Russia is offering its own Transport Layer Security (TLS) certificates to bypass sanctions imposed by Western companies and governments that are limiting citizens’ access to websites amid the nation’s invasion of Ukraine. Restrictions on foreign payments are leaving many Russian websites unable to renew certificates with international signing authorities causing browsers to block access to sites. As a result, the Russian state has launched a domestic TLS certificate authority (CA) for the independent issuing and renewal of TLS certificates. The risks of Russian-owned and -issued TLS certificates are significant and include traffic interception and man-in-the-middle (MitM) attacks.

To read this article in full, please click here

Read More

Zimperium report warns of bugs, malware and misconfigurations

Read More

This blog was written by an independent guest blogger.

The US Office of Management and Budget (OMB) has released a strategy to help the federal government embrace a zero-trust approach to cybersecurity.

Overview of OMB’s Zero Trust strategy

Released on January 26, 2022, the strategy identifies “specific security goals” that heads of Federal Civilian Executive Branch (FCEB) agencies must achieve by the end of the Fiscal Year (FY) 2024. Provided below are some of these objectives.

In its Executive Order (EO) 14028, The White House states that FCEB agencies must develop their own plans for implementing a zero-trust architecture (ZTA). OMB’s strategy goes beyond this mandate by requiring FCEB agencies to incorporate additional requirements and submitting them to OMB and the US Cybersecurity & Infrastructure Security Agency (CISA) within 60 days of the memorandum taking effect. FCEB agencies also need to submit a budget estimate for FY 2024 within that period. In the shorter term, OMB explains that in-scope entities can use internal funding or seek money from alternative sources to achieve primary goals in FY 2022 and FY 2023.
OMB’s strategy notes that FCEB agencies must designate and identify a lead for implementing zero trust at their organization within 30 days of the strategy entering into force. Ultimately, OMB will use those leads to coordinate the implementation of zero trust across the federal government. It’ll also refer to them to orchestrate planning and implementation efforts within each agency. 

Identity and MFA as key tenets

The security goals identified above align with several pillars of zero trust set forth by CISA. “Identity” is one of the most important of those elements. The purpose of “Identity” for zero trust is to have agency staff use enterprise-managed identities to access the applications they need to perform their job duties. The best way to do that is to invest in centralized identity management systems and integrate them into both applications, and common platforms, noted OMB in its federal strategy. Specifically, agencies can implement phishing-resistant multi-factor authentication (MFA) at the application layer as well as require staff, contractors, and partners to enroll in this scheme. (This option must also be an option for public users.) Finally, agencies must design their password policies in such a way that doesn’t require the use of special characters or require regular password rotation.

A driving factor behind the importance of identity and MFA to zero trust is the growth in cloud adoption. In December 2021, 90% of O’Reilly subscribers revealed their organizations were using the cloud at that time—up from 88% a year earlier. The study went on to reveal that at least 75% of respondents in organizations across every sector were using the cloud, with retail & commerce, finance & banking, and software registering as some of the most active industries. Looking ahead, nearly half (48%) of survey participants said that their organizations were planning to migrate at least half of their applications to the cloud in the coming year. One-fifth of personnel said they intended to migrate all their applications within that period.

This growing focus on the cloud means that literally everyone is an outsider, as I told TechSpective last August. In response, organizations need to implement a scheme by which they can validate the authenticity of approved identities and their attributes for users, services, and devices.

Giving authentication and identity the emphasis they deserve

FCEB agencies and other organizations can emphasize authentication and identity protection for zero trust by laying the groundwork for an Identity and Access Management (IAM) strategy. In formulating this plan, organizations should follow the CISA’s MFA guidelines. They then need to clarify which authentication methods they’ll require of their users and plan how to roll out authentication for their users. Finally, entities can develop access rules and policies to shape who can access certain types of data and applications along with the conditions under which they can do so. 

Regarding MFA in particular, agencies and other organizations can consider combining MFA with other best practices such as Single Sign-On to improve account security while reducing user friction. To this end, they can use an integrated service or solution that offers multi-factor authentication, SSO and policy-based access.

Read More

CaddyWiper looks like nothing else, says ESET

Read More

Even in today’s age of digital evolution, malicious hackers continue to use attack vectors dating back decades. Research shows notable periods of resurgence relating to certain methods deemed old-fashioned. What this indicates is that while attack specifics can change with time, points of infection, distribution and proliferation can remain and even lead to the most significant of breaches.

“Cybercriminals tend to return to ‘old favorite’ methods of attack, particularly when newer vectors get shut down or become more difficult to execute due to the efforts of law enforcement and security teams,” says Egress Threat Intelligence Vice President Jack Chapman.

To read this article in full, please click here

Read More

When GitHub launched the code autocomplete tool Copilot in June 2021, many developers were in awe, saying it reads their minds and helps them write code faster. Copilot looks at the variable names and comments someone writes and suggests what should come next. It provides lines of code or even entire functions the developer might not know how to write.

However, developers using unknown suggestions without verifying them can lead to security weaknesses. Researchers at the New York University’s Tandon School of Engineering put Copilot to the test and saw that 40% of the code it generated in security-relevant contexts had vulnerabilities.

“Copilot’s response to our scenarios is mixed from a security standpoint, given the large number of generated vulnerabilities,” the researchers wrote in a paper. They checked the code using GitHub’s CodeQL, which automatically looks for known weaknesses, and found that developers often get SQL-injection vulnerabilities or flaws included on the 2021 CWE Top 25 Most Dangerous Software Weaknesses list. Also, when it comes to domain-specific languages, such as Verilog, it struggles to generate code that’s “syntactically correct and meaningful.”

To read this article in full, please click here

Read More

Facial recognition company lists multiple ways tech could be used by Kyiv

Read More