Lawmakers introduced the bill because they’re worried about the potential for quantum computers to easily crack current cryptographic algorithms.
Monthly Archives: July 2022
Criminals Use Malware as Messaging Bots to Steal Data
Cyber-criminals are using the Telegram and Discord messaging apps as command and control mechanisms.
Teleport features passwordless access with new access plane update
Teleport, an open source platform designed to provide zero trust access management applications, has announced the latest version of its unified access plane, Teleport 10, which features passwordless access as a single sign-on (SSO) infrastructure access solution.
Teleport’s unified access plane is an open source identity-based infrastructure access platform that unifies secure access to servers, Kubernetes clusters, applications and databases.
grafana-9.0.5-1.fc37
FEDORA-2022-047d3845db
Packages in this update:
grafana-9.0.5-1.fc37
Update description:
Automatic update for grafana-9.0.5-1.fc37.
Changelog
* Wed Jul 27 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 9.0.5-1
- update to 9.0.5 tagged upstream community sources, see CHANGELOG (rhbz#2107413)
- run integration tests in check phase
- remove conditional around go-rpm-macros
- resolve CVE-2022-31107 grafana: OAuth account takeover (rhbz#2107435)
- resolve CVE-2022-31097 grafana: stored XSS vulnerability (rhbz#2107436)
Securing Open-Source Software
Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such:
Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualities of a public good and is as indispensable as national highways. Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.
This is not a novel idea. Open-source code has been called the “roads and bridges” of the current digital infrastructure that warrants the same “focus and funding.” Eric Brewer of Google explicitly called open-source software “critical infrastructure” in a recent keynote at the Open Source Summit in Austin, Texas. Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects “just as much as bridges and roads,” and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to “explore opportunities for dedicated support services for open source solutions [it] considers critical.”
Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards. But not all open-source projects are made equal. The first step is to identify which projects warrant this heightened level of scrutiny—projects that are critical to society. CISA defines critical infrastructure as industry sectors “so vital to the United States that [its] incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Efforts should target the open-source projects that share those features.
GitGuardian launches ggcanary project to help detect open-source software risks
Code security platform provider GitGuardian has announced the launch of a new open-source canary tokens project to help organizations detect compromised developer and DevOps environments. According to the firm, security teams can use GitGuardian Canary Tokens (ggcanary) to create and deploy canary tokens in the form of Amazon Web Services (AWS) secrets to trigger alerts as soon as they are tampered with by attackers. The release is reflective of a wider industry trend of emerging standards and initiatives designed to tackle risks surrounding the software supply chain and DevOps tools.
ggcanary features “highly sensitive” intrusion detection
In a press release, GitGuardian stated organizations’ continued adoption of the cloud and modern software development practices is leading to them unknowingly expanding their attack surfaces. Poorly secured internet-facing assets and corporate networks are triggering attackers to turn to components in the software supply chain like continuous integration and continuous deployment (CI/CD) pipelines as entry points, it added.
Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years
A sophisticated rootkit that’s able to insert itself into the lowest levels of Windows computers — the motherboard firmware — has been making victims since 2020 after disappearing from the radar for around three years. The rootkit, dubbed CosmicStrand by researchers from Kaspersky Lab, is stealthy and highly persistent since its code is stored deep in the UEFI, outside the detection scope of most security programs.
The Unified Extensible Firmware Interface (UEFI) is the modern equivalent to the BIOS. It’s the firmware that contains the necessary drivers to initialize and configure all hardware components of a computer before the main operating system starts and takes over. While BIOS rootkits used to be a relatively common occurrence many years ago, the UEFI has better security protections, so UEFI malware is relatively rare.
osbuild-62-1.fc36 osbuild-composer-58-1.fc36
FEDORA-2022-ca66b145a5
Packages in this update:
osbuild-62-1.fc36
osbuild-composer-58-1.fc36
Update description:
New upstream release:
osbuild-composer 58
osbuild 62
Update osbuild to the latest version
US Doubles Reward for Info on North Korean Hackers
AT&T Cybersecurity Insights Report: A Focus on Manufacturing
During the pandemic, many forward-thinking manufacturers took shifts in consumer demands and in-person work patterns as an opportunity to modernize their factory floors and operational infrastructure. Now as supply chain challenges and inflationary forces come to the fore, the entire industry will be called to continue their innovative investments to make manufacturing processes speedier, more efficient, and equipped to compete in a new era. At the same time, they’re bolstering their cybersecurity measures to ensure that the IT technologies they’re marrying with legacy operational technology (OT) remain secure and dependable.
Not only have we observed these market trends anecdotally through conversations with AT&T customers, but they’re backed with some solid data as well. Released this week, the AT&T Cybersecurity Insights Report: Securing the Edge-A Focus on Manufacturing takes a close look at the innovation and security practices of the manufacturing world. Findings in the report show that manufacturers are leaning into edge implementation to improve operations on the assembly line and beyond—and putting considerable investment into security to ensure that these advancements bring as little risk with them as possible.
Edge innovation fuels factory advances
Manufacturers are among the furthest along in implementing edge use cases among the six verticals examined in the core 2022 AT&T Cybersecurity Insights Report. The industry is taking full advantage of 5G and IoT technologies to transform operations at the edge in groundbreaking ways, moving forward with initiatives such as smart warehousing, transportation optimization, intelligent inventory, and augmented maintenance.
The study showed that:
78% of manufacturers globally are planning, have partially, or have fully implemented an edge use case.
50% of manufacturers are at the mature stage of deployment for at least some of their edge network use cases.
This puts manufacturing ahead of energy, finance, and healthcare verticals when it comes to edge adoption. Among all the edge use cases, video-based quality inspection ranked the highest priority for manufacturers for full or partial implementation. It also was scored as one of the lowest in perceived risk. Manufacturers are utilizing a combination of IoT sensors and cameras to pinpoint defects in real-time on the assembly line in order to discover root causes of defects more quickly, improve product quality, and reduce waste in the process.
For example, a car manufacturer may use edge devices to watch a car as it traverses the assembly line, and if a windshield blade is not installing on one car because of variance in the windshield assembly, they can quickly review footage to find exactly how many cars were impacted by the issue. The car maker can then fix the defects on each partially completed vehicle before they roll any further down the assembly line, where the problem could be compounded, incurring rework or waste at the end of the manufacturing process.
Edge computing offers reduced bandwidth, lower latency, and proximity of data, enabling companies to both leverage those IoT inspection devices and pair them with specialized AI-inspection models. The power of edge makes it possible to do this across multiple, global facilities, effectively handling the large number of files and formats typically found in a modern manufacturer’s workflow.
IT-OT convergence heightens certain security risks
The convergence of IT and OT technologies is a long-running trend in manufacturing, but the shift to the edge is accelerating the mash-up of legacy OT systems with IT networks, Internet-facing utilities, IoT devices, and more. This is taking smart manufacturing to a whole new level; however, it also amplifies the risk to manufacturers that a cyberattack against a single device in a warehouse could potentially take down an entire assembly line if proper security measures aren’t taken.
The top perceived attacks prioritized by manufacturers reflect that very real concern. The study showed that manufacturers judged the following as the top three most likely attacks to impact them:
Attacks against user/endpoint devices (71.3%)
Ransomware (69.4%)
Attacks against server/data within or at the network edge (65.9%)
Interestingly, in spite of the high level of concern about endpoint attacks, manufacturers reported a relatively low use of patching as a layer of security protection for edge deployments. Just 29% of participants selected patching as a control they’d use to help protect the components of their primary edge use case. This highlights some of the big challenges manufacturers face in IT-OT convergence situations. Like many IoT devices and embedded OT systems that are now connected into the IT network (and often to the Internet at large), video cameras that manufacturers use on the factory floor may not be supported by timely updates, and patching can be logistically difficult. These logistical concerns about patching become even more of a challenge for other connected manufacturing equipment that may not be easily patched due to a plethora of operational constraints.
As such, security architects for manufacturers will need to consider more compensating controls to make up for known weaknesses in areas like patching.
Manufacturing ramps up security investments
Currently, manufacturers judge that the cybersecurity controls that will have the highest effectiveness and efficiency are intrusion and threat detection, device authentication, and data leakage monitoring. The overall top-rated control for effectiveness cited by manufacturers was network access controls and associated Zero Trust Network Access (ZTNA)—however, it was also one which was judged to have the highest total cost of ownership. Given the dynamic and still developing nature of IT-OT convergence, network access control is likely nascent and in limited use at many of these organizations.
The good news is that manufacturers are putting considerable investments into securing their edge use cases in the coming three years. The study found that well over half of manufacturers are investing between 11% – 20% of their total edge use case budget in security controls and other cyber risk management measures. This ongoing investment will play a considerable role in determining the long-term success of new edge innovations for manufacturers in the years to come.