177032417
submission
snydeq writes:
MITRE’s 25-year-old Common Vulnerabilities and Exposures (CVE) program will end April 16 after DHS did not renew its funding contract for reasons unspecified. Experts say ending the program, which served as the crux for most cybersecurity defense programs, is a tragedy. MITRE’s CVE program is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders’ vulnerability management programs. It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information, event management, and endpoint detection and response. It’s unclear what led to DHS’s decision to end the contract after 25 years of funding the highly regarded program. The Trump administration, primarily through Elon Musk’s Department of Government Efficiency initiative, has been slashing government spending across the board, particularly at the Cybersecurity and Infrastructure Security Agency (CISA), through which DHS funds the MITRE CVE program.
175846343
submission
snydeq writes:
Large language models (LLMs) are proving to be valuable tools for discovering zero-days, bypassing detection, and writing exploit code, thereby lowering the barrier to entry for pen-testers and attackers alike, writes CSO's Lucian Constantin in a feature on how several penetration testers are using the tools today. 'LLMs and generative AI are likely to have a major impact on the zero-day exploit ecosystem,' said Chris Kubecka, cybersecurity author and founder of HypaSec. 'These tools can assist in code analysis, pattern recognition, and even automating parts of the exploit development process.' Kubecka, for example, built a custom version of ChatGPT called Zero Day GPT, with which she was able to identify 25 zero-days in a couple of months — a task she said might have taken her years to accomplish otherwise. 'Tools like these have significantly simplified our bug bounty work, and I believe everyone in this field should have similar resources in their toolbox,' said Horia Nita, whose team took second place in a recent DefCamp capture-the-flag competition. His team uses several custom-made AI tools to help scan new codebases, provide insights into potential attack vectors, and offer explanations for code they encounter. Nita also uses LLMs to generate payloads for brute-forcing. 'With the current state of AI, it can sometimes generate functional and useful exploits or variations of payloads to bypass detection rules,' he said. Constantin's report takes a closer look at the trend, providing a few examples of what is currently being accomplished by top bug hunters.
175352323
submission
snydeq writes:
'As the US heads into a historic election, with a deadlocked electorate facing a choice between two radically different presidential candidates, several cybersecurity matters could be determined by who wins the contest on Nov. 5,' writes CSO's Cynthia Brumfield. While James Lewis, director of the technology and public policy program at CSIS, tells CSO there is more commonality between the candidates on cybersecurity issues than many would think, experts still agree that crucial cyber issues could be impacted by next week’s election results, including the potential for Russia to gain an advantage as a digital adversary, cyber regulations to be weakened, CISA to lose power, and a US Cyber Force emerging.
175138659
submission
snydeq writes:
Code analysis firm Uplevel's recent study of GitHub Copilot use found no major productivity benefits for developers based on key metrics, reports CIO.com's Grant Gross. 'Coding assistants have been an obvious early use case in the generative AI gold rush, but promised productivity improvements are falling short of the mark — if they exist at all. Many developers say AI coding assistants make them more productive, but a recent study set forth to measure their output and found no significant gains. Use of GitHub Copilot also introduced 41% more bugs, according to the study,' Gross writes, adding that in the trenches, reported results are mixed, with few seeing productivity gains and most experiencing a shift to more time on code review. As Gehtsoft's Ivan Gekht puts it: 'It becomes increasingly more challenging to understand and debug the AI-generated code, and troubleshooting becomes so resource-intensive that it is easier to rewrite the code from scratch than fix it.'
175015781
submission
snydeq writes:
Surprised by the City of Columbus’ effort to gag him, cybersecurity expert Connor Goodwolf believes city leaders could have avoided embarrassment in the wake of a ransomware attack if they had talked to him. CSO’s Cynthia Brumfield speaks with Goodwolf, the City of Columbus, and cyber and legal experts about the high-profile incident gone awry. 'First, the mayor’s office erroneously downplayed the nature and impact of what it initially called a system “abnormality.” Then, the city obtained a gag order on a local cybersecurity expert who proved the attackers were ransomware threat actors who stole vast amounts of sensitive personal data on city employees and vulnerable residents. The episode has left the 34th largest city in the US with a black eye and facing class-action lawsuits. Columbus has also earned the scorn of First Amendment experts who claim the city’s efforts to suppress the whistleblower’s information violate the US Constitution’s right to free speech.'
174928710
submission
snydeq writes:
Developers who mistype names and owners of GitHub Actions expose their repositories and accounts to malicious code execution, with significant software supply chain implications, writes CSO's Lucian Constantin. The issue was uncovered by researchers from Orca Security, who registered 14 GitHub organizations with names that are misspellings of popular Actions owners, only one of which was de-listed by GitHub. 'For example, if a developer types “uses: action/checkout” in their own workflow instead of “uses: actions/checkout” — which is the correct instruction because the parent organization is “actions” (plural) — their workflow will try to run code from the repository “checkout” of an untrusted organization ... and their malicious action will execute instead.' Within two months of setting up tests, Orca researchers counted 12 public repositories referencing their fake "actons" organization. In the end, it's not the number but the importance and size of the repository making the mistake that matters: 'Even if an attacker manages to compromise only 10 repositories with this technique, one belonging to a popular project can give the attacker access to thousands of users and organizations down the supply chain.'
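The practical check here is a pre-merge lint over workflow files: flag any `uses:` owner that is not on an allowlist, call out owners that sit within a character or two of a trusted one (the "action"/"actons" cases above), and flag references that are not pinned to a full commit SHA, since a tag like `@v4` can be moved even on a legitimate owner. The script below is an added example, not Orca Security's tooling or anything from the article; the allowlist, the sample workflow and the 40-character SHA in it are constructed placeholders.

```python
"""Lint GitHub Actions workflows for typosquatted owners and unpinned references.
Added example; TRUSTED_OWNERS and SAMPLE_WORKFLOW are constructed for illustration."""
import re

# Assumption: an organisation maintains its own allowlist of action owners.
TRUSTED_OWNERS = {"actions", "docker", "github", "hashicorp"}

# Matches '- uses: owner/repo@ref' or 'uses: "owner/repo@ref"' at any indent.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; typosquats usually sit at distance 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_uses(ref: str):
    """Split 'owner/repo[/path]@ref' into (owner, repo, ref).
    Local ('./x') and docker:// references have no GitHub owner and yield None."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    path, _, version = ref.partition("@")
    parts = path.split("/")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], version


def audit_workflow(text: str, trusted=TRUSTED_OWNERS, max_distance: int = 2):
    """Return (finding_kind, 'owner/repo', detail) tuples for every suspicious reference."""
    findings = []
    for m in USES_RE.finditer(text):
        parsed = parse_uses(m.group(1))
        if parsed is None:
            continue
        owner, repo, version = parsed
        slug = f"{owner}/{repo}"
        if owner not in trusted:
            near = sorted(t for t in trusted if 0 < edit_distance(owner, t) <= max_distance)
            if near:
                findings.append(("typosquat?", slug, f"owner looks like {', '.join(near)}"))
            else:
                findings.append(("untrusted-owner", slug, "owner not on allowlist"))
        if not SHA_RE.match(version):
            findings.append(("unpinned", slug, f"ref '{version or '<none>'}' is not a 40-char commit SHA"))
    return findings


# Constructed workflow: one correct reference, two typosquats, one SHA-pinned reference
# (placeholder SHA, not a real commit), one local action and one docker:// image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: action/checkout@v4
      - uses: actons/setup-node@v3
      - uses: hashicorp/setup-terraform@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def audit_sample():
    return audit_workflow(SAMPLE_WORKFLOW)


if __name__ == "__main__":
    for kind, slug, detail in audit_sample():
        print(f"{kind:16} {slug:28} {detail}")
```

Run it over `.github/workflows/*.yml` in CI and fail the build on any `typosquat?` or `untrusted-owner` finding; treat `unpinned` as a warning until the repository has moved to SHA pins, which is the only form GitHub resolves to immutable content.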
174862352
submission
snydeq writes:
CISOs are urged to carry out tighter vetting of new hires to ward off potential ‘moles’ who are increasingly finding their way onto company payrolls and into their IT systems, writes John Leyden in a feature on the trend that finds North Korea actively infiltrating Western companies using skilled IT workers who use fake identities to pose as remote workers with foreign companies, typically but not exclusively in the US. "The schemes are part of illicit revenue generation efforts by the North Korean regime, which faces financial sanctions over its nuclear weapons program, as well as a component of the country’s cyberespionage activities."
174854622
submission
snydeq writes:
Sarah Wiedemar reports on a rising trend in the Russian cybersecurity community: bug bounty programs, which the researcher says could have far-reaching implications as the bounty ecosystem matures. International sanctions, IT isolation, and shifting attitudes to ethical hacking have bug bounty programs on the rise in Russia, with zero-day acquisition companies potentially poised to profit. 'Given the current uncertainty that Russian bug bounty hunters and vulnerability researchers are facing when dealing with Western bug bounty programs, Russian IT companies have begun to fill that vacuum,' Wiedemar writes. 'From a Western perspective, a potential problematic development could be that Russian hackers decide to sell vulnerabilities found in Western products to Russian zero-day acquisition companies such as Operation Zero. Thus, instead of reporting them to Western bug bounty platforms for free, they sell to the highest bidder.'
174786532
submission
snydeq writes:
Anticipating astronomical compute-intensive AI workloads, hyperscalers and heavy data center operators are turning to energy providers for nuclear-fueled solutions in a ‘global arms race for power like nothing we have ever seen before,’ reports CIO.com's Paula Rooney.
AWS has paid $650 million to purchase a 960-megawatt nuclear-powered data center on site at Talen Energy’s Susquehanna, Penn., nuclear plant, with additional data centers planned — pending approval by the Nuclear Regulatory Agency.
Microsoft, Google, and Nucor, a maker of small modular nuclear reactors (SMRs), put out a request for information this spring, and Constellation Energy showed interest about cooperating on a possible SMR and securing contracts to imminently access nuclear power from the Baltimore power company, says a spokesperson for Constellation, one of the nation’s largest nuclear power providers.
“The data economy and Constellation’s nuclear energy go together like peanut butter and jelly. And as such, we are in advanced conversations with multiple clients, large, well-known companies that you all know about powering their needs,” said Joe Dominguez, Constellation’s CEO during a company conference call in May.
174683282
submission
snydeq writes:
The DPRK group’s attempts to exfiltrate data and install RMM tools by posing as US IT workers were discovered by CrowdStrike’s counter adversary team, which recently published a report on this and other findings. 'Famous Chollima was one of the more shocking cases we worked on this year,' said Adam Meyers, CrowdStrike’s SVP of counter adversary operations, who told his team after they found the first instance, 'Prove that we could find this malicious insider, which we think could be a foreign intelligence officer. ... That was on a Thursday. By Friday, this Australian guy who ran the effort came back to me and said, "Hey, we found 30 more victims."' CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. CrowdStrike’s threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop.
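The named RMM tools are the detection hook a SOC would reach for first: unsanctioned remote-access software appearing in process-creation telemetry for an account that should not need it. The hunt below is an added example, not CrowdStrike's detection content; it runs over a handful of constructed Sysmon-style key=value event lines (EventID 1 is process creation). The image names are the tools' common default executable names and are an assumption to tune per environment; TinyPilot is a hardware KVM device and leaves no host process, so it is deliberately not covered here and would need USB or device-inventory data instead.

```python
"""Hunt process-creation events for the RMM tools named in the report.
Added example; signatures and SAMPLE_EVENTS are constructed for illustration."""
import re

# Assumption: default executable names for each tool. VS Code only becomes a
# remote-access path when launched in 'tunnel' mode, so that one also requires
# the command-line token. Chrome Remote Desktop's host service is remoting_host.exe.
RMM_SIGNATURES = {
    "RustDesk": {"images": {"rustdesk.exe"}, "cmdline_tokens": ()},
    "AnyDesk": {"images": {"anydesk.exe"}, "cmdline_tokens": ()},
    "VS Code Dev Tunnels": {"images": {"code.exe", "code"}, "cmdline_tokens": ("tunnel",)},
    "Chrome Remote Desktop": {"images": {"remoting_host.exe"}, "cmdline_tokens": ()},
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """key=value and key="value with spaces" pairs into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_rmm(event: dict):
    """Return the tool name if the process image (and, where required, its
    command line) matches a signature, else None."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd_tokens = event.get("CommandLine", "").lower().split()
    for tool, sig in RMM_SIGNATURES.items():
        if image not in sig["images"]:
            continue
        if sig["cmdline_tokens"] and not any(t in cmd_tokens for t in sig["cmdline_tokens"]):
            continue
        return tool
    return None


def hunt(lines):
    """(user, host, tool) for every process-creation event that matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        tool = match_rmm(ev)
        if tool:
            hits.append((ev.get("User"), ev.get("Hostname"), tool))
    return hits


def summarize(hits):
    """Per-user set of distinct RMM tools; a single user with several is the
    insider pattern the report describes rather than one-off admin use."""
    by_user = {}
    for user, _host, tool in hits:
        by_user.setdefault(user, set()).add(tool)
    return {u: sorted(t) for u, t in by_user.items()}


# Constructed events: one RustDesk launch, one VS Code tunnel, one benign VS Code
# launch, one network event (EventID 3, ignored), notepad, and a CRD host start.
SAMPLE_EVENTS = [
    'EventID=1 Hostname=LT-0412 User=CORP\\jdoe Image="C:\\Users\\jdoe\\AppData\\Local\\rustdesk\\rustdesk.exe" CommandLine="rustdesk.exe --service"',
    'EventID=1 Hostname=LT-0412 User=CORP\\jdoe Image="C:\\Program Files\\Microsoft VS Code\\code.exe" CommandLine="code.exe tunnel --accept-server-license-terms"',
    'EventID=1 Hostname=LT-0412 User=CORP\\jdoe Image="C:\\Program Files\\Microsoft VS Code\\code.exe" CommandLine="code.exe C:\\src\\README.md"',
    'EventID=3 Hostname=LT-0412 User=CORP\\jdoe Image="C:\\Users\\jdoe\\AppData\\Local\\rustdesk\\rustdesk.exe" DestinationIp=203.0.113.10',
    'EventID=1 Hostname=WS-0077 User=CORP\\asmith Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
    'EventID=1 Hostname=WS-0077 User=CORP\\asmith Image="C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\remoting_host.exe" CommandLine="remoting_host.exe --type=host"',
]


def hunt_sample():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, tools in summarize(hunt_sample()).items():
        print(f"{user}: {', '.join(tools)}")
```

Pair the process hunt with an allowlist of the one RMM product the organisation actually sanctions, and correlate hits with the account's hire date and the remote-access events from the Git, SharePoint and OneDrive services the report names; the RMM install is the loud signal, the data pulls are what you then go looking for.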
174674396
submission
snydeq writes:
CSO Online's Evan Schuman reports on a design flaw in Microsoft Authenticator that causes it to often overwrite authentication accounts when a user adds a new one via QR scan. 'But because of the way the resulting lockout happens, the user is not likely to realize the issue resides with Microsoft Authenticator. Instead, the company issuing the authentication is considered the culprit, resulting in wasted corporate helpdesk hours trying to fix an issue not of that company’s making.'
Schuman writes: 'The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users’ apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer — such as a bank or a car company — to avoid this issue. Microsoft only uses the username.'
The flaw appears to have been in place since Authenticator was released in 2016. Users have complained about this issue in the past to no avail. In its two correspondences with Schuman, Microsoft first laid blame on users, then on issuers. Several IT experts confirmed the flaw, with one saying, 'It’s possible that this problem occurs more often than anyone realizes because [users] don’t realize what the cause is. If you haven’t picked an authentication app, why would you pick Microsoft?'
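The QR code an issuer shows carries an `otpauth://` key URI whose label is `Issuer:account` and which usually repeats the issuer as a query parameter; whether an app keys its store by the account alone or by (issuer, account) is exactly the difference Schuman describes. The snippet below is an added example, not Microsoft's or any vendor's code: it parses that URI format, models both keying strategies, and gives a helpdesk-style pre-check that predicts which enrollments would silently overwrite an earlier one. The three URIs and their secrets are constructed placeholders.

```python
"""otpauth key-URI parsing and the account-collision check behind the Authenticator
overwrite problem. Added example; SAMPLE_URIS are constructed placeholders."""
from urllib.parse import urlparse, parse_qs, unquote


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<Issuer>:<account>?secret=...&issuer=... into its parts.
    The issuer query parameter wins; the label prefix is the fallback."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth key URI")
    label = unquote(u.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:
        label_issuer, account = "", label
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    issuer = params.get("issuer") or label_issuer.strip()
    return {
        "type": u.netloc,
        "issuer": issuer,
        "account": account.strip(),
        "secret": params.get("secret", ""),
    }


class UsernameKeyedStore:
    """Models the behaviour the article describes: the account name alone is the
    key, so a second issuer with the same e-mail replaces the first entry."""

    def __init__(self):
        self.entries = {}

    def add(self, entry: dict):
        self.entries[entry["account"]] = entry


class IssuerKeyedStore:
    """Keyed by (issuer, account): the same e-mail at two issuers coexists."""

    def __init__(self):
        self.entries = {}

    def add(self, entry: dict):
        self.entries[(entry["issuer"], entry["account"])] = entry


def enroll_all(uris):
    """Enroll the same QR codes into both store models and return both."""
    by_username, by_issuer = UsernameKeyedStore(), IssuerKeyedStore()
    for uri in uris:
        entry = parse_otpauth(uri)
        by_username.add(entry)
        by_issuer.add(entry)
    return by_username, by_issuer


def collisions(uris):
    """(account, issuer_overwritten, issuer_overwriting) for every enrollment a
    username-only store would clobber; run this before handing a user a new QR."""
    seen, clobbered = {}, []
    for uri in uris:
        e = parse_otpauth(uri)
        if e["account"] in seen and seen[e["account"]] != e["issuer"]:
            clobbered.append((e["account"], seen[e["account"]], e["issuer"]))
        seen[e["account"]] = e["issuer"]
    return clobbered


# Constructed: the same e-mail enrolled at a bank and a car maker, plus one other user.
SAMPLE_URIS = [
    "otpauth://totp/Example%20Bank:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Bank",
    "otpauth://totp/Example%20Motors:alice%40example.com?secret=GEZDGNBVGY3TQOJQ&issuer=Example%20Motors",
    "otpauth://totp/Example%20Bank:bob%40example.com?secret=MFRGGZDFMZTWQ2LK&issuer=Example%20Bank",
]


if __name__ == "__main__":
    by_username, by_issuer = enroll_all(SAMPLE_URIS)
    print("username-keyed entries:", len(by_username.entries))
    print("issuer-keyed entries:  ", len(by_issuer.entries))
    print("would be overwritten:  ", collisions(SAMPLE_URIS))
```

The lockout Schuman describes follows directly: after the second enrollment the username-keyed store holds only the car maker's secret under `alice@example.com`, so the bank's codes stop verifying while the bank's own TOTP server is working correctly.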
174591694
submission
snydeq writes:
ServiceNow has reported potential compliance issues to the US Department of Justice “related to one of its government contracts” as well as the hiring of the then-CIO of the US Army to be its head of global public sector, the company said in regulatory filings on Wednesday. The DOJ is looking into the matter, CIO.com reports.
Following an internal investigation, ServiceNow said, its President and COO, CJ Desai, has resigned, while “the other individual has also departed the company.”
The probe also involves what ServiceNow said was the improper hiring of the Army CIO to serve as ServiceNow’s global head of public sector. That executive, Raj Iyer, told CIO.com, “I resigned because I didn’t want to be associated with this fiasco in any way. It’s not my fault.”
174591066
submission
snydeq writes:
The conservative think tank blueprint for how Donald Trump should govern the US if he wins in November calls for dismantling CISA, among many cyber-related measures. Experts say this would increase cybersecurity risks, undermine critical infrastructure, and put more Americans in danger. CSO's Cynthia Brumfield takes a look at what could become of US cybersecurity policy under a Trump administration in 2025 and beyond.
174479835
submission
snydeq writes:
Scrubbing tokens from source code is not enough, as shown by the publishing of a Python Software Foundation access token with administrator privileges to a container image on Docker Hub. "A personal GitHub access token with administrative privileges to the official repositories for the Python programming language and the Python Package Index (PyPI) was exposed for over a year. The access token belonged to the Python Software Foundation’s director of infrastructure and was accidentally included in a compiled binary file that was published as part of a container image on Docker Hub," writes CSOonline's Lucian Constantin. "The incident shows that scrubbing access tokens from source code only, which some development tools do automatically, is not enough to prevent potential security breaches. Sensitive credentials can also be included in environment variables, configuration files and even binary artifacts as a result of automated build processes and developer mistakes."
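The point Constantin makes is that the scan has to run over the built artifact, not just the source tree: a token pulled from an environment variable at build time ends up as a plain string inside the binary. The scanner below is an added example, not the Python Software Foundation's or any vendor's tooling; it searches raw bytes for the token families involved here (classic and fine-grained GitHub personal access tokens, PyPI API tokens), with the regexes based on the publicly documented prefixes and lengths and treated as an assumption to keep current. The sample "binary" and the tokens in it are constructed and not valid credentials.

```python
"""Scan built artifacts (not just source) for baked-in access tokens.
Added example; patterns are an assumption based on documented token formats,
and build_sample_artifact() is a constructed stand-in for a compiled binary."""
import re

# Assumption: gh{p,o,u,s,r}_ + 36 chars for classic GitHub tokens, github_pat_ +
# 82 chars for fine-grained PATs, and PyPI tokens start with the base64 of
# 'pypi.org' after 'pypi-'. Lookaheads stop partial matches inside longer runs.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}(?![A-Za-z0-9])"),
    "github_fine_grained_pat": re.compile(rb"github_pat_[A-Za-z0-9_]{82}(?![A-Za-z0-9_])"),
    "pypi_api_token": re.compile(rb"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}"),
}


def mask(token: bytes) -> str:
    """Enough to identify the finding in a ticket without re-leaking the secret."""
    t = token.decode("ascii", "replace")
    return t[:8] + "..." + t[-4:]


def scan_bytes(data: bytes, origin: str = "<bytes>"):
    """Return findings sorted by byte offset. Works on any blob: a compiled
    binary, a layer tarball, a .pyc, an environment dump."""
    findings = []
    for kind, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(data):
            findings.append({
                "origin": origin,
                "kind": kind,
                "offset": m.start(),
                "masked": mask(m.group(0)),
            })
    return sorted(findings, key=lambda f: f["offset"])


def scan_file(path: str):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), origin=path)


def build_sample_artifact() -> bytes:
    """Constructed stand-in for a compiled binary: an ELF-looking header, filler
    bytes, and two placeholder tokens that a build step 'baked in'. Neither token
    is real; they only have the right shape."""
    fake_github = b"ghp_" + b"F4k3" * 9                      # 4 + 36 chars
    fake_pypi = b"pypi-AgEIcHlwaS5vcmc" + b"MADEUP" * 10     # prefix + 60 chars
    return (
        b"\x7fELF\x02\x01\x01"
        + bytes(range(256))
        + b"GITHUB_TOKEN=" + fake_github + b"\x00"
        + b"\xde\xad\xbe\xef" * 8
        + b"TWINE_PASSWORD=" + fake_pypi + b"\x00"
    )


def scan_sample():
    return scan_bytes(build_sample_artifact(), origin="sample.bin")


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['origin']}:{f['offset']} {f['kind']} {f['masked']}")
```

To apply this to a published image rather than a loose file, `docker save image:tag -o image.tar`, unpack it, and run `scan_file` over every file inside each layer tarball; a token that was scrubbed from the repository but compiled into a binary, written into a config file, or captured in an `ENV` layer shows up there and nowhere in `git grep`.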
174131965
submission
snydeq writes:
From fundamental security mistakes and strategic shortcuts, to emerging industry trends, Change Healthcare’s security meltdown provides ample fodder for thought on how not to be the next high-profile victim, writes CSO's John Leyden. 'In response to the attack, US politicians have called for mandated baseline cybersecurity standards in the health sector, as well as better information sharing. They have also raised concerns that industry consolidation is increasing cyber risk. Overall, the ransomware attack on Change Healthcare, which UHG acquired for nearly $8 billion in 2022, illustrates how often poor security controls come up as a factor in ransomware attacks. Following is a look at several lessons learned in the wake of the attack.'