WebProNews

Tag: CISA

  • Google Sides With US in Holding Companies Responsible for Cybersecurity

    Google and the US government may be at odds about many things, but the two are in agreement on one big one: who should be responsible for cyberattacks.

    In a blog post by Kent Walker, President, Global Affairs & Chief Legal Officer, and Royal Hansen, VP of Engineering for Privacy, Safety, and Security, the executives make the case that companies should be responsible for improving cybersecurity:

    “Should companies be responsible for cyberattacks? The U.S. government thinks so – and frankly, we agree.”

    The two execs then quote Jen Easterly and Eric Goldstein of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security:

    “The incentives for developing and selling technology have eclipsed customer safety in importance. […] Americans…have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”

    Walker and Hansen go on to lament that cyber threats are growing, taking advantage of “insecure software, indefensible architectures, and inadequate security investment.” The solution is a complete rethinking of how software is designed and deployed.

    “The bottom line: People deserve products that are secure by default and systems that are built to withstand the growing onslaught from attackers,” the executives write. “Safety should be fundamental: built-in, enabled out of the box, and not added on as an afterthought. In other words, we need secure products, not security products. That’s why Google has worked to build security in – often making it invisible – to our users. Many of our most significant security features, including innovations like SafeBrowsing, do their best work behind the scenes for our core consumer products.”

    The executives emphasize the importance of security being smooth and streamlined, rather than the cumbersome experience that often exists today and leads customers to choose insecurity over inconvenience. Walker and Hansen also recognize that there is no silver bullet, but that significant steps can and should be taken to greatly improve the status quo.

    “Of course, raising the security baseline won’t stop all bad actors, and software will likely always have flaws – but we can start by covering the basics, fixing the most egregious security risks, and coming up with new approaches that eliminate entire classes of threats,” they add. “Google has made investments in the past two decades, but contributing resources is just a piece of the puzzle. It’s work for all of us, but it’s the responsible thing to do: The safety and security of our increasingly digitized world depends on it.”

  • PSA: Update Google Chrome Immediately

    Google has released a major update to Google Chrome, fixing a number of critical bugs, including ones that could lead to remote takeover.

    The latest version fixes 11 bugs, five of which are rated High severity. The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) is advising users and companies to upgrade immediately.

    Google has released Chrome version 103.0.5060.134 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

    CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

  • Worldwide Government Agencies Warn of MSP Cyberattacks

    Managed service providers (MSPs) are coming under increased cyberattack, according to multiple government agencies worldwide.

    A new advisory issued by CISA, NSA, FBI, and various international cyber authorities warns that MSPs and their customers are increasingly being targeted by bad actors. MSPs are prime targets because a single compromised provider can be used as a foothold into many customer organizations at once.

    Government agencies are advising these companies to take a number of actions in an effort to mitigate these threats, including:

    • Implement mitigation resources to help prevent initial compromise.
    • Enable monitoring and retain at least six months of logs, together with endpoint detection and network defense monitoring.
    • Use multifactor authentication and other measures to secure remote access applications.
    • Have incident response and recovery plans in place.
    • Understand and manage the risks associated with software and services supply chains.

    “As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly. “Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

    “We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that,” said NCSC CEO Lindy Cameron. “Our joint advisory with CISA is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk. I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.”

    Organizations are encouraged to review the entire advisory as soon as possible.

  • Companies Race to Fix Critical Zero-Day Vulnerability

    Companies around the world are racing to patch a critical zero-day vulnerability that is among the worst ever found.

    Cybersecurity experts and government officials began warning Friday of a critical bug in “Log4j,” a Java-based logging framework maintained by the Apache Software Foundation. As news of the vulnerability spread, the list of impacted companies grew to include some of the biggest in the world.

    Palo Alto Networks reported that iCloud, Twitter, Amazon, Baidu and Minecraft were impacted, to name just a few. Even worse, the vulnerability is actively being exploited and attacked, putting many companies at risk.

    The director of the Cybersecurity & Infrastructure Security Agency (CISA) issued a statement outlining the seriousness of the vulnerability.

    “We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity. We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability. 

    To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.” 

    Cybersecurity experts are echoing CISA’s assessment of the danger, calling the vulnerability a major issue for the tech and cybersecurity community.

    Dr. Richard Ford, CTO of cybersecurity research firm Praetorian, told WebProNews that the Log4j vulnerability is even worse than other widely reported vulnerabilities.

    “Praetorian researchers weaponized the vulnerability within hours and have a fully working exploit that we can use in the field,” said Dr. Richard Ford. “As background, Praetorian is an Austin-based cybersecurity solutions company that helps solve complex cybersecurity problems across critical enterprise assets and product portfolios. Their combination of software and security expertise puts them at the forefront of vulnerabilities such as this. Earlier this year, Praetorian was at the forefront of another critical vulnerability, proxylogon. The company says, as critical as proxylogon was to resolve, it had a much smaller potential impact than Log4j.

    “The company’s engineers and researchers have been working since last night in a war room to scan its customers and are finding vulnerabilities in the field. Worse yet, we’re also inadvertently discovering the vulnerability in 3rd parties who are on adjacent or integrated systems. Naturally, we are following responsible disclosure policies so cannot call out these systems by name, but it is one of the largest exposures we have seen at Internet scale. All vulnerabilities are typically scored by how dangerous they are: this vulnerability has practically the highest score possible, and it seems likely that even some professionals are unaware of its potential impact. The situation is rapidly evolving, and we are learning a great deal about the scope and impact of this vulnerability as we quickly work with customers to help mitigate the risk in the short term while they work on a long term solution, which will require patching all instances of the vulnerable code – a process which could take months.”

    Due to Log4j’s widespread use, experts believe companies will continue to come under attack in the coming days while mitigation efforts proceed.

    “This vulnerability feels similar to ShellShock, first identified in 2014, and still observed by GreyNoise,” Andrew Morris, Founder and CEO of cybersecurity firm GreyNoise, told WebProNews. “Due to ease of exploitation and prevalence of Log4J, GreyNoise researchers believe that this activity will continue to increase over the next few days.”

  • Another Week, Another Round of Serious Google Chrome Security Flaws

    In what is becoming a regular occurrence, Google has issued another Chrome update to fix a number of issues, including seven serious security flaws.

    Google Chrome is the most popular desktop browser by a wide margin. Unfortunately, it also seems to have its fair share of security issues, with Google issuing a patch every few weeks to fix critical ones.

    Google has now issued another fix, addressing seven serious security issues. Even the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is recommending users and admins update immediately.

    This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

    CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

    A recent report showed Firefox has dropped 50 million users in the last couple of years, and is now hovering around 200 million. Google’s ongoing issues show why it’s important to not only have a variety of browsers on the market, but also ones that use different rendering engines.

    Safari uses WebKit, Firefox uses Gecko, and Chrome is based on the Chromium codebase, which uses Blink. Many others, such as Brave, Opera, Vivaldi, and Microsoft Edge, are also based on Chromium, meaning they all use the same engine.

    As a result, with the popularity of Apple’s Safari on mobile, and Chrome-based browsers on the desktop, Firefox’s future as a private, secure third option is more important than ever.

  • PSA: Update Firefox Immediately—Critical Vulnerability Being Exploited

    A recent release of Mozilla Firefox has a vulnerability severe enough that even the Department of Homeland Security is telling everyone to update.

    According to Mozilla, “incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.”

    That last statement is particularly worrisome, as many software flaws are patched before bad actors start abusing them. In this case, however, this flaw is already being exploited.

    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) states the following:

    “Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

    “The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”

    As CISA points out, this flaw impacts both the regular and enterprise (ESR) versions of Firefox, so ALL users should update immediately. Individuals can use the app’s built-in updater or go to Mozilla’s official site for the latest version.