More stories

    White House joins OpenSSF and the Linux Foundation in securing open-source software

    Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, The Open Source Security Foundation (OpenSSF) and Linux Foundation rose to this security challenge. Now, they’re calling for $150 million in funding over two years to fix ten major open-source security problems.

    They’ll need every penny of it and more. The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMware. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million. At the White House press conference, OpenSSF general manager Brian Behlendorf said, “I want to be clear: We’re not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful.”

    Here are the ten goals the open-source industry is committed to meeting:

    1. Security Education: Deliver baseline secure software development education and certification to all.
    2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
    3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
    4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.
    5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
    6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
    7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
    8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
    9. Software Bill of Materials (SBOMs) Everywhere: Improve SBOM tooling and training to drive adoption.
    10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.

    I’ll go into more detail about those in later stories, but even at a glance, this is a massive undertaking. For instance, C, which is core to the Linux kernel, the most important of all open-source projects, has many vulnerabilities within it. While the memory-safe Rust language is now being used in Linux, it’s years, even decades, away from replacing C in Linux’s over 27.8 million lines of code. Indeed, I doubt we’ll ever see all of Linux’s C code replaced by Rust.

    We’re already close to solving some of the others. The open-source security company Chainguard is calling on the software industry to standardize on Sigstore. Sigstore enables developers to securely sign software artifacts such as release files, container images, binaries, bills of material manifests, and more. This Linux Foundation project is backed by Google, Red Hat, and Purdue University.

    Sigstore has several great features. These include:

    • Sigstore’s keyless signing gives a great developer experience and removes the need for painful key management.
    • Sigstore’s public transparency log (Rekor) and APIs mean Kubernetes consumers may easily verify signed artifacts.
    • Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files, and policy bundles) and OpenID Connect (OIDC), means it integrates seamlessly with other tools and services.
    • The active, open-source, vendor-neutral Sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard.

    Indeed, Kubernetes has already adopted Sigstore. In brief, it makes it simple to adopt a secure digital signature for your code. Then, the programmers who use your code can be sure it really is the code they want and can trust. This is essential.

    As Stephen Chin, VP of Developer Relations at software supply chain security company JFrog, said, “While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories.”

    Of course, there will always be bugs. As Behlendorf said, “Software will never be perfect. The only software that doesn’t have any bugs is software with no users.”

    These ransomware attackers sent their ransom note to the victim's printer

    A hacking group that conducts cyber espionage campaigns and ransomware attacks is targeting organisations in Europe and the United States.

    Cybersecurity researchers at Secureworks have attributed a string of cyber attacks involving ransomware and data theft, which took place in early 2022, to an Iranian hacking group they refer to as Cobalt Mirage – also known as APT35, Charming Kitten, Phosphorus and TA453 by other research groups.

    Among the attacks is an incident targeting a US local government network in March 2022, which Secureworks researchers have attributed to Cobalt Mirage due to hallmarks of previously uncovered attacks by the group. These include exploiting the ProxyShell vulnerabilities to deploy Fast Reverse Proxy client (FRPC) and enable remote access to vulnerable systems, along with use of infrastructure that matches patterns associated with the threat group.

    While the initial means of compromise in this attack is still unclear, researchers note that the attackers likely exploited unpatched Log4j vulnerabilities despite a patch being available. There’s evidence that this initial exploitation may have occurred as early as January 2022.

    Most of the intrusion activity spanned a four-day period in March, with the key aim of the activity being scanning the network and stealing data. Researchers note that this is strange because, like other attacks detected during the period, the targets had no strategic or political value to Iran.

    After the March 2022 intrusion was detected and disrupted, no further malicious activity was observed. Researchers suggest that the main motivation behind this attack, and others, is financial gain, but it’s unclear how exactly the attackers would look to profit from it.

    “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited,” Secureworks Counter Threat Unit (CTU) researchers wrote in a blog post.

    No ransomware was deployed in the attack against the undisclosed US local government victim, but researchers note that Cobalt Mirage does engage in ransomware attacks – as another victim, described as ‘a U.S. philanthropic organization’, discovered in January.

    According to Secureworks researchers who investigated the incident, attackers used ProxyShell and Microsoft Exchange vulnerabilities to move around the network and remotely gain access to accounts, before eventually triggering a BitLocker ransomware attack.

    Unusually, the ransom note was sent to a printer on the network and printed out on paper, detailing an email address and contact details. While Cobalt Mirage has links to state-backed hacking operations, in this case the ransomware is being deployed as a purely financially motivated attack. Ransom notes are more typically left either on screens or on servers.

    “The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer. The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data,” the security researchers said.

    In both incidents detailed by researchers, attackers were able to gain access to networks by exploiting unpatched critical cybersecurity vulnerabilities. To protect networks against cyber attacks, it’s recommended that security patches are applied as quickly as possible to prevent potential intruders from exploiting known vulnerabilities. Researchers also recommend implementing multi-factor authentication, and monitoring for unauthorised or suspicious use of tools and file-sharing services, which could indicate attackers are in the network.

    Delete data! Here's the safest way to permanently erase your laptop's drive [Ask ZDNet]

    Welcome to this week’s installment of Ask ZDNet, where we answer the questions that make Dear Abby’s eyes glaze over. In the mailbag this week: What’s the best way to securely erase your PC before selling it or giving it away? How can you fix your weak passwords easily? And why is it so hard to find a laptop with a large display and a touchscreen? If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. We’ll find an outside expert who can steer you in the right direction if they don’t. Questions can cover just about any remotely related topic to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice… well, you get the idea. Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Ask away. 

    What’s the best way to permanently delete all the personal files from my laptop before I give it away?

    I am giving away my old Windows laptop to a friend. Before I do that, I want to make sure my personal files are securely erased and completely unrecoverable. Do I need special software for that?

    When you’re getting a PC ready for reuse, the best way to begin is to boot from Windows installation media, remove all existing disk partitions, and then perform a clean install. That option removes any existing personal files, but it doesn’t wipe the disk clean. As a result, it’s possible that someone with advanced technical skills could use forensic tools or data recovery software to access some of the deleted information.

    On modern systems with solid-state drives, you can often find a management utility that includes a Secure Erase command. For Samsung SSDs, use the Samsung Magician program. For Intel SSDs, download and install the Intel Memory and Storage Tool. SSDs from Crucial use the Crucial Storage Executive utility. Microsoft Surface devices support a custom tool called the Microsoft Surface Data Eraser.

    You can also use Windows’ built-in encryption tools to ensure that the entire system drive, including unused disk space, is encrypted before performing a clean install. That extra step requires some additional time, but it ensures that any data recovered from anywhere on the drive will be unreadable. And you don’t need third-party software to get the job done.

    Your system drive is fully encrypted by default if you’ve signed in to Windows with a Microsoft account on a modern device that supports BitLocker Device Encryption (BDE). (To confirm that your device supports BDE, run the System Information utility (Msinfo32.exe) as an administrator and check the Device Encryption Support entry at the bottom of the System Summary page.)

    On a system running Windows 10 Pro or Windows 11 Pro, you can use the Manage BitLocker utility (type BitLocker in the search box to find it) to encrypt the system drive and any data drives. Be sure to choose the option to encrypt the entire drive and not just the space that currently contains data.

    If Device Encryption isn’t available, open a command prompt using the Run As Administrator option and enter this command:

        Cipher /W:C:

    That command “zeroes out” unused disk space, overwriting it so that it can’t be recovered. This process can take a long time, so consider letting it run overnight while you concentrate on more important tasks.
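The whole-drive-encryption-then-reinstall procedure above, scripted as an added example; this is not code from the ZDNet column. It assumes an elevated PowerShell prompt on Windows 10/11 Pro, drive letter C:, and the BitLocker PowerShell module (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector). When the module is absent it falls back to the column's cipher /w free-space overwrite.

```powershell
# Added example (not from the ZDNet column): make every sector of the system drive
# ciphertext, or overwrite free space, before the clean install that precedes handoff.
# Assumptions: elevated PowerShell on Windows 10/11 Pro, drive C:, BitLocker module present.
#Requires -RunAsAdministrator
param([string]$Drive = 'C:')

function Get-DriveEncryptionState {
    param([string]$MountPoint)
    # Windows Home without Device Encryption has no BitLocker cmdlets at all.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return 'BitLockerUnavailable'
    }
    # Typical values: FullyDecrypted, EncryptionInProgress, FullyEncrypted
    return (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
}

$state = Get-DriveEncryptionState -MountPoint $Drive
"Drive $Drive encryption state: $state"

switch ($state) {
    'FullyEncrypted' {
        # Free space is already ciphertext; the clean install discards the key.
        "Drive is fully encrypted; proceed to the clean install."
    }
    'BitLockerUnavailable' {
        # The column's fallback: cipher /w overwrites unused space (0x00, 0xFF, then
        # random data) so previously deleted files cannot be recovered. Slow on big drives.
        & cipher.exe /w:$Drive
    }
    default {
        if ($state -eq 'FullyDecrypted') {
            # Omitting -UsedSpaceOnly encrypts the ENTIRE drive, including free space,
            # the same choice the column tells you to make in Manage BitLocker.
            Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
                -TpmProtector -SkipHardwareTest
            # Keep a recovery password so the machine still boots until you reinstall.
            Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector |
                Select-Object -ExpandProperty KeyProtector
        }
        # Encryption runs in the background; wait for it before booting install media.
        do {
            Start-Sleep -Seconds 30
            $vol = Get-BitLockerVolume -MountPoint $Drive
            "Encrypting: $($vol.EncryptionPercentage)%"
        } while ($vol.VolumeStatus -ne 'FullyEncrypted')
    }
}
"Next: boot from Windows installation media, delete all partitions, and clean install."
```

Run it as `.\Prepare-DriveForHandoff.ps1` (any filename works) and only reboot into the installer once it reports FullyEncrypted or cipher has finished; an interrupted encryption or overwrite leaves plaintext behind on the unprocessed portion of the drive.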

    My password manager says some of my passwords are weak. Should I be worried?

    I recently started using a password manager, and when I sign in to some sites the program tells me my password is weak. What do I need to do to replace those weak passwords with strong ones?

    If you’ve recently started using a password manager, congratulations! That’s a major step on the road to being more secure. You’re undoubtedly dealing with a collection of credentials you created yourself over the years during this transition. And because human beings are notoriously bad at creating truly random strings of text, those passwords are probably weak, which means they can be easily guessed or are vulnerable to a brute-force attack.

    A weak password is typically too short, is made up of words that can be found in a dictionary, and/or contains all or part of the account name. Even if you did manage to create a truly random, hard-to-guess password, your password manager will flag it if it determines you’ve used it at multiple sites.

    The good news is that your password manager undoubtedly contains a password generator, which you can use to replace those old, weak, insecure passwords. Unfortunately, the process of changing your old passwords is labor-intensive. For each service, you’ll need to find the page where you change your password; use the password generator to create a new, random, unique password and then update the saved entry.

    As a best practice, you should do this as soon as possible for high-value sites like banks, credit card portals, and email and social media accounts. After completing each password change, I recommend that you immediately sign out of the service and sign in again, using your freshly saved password, to confirm that the new password was properly stored.
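The four weakness signals the answer lists (too short, dictionary word, contains the account name, reused across sites) as a vault audit, added here as an example; it is not the column's code nor any password manager's. The vault entries and the tiny wordlist are constructed sample data, and the 12-character floor is an assumed threshold.

```powershell
# Added example (not from the ZDNet column): flag weak and reused vault entries.
# All credentials below are constructed sample data; the wordlist is a stand-in for a
# real dictionary and the 12-character minimum is an assumed policy value.

$Dictionary = @('password', 'welcome', 'summer', 'dragon', 'letmein', 'monkey', 'qwerty')

function Test-WeakPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName
    )
    $reasons = @()
    if ($Password.Length -lt 12) { $reasons += 'too short (<12 characters)' }

    # Strip digits and symbols so "Summer2022!" is still recognised as the word "summer".
    $letters = ($Password -replace '[^A-Za-z]', '').ToLowerInvariant()
    if ($letters -and ($Dictionary -contains $letters)) { $reasons += 'dictionary word' }

    # Account name (the part before @ for an e-mail address) appearing in the password.
    $local = ($AccountName -split '@')[0].ToLowerInvariant()
    if ($local.Length -ge 3 -and $Password.ToLowerInvariant().Contains($local)) {
        $reasons += 'contains account name'
    }
    return $reasons
}

function Get-VaultFindings {
    param([Parameter(Mandatory)][object[]]$Vault)
    # Reuse: the same password (case-sensitive) stored for more than one site.
    $reused = $Vault | Group-Object -Property Password -CaseSensitive |
              Where-Object Count -gt 1 | Select-Object -ExpandProperty Name
    foreach ($entry in $Vault) {
        $reasons = @(Test-WeakPassword -Password $entry.Password -AccountName $entry.Account)
        if ($reused -ccontains $entry.Password) { $reasons += 'reused at multiple sites' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Site = $entry.Site; Account = $entry.Account; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample vault: one dictionary-based, one containing the account name,
# one strong password that is nevertheless reused at two sites.
$vault = @(
    [pscustomobject]@{ Site = 'bank.example';  Account = 'alice@example.com'; Password = 'Summer2022!' },
    [pscustomobject]@{ Site = 'mail.example';  Account = 'alice@example.com'; Password = 'alice1234567' },
    [pscustomobject]@{ Site = 'shop.example';  Account = 'alice';             Password = 'Kf7#pQ2vL!x9wR3t' },
    [pscustomobject]@{ Site = 'forum.example'; Account = 'alice';             Password = 'Kf7#pQ2vL!x9wR3t' }
)
Get-VaultFindings -Vault $vault | Format-Table -AutoSize
```

The output lists bank.example (too short; dictionary word), mail.example (contains account name) and both shop.example and forum.example (reused), which is the same ordering of priorities the answer suggests: fix the guessable ones first, then break up reuse so one site's breach cannot unlock another.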

    Where are all the touchscreen PCs?

    I’ve been shopping for a new laptop with a larger display, at least 16 inches. The extra clunkiness doesn’t bother me as my mobile needs are pretty limited and I’m not a big fan of having an external display. But I’ve been surprised by how many Windows laptops with larger displays don’t come with a touchscreen. It is 2022, right? Am I just looking in the wrong place?

    These days, most mainstream laptops have screens that are 13 or 14 inches in size, measured diagonally. That form factor is the sweet spot for general business use, typically small enough and light enough to be truly portable. At that size, a touchscreen comes in handy occasionally, and it’s usually not an expensive upgrade.

    As you’ve discovered, 16- and 17-inch laptops are not so portable and typically command a premium price. Dell’s new XPS 17 laptop, for example, weighs 4.87 pounds with a non-touchscreen and bulks up to a hefty 5.34 pounds (with a $300 surcharge) if you specify a touchscreen. And this model is considered remarkably light for the category. (Your shoulder may beg to differ.) These devices are generally designed for graphics professionals who use them as desktop replacements and occasionally need to do high-end graphics work on the road.

    Given their size and the fact that most graphics editing tasks require a mouse, a touchscreen on a laptop that large is pretty much a waste of battery power and money. For your use case, I suggest looking at a laptop with a 15-inch screen, like the Dell XPS 15. And if you’re going to use it as a desktop replacement, connected to a docking station with a keyboard and mouse most of the time, skip the touchscreen; choose a less expensive non-touch-enabled display and invest the savings in a discrete GPU.

    Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for any other purpose.



    Just in time? Bosses are finally waking up to the cybersecurity threat

    Boardrooms have a reputation for not paying much attention to cybersecurity, but it could be that executives are finally keen to take more interest in securing the systems and networks their businesses rely on. Senior figures from American, British and Australian cybersecurity agencies have said that business execs are now more aware of cyber threats and are actively engaging with their chief information security officer (CISO) and information security teams. 

    Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), said that, in a “massive leap in trust,” many organisations are actively seeking out advice to help inform boardrooms about cybersecurity issues.

    “Today boards say, ‘Can you come and brief our board, and can you stay while the CISO’s briefing the board? And can you please give us a view about the quality of our controls and our estimation of risk?’, which is hugely transparent,” she said, speaking at the UK National Cyber Security Centre’s (NCSC) Cyber UK conference in Newport, Wales.

    “I see that as well, it feels as if it’s really maturing,” said Lindy Cameron, CEO of the NCSC. “We’ve been trying really hard over the last few months to get organisations to step up but not panic, do the things we’ve asked them to for a long time and take it more seriously.”

    The NCSC regularly issues advice to organisations on how to improve and manage cybersecurity issues, ranging from ransomware threats to potential nation state-backed cyberattacks – and Cameron said she’s seen a more hands-on approach to cybersecurity from business leaders in recent months.

    “I’ve seen chief execs really asking their CISOs the right questions, rather than leaving them to it because they don’t have to understand complex technology. It does feel like a much more engaging strategic conversation,” she said.

    But there can still be a disconnect between knowing what needs to happen and actually budgeting for and implementing a cybersecurity strategy.

    “I think everybody in this room knows what we need to do to do the basics of cybersecurity. And often the challenge is the culture and the resources; the will to say, ‘This is the thing that we have to do and we’re going to endure the pain to get there’,” said Rob Joyce, director of cybersecurity at the National Security Agency (NSA).

    He pointed to multi-factor authentication (MFA), something which is generally regarded as a key step that businesses can take to boost cybersecurity, providing an extra barrier to hackers trying to use phished, leaked or stolen usernames and passwords. However, rolling MFA out to all users of a network can be a challenge.

    “We have a long journey ahead on multi-factor authentication, there’s nobody who thinks that’s a bad idea – but it’s a real investment, a real pain to implement it,” said Joyce.

    Nonetheless, the NSA director believes progress is being made, especially after the White House signed an executive order around cybersecurity for critical infrastructure and committed to a zero-trust security model for federal agencies.

    While these proposals only relate directly to critical infrastructure and government respectively, following the cybersecurity strategies could be useful to many organisations in other sectors.

    “The narrative has shifted at a political level, at the board level, at the industry level, who are now getting together and saying, ‘We know where we must go, let’s resource everyone to get there’,” said Joyce.

    And while most businesses will be expected to take control of implementing and updating a cybersecurity strategy themselves, governments and cybersecurity agencies are there to provide advice and guidance – and that’s something the ACSC’s Bradshaw hopes companies continue to take advantage of during their cybersecurity journeys.

    “What they’re looking for is evidence of an ongoing relationship and collaboration between my agency and their CISO and senior execs. That is something I’m extremely grateful for and I think bodes well for the evolution that’s necessary over the next decade,” she said.

    The stakes 'could not be any higher': CISA chief talks about the tech challenges ahead

    Security by design needs to be ingrained in software development, and innovative thinking is required to help secure society against cyberattacks as technology becomes a bigger part of our everyday lives, the chief of the US Cybersecurity & Infrastructure Security Agency (CISA) has warned.

    CISA director Jen Easterly said that, while it’s important to focus on the cybersecurity issues of today, it’s also important to think about the challenges of tomorrow.

    “The stakes in the decade ahead could not be any higher, particularly for those of us in technology and cybersecurity,” she said, warning that it’s “critical” to focus on the overriding values that must underpin cyber defense over the next decade.

    Alongside the current challenges facing cybersecurity – such as ransomware and supply chain attacks – emerging technologies could bring new threats. For example, the rise of Internet of Things (IoT)-connected smart cities could provide cyber criminals and other hostile attackers with a direct means to disrupt and tamper with services people use every day – unless these cities are designed properly from day one.

    But cybersecurity wasn’t the only challenge Easterly pointed to, noting the need to make sure that democratic states beat authoritarian regimes to the foundational technologies of tomorrow, the challenges of facial recognition and the race for cryptographically relevant quantum computers, and the growth of artificial intelligence and the fracturing of the internet.

    “The emerging technology of today will define the shape of the world tomorrow and it’s not an exaggeration in my view to assert the next 10 years could truly determine whether the liberal world order of the post-World War II period will survive or more optimistically whether we as like-minded democratic nations will continue to thrive,” she said.

    “Will we lead on the development of smart tech and the growth of smart cities in a way that is not just secure by design but engineered for privacy by design?” asked Easterly, speaking via video at the National Cyber Security Centre’s (NCSC) Cyber UK conference in Newport, Wales.

    The same can be asked of software and supply chains. Many major cybersecurity incidents begin with newly discovered zero-day vulnerabilities – and while patches are made available once these are disclosed, organisations can be slow to roll them out, leaving them exposed to attackers. By implementing secure by design – a process where applications and software are built with cybersecurity in mind first – technology can be safer and more secure against cyberattacks.

    “Will we work together finally to lead the effort to shape the tech ecosystem to ensure that our software and our systems and our networks – and yes, the supply chains that underpin it all – are secure and resilient by design that a decade from now a major intrusion or a new severe zero-day vulnerability is the exception not the norm?” said Easterly – who emphasised that this reality is possible, but only with a coordinated effort.

    “The answer to all of these questions can be, indeed, they must be yes, but only if we invest aggressively in our alliances, in our people, in global standards that reflect core values that we hold dear across our nations and that bind us together,” she added.


    Beware of state actors stepping up attacks on managed service providers: Cyber agencies

    Written by

    Chris Duckett, APAC Editor


    The agencies responsible for cybersecurity from the United States, United Kingdom, Australia, and Canada have issued a second alert this week, stating that attacks on managed service providers (MSPs) are expected to increase. The advisory states that if an attacker is able to compromise a service provider, then ransomware or espionage activity could be conducted throughout the provider’s infrastructure and used to attack its customers.

    “Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” the nations advised. “NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors — including state-sponsored advanced persistent threat groups — to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.”

    For the purposes of this advice, the MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services.

    In pretty obvious advice, the initial recommendation is to not get compromised in the first place. Beyond that, users are advised to adopt a familiar set of measures:

    • Improve monitoring and logging
    • Update software
    • Have backups
    • Use multi-factor authentication
    • Segregate internal networks
    • Use a least privilege approach
    • Remove old user accounts

    It is also advised that users check that their contracts contain clauses ensuring MSPs have sufficient security controls in place. “Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer’s environment,” the advisory states.

    “MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.”


    Google I/O: New security features include virtual credit cards, account safety status

    Written by

    Jason Cipriani, Contributing Writer


    on May 11, 2022

    Google’s annual developer conference kicked off on Wednesday with several announcements. One includes a handful of new products and services — that Google is either rolling out or will be rolling out in the future — to help improve users’ security and to protect their privacy. The company recapped the announcements via a blog post by Jen Fitzpatrick. 

    Google’s announcements tackle several different aspects of your privacy and security. For example, Google is working on a new virtual card tool that can be used across Android devices and in the Chrome browser on Mac or PC. It’s separate from Google Pay, and once a card is added to the service, a virtual card number will be given to the vendor whenever you purchase something online. In the event of a data breach, the virtual card number can be replaced, and you won’t have to deal with replacing your physical card. Apple has the same type of feature for the Apple Card. Google’s virtual cards are expected to launch this summer. 
    Image: Google
    Google also announced a new tool for users’ profiles that will alert you if there’s an action or step you need to take to better protect your information. The Account Safety Status will show up as a yellow circle around your profile’s avatar, letting you know there’s something that needs your attention. In addition to the Safety Status feature, Google Workspace users will soon see more proactive phishing alerts in Google Docs, Slides, and Sheets. 

    To help users keep their personal contact information out of Google search results, a new tool will let you flag data, such as your phone number or address, that’s found in public searches. Once flagged, Google will evaluate it and remove any unwanted and potentially harmful information. Through a new Protected Computing initiative, Google will continue its efforts to remove any personally identifying information from your account data and continue investing in encryption.

    Google is also working on a new My Ad Center that will allow users to provide feedback about the ads they see while using various Google products. Users can remove ad types, or indicate that they want to see more ads about a specific topic.

    Personally, I’m looking forward to the virtual card numbers the most. I use that feature all the time with my Apple Card, and I wish more credit or debit cards had the same offering. Thanks to Google, at least, it sounds like they will very soon.