More stories

  • Red Hat Enterprise Linux 8.6: Better security, more options

    Do you want a solid Linux distribution that also delivers the latest languages and strong security? Yes? Then consider getting Red Hat Enterprise Linux 8.6. Red Hat announced this new release at the Red Hat Summit. It has numerous new features, but the ones that caught my eye were the security improvements.

    For example, if you’re serious about securing your Linux distribution, you should run Security-Enhanced Linux (SELinux). But SELinux has long had a fundamental problem. Because its Common Intermediate Language (CIL) couldn’t store the module name and version in the module itself, there was no simple way to verify that the installed module was the right version. This kind of thing has become a common software supply chain security problem. Now, however, you can create a SHA-256 checksum for your SELinux modules. You can then compare this with the original file’s checksum to make sure you’re actually using the correct SELinux configuration file.

    Continuing with configuration file security improvements, RHEL’s OpenSSH servers now support drop-in configuration files: the sshd_config file supports the Include directive, so you can pull in configuration files from another directory. This matters because it makes it easier to apply system-specific configurations on OpenSSH servers using automation tools such as Ansible Engine. It also makes it easier to organize different configuration files for different uses, such as filtering incoming connections.

    Libreswan, a popular open-source IPsec Virtual Private Network (VPN) and Internet Key Exchange (IKE) server, has been rebased to upstream version 4.5. This includes many bug fixes and enhancements, such as support for IKE version 2 for Labeled IPsec, which enables Libreswan to work better on SELinux systems.

    For SAP HANA users, the big news is that there’s now a jointly tested RHEL SAP HANA configuration with SELinux enabled. SELinux lets the server automatically isolate processes, which in turn provides strong protection against privilege escalation attacks.

    At a higher level, RHEL’s web console now includes support for smart card authentication with sudo and SSH. With the growing need for two-factor authentication (2FA), this is a big step forward for day-to-day security.

    For developers, the biggest news is that RHEL 8.6 now comes with PHP 8 and Perl 5.32. It also includes support for GCC 11, LLVM 13.0.1, Rust 1.58.1, Go 1.17.7, OpenJDK 17, and Apache Log4j 2. In other words, it supports today’s most up-to-date languages.

    If you need high availability (HA), RHEL 8.6 also comes with an HA Cluster System Role. This makes it much easier to create more consistent and stable RHEL HA cluster solutions.

    Life is also easier for SAP HANA users because SAP Day-1 Automation uses the Red Hat Ansible Automation Platform to automate SAP HANA setup and configuration. Additionally, these new RHEL system roles are now available as Ansible collections, giving organizations more flexibility in how they consume SAP automation content. All these SAP HANA improvements make RHEL much more competitive with SUSE’s SAP HANA offerings.

    Put it all together and what you get is a great, solid enterprise Linux for Red Hat users on everything from a simple server in the back room to the data center, the public cloud, the hybrid cloud, and beyond.

    RHEL 8.6 is available now for everyone with an active RHEL subscription. Don’t have one and want to give the latest RHEL a try? You can download a 60-day evaluation edition of RHEL 8.6 to see if it works for you.
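The practical catch with sshd_config drop-ins is that sshd uses the first value it obtains for each keyword, so a drop-in only overrides the main file if the Include directive appears before the setting it is meant to replace. The following added example (my own code, not Red Hat’s or OpenSSH’s) models that rule with constructed sample files; it resolves relative Include paths against the main file’s directory rather than /etc/ssh and ignores Match blocks.

```python
import glob
import os
import tempfile

# Constructed sample files, not copied from RHEL: a main sshd_config that
# pulls in a drop-in directory near the top, plus one hardening drop-in.
MAIN_CONFIG = """\
# sshd_config (constructed sample)
Include sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

DROP_IN = """\
# sshd_config.d/50-hardening.conf (constructed sample)
PasswordAuthentication no
PermitRootLogin no
"""


def resolve_sshd_config(path, effective=None):
    """Return the effective keyword -> value map for an sshd_config file.

    Models the rule in sshd_config(5): for each keyword the first value
    obtained wins, and Include splices the matched files in at the point
    where the directive appears, in sorted glob order. Relative Include
    paths are resolved against the main file's directory here (real sshd
    resolves them against /etc/ssh); Match blocks are not modelled.
    """
    if effective is None:
        effective = {}
    base = os.path.dirname(os.path.abspath(path))
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if keyword == "include":
                pattern = value if os.path.isabs(value) else os.path.join(base, value)
                for included in sorted(glob.glob(pattern)):
                    resolve_sshd_config(included, effective)
                continue
            # First obtained value wins; later duplicates are ignored, as in sshd.
            effective.setdefault(keyword, value)
    return effective


def demo(include_first=True):
    """Write the sample tree to a temp dir and return the effective config.

    With include_first=False the Include line is moved to the end of the
    main file, which shows why the drop-in then overrides nothing.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sshd_config.d"))
        lines = MAIN_CONFIG.splitlines()
        if not include_first:
            includes = [l for l in lines if l.startswith("Include")]
            lines = [l for l in lines if not l.startswith("Include")] + includes
        main_path = os.path.join(root, "sshd_config")
        with open(main_path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        with open(os.path.join(root, "sshd_config.d", "50-hardening.conf"), "w") as fh:
            fh.write(DROP_IN)
        return resolve_sshd_config(main_path)


if __name__ == "__main__":
    print("Include at top:   ", demo(True))
    print("Include at bottom:", demo(False))
```

On a real host, `sshd -T` prints the effective configuration sshd itself computes, which is the authoritative check that a drop-in took effect.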

  • Brazilian e-commerce firm Americanas reports multimillion-dollar loss following cyberattack

    Written by Angelica Mari, Contributing Editor

    Angelica Mari is a Brazil-based technology journalist. She started working at age 15 as a computer instructor and started writing professionally about technology two years later.

    Brazilian e-commerce conglomerate Americanas.com reported a multimillion-dollar loss in sales in its financial results on Friday after a major cyberattack earlier this year. The company lost 923 million Brazilian reais ($183 million) in sales after two attacks that took place between February 19 and 20 and rendered its e-commerce operation unavailable. According to the company, physical stores continued to operate and the logistics arm of the company continued to deliver orders placed after the event.

    “In order to add strength to our internal team and security partner companies in the resolution and investigation of this incident, we called on world-renowned experts with experience in situations like these,” the company said in its financial statement. According to Americanas, the operations started to be gradually restored on February 23 and activities fully resumed the following day. “There is no evidence of other damages, beyond the fact that our e-commerce operations were suspended,” the firm noted.

    Despite the impact caused by the incident, the company reported a 22% increase in total sales compared to the same period last year. According to the firm’s results, digital sales increased 20% in the first quarter of the year as the pace of sales resumed in the weeks following the incident. The company noted that if the cyberattack hadn’t happened, sales growth would have reached 30%.

    The authors of the Americanas attack are understood to be the Lapsus$ Group — the group responsible for a major ransomware attack against Brazil’s Ministry of Health in December 2021 that resulted in the unavailability of the COVID-19 vaccination data of millions of citizens. According to analyst firm IDC, overall IT security spending is expected to reach nearly $1 billion in Brazil this year, an increase of 10% in relation to 2020. The research company predicts that 2022 will see firms dealing with an increasing number of cyberattacks, a trend that has gathered pace since the start of the COVID-19 pandemic.


  • Are period tracking apps safe?

    As the battle over abortion continues in the United States, concerns have been raised over period tracking apps’ data practices and security.  You should stop using them, or at the least, only use a service with stringent data protection and encryption — and this is why. 

    What is Roe v. Wade?

    For those unfamiliar with the current upheaval in the US, the 1973 Roe v. Wade case, brought forward against state laws restricting abortion, was a landmark ruling that effectively legalized the procedure in the US. However, different US states still take varied views on abortion and when it is permissible. Earlier this month, reports surfaced of a leaked draft majority opinion showing the US Supreme Court is likely set to overturn Roe v. Wade. The draft also cites a 1992 decision that further cemented the constitutional right to abortion services. According to the Associated Press, Senate Democrats have tried to move quickly and enshrine the 50-year-old ruling into law through new legislation, which, if passed, would have made abortion rights far harder to overturn. However, the proposed bill has been blocked. A final ruling is reportedly to take place within months. If Roe v. Wade is overturned, the non-profit Guttmacher Institute suggests that at least 26 US states, including Texas, Alabama, and Louisiana, may be poised to trigger abortion bans or at least impose a minimal time frame for terminations.

    Technology in the medical sector

    Wearable health tech, hospital robots, and telehealth appointments with healthcare providers all have become commonplace. As we’ve seen during the pandemic, technology can be of great benefit to overstretched medical professionals, and we can use mobile technology, too, on a personal level — to track our activities, sleeping patterns, and more. Millions of people with periods worldwide use menstruation tracking apps to track and monitor their monthly cycles, and the overarching “femtech” market is estimated to be worth roughly $49 billion by 2025.

    What do period tracking apps do?

    Menstruation apps log user input related to menstrual cycles over several months to predict when their next one is due. These apps can also be used to record changes in flow, predict likely fertility windows, log symptoms such as mood swings and cramps, and record sexual activities. Some apps focus on users attempting to become pregnant. Others offer general health and lifestyle advice. Some can quietly connect users to healthcare providers if they have questions or concerns. Period tracking apps can be particularly useful for users entering puberty and for those with irregular cycles. However, they should not be used as a form of birth control and, as people with periods know all too well, accurately predicting your next cycle start date is far from an exact science.

    Which are the most popular period trackers?

    In the Android and iOS mobile ecosystems, some of the most popular menstruation trackers are Flo, Clue, Glow, MagicGirl, and Natural Cycles.

    What do period tracker apps have to do with the US Supreme Court?

    There are several emerging issues connecting the two. Period, fertility, and sexual activity trackers, by design, have to collect intimate information from their users, which is often stored and analyzed over time. Users can then tap into their record for next-cycle estimates, the days they may be most fertile, and to find out if they are likely to be pregnant.  In a post-Roe world, and if some US states do choose to write their own laws surrounding terminations, data from these apps could be used to prosecute people. Online information and digital records can make or break a criminal prosecution. This can include social networking posts, email records, conversations, location (GPS) data, and the user data collected by personal health mobile apps.  Keep in mind that such evidence may be flimsy, at best, considering how inaccurate these trackers can be. Should a user, for example, cross state lines to have a procedure done and their location or cycle records are known, investigators would need to prove beyond a reasonable doubt that the individual broke the law. However, information obtained from reproductive health and monitoring apps could, in theory, be used to build up a case. 

    The Electronic Frontier Foundation puts it thus: “Service providers can expect a raft of subpoenas and warrants seeking user data that could be employed to prosecute abortion seekers, providers, and helpers.  They can also expect pressure to aggressively police the use of their services to provide information that may be classified in many states as facilitating a crime.”

    The case for criminality

    If seeking an abortion becomes a criminal act in some states, then how app providers secure and manage user data has to become a priority — not just in terms of transparency, but in terms of what future US legal mandates may require. User data that is fed through third-party infrastructure providers, for example, could become subject to warrants or subpoenas in criminal investigations if individuals are suspected of being pregnant or of seeking a termination. In addition, app providers themselves may be subject to user data requests or demands if the information they hold isn’t legally protected.

    As noted by Slate, the data held by period trackers might not have any intrinsic value now to government agencies or investigators, but if Roe v. Wade is dissolved, these records could be used as evidence in a prosecution. The state of Louisiana is already considering treating abortions as homicides. Perhaps some states will follow the example of El Salvador, which recently prosecuted a woman for homicide after she suffered a miscarriage. If this is the future, other data sets gathered by these apps — such as smoking habits and alcohol intake, as Slate reports — could also be of interest to prosecutors.

    Isn’t this being overblown?

    Not necessarily. It wasn’t so long ago that whistleblower Edward Snowden landed the US National Security Agency (NSA) in hot water over its mass digital surveillance programs. Last year, Flo drew the ire of the US Federal Trade Commission (FTC) for allegedly misleading users by “sharing the health information of users with outside data analytics providers.” In response, Flo said:

    “We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use […] Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.”

    In a 2020 study conducted by Privacy International, the civil rights group found that menstruation apps stored a “dizzying” amount of data on their users. For example, after requesting a copy of their information under GDPR, out of five apps surveyed, only two provided records — and these revealed data concerning menstruation, users’ sexual lives, diseases, orgasm rates, masturbation habits, medication intake, how many children they have, and more. According to Privacy International, some of this information was shared with third parties. (It should be noted that some of the apps have reviewed their data policies since the report went live.)

    The issue is that some period tracking apps may have vague data protection policies, share information — unaware that it could be used against their users — or may outright sell information to third parties. If an investigator can’t secure a warrant or subpoena to demand this data, they could buy it instead, if they knew where to look. You just need to look to Texas and the so-called Heartbeat Bill, which allows citizens to effectively become bounty hunters by suing anyone who assists an individual in receiving an abortion for up to $10,000, to understand that there may also be some people out there who would try to purchase this information to line their pockets.

    Data management: The US vs. Europe

    How mobile app developers, across every sector, handle data is often questionable and is not necessarily protected under laws such as the EU’s GDPR. The EU’s General Data Protection Regulation (GDPR) requires organizations in the bloc to adhere to basic data protection standards, only hold “necessary” user information, and submit to strict rules depending on whether they are processors or controllers. When it comes to medical information, this is defined as “physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.” Some period trackers may be protected under GDPR, and in general, medical data can be exempt from disclosure when a data request is made if complying is “likely to cause serious harm to the physical or mental health of any individual.”

    Clue told Slate that it is “obligated under European Law (GDPR) to apply special protections to our users’ reproductive health data.” GDPR-bound apps may offer more protection, but this isn’t guaranteed. Apps in the EU may not be exempt from subpoenas, and future US laws could be proposed that force EU firms to hand over data (think the Patriot Act).

    US HIPAA law, too, does not necessarily apply to the information gathered by period tracker apps, as the law only deals with Protected Health Information (PHI). PHI is defined as “individually identifiable health information that is transmitted or maintained in electronic, written, or oral form,” but unless an app connects to healthcare providers for medical monitoring, it is unlikely to be HIPAA-compliant. Many period trackers also deal with lifestyle-based information, and as these datasets are not inherently focused on health, they would not be protected as PHI.

    The developers of apps under GDPR are required to clearly lay out how information is managed and used in privacy policies, and these should be checked if you choose to use a period tracker. However, as Privacy International found in a 2019 study, developers can still fall short of GDPR and other data protection standards. In other words, whether or not an app is said to be HIPAA/GDPR-compliant, in real-world scenarios there is no cast-iron guarantee your data is safe — unless, for example, it is encrypted and stored locally on your device, so that the developers themselves have no access to it.

    What can period tracking app vendors do?

    As the EFF says: “If you build it, they will come — so don’t build it, don’t keep it, dismantle what you can, and keep it secure.” The non-profit has published a list of recommendations for period trackers, women’s health, and healthcare service provider app developers to follow:

      • Allow users pseudonymous access, so you don’t even know their names
      • Do not track the behavior of your users, and if this must happen, make it opt-in and make clear there may be ramifications
      • Check data retention policies and ask yourself: do we need to collect all this data, and for so long? Delete logs regularly
      • Encrypt data in transit
      • Enable end-to-end encryption by default
      • Do not allow your apps to become location broker havens
      • Do not share user data, but if you must, only with trusted and vetted partners – and make this clear to users
      • Consider interoperability with third parties if they can provide the security for users that you cannot

    Every time Mozilla releases its Privacy Not Included guide, we find that apps providing sensitive services, including health apps, are lax or fail spectacularly at security. It’s not just about an app provider’s intentions; you also need to assess the vendor’s technical expertise and understanding of cybersecurity.

    “Privately-owned user data cannot be protected from state-mandated legal action,” commented Issy Towell, Wearables Analyst at CCS Insight. “Unless that changes, it is the responsibility of apps to demonstrate a genuine duty of care for users by rethinking the kind of data it collects on them.”

    There may be some apps out there that are more secure than others, where data is protected due to where it is stored and the legal requirements in that area. For example, Natural Cycles, while FDA-cleared, stores its data in Europe and is, therefore, subject to GDPR requirements. Furthermore, the app’s developers told us that data is encrypted both in transit and at rest, and “we have never — and never will — sell user data.”

    Natural Cycles told ZDNet: “Natural Cycles is not a covered entity by HIPAA, not by choice, but because we do not handle medical electronic records. It is important to note, however, that HIPAA is not the only data safeguard. As potential legislation changes arise, we remain focused on being a company committed to doing the right thing for our users vs. relying on specific laws that are subject to change. We’re closely monitoring the ongoing situation with legal counsel to make sure that no matter the outcome, we will achieve our goal of remaining regulatory compliant as a medical device, while never turning over personal, sensitive data. We will be evolving our privacy policy to make sure our users are protected against unimaginable potential legal situations.”

    Should I delete my period tracking app?

    Yes.

    (Author’s note: This is my personal recommendation.)

    It may not be a popular opinion, and it’s certainly one that will raise the ire of some developers, but in the interests of future safety, those with periods in the US should delete these apps from their mobile devices. The convenience is simply not worth the risk of your data being used against you — not unless you are 100% sure that the period tracker you use is protected from laws outside the US and won’t be subject to future legislative changes that could force the developers to hand over your sensitive data. Either that, or records held in the app cannot be connected to your name or identifying information.

    There are rallies and protests, certainly, but one thing many of us can do is to take control of our data privacy in small, marginal ways. Close off as many channels for law enforcement or government bodies to obtain data on your cycles, fertility, or any signs of pregnancy in the future, especially if you live in a state most likely to trigger a bill when (or if) Roe v. Wade is overturned. The data you generate to monitor your cycle, activities, sexual activity, and lifestyle habits, in some states, could become a weapon against you. It is up to period tracker software providers to examine the data they hold, for how long, and how best to protect their users.

    How else can I track my menstrual cycle?

    The most secure option is the old-fashioned way — pen and paper. We may eventually see changes in app functionality, too. Towell believes that some apps with users in regions impacted by Roe v. Wade could “help users avoid stating an intention to avoid pregnancy, [but] this will come at the expense of the overall app functionality and experience.”

    “At the very least, if brands want to maintain the trust of users they will need to clearly communicate the potential legal implications of using their app to users,” Towell added. “Unless reproductive rights are protected at the federal level, females will be forced to sacrifice personalized period prediction algorithms for the family-planning method that women have been using for centuries — pen, paper, and a calendar.”

  • CISA 'temporarily' removes Windows vulnerability from its must-patch list

    The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of removing a bug from its catalog of vulnerabilities that are known to be exploited, and which federal civilian agencies are required to patch within a certain timeframe. CISA said it is “temporarily removing” Microsoft’s May 2022 fix for the security bug CVE-2022-26925 from its Known Exploited Vulnerabilities Catalog. It said that after admins apply Microsoft’s May 10, 2022 rollup security fixes to Windows Servers that are used as domain controllers, there is a risk of authentication failures. CISA removed the vulnerability from its must-patch list on Friday.

    “Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller,” it said. “After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” CISA explained.

    This issue only affects the update on Windows Servers used as domain controllers. CISA is still strongly encouraging admins to apply Microsoft’s May updates on client Windows devices and non-domain-controller Windows Servers.

    Microsoft describes CVE-2022-26925 as a Local Security Authority (LSA) spoofing vulnerability. LSA allows applications to authenticate and log users on to a local system. Details of the bug have been publicly disclosed and exploits exist for it, according to Microsoft. “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft says.

    The bug would have a severity score of 9.8 when it is chained with NTLM relay attacks on Active Directory Certificate Services (AD CS), Microsoft adds. The company noted that the May 10, 2022 update addresses the vulnerability on all servers but urged admins to prioritize updating domain controllers.

    CISA referred admins to Microsoft’s document KB5014754, which details “certificate-based authentication changes on Windows domain controllers” concerning the May 10 updates for CVE-2022-26931 and CVE-2022-26923. These are elevation of privilege vulnerabilities that can occur when the Kerberos Key Distribution Center (KDC) is servicing a certificate-based authentication request, according to Microsoft. “Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways,” Microsoft says.

  • This phishing attack delivers three forms of malware. And they all want to steal your data

    A phishing campaign targeting Microsoft Windows users delivers three different forms of malware, all designed to steal sensitive information from victims. Detailed by cybersecurity researchers at Fortinet, the campaign infects those who unintentionally run the malicious attachment sent in phishing emails with the AveMariaRAT, BitRAT and PandoraHVNC trojan malware. The campaign allows cyber criminals to steal usernames, passwords and other sensitive information, including bank details.

    BitRAT is particularly dangerous to victims, because it can take full control of infected Windows systems, complete with the ability to view webcam activity, listen to audio through the microphone, secretly mine for cryptocurrency that goes into a wallet owned by the attackers, and download additional malicious files.

    The initial phishing message is designed to look like a payment report from a trusted source, with a short request to open an attached Microsoft Excel document. This file contains malicious macros, and researchers note that when the document is opened, Microsoft Excel flags potential security concerns about the use of macros. If the user ignores this and opens the file, it starts the process of delivering malware. Using Visual Basic for Applications (VBA) scripts and PowerShell, the malware is retrieved for installation onto the victim’s machine. The PowerShell code is split into three parts for the three different forms of malware, each of which can be installed.

    It’s not detailed why the phishing email delivers three malware payloads, but it’s likely that with three different forms of malware to deploy, there’s a greater chance of the cyber criminals being able to gain access to whatever sensitive information they’re looking to steal.

    Phishing remains one of the most common methods cyber criminals use to deliver malware – because, put simply, it’s effective – but there are things which can be done to avoid falling victim. Users should be wary of unexpected emails claiming to contain important information hidden in attachments – particularly if that attachment requires you to enable macros first. If possible, for example, if the email claims to come from a colleague or business associate, you could contact them using a different method than email to check if it’s really them who sent the email. Businesses can also help employees avoid falling victim to phishing emails by using appropriate anti-spam and anti-virus software, as well as training users on how to spot and report phishing emails.

  • Microsoft warns: This botnet has new tricks to target Linux and Windows systems

    Microsoft has warned that a new variant of the Sysrv botnet is targeting a critical flaw in the Spring Framework to install cryptocurrency mining malware on Linux and Windows systems. Microsoft researchers spotted a new variant of Sysrv, which it calls Sysrv-K, scanning the internet for WordPress plugins with older vulnerabilities as well as a recently disclosed remote code execution (RCE) flaw in the Spring Cloud Gateway software tagged as CVE-2022-22947. The flaw affected VMware’s Spring Cloud Gateway and Oracle’s Communications Cloud Native Core Network Exposure Function and was given a critical rating by both firms.

    Sysrv-K can gain control of web servers, Microsoft Security Intelligence warned. The botnet scans the internet to locate web servers and then uses various vulnerabilities such as path traversal, remote file disclosure, arbitrary file downloads and remote code execution. Once the malware is running on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner.

    Sysrv-K adds new features to those of older variants. Juniper in April 2021 reported that Sysrv was bundled with exploits for six RCE vulnerabilities affecting installations of MongoDB’s Mongo Express admin interface, the ThinkPHP PHP framework, the Drupal CMS, VMware-owned SaltStack, and the XXL-JOB and XML-RPC projects. It also had exploits for the PHP framework Laravel, Oracle WebLogic, Atlassian Confluence Server, Apache Solr, PHPUnit, JBoss Application Server, Apache Hadoop, Jenkins, Jupyter Notebook Server, Sonatype Nexus Repository Manager, Tomcat Manager, and WordPress. The malware’s two functions were to spread itself across networks by scanning the internet for vulnerable systems and to install the XMRig cryptocurrency miner to mine Monero. But Microsoft warns it can now also capture database credentials to control an infected web server.

    “A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot,” Microsoft Security Intelligence said. “Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” it added.

    Microsoft warned organizations to secure internet-facing systems, apply security updates and protect credentials.
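The wp-config hunting Microsoft describes leaves two traces a defender can check: requests for backup copies of wp-config.php in the web server’s access log, and the stray copies themselves sitting in the document root. The following added example (my own code, not Microsoft’s or Fortinet’s) does both over constructed sample data; it assumes Apache/nginx combined log format and treats a 200 response to a backup name as a likely disclosure, since the server serves .bak/.old files as plain text rather than executing them.

```python
import os
import re
import tempfile
from collections import Counter
from urllib.parse import unquote

# Combined log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The live file, and the leftover copies editors, deploy scripts and
# people tend to leave next to it (.bak, .old, ~, vim .swp, numbered ...).
# wp-config-sample.php ships with WordPress and is deliberately excluded.
LIVE_RE = re.compile(r'^wp-config\.php$', re.IGNORECASE)
BACKUP_RE = re.compile(
    r'^(\.?wp-config\.php(\.[A-Za-z0-9_~-]+|~)|wp-config\.(bak|old|txt|save))$',
    re.IGNORECASE,
)

# Constructed sample log: one scanner walking the backup names, then a
# benign visitor. Addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [16/May/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2022:10:01:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "python-requests/2.27"
198.51.100.7 - - [16/May/2022:10:01:03 +0000] "GET /wp-config.php~ HTTP/1.1" 404 196 "-" "python-requests/2.27"
198.51.100.7 - - [16/May/2022:10:01:04 +0000] "GET /backup/wp-config.php.old?x=1 HTTP/1.1" 200 3210 "-" "python-requests/2.27"
203.0.113.9 - - [16/May/2022:10:02:11 +0000] "GET /wp-config-sample.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
203.0.113.9 - - [16/May/2022:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def classify_request(path, status):
    """Return 'disclosure', 'probe' or None for one requested path.

    A backup name answered with 200 was served as plain text (PHP does not
    execute .bak/.old files), so the credentials inside are exposed. Any
    other hit on these names, or on wp-config.php itself, is a probe.
    """
    name = unquote(path.split("?", 1)[0]).rstrip("/").rsplit("/", 1)[-1]
    if BACKUP_RE.match(name):
        return "disclosure" if status == 200 else "probe"
    if LIVE_RE.match(name):
        return "probe"
    return None


def scan_access_log(text):
    """Parse combined-format lines and return the suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["path"], int(m["status"]))
        if verdict:
            findings.append({"ip": m["ip"], "path": m["path"],
                             "status": int(m["status"]), "verdict": verdict})
    return findings


def find_stray_backups(docroot):
    """Walk a document root and list backup copies of wp-config.php."""
    stray = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if BACKUP_RE.match(name):
                stray.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(stray)


def demo_docroot():
    """Constructed docroot: a live config, two leftovers, and the sample."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("wp-config.php", "wp-config.php.bak", ".wp-config.php.swp",
                     "wp-config-sample.php"):
            open(os.path.join(root, name), "w").close()
        return find_stray_backups(root)


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("probes per source:", Counter(h["ip"] for h in hits))
    print("stray backup files:", demo_docroot())
```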

  • Google: Here comes our 'Open Source Maintenance Crew'

    Google has created a new “Open Source Maintenance Crew” who will help upstream maintainers of critical open-source projects to handle bugs and patching processes. The new team is part of Google’s contribution to the White House’s push to improve cybersecurity in open source and protect software supply chains following the White House’s January summit with major tech vendors, including Microsoft, Google, IBM and Amazon Web Services. 

    Back then, President Joe Biden signed an executive order that requires the government to provide a Software Bill of Materials (SBOM) that details supply chain relationships of components used in building software. SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breachesGoogle says the new maintenance crew consists of a dedicated team of Google engineers who will work with upstream maintainers of critical open-source projects.”One issue frequently cited by open source maintainers is limited time. Since under-maintained, critical open source components are a security risk, Google is starting a new Open Source Maintenance Crew, a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects,” said Google’s Eric Brewer and Abhishek Arya in a blogpost.Google announced the open-source security team at last week’s “Open Source Software Security Summit II”, hosted at the White House and organized by The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) to mark one year since the cybersecurity executive order, which demanded higher security standards based on the NIST’s Secure Software Development Framework (SSDF). The organizations outlined $150 million in funding required from the private sector and a 10-point plan to improve open source by tackling risk assessments, digital signatures, shifting coding from C and C++ to to memory-safe languages like Rust, Go and Java, incident response, code scanning, and code audits. Google’s work to improve open-source security and reduce supply chain risks has previously included $100 million to support groups like OpenSSF to fix security bugs in open source.     Google last year also published the “Know, Prevent, Fix” framework and is working to improve the accessibility of security tools through initiatives like Open Source Vulnerabilities (OSV) database and data format. 
    The format has been adopted by the Python, Rust, and Go ecosystems. The Python Software Foundation, for example, created the Python Packaging Advisory Database to centralize advisories for Python packages published on the PyPI repository. The Rust Foundation has a similar database for advisories concerning Rust crates. Other databases relying on OSV include vulnerability databases such as GitHub's Security Advisories (GHSA) and the Cloud Security Alliance's Global Security Database.

    "The OSV project showed that connecting a CVE to the vulnerability patch development workflow can be difficult without precise vulnerability metadata," said Google's Brewer and Arya. They want to see OSV findings distributed to developers through code editors and at the point where developers might deploy vulnerable workloads.

    On the 'Know' side, Google highlights the Security Scorecards project, which gives developers insights about dependencies they might use in a project. There are now scorecard scans of one million projects. The Kubernetes project has also started using Sigstore to sign and verify its releases, and makes this part of its Supply Chain Levels for Software Artifacts, or SLSA, compliance. The OpenSSF's SLSA framework is based on Google's internal tools to check code integrity.

    "An SBOM created using SLSA provenance and metadata is more complete and addresses both source code and build threat vectors," says Google.

    Other key projects include Google's OSS-Fuzz for fuzzing open-source software, which has helped developers fix 2,300 flaws across over 500 projects during the past year. The 'Fix' component was aimed at removing vulnerabilities and improving notifications to help remediate flaws in the most widely used versions of an affected project rather than just the most recent versions.
    Part of this is the OpenSSF's Alpha-Omega project, to which Google and Microsoft gave an initial $5 million to improve supply chain security. The project awarded the widely used Node.js server-side JavaScript runtime project $300,000 to focus on fixing vulnerabilities in 2022.

    Another is the Linux Foundation's Secure Open Source (SOS) project, which Google backed with $1 million in funding. SOS offers up to $10,000 in rewards to developers for hardening software, for example. Google also gave $300,000 to the Internet Security Research Group to improve memory safety by bringing Rust into the Linux kernel. Linux kernel developers have worked on making Rust the second language to C in the kernel for the past two years.


    Researchers warn of APTs, data leaks as serious threats against UK financial sector

    Researchers say that geopolitical tension, ransomware, and cyberattacks using stolen credentials threaten the UK’s financial sector. On Monday, KELA’s security team published a report examining the cybersecurity issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom’s banks and other financial services.

    The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organizations a tempting target for threat actors siding with Russia — whether state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cybersecurity following Russia's assault.

    APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also for making fraudulent purchases or for card cloning. APTs target organizations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilized vulnerabilities, including ProxyLogon, to compromise UK businesses.

    "In general, APTs may target the financial sector to commit fraud, burglarize ATMs, execute transactions, and penetrate organizations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."

    Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cybercriminals who are seeking PII, access credentials, and internal data. For example, in January 2021, an ExploitIn forum user asked for a "UK database leak." On the same Russian forum, another requested "UK targeted bank leads with DOB, full name, bank name/sort code, address and postal code […] DOB has to be between 1935 and 1955" this year.

    From January 2021 to February 2022, KELA tracked close to 16,000 unique leaked credentials linked to UK financial organizations that appeared online. This includes information leaked during the RedCappi, ParkMobile, and Oxfam breaches.
    However, no UK organizations took a top spot in the 14 breaches during 2021 – 2022 with the highest number of leaked credentials. Instead, many of them were based in India. "As the UK plays a significant role in the global economy, often providing services to international companies and organizations, it is likely that breaches related to foreign companies would affect UK firms," the researchers said.

    The sale of network access, while not as common, is also a threat to the UK financial sector. KELA found roughly 60 instances of network access listings, including one for a UK fintech firm with $5 million in annual revenue, offered for only $300, and a prolific Russian trader touting access to UK companies 13 times in the past year.

    Ransomware also remains a plague for UK financial organizations and services worldwide. The cybersecurity firm observed 135 UK financial companies experiencing a ransomware incident in 2021. However, this may be only a fraction of the true number, as these organizations were identified solely through ransomware blog and leak sites, negotiation portals, and media reports. When it came to targeting UK companies, the Conti, PYSA, LockBit, and Sodinokibi ransomware groups were the most active.

    "This report sheds light on the multiple, varying cyberthreats posed to UK companies and organizations in general, and the UK financial sector in particular," the researchers noted. "Through 2021, both financial and other UK companies have been subject to multiple ransomware attacks, and credentials and compromised accounts belonging to British entities were often offered for sale on cybercrime forums."