Cyber Daily: White House Convenes Open-Source Security Summit Amid Log4j Risks
Happy Friday. The silver lining of the Log4j security problem is that people in positions of power are now paying attention to what open-source foundations have noted for years.
Namely, tech businesses that use free code in their money-making products largely don't pull their weight when it comes to physically fixing flaws and creating patches.
After security gaps emerged last month in the open-source Log4j logging tool from the Apache Software Foundation, U.S. officials got vocal about the severity of potential cyberattacks. Thursday's meeting at the White House, my colleague James Rundle reports, got the right players in a room together.
What we don't know is what they will actually do to solve the problem.
Readers, there will be no newsletter on Monday in observance of Martin Luther King Jr. Day. See you Tuesday.
Widespread use of open-source technologies, combined with the fact that they are maintained by volunteers, creates national-security risks, U.S. officials say.
The Biden administration hosted a meeting of major technology companies, federal agencies and nonprofits Thursday to discuss cybersecurity problems with open-source technology, amid concerns that free, but flawed, software could leave critical infrastructure open to attack.
Apache, which distributes Log4j, is pushing for more expert help from technology companies that use free software. “We believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open source software,” the foundation said in a statement after the meeting.
“If we’re going to solve a lot of these grand challenges, it’s going to take all of us,” said Mike Hanley, GitHub’s chief security officer, who attended Thursday’s meeting. Following the meeting, a number of participants issued statements expressing support for the White House’s attention to the issue but warned that security in open-source software remains fragile.
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Massive cyberattack hit Ukrainian government websites. The attack left a message telling Ukrainians to "be afraid and expect the worst" and left some websites inaccessible on Friday. Kyiv opened an investigation into the incident. A foreign ministry spokesperson said it was too early to say who could be behind the attack but noted that Russia had carried out similar attacks in the past. Ukraine and its allies have recently raised concerns about a possible Russian military campaign against Ukraine. The United States warned on Thursday that there was a high risk of such a Russian military intervention in Ukraine.
One message on a hacked website said in Ukrainian, Russian and Polish, "Ukrainian! All your personal data was uploaded to the public network. All data on the computer is destroyed, it is impossible to restore it." The Ukrainian government said it had restored most affected websites and that no personal data was stolen. The government suspended a number of other websites to prevent the attack from spreading. (Reuters)
Ukrainian police arrest ransomware leaders. Police disrupted a ransomware group they say extorted more than 50 companies in Europe and the U.S. for more than $1 million. U.S. and U.K. officials participated in raids of suspects’ homes and apprehended an unidentified 36-year-old man in Kyiv, his wife and three associates. Officials seized three cars, computer equipment, bank cards, mobile phones and flash drives. (CyberScoop)
China dismisses claims that travelers to the Beijing Winter Olympics are at risk of being hacked. Discussions about hacking risks are “completely unfounded and the worries are unnecessary. The Chinese government is a firm defender of cybersecurity and firmly opposes any form of cyber-espionage and cyber attack activities,” the Chinese embassy in Belgium said in a post on its website.
"Attackers just started to integrate the attack into their toolkit."
— Markus Neis, threat intelligence manager at Swiss telecoms carrier Swisscom Schweiz AG. He was referring to widespread attempts to exploit holes in the Log4j open-source logging tool, speaking at an online event on Thursday organized by Belgium's cybersecurity agency.
Telecom breach reporting mandate: Jennifer Rosenworcel, chair of the Federal Communications Commission, made an initial step this week to tighten rules compelling telecom carriers to notify customers and the federal government of data breaches.
Federal privacy law, redux: The U.S. Chamber of Commerce and several industry associations renewed their push for Congress to pass a national data privacy law that would reconcile the mix of state-level regulations. States with laws already on the books vary in their approaches, the groups noted in a letter to Congress. Several federal bills have been in play over the past few years but none has become law. (Reuters)
Speaking of lag time, here's a peek at how long it took one sizable healthcare company to notify patients that sensitive information about them was exposed to hackers. Memorial Health System, based in Marietta, Ga., runs hospitals, emergency rooms and dozens of clinics in three states. As the company told state regulators in a letter this week, this is how breach notification went down over five months:
Aug. 14, 2021: Memorial identifies the presence of malware on some servers. An investigation finds that hackers were in the hospital's network from July 10 through Aug. 15.
Sept. 17: Memorial determines that the intruders may have accessed or acquired data from systems potentially containing patient information.
Nov. 1: The company finishes a review of the scope of the information at risk and the population potentially impacted. It starts the process of confirming which patients may be impacted, the types of information at issue and the best contact details for those involved to provide accurate notification.
Dec. 9: Confirmation process concludes.
Jan. 12, 2022: Memorial begins to send written notices to 216,478 individuals informing them that their name, address, Social Security number, medical and treatment information and insurance data were subject to unauthorized access.
Our story this week, "Inside a Ransomware Hit at Nordic Choice Hotels," is full of good details about how hackers set off a chain of events consuming the hotel's tech team since early December.
And someone at the main office in Norway or at one of 200 hotels communicated with the attackers despite warnings not to.