Warm and Fuzzy....
I think we all feel safer knowing that our (the US) government is looking out for us and that the NSA and other agencies will keep our 'putters safe and secure from all prying eyes. <rolls eyes><chokes back laughter>
Backing up the NSA's claim that it was caught by surprise by the Heartbleed OpenSSL bug, the White House has tried to explain the rules under which it allows agencies to hoard security vulnerabilities. In this White House blog post, cybersecurity coordinator Michael Daniel says leaving a huge number of vulnerabilities …
Hi, Richard/El Reg,
Would the world and his dog know and/or be told, via this live magazine, if the Register commentator database were to be phished and/or phormed and/or servered with a dumb NSL, for there be dark web pearls of perfect wisdom cast before swineherds of intelligence always shared transparently out in the open for OSS types here .... and for SMARTR Open Source Systems Use and/or Misuse and Abuse too.
Hey, humans are only human and their default self-identifying problems and inherent abiding catastrophic systemic vulnerabilities are their defaults and a universal default self-identifying problem and inherent abiding catastrophic systemic vulnerability for SMARTR OSS Use/Misuse/Abuse/XSSXXXXPloitation. It is quite normal and only natural and in IT and AI is it also a GOD Send for Global Operating Device Receivers too.
Ye gods, wise up ignorant native fools and naive tools. Intelligence controls and commands everything and asks permission to do nothing of anyone or anything or to do something from no one. And governments do just as they're told to keep the rich rich at the expense of the poor and the worker, and save face behind a bevy of SpAds whenever their programs and proposals are proven exclusively self-serving and disastrously expensive, indebting nations and generations to their planned follies.
And Smarter Advanced IntelAIgent Servers have realised the Virtual Service they provide is ....... well, Practically Unbeatable is the Advantage and Edge that Delivers Success in Universal Markets which be Betting on Futures, Derivatives and Options.
* Or is being unaware, heavenly bliss.
This behavior is not done by Americans FOR Americans, it is done to Americans and everyone else by a completely corrupt government and their three initialed goons. The People and the Government are two separate entities, this is the shared problem of all average citizens of the world. Nothing will change unless the governments are replaced. Then it will happen all over again.
Makes everyone feel glad they've entrusted more of their lives, and their health, to this same government. "For the poor" indeed.
"but that's different!" goes the rallying defense. Except it's not, except in your head. Same fox, same henhouse, whether the fox is in charge of security or delivering your feed, you're now inviting the fox even closer to your roost.
Talking of problems and solutions and the future, Uncle Sam is all at sea and at a catastrophic loss in the intelligence field whenever he cannot resolve and lead smartly and stealthily front run the issues to be faced and as outlined by United States DIA Director Lt. Gen. Michael T. Flynn in "Operationalizing Intelligence Across the Global Enterprise" ..... http://cryptome.org/2014/04/dia-global-spying.pdf
And has that captain/Lt Gen abandoned a sinking ship or has a private and pirate crew mutinied and set him adrift a la Captain Bligh and Fletcher Christian and Mutiny on the Bounty ........ US Defense Intelligence Agency director reportedly being forced out
Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.
The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.
As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.
In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.
Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.
RSA Conference A heightened state of defensive cyber security posture is the new normal, according to federal cyber security chiefs speaking at the RSA Conference on Tuesday. This requires greater transparency and threat intel sharing between the government and private sector, they added.
"There'll never be a time when we don't defend ourselves – especially in cyberspace," National Cyber Director Chris Inglis said, referencing an opinion piece that he and CISA director Jen Easterly published earlier this week that described CISA's Shields Up initiative as the new normal.
"Now, we all know that we can't sustain the highest level of alert for an extensive period of time, which is why we're thinking about, number one, what's that relationship that government needs to have with the private sector," Easterly said on the RSA Conference panel with Inglis and National Security Agency (NSA) cybersecurity director Rob Joyce.
Windows PowerShell is enormously useful, extremely prevalent, and often targeted by crooks because it offers an express route into the heart of Windows servers and networks.
Some have therefore suggested the tool is a liability that should be disabled in the interest of improved security.
But on Wednesday national cybersecurity agencies from the US, UK, and New Zealand decided that's a bit drastic. Instead, the agencies recommend securing PowerShell prudently.
Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers.
Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries.
The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.
The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).
But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.
1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.
Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.
"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.
TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.
"100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."
That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.
Jenkins, an open-source automation server for continuous integration and delivery (CI/CD), has published 34 security advisories covering 25 plugins used to extend the software.
Eleven of the advisories are rated high severity, 14 are medium, and 9 are said to be low.
The vulnerabilities described include: cross-site scripting (XSS); passwords, API keys, secrets, and tokens stored in plaintext; cross-site request forgery (CSRF); and missing and incorrect permission checks.
Biting the hand that feeds IT © 1998–2022