Tech sector embraces public-private collaboration on open-source software security

Participants in a White House meeting on securing open-source software expressed optimism for working effectively with government to help prevent Log4j-like events.

Hoping to foster improved security of open-source software, the White House hosted a meeting last week with some of the largest public and private users and maintainers of open-source software. Widely used open-source software “brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the White House said.

The meeting was organized in December, shortly after a dangerous vulnerability in the Java-based logging utility Log4j emerged. That easy-to-exploit flaw has the potential to compromise hundreds of millions of machines globally. The FBI, the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) quickly branded it as “a threat to organizations and governments everywhere.” In a letter inviting tech leaders to the meeting, National Security Advisor Jake Sullivan said that “open-source software is a key national security concern.”

The meeting included attendees from a wide range of government departments and agencies, including the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, CISA, and the National Institute of Standards and Technology (NIST). Private sector participants included executives and top-level representatives from Akamai, Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, OpenSSF, Microsoft, Oracle and Red Hat.

This article appeared in CSO Online. To read the rest of the article please visit here.



CISA sees no significant harm from Log4j flaws but…

The U.S. cybersecurity agency can’t rule out that adversaries are using Log4j to gain persistent access to launch attacks later.

Officials at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) say that despite initial fears of widespread compromise, they have yet to see significant harm stemming from a vulnerability in the Java-based Log4j logging utility that became public in December. They can’t rule out that adversaries have already used the vulnerability to monitor targeted machines silently, however, biding their time for later attacks.

“We’ve been actively monitoring for threat actors looking to exploit” the vulnerability, and “at this time we have not seen the use in significant intrusions,” Jen Easterly, director of CISA, said at a press briefing. “Adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise.”

However, the vulnerability has been exploited by threat actors in minor ways. “We are seeing some prevalence of what we would call low-level activities, such as installation of cryptomining and software installation of malware that could be used historically in botnets,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said.

This article appeared in CSO Online. To read the rest of the article please visit here.



FTC, SEC raise legal risks surrounding the Log4j flaw

The U.S. Federal Trade Commission also threatened possible legal action for companies that don’t address the risk from the Log4j vulnerabilities.

Last week, the U.S. Federal Trade Commission (FTC) issued a warning to companies to remediate the serious vulnerability in the popular open-source Java logging package Log4j to avoid future legal action. In issuing its notice, the FTC underscored that organizations have legal obligations “to take reasonable steps to mitigate known software vulnerabilities.”

The FTC also invoked the cautionary tale of credit rating agency Equifax, which in 2017 failed to patch a known vulnerability that irreversibly exposed the personal information of 147 million consumers. Consequently, Equifax was forced to pay up to $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states.

The FTC says it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.” Some legal experts consider the FTC’s warning “an unusual but interesting move.” Others say it’s a continuation of the Biden administration’s more muscular stance on a spectrum of cybersecurity issues.

“I really believe that the FTC is laying down a marker and it fits within the broader mosaic of how the executive branch is addressing cyber threats and the responsibility of the private sector to address them,” Scott Ferber, partner at McDermott Will & Emery, tells CSO. “It’s been a mix of carrot and stick, although some might say more stick than carrot, particularly regarding industries and sectors that are regulated, whether it’s critical infrastructure, finance or government contractors.”

This article appeared in CSO Online. To read the rest of the article please visit here.



Security leaders on how to cope with stress of…

The Log4j vulnerability puts great pressure on security teams already stretched thin dealing with ransomware and other attacks. This advice will help them cope.

The year 2021 was unprecedented in the strain it placed on cybersecurity professionals. From the beginning of the year through now, incident responders and network defenders have been whipsawed by a seemingly endless array of unparalleled back-to-back security emergencies. In the words of researcher Kevin Beaumont, “We’ve reached peak cyber for 2021. Please stop cybering.”

The year started with wide-scale remediation efforts stemming from the late-2020 discovery of the state-sponsored Nobelium cyber-espionage campaign that exploited SolarWinds’ widely used Orion platform. Amid the SolarWinds clean-up, security teams had to then grapple with the exploitation of four zero-day vulnerabilities in the Microsoft Exchange Server that sparked a global wave of hacks and breaches. Ransomware gangs accelerated their attacks on healthcare, education, and business organizations, culminating in significant incidents that brought down leading U.S. oil pipeline company Colonial Pipeline and the North American operations of a major meat supplier, JBS.

Thrown into this mix of high-profile incidents were dozens of other ransomware attacks, hacks, and espionage efforts affecting government bodies, healthcare providers, educational institutions, political organizations, and human rights workers across the globe. The Biden administration responded with a series of executive orders, directives, and new requirements for government agencies and critical infrastructure providers to turn the tide of the unrelenting digital malfeasance. At the same time, Congress stepped in with legislative measures to bolster the nation’s cybersecurity posture.

This article appeared in CSO Online. To read the rest of the article please visit here.
