Security holes cause panic on the Internet

BOSTON – Security experts say it’s one of the worst computer vulnerabilities they’ve ever seen. They say state-backed Chinese and Iranian hackers and rogue crypto miners have seized on it.

The US Department of Homeland Security is sounding a dire alarm, urging federal agencies to eliminate the bug urgently because it is so easy to exploit – and telling those with public-facing networks to put up firewalls if they cannot be sure. The affected software is small and often undocumented.

Discovered in a widely used utility called Log4j, the vulnerability allows internet-based attackers to easily take control of everything from industrial control systems to web servers, appliances and consumer electronics. Simply determining which systems use the utility is an extraordinary challenge; it is often hidden under layers of other software.

The top US cybersecurity defense official, Jen Easterly, called the vulnerability “one of the most egregious flaws I’ve seen in my entire career, if not the most serious” in Monday’s call with state and local officials as well as private sector partners. Revealed publicly last Thursday, it is catnip for cybercriminals and digital spies because it allows easy, password-free access.

The Cybersecurity and Infrastructure Agency, or CISA, run by Easterly, set up a resource page on Tuesday to help eliminate a vulnerability the agency says is present in hundreds of millions of devices. Other highly computerized countries are also taking the issue seriously, with Germany activating its national IT crisis center.

Dragos, a leading industrial control cybersecurity company, said a wide range of key industries, including electricity, water, food and beverage, manufacturing and transportation, were exposed. “I don’t think we’re going to see a single major software vendor in the world – at least industrially – that doesn’t have a problem with this,” said Sergio Caltagirone, the company’s vice president of threat intelligence.

Eric Goldstein, CISA’s head of cybersecurity, said Washington is leading a global response. He said no federal agencies are known to have been compromised. But these are early days.

“What we have here is an extremely common, easy to exploit, and highly damaging vulnerability that can certainly be exploited by an adversary to do real damage,” he said.

A SMALL FRAGMENT OF CODE, A WORLD OF TROUBLES

The affected software, written in the Java programming language, records user activity on the computer. Developed and maintained by a number of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers. It runs on multiple platforms — Windows, Linux, Apple’s macOS — powering everything from web cams to car navigation systems and medical devices, according to security firm Bitdefender.

Goldstein told reporters during a conference call Tuesday night that CISA will update the patched software repositories as fixes become available. Log4j is often embedded in third-party programs that need to be updated by their owners. “We expect the fix to take some time,” he said.

The Apache Software Foundation said that Chinese tech giant Alibaba announced the vulnerability on November 24. It took two weeks to develop and release a fix.

In addition to patching to fix the bug, computer security professionals face a tougher challenge: trying to detect whether the security hole has been exploited – whether a network or device has been compromised. That means many weeks of active monitoring. A weekend of frantic attempts to identify – and slam shut – doors that were open before hackers could exploit them has now turned into a marathon.

LULL BEFORE THE STORM

Joe Slowik, head of threat intelligence at cybersecurity firm Gigamon.

Cybersecurity firm Check Point said on Tuesday it had scanned 44 percent of its corporate network and discovered 1.3 million exploit attempts, most by known malicious groups. It said the vulnerability was exploited to spread crypto-mining malware – which uses computer cycles to surreptitiously mine digital currencies – in five countries.

However, no successful ransomware infections that took advantage of this vulnerability have been detected. But experts say it’s probably only a matter of time.

“I think what’s coming will take two weeks before the effects of this are seen because hackers have already infiltrated organizations and will find out what to do next,” said John Graham-Cumming, technical director of Cloudflare, whose online infrastructure protects websites from online threats.

We are in a lull before the storm, says Sean Gallagher, senior researcher at cybersecurity firm Sophos.

“We expect that competitors have the ability to gain a lot of access to whatever they may have right now with the goal of monetizing and/or leveraging it later.” That would include extracting usernames and passwords.

John Hultquist, a leading threat analyst at cybersecurity firm Mandiant, said state-backed Chinese and Iranian hackers exploited the vulnerability, presumably to carry out espionage, and that other state actors will do the same. He did not name the Chinese hackers’ target or its geographical location. He said Iranian actors were “particularly aggressive” and had engaged in ransomware attacks that were primarily intended to cause trouble.

SOFTWARE: INSECURE BY DESIGN?

Experts say that the Log4j episode shows an unresolved problem in software design. Too many programs used in critical functions were not developed with enough thought given to security.

Gigamon’s Slowik says open-source developers such as the volunteers responsible for Log4j shouldn’t be blamed, because the entire industry of programmers often blindly includes such code without doing due diligence.

Popular and custom apps often lack a “software bill of materials” that lets the user know what’s hidden inside – an important need at times like these.

“This is becoming increasingly an issue as software vendors in general are using publicly available software,” said Dragos’ Caltagirone.

In industrial systems in particular, he added, formerly analog systems in everything from water utilities to food production have been digitally upgraded over the past few decades for automated and remote management. “And one of the ways they did that, obviously through software and through the use of programs that use Log4j,” Caltagirone said.
