
Microsoft has quietly rolled out a change in Windows 10 version 1909 – the latest version of Windows 10 – that allows enterprise customers to stop devices sending telemetry data to Microsoft’s servers. That’s according to the findings of the Bavarian State Office for Data Protection Supervision, an influential data-protection authority in Germany, […]

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance’ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks.
The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).
The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations.
The document, from NSA’s cybersecurity directorate, encourages the adoption of ‘zero trust’ networks. Zero trust assumes malicious insiders and threats existing inside and outside classical network boundaries. The NSA says it “fully supports the Zero Trust model” and offers recommendations for creating it, from installing routers and using multiple vendors to creating firewalls that reduce the potential of an exploit impacting one vendor’s product. However, the agency also notes that its guidance focuses on mitigating common vulnerabilities and weaknesses on existing networks.
The Biden administration has given federal agencies until 2024 to implement zero trust architectures, so the NSA’s guidance joins recommendations from the National Institute of Standards and Technology’s (NIST) work to explain what zero trust is with key vendors such as Microsoft and Google. The UK is also pushing organizations to adopt zero trust.
Among other things, the document focuses closely on Cisco and its widely used IOS networking software for routers and switches, including configuring its one to 15 levels of privileged access to network devices and how to store passwords with algorithms that Cisco IOS devices use. The NSA knows a lot about Cisco gear, as Edward Snowden’s 2013 leaks revealed.
NSA recommends that similar systems within a network should be grouped together to protect against an attacker’s lateral movement after a compromise. Attackers will target systems like printers that are more easily exploitable, for example. It also recommends removing backdoor connections between devices in the network, using strict perimeter access control lists, and implementing network access control (NAC) that authenticates unique devices connected to the network.
Regarding VPNs, it says to “disable all unneeded features and implement strict traffic filtering rules”. It also specifies the algorithms that should be used for key exchanges in IPSec VPN configurations.
NSA says local administrator accounts should be protected with a unique and complex password. It recommends enforcing a new password policy and warns that “most devices have default administrative credentials which are advertised to the public”. Admins should remove all default configurations and then reconfigure them with a unique secure account for each admin. “Do not introduce any new devices into the network without first changing the default administrative settings and accounts,” NSA says.
The new report follows NSA’s guidance to help people and organizations choose virtual private networks (VPN). VPN hardware for securing connections between remote workers to corporate networks became a prime target during the pandemic.

Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects. The Package Analysis Project is one of the software supply chain initiatives from the Linux Foundation’s Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPI for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.
“Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users,” Caleb Brown of Google’s Open Source Security Team explains in a blog post.
“Despite open-source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software.”
The Package Analysis project identified more than 200 malicious packages in one month, according to OpenSSF. For example, it found token theft attacks on Discord users that were distributed on PyPI and npm. The PyPI package “discordcmd”, for example, attacks the Discord Windows client via a backdoor downloaded from GitHub and installed on the Discord app to steal Discord tokens.
Attackers distribute malicious packages on npm and PyPI often enough that OpenSSF, which Google is a member of, decided the problem needed to be addressed. In March, researchers found hundreds of malicious packages on npm that were used to target developers using Microsoft’s Azure cloud, most of which contained typosquatting and dependency confusion attacks. Both types are social-engineering attacks that exploit repetitive steps when developers frequently update a large number of dependencies. Dependency confusion attacks rely on unusually high version numbers for a package that in fact may have no previous version available.
OpenSSF says most of the malicious packages it detected were dependency-confusion and typo-squatting attacks. But the project believes most of these are likely the work of security researchers participating in bug bounties. “The packages found usually contain a simple script that runs during install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior,” OpenSSF and Google note.
OpenSSF notes that any of these packages “could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks.”
The recent Log4j flaw highlighted the general risks of software supply chain security in open source. The component was embedded in tens of thousands of enterprise applications and prompted a massive and urgent clean-up by the US government. Microsoft last week also highlighted the role of software supply chain attacks carried out by Russian state-backed hackers in connection with military attacks on Ukraine.
This February, Google and Microsoft pumped $5 million into OpenSSF’s Alpha-Omega Project to tackle supply chain security. The Alpha side works with maintainers of the most critical open-source projects, while the Omega side will select at least 10,000 widely deployed open-source programs for automated security analysis.

It was only a matter of time before the AI chatbot was emulated for malicious purposes — and one such tool is now on the market, known as WormGPT. When ChatGPT was made available to the public on November 30, 2002, the AI chatbot took the world by storm. The software […]

The cybersecurity industry continues to have issues finding talent to fill all of the available roles. To address the problem, the Utah legislature is giving Utah Valley University (UVU) and Utah State University (USU) a $5 million grant. The goal is to build an academic pipeline that will prepare students to work in fields like cybersecurity, security analytics, and artificial intelligence.
Utah has more than 4,000 unfilled tech jobs, and the grant is part of the state’s Deep Technology Talent Initiative (DTTI), which aims to expand academic tech programs and collaborate with local tech giants like Adobe, Northrop Grumman, and FireEye. Alongside the new programs at both schools, the companies will provide work experience for students through internships, capstones, and laboratory work. Both UVU’s Center for National Security Studies and USU’s Center for Anticipatory Intelligence are part of the Intermountain Intelligence, Industry and Security Consortium (I3SC), which hopes to equip students to fill roles in Utah’s “Silicon Slopes.”
“The next advancement in higher education requires us to play as a team. USU is excited to lead out alongside UVU in creating a leading-edge learning team — the I3SC consortium — that includes industry, state, and federal partners working together in unprecedented ways to prepare our graduates to be leaders in innovation, security, and resilience,” Jeannie Johnson, director of the Center for Anticipatory Intelligence at USU, told ZDNet.
Through the DTTI, I3SC was awarded $5,013,900 to create a “multifaceted academic pipeline program” available to students at both institutions. The courses will cover a variety of topics including secure computing, artificial intelligence, security analytics, cybersecurity, anticipatory intelligence, and security studies.
Thousands of students are already enrolled in tech programs at both schools, and the I3SC consortium’s goal is to build out a tech workforce that can handle the emerging threats from foreign governments, hackers, and other cybersecurity issues.
“We’re at a critical point where the threat landscape presents challenges for companies at all levels. The need has never been greater for smart, experienced, and skilled professionals, and that is what we are building with our consortium,” said Ryan Vogel, director of the Center for National Security Studies at UVU.
Vogel added that they have already received a lot of interest from students across the STEM and policy disciplinary spectrum. “We need graduates ready to take jobs, professionals that are skilled and experienced. That’s our focus with this project: to meet this demand and exceed it, in cybersecurity and other technological areas,” Vogel said.




