More stories

  • CISA issues advisory warning of critical vulnerabilities in Airspan Networks Mimosa

    CISA has warned of critical vulnerabilities in Airspan Networks Mimosa, some of which have earned CVSS severity score ratings of 10, the highest possible. 


    When security vulnerabilities are severe, and the products they impact are popular or critical to the operations of key industries, the US Cybersecurity and Infrastructure Security Agency (CISA) will often issue advisories to make sure they reach the attention of IT administrators and security staff. On Thursday, CISA issued such an advisory for Airspan Networks Mimosa. Mimosa devices are offered to industrial and enterprise players for point-to-multipoint (PTMP) network deployment.

    Seven vulnerabilities have been included in the advisory, with CVSS v3 base scores ranging from 6.5 to 10.0. The Airspan Networks products impacted by the vulnerabilities are the Mimosa Management Platform (MMP) prior to v1.0.3; PTP C-series devices running firmware prior to v2.8.6.1; and both PTMP C-series and A5x devices running firmware below v2.5.4.1.

    Noam Moshe of Claroty reported the security issues, which are said to be exploitable remotely and with low attack complexity.

    “Successful exploitation of these vulnerabilities could allow an attacker to gain user data (including organization details) and other sensitive data, compromise Mimosa’s AWS cloud EC2 instance and S3 buckets and execute unauthorized remote code on all cloud-connected Mimosa devices,” CISA says. The vulnerabilities are:

    • CVE-2022-21196 (CVSS 10.0): An improper authorization flaw caused by failures to conduct authentication checks across multiple API routes, leading to denial-of-service, information leaks, and remote code execution (RCE).
    • CVE-2022-21141 (CVSS 10.0): Additional failures to perform authorization checks on API functions, leading to the same attack vectors.
    • CVE-2022-21215 (CVSS 10.0): A server-side request forgery (SSRF) flaw that can be exploited by an attacker to force a server to grant access to backend APIs.
    • CVE-2022-21176 (CVSS 8.6): The improper neutralization of elements in SQL commands. A lack of user input sanitization could lead to SQL injections and data leaks.
    • CVE-2022-0138 (CVSS 7.5): A deserialization function doesn’t validate or check data input properly, allowing arbitrary classes to be created.
    • CVE-2022-21143 (CVSS 9.8): User input is not properly sanitized in some areas, giving attackers the opportunity to execute arbitrary commands.
    • CVE-2022-21800 (CVSS 6.5): The product line uses the MD5 algorithm for password hashing but fails to salt the hash, leaving the stored hashes more susceptible to cracking attempts.

    There is no evidence that the vulnerabilities have been exploited in the wild. Airspan Networks recommends that customers upgrade to MMP v.1.0.4 or later, PTP C5x/C5c (v2.90 or later), and PTMP C-series/A5x v.2.9.0 or later.

    In January, CISA updated its Known Exploited Vulnerabilities catalog with 13 new vulnerabilities. In total, nine had a remediation date of February 1, and four have a remediation date of July 18. The bugs include a command injection flaw in the System Information Library for node.js, a Drupal unrestricted file upload issue, and command injection vulnerabilities in the Nagios XI operating system.

    ZDNet has reached out to the Airspan Networks Mimosa team, and we will update when we hear back.

  • Trio of RCE CVSS 10 vulnerabilities among 15 CVEs in Cisco small business routers

    Cisco has announced 15 vulnerabilities that affect its small business RV160, RV260, RV340, and RV345 series routers, which include three perfect 10s on the CVSS scoring scale and a pair above nine.

    The first 10, dubbed CVE-2022-20699, impacts RV340, RV340W, RV345, and RV345P routers, and gains its score from allowing remote code to be run as root. “This vulnerability is due to insufficient boundary checks when processing specific HTTP requests. An attacker could exploit this vulnerability by sending malicious HTTP requests to the affected device that is acting as an SSL VPN gateway,” Cisco said.

    The second perfect score is from CVE-2022-20708, which is due to issues in the web management side of the routers allowing for remote arbitrary command execution. Two related vulnerabilities, CVE-2022-20707 and CVE-2022-20749, were given CVSS 7.3 scores. “These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system,” the company said. “Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.”

    Another vulnerability in the management interface across the entire RV series, CVE-2022-20700, was rated at 10, along with another at nine and a third at six, as it allowed for privilege escalation to root level and subsequently command execution. Cisco said this trio of bugs was due to “insufficient authorization enforcement mechanisms”.

    The other vulnerability rated above nine — CVE-2022-20703 at 9.3 — hit the entire RV range and was due to not verifying any software images installed by a local attacker. “An attacker could exploit this vulnerability by loading unsigned software on the device. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the device,” Cisco said. Cisco said there are no workarounds for any of the issues, and the solution was to update the software used on its small business routers.

  • White House creates board to review cybersecurity incidents, members to start with Log4J

    The Department of Homeland Security announced the creation of a new Cyber Safety Review Board that will bring together cybersecurity experts from public and private organizations to “review and assess significant cybersecurity events.” The board was part of the executive order that President Joe Biden signed last year. Experts have long urged the federal government to create an organization for cybersecurity incidents akin to the National Transportation Safety Board, which investigates airplane crashes and transportation incidents. Homeland Security secretary Alejandro Mayorkas said the board will “thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors.”


    DHS said the board will start its first work on issues related to Log4J because vulnerabilities associated with the software library “are being exploited by a growing set of threat actors” and “present an urgent challenge to network defenders.”

    “As one of the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community. Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB’s expertise,” DHS explained.

    When asked by ZDNet why the board was working on Log4J before examining the range of issues connected to the SolarWinds scandal, a DHS spokesperson said the federal government and private sector have conducted “various reviews” of the compromise over the past year and decided the best use of the Cyber Safety Review Board’s expertise is to focus its initial review on the vulnerabilities in the Log4J software library and associated remediation processes. They noted that the Log4J software library is used widely, is relatively easy to exploit and could cause significant impact on a network. The DHS spokesperson said the board’s review and recommendations “will take into consideration existing findings and recommendations related to the activities that prompted the December 2020 Cyber Unified Coordination Group (i.e., “the SolarWinds incident”) to include any elements related to the existence and exploitation of vulnerabilities or the response to the events.”

    The board will have 15 members who will offer recommendations to DHS and the White House. DHS under secretary for policy Robert Silvers will serve as chair and Google’s senior director for security engineering Heather Adkins will be deputy chair. CISA director Jen Easterly will appoint the board’s members and will be in charge of managing, supporting and funding the effort.

    The first report from the board will be finished by the summer and will list actions taken by both the government and the private sector to mitigate the Log4J issue. The board’s members will also offer recommendations for how to address associated threat activity and more general advice for “improving cybersecurity and incident response practices and policy based on lessons learned from the Log4J vulnerability.” A redacted version of the report will be released to the public, according to DHS.

    Silvers said he and the other members of the board “are luminaries in the field” and that he was honored to serve alongside them as the Board’s chair. “When a major cyber incident occurs, it impacts all of us,” Adkins added. “The CSRB is a ground-breaking opportunity to conduct holistic reviews and provide forward-thinking solutions that cut across organizations and sectors. I am honored to serve with this diverse array of talent from both private companies and the U.S. government as we launch this inaugural review.”

    The other members of the board include Dmitri Alperovitch, co-founder and chairman of the Silverado Policy Accelerator, DOJ principal associate deputy attorney general John Carlin, federal chief information security officer at the Office of Management and Budget Chris DeRusha, National Cyber Director Chris Inglis, NSA cybersecurity director Rob Joyce, Luta Security founder Katie Moussouris, CISA executive assistant director for infrastructure security David Mussington, Verizon Threat Research Advisory Center co-founder Chris Novak, Center for Internet Security senior vice president Tony Sager, Department of Defense CIO John Sherman, FBI assistant director Bryan Vorndran, Microsoft assistant general counsel Kemba Walden and Palo Alto Networks senior vice president Wendi Whitmore.

    Experts lauded the creation of the cyber review board, with many noting that the country has long needed experts to review significant cyber events to provide unified responses to urgent situations. AttackIQ’s Jonathan Reiber, the former chief strategy officer for Cyber Policy in the Office of the US Secretary of Defense during the Obama administration, told ZDNet that officials need to learn from past events, codify lessons, and then communicate those lessons to the world. “Having such a talented team of thinkers and communicators — from the likes of Dmitri Alperovitch to Kate Moussouris, to everyone else on the list — that reviews major cybersecurity events and shares recommendations will be a huge help,” Reiber said. “Their insights will help organizations in both the private and public sectors make strategic changes and improve cybersecurity readiness.”

    Other experts, like Bugcrowd founder Casey Ellis, lauded the board for starting with a problem like Log4J because it revealed a raft of adjacent and systemic weaknesses on a uniquely large scale. An examination of the issue will provide more information about open source supply chain security, dealing with unsophisticated and sophisticated adversaries at the same time, post-patch product recertification and regression analysis and more, according to Ellis. He added that it will be good to have an answer to the question: “what do we do if things hit the fan over the holiday season.”

    Vulcan Cyber engineer Mike Parkin noted that the board will have no regulatory authority, prompting further questions about how their recommendations will be used in the real world. Some took a more critical view of the effort, wondering whether the findings of the board will be translated into action. “Fundamentally, we have to ask ourselves — is there a lack of analysis towards lessons learned that is perpetuating cyber risks? Or a lack of follow through and accountability that is perpetuating cyber risks? That is to say, a need for the creation of new knowledge or the will to implement existing knowledge?” said Tim Wade, technical director at Vectra. “My personal bias is a belief towards the latter, so my expectations for the effectiveness of such a board hinge on its capacity to force action.”

  • Fortinet beats Wall Street estimates for Q4, reports $3.34 billion in revenue for 2021

    Fortinet beat Wall Street estimates on Thursday, reporting strong fourth quarter growth and 2021 revenue 28.8% higher than 2020. Fortinet delivered fourth quarter revenue of $963.6 million, up more than 28% from a year ago. For the fourth quarter, Fortinet’s non-GAAP earnings of $1.23 a share were above expectations. Wall Street was expecting Fortinet to report fourth quarter earnings of $1.15 a share on revenue of $960.2 million.

    For 2021, Fortinet reported a total revenue of $3.34 billion and a service revenue of $2.09 billion. Fortinet CEO Ken Xie said the company’s revenue gave them three straight years of revenue growth of 20% or more. “Cash flow from operations was $1.5 billion and free cash flow was a record $1.2 billion for the year. Our 2021 performance was driven by increased demand for our cybersecurity solutions and exceptional execution from our global operations and sales teams and excellent support from our channel partners and distributors,” Xie said. “Fortinet’s integrated and single platform approach to security is resonating with customers that want to effectively protect their corporate networks from a wide range of attack vectors. Given our robust pipeline and strong business momentum, we expect several more years of solid growth as Fortinet is well positioned to address our $174 billion market opportunity.”

    Product revenue was up more than 31% compared to Q4 2020 at $378.9 million. Service revenue was $584.7 million for the fourth quarter of 2021, an increase of more than 27% compared to the same quarter of 2020.

    The company is predicting Q1 revenue in the range of $865 million to $895 million and a non-GAAP EPS in the range of $0.75 to $0.80. Fortinet announced in March 2021 that it was investing $75 million in router maker Linksys as part of a “strategic alliance” aimed at securing work from home networks.


  • NortonLifeLock sees growth in excess of 10% for revenues, net income in FY 2022 Q3

    Antivirus vendor NortonLifeLock celebrated its second straight quarter of growth in excess of 10% for revenues, net income, and bookings. Norton’s revenues for the third quarter of FY 2022, which ended December 31, 2021, were $702 million, a 10% jump over the $639 million posted for the year-ago quarter.

    Net income grew even more steeply, rising 16% to reach $202 million, or $0.34 per share, compared to the $178 million, or $0.30 per share, posted for the third quarter of FY 2021. Both figures were spurred on by $752 million in new bookings, which represented a 10% rise and pushed the company’s direct customer count up by 2.4 million to 23.4 million total customers. This represents the ninth consecutive quarter of customer growth for the company, as well.

    Vincent Pilette, CEO of NortonLifeLock, noted that, as the company’s planned merger with Avast approaches, these results reinforce the idea that “people, more than ever before, need a partner to help them safely lead their digital lives.” The CEO went on to say that the Avast merger will help NortonLifeLock to “get started on accelerating our pace of innovation and expanding our global reach.” Speaking of acceleration, NortonLifeLock noted that it believes it will close the Avast merger earlier than its original mid-year window. The new targeted closing date is now February 24, 2022. It expects to formally confirm this in a separate announcement — if the timeline does not change.

    The Q3 financials resulted in the security company honing its FY 2022 guidance to include an expected annual revenue figure of between $2.79 billion and $2.80 billion, which would represent another 10% year-over-year growth milestone for the entire fiscal year, right at the top of the previously forecasted range.

    NortonLifeLock also predicted earnings per share for FY 2022 will reach $1.73 to $1.75, once again narrowing and moving its guidance towards the high side of its previously-announced $1.65 to $1.75. 


  • Gretel goes GA with privacy engineering developer stack

    If you don’t know what comprises synthetic data, well, don’t worry; you have plenty of company. Synthetic data is information that’s artificially manufactured by machines rather than generated by real-world events. Synthetic data is created algorithmically and is used as a stand-in for test datasets of production or operational data to validate mathematical models and, increasingly, to train machine-learning models. This substitutional data helps preserve privacy in personal information and can save IT systems a great deal of time, trouble, and money in the process.

    When machine-learning models are being created, the data has to be pure; if there are errors, duplications, or other hiccups in real data in building such models, problems inevitably will surface, costing time and money for the company. With more and more artificial intelligence and machine-learning models being used in various use cases, the need for synthetic data is rapidly growing. Analysts have projected that more synthetic than original data will be used to build ML models by the end of the decade.

    There are companies focusing on the commercial business use of synthetic data, and one of the first is Gretel, based in San Diego, Calif. The 2-year-old startup on Feb. 1 announced the general availability of its privacy engineering toolkit containing APIs and services that enable users to classify, transform and generate high-quality synthetic data. Combined, these capabilities remove privacy bottlenecks for numerous development and workflow processes that prevent data sharing and stifle innovation, CEO Ali Golshan told ZDNet. “We’ve built a privacy toolkit that’s accessible to all developers and scalable to any enterprise-ready project,” Golshan said. “With Gretel, anyone can classify, anonymize, and synthesize data that’s privacy-proven and highly accurate in just a few clicks. Our advanced privacy guarantees also give users complete control to adjust data privacy levels, based on their project needs, and guard synthetic data against adversarial attacks.”

    Golshan said the company has tested its products in an open beta program for more than a year. It has incorporated improvements to its toolkit based on feedback from more than 60 enterprise engagements, a community of thousands of users, and open-source users who have downloaded the SDK more than 70,000 times, the company said. Gretel has been working with organizations over several vertical industries, Golshan said, including health care, life sciences, finance, and gaming. Some of their recent work includes creating synthetic genomic data and synthetic time-series banking data. Interest in Gretel’s privacy engineering tools is supported by analysts’ forecasts that by 2030, synthetic data will completely overshadow real data in AI models, Golshan said.

    “Today, working with data is hard. Gretel is making it easier. By building flexible, secure, and easy to deploy tools to support data-driven developers, Gretel will open a world of progress across industries,” said Max Wessel, Executive Vice President & Chief Learning Officer at SAP.

    Advanced Privacy Engineering Made Accessible

    Gretel’s all-in-one privacy stack is comprised of engineering tools that:

    • create highly accurate, privacy-proven synthetic data;
    • seed pre-production systems with safe, statistically accurate datasets;
    • identify and remove sensitive data to reduce PII-related risks;
    • augment and de-bias datasets to train ML/AI models fairly; and
    • anonymize sensitive data in real time, for data at scale.

    Gretel is also previewing an AWS S3 storage connector for its toolkit. Gretel’s services can be accessed through its SaaS cloud offering or CLI for local environments.

  • Prosecutors investigating cyberattacks affecting multiple Belgian and Dutch ports

    Multiple ports in Belgium and the Netherlands are reporting issues after a cyberattack affecting IT services was announced. Terminals operated by SEA-Tank, Oiltanking, and Evos in Antwerp, Ghent, Amsterdam, and Terneuzen are all dealing with issues related to their operational systems, according to France24. A spokesperson from Evos told ZDNet that they are continuing to operate their terminals but are having some delays after the attack.


    “There is a disruption of IT services at our terminals in Terneuzen, Ghent, and Malta, which is causing some delays in execution. All operations continue to take place in a safe manner,” the spokesperson said. Prosecutors in Antwerp have opened an investigation into the cyberattacks and told the Associated Press that the Federal Computer Crime Unit is looking into the issue. Companies reported having difficulties unloading barges because their software had been “hijacked,” making it difficult to process each one. The incidents come days after oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls Group, suffered a cyberattack that crippled their loading and unloading systems. Oiltanking told ZDNet in a statement yesterday that its terminals are operating with limited capacity and that they “have declared force majeure.” On Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue. German newspaper Handelsblatt said 233 gas stations across Germany now have to run some processes manually because of the attack.

    An internal report from the German Federal Office for Information Security (BSI) said the BlackCat ransomware group was behind the attack on Oiltanking. Emsisoft threat analyst Brett Callow noted that it is likely BlackCat is a rebrand of BlackMatter, which was itself a rebrand of DarkSide, the group behind the ransomware attack on Colonial Pipeline in May 2021. 


    Billion-dollar German logistics firm Hellmann Worldwide Logistics was also hit with ransomware in December.

    Andy Norton, cyber risk officer at Armis, said that for decades, ICS cybersecurity simply didn’t exist because it didn’t need to. Operational technology and information technology, he explained, were separate domains with separate systems that didn’t connect to each other, and legacy industrial devices didn’t connect independently to the internet or to each other. “This disconnection — the so-called ‘air gap’ — was thought to be all the security that OT systems needed, aside from physical access control. Now, though, IT/OT integration is becoming the norm. Connected devices stream data, monitor equipment and processes, and support line automation and other Industry 4.0 functions, so the air gap is no longer a reliable method of OT security,” Norton said.

    “As OT and IT continue to merge, cybersecurity requirements now apply to ICS just as much as to corporate networks, but many organizations struggle to find the right approach to protect their operational technology,” Norton added. “Facilities that can’t operate securely are at risk of going offline at any moment. A ransomware attack on an ICS facility can halt operations and leak operational and corporate data to the dark web, or destroy that data altogether.”