to be Microsoft’s increasing inattention to maintaining the security of on-premise Exchange in favor of its cloud-based email service, 365 Exchange Online. As Beaumont pointed out earlier this month, Microsoft itself recommended that customers disable “legacy” authentication for Exchange—using industry jargon for outdated and often unsupported features—without acknowledging that there was no alternative form of authentication available.

That’s a strong hint that Microsoft itself thinks of on-premise Exchange servers on the whole as de facto “legacy” products, says Jake Williams, a former National Security Agency hacker who leads threat intelligence at cybersecurity firm Scythe. Microsoft no doubt wants customers to switch to its cloud-based service he says, and seems to have shifted its security resources accordingly. “It’s clear the depth on the on-premise Exchange team is not where it was a few years ago and hasn’t kept up with the security landscape,” says Williams. “It’s pretty stark.”

Williams acknowledges that some users may prefer or even require that their email be hosted locally rather than in the cloud for legal or privacy issues. But many enterprises that rely on the security of controlling the Exchange server themselves need to reckon with the fact they’re likely introducing more risks than they’re avoiding. “I tell customers, ‘I get it, you want to run on-prem for control reasons,’” says Williams. “But you have to start evaluating this as a liability. And that’s because Microsoft is not putting effort and resources into patching.”

“The proof is in the pudding,” Williams adds. “This code base is not getting the love that it clearly and desperately needs.” And if Microsoft isn’t giving that love to your Exchange server, perhaps Exchange no longer deserves your love, either.

Your Microsoft Exchange Server Is a Security Liability

The new open source specification from Open Compute Project is backed by Google, Nvidia, Microsoft, and AMD.

Some of the top names in the hardware industry have joined forces to create common technologies to enhance security in the cloud.

Google, Nvidia, Microsoft, and AMD partnered to establish Caliptra, an open specification to embed security mechanisms inside chips. The spec, which is open source and free to license, was announced on Tuesday at the Open Compute Project Summit, being held in Santa Clara, Calif. The participating companies are members of the Open Compute Project (OCP), which will maintain the development of the specification along with the Linux Foundation.

The Caliptra project revolves around establishing a root of trust (RoT) — building security layers into silicon so data is encrypted and not exposed as it travels in data centers or the cloud.  

"We need to embed that capability in silicon. At some point in the future, it's not going to be enough to have it on the motherboard, for example in the server as a separate piece of circuitry," said Cliff Grossner, vice president of market intelligence at OCP, during a press briefing.

Caliptra expands the security boundaries of data from the chip level to the cloud. The specification provides common language for chip makers and cloud providers to create technologies around confidential computing, which is gaining attention as a way to protect data while it is in storage, in transit, or being processed in the cloud.

"With the rise of edge computing, the resultant growth in the exposed attack surface also presents a need for stronger physical security solutions," wrote Mark Russinovich, Microsoft CTO for Azure, in a Tuesday blog post about Caliptra.

**Defining Open Source Confidential Computing**

Vulnerabilities like Spectre and Meltdown showed hackers could steal data by attacking hardware. Intel and AMD, whose CPUs dominate the data center and cloud infrastructure, are adding proprietary features to lock down data at the chip level, but Caliptra is being pitched as a viable open source alternative.

The specification defines a reusable silicon block that can be dropped into chips and devices to establish an RoT. The silicon block provides verifiable cryptographic assurances that the chip security configuration is correct. It also provides a mechanism within the chip to ensure that the boot code can be trusted.

"This represents an enhancement over existing solutions today, and we expect that this will meet the enhanced security requirements for edge and confidential computing going forward," OCP's Grossner said.

The specification includes mechanisms to protect data from a range of electromagnetic, side-channel, and other common attacks. But Caliptra does not cover emerging attack vectors like quantum computers, which will provide the means to crack advanced encryption in just seconds.

The Caliptra specification also covers major aspects of attestation, which is more of a chip-level handshake to ensure that only authorized parties get access to data stored in hardware enclaves. The RoT blocks in a chip isolate the data, while providing an effective mechanism to verify the authenticity and integrity of code, firmware, and other security assets.

**Securing the Enterprise Cloud**

The first Caliptra spec, version 0.5, can be prototyped on field-programmable gate arrays before being implemented into final chip designs. The specification document points to the technology being geared for enterprise computing infrastructures rather than home or business PCs.

The tenets of Caliptra, which include authentication, detection, and recovery, tilt heavily toward establishing a silicon RoT for server and edge chips, which are built differently than PC chips.

Microsoft is using attestation based on Trusted Platform Module (TPM) chips as a security mechanism for Windows 10 and 11 operating systems. The company's Pluton security chip, which has a TPM built in and can be used for attestation, has largely been rejected by the wider PC industry.

Microsoft and Google executives didn't say whether or when they would make Caliptra a part of their cloud services. Microsoft last week expanded the use of AMD's SNP-SEV technology for confidential computing in the cloud. Azure also offers virtual machine instances with Intel's proprietary SGX security enclave.

**Expanding the Open Compute Project**

The Open Compute Project was established in 2011 by the likes of Google and Meta (then Facebook), which were buying thousands of servers and looking to standardize on hardware designs in their mega data centers. The goal was to reduce the server build times and cut costs by stripping off unnecessary components.

OCP has since grown into a powerhouse that counts all major infrastructure hardware providers as members — with the exception of Apple and Amazon, which rely on internally designed hardware.

OCP guidelines also include power, cooling, storage, and networking specifications that are now widely adopted. The OCP has also inspired nontech companies, largely in the financial sector, to experiment and develop standardized servers for on-premises data centers.

"We have the industry leaders coming together here within the OCP community, and we want to bring the standardized facility architecture for deployed servers," Grossner said. "Server security will become scalable."

Servers previously largely depended on CPUs, but now include different computing devices such as GPUs to handle applications like artificial intelligence. Standardizing the server security architecture was a top priority for company executives addressing media during the OCP call.

"This ecosystem we all play in — it starts with trust you have ... in your computing. We were on a path to have a number of bifurcated solutions, and that's just not good for anyone," said Mark Papermaster, chief technology officer at AMD, during the call.

Hardware Makers Standardize Server Chip Security With Caliptra

On October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at Amazon comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users.

On October 10, 2022, there were 576,562 **LinkedIn** accounts that listed their current employer as **Apple Inc.** The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at **Amazon** comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users.

Jay Pinho is a developer who is working on a product that tracks company data, including hiring. Pinho has been using LinkedIn to monitor daily employee headcounts at several dozen large organizations, and last week he noticed that two of them had far fewer people claiming to work for them than they did just 24 hours previously.

Pinho’s screenshot below shows the daily count of employees as displayed on Amazon’s LinkedIn homepage. Pinho said his scraper shows that the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop:

The number of LinkedIn profiles claiming current positions at Amazon fell 33 percent overnight. Image: twitter.com/jaypinho

As stated above, the number of LinkedIn profiles that claimed to work at Apple fell by approximately 50 percent on Oct. 10, according to Pinho’s analysis:

Image: twitter.com/jaypinho

Neither Amazon or Apple responded to requests for comment. LinkedIn declined to answer questions about the account purges, saying only that the company is constantly working to keep the platform free of fake accounts. In June, LinkedIn acknowledged it was seeing a rise in fraudulent activity happening on the platform.

KrebsOnSecurity hired Menlo Park, Calif.-based **SignalHire** to check Pinho’s numbers. SignalHire keeps track of active and former profiles on LinkedIn, and during the Oct 9-11 timeframe SignalHire said it saw somewhat smaller but still unprecedented drops in active profiles tied to Amazon and Apple.

“The drop in the percentage of 7-10 percent \[of all profiles\], as it happened \[during\] this time, is not something that happened before,” SignalHire’s **Anastacia Brown** told KrebsOnSecurity.

Brown said the normal daily variation in profile numbers for these companies is plus or minus one percent.

“That’s definitely the first huge drop that happened throughout the time we’ve collected the profiles,” she said.

In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.

A day after that second story ran, KrebsOnSecurity heard from a recruiter who noticed the number of LinkedIn profiles that claimed virtually any role in network security had dropped seven percent overnight. LinkedIn declined to comment about that earlier account purge, saying only that, “We’re constantly working at taking down fake accounts.”

A “swarm” of LinkedIn AI-generated bot accounts flagged by a LinkedIn group administrator recently.

It’s unclear whether LinkedIn is responsible for this latest account purge, or if individually affected companies are starting to take action on their own. The timing, however, argues for the former, as the account purges for Apple and Amazon employees tracked by Pinho appeared to happen within the same 24 hour period.

It’s also unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn. Cybersecurity firm **Mandiant** (recently acquired by **Google**) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and **Indeed**, as part of an elaborate scheme to land jobs at cryptocurrency firms.

On this point, Pinho said he noticed an account purge in early September that targeted fake profiles tied to jobs at cryptocurrency exchange **Binance**. Up until Sept. 3, there were 7,846 profiles claiming current executive roles at Binance. The next day, that number stood at 6,102, a 23 percent drop (by some accounts that 6,102 head count is still wildly inflated).

Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

**Nicholas Weaver**, a researcher for the International Computer Science Institute at **University of California, Berkeley**, suggested another explanation for the recent glut of phony LinkedIn profiles: Someone may be setting up a mass network of accounts in order to more fully scrape profile information from the entire platform.

“Even with just a standard LinkedIn account, there’s a pretty good amount of profile information just in the default two-hop networks,” Weaver said. “We don’t know the purpose of these bots, but we know creating bots isn’t free and creating hundreds of thousands of bots would require a lot of resources.”

In response to last week’s story about the explosion of phony accounts on LinkedIn, the company said it was exploring new ways to protect members, such as expanding email domain verification. Under such a scheme, LinkedIn users would be able to publicly attest that their profile is accurate by verifying that they can respond to email at the domain associated with their current employer.

LinkedIn claims that its security systems detect and block approximately 96 percent of fake accounts. And despite the recent purges, LinkedIn may be telling the truth, Weaver said.

“There’s no way you can test for that,” he said. “Because technically, it may be that there were actually 100 million bots trying to sign up at LinkedIn as employees at Amazon.”

Weaver said the apparent mass account purge at LinkedIn underscores the size of the bot problem, and could present a “real and material change” for LinkedIn.

“It may mean the statistics they’ve been reporting about usage and active accounts are off by quite a bit,” Weaver said.

Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn

Google on Thursday announced that it's seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition, also known as GUAC, as part of its ongoing efforts to beef up the software supply chain.
"GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai

Google on Thursday announced that it's seeking contributors to a new open source initiative called **Graph for Understanding Artifact Composition**, also known as GUAC, as part of its ongoing efforts to beef up the software supply chain.

"GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News.

"GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding."

Software supply chain has emerged a lucrative attack vector for threat actors, wherein exploiting just one weakness -- as seen in the case of SolarWinds and Log4Shell -- opens a pathway long enough to traverse down the supply chain and steal sensitive data, plant malware, and take control of systems belonging to downstream customers.

Google, last year, released a framework called SLSA (short for Supply chain Levels for Software Artifacts) that aims to ensure the integrity of software packages and prevent unauthorized modifications.

It has also launched an updated version of Security Scorecards, which identifies the risk third-party dependencies can introduce to a project, allowing developers to make informed decisions about accepting vulnerable code or considering other alternatives.

This past August, Google further introduced a bug bounty program to identify security vulnerabilities spanning a number of projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia.

GUAC is the latest effort to bolster the health of the supply chain. It achieves this by aggregating software security metadata from a mix of public and private sources into a "knowledge graph" that can answer questions about supply chain risks.

The data that undergirds this architecture is derived from Sigstore, GitHub, Open Source Vulnerabilities (OSV), Grype, and Trivy, among others, to derive meaningful relationships between vulnerabilities, projects, resources, developers, artifacts, and repositories.

"Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance," Google said.

Put differently, the idea is to connect the different dots between a project and its developer, a vulnerability and the corresponding software version, and the artifact and the source repository it belongs to.

The aim, therefore, is to not only enable organizations to determine if they are affected by a specific vulnerability, but also estimate the blast radius should the supply chain be compromised.

That said, Google also appears to be cognizant of the potential threats that could undermine GUAC, including scenarios where the system is tricked into ingesting forged information about artifacts and their metadata, which it expects to mitigate through cryptographic verification of data documents.

"\[GUAC\] aims to satisfy the use case of being a monitor for public supply chain and security documents as well as for internal use by organizations to query information about artifacts that they use," the internet giant noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google