FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Here Are the Google and Microsoft Security Updates You Need Right Now

By Kate O'Flaherty
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.

Network Resilience: Accelerating Efforts to Protect Critical Infrastructure

By Matt Fussa

As head of the Cisco Trust Office, Matt Fussa leads a global team that partners with government agencies, regulators, and customers to help shape cybersecurity regulation and manage cyber risk. He is… Read more on Cisco Blogs

Chinese Hackers Operate Undetected in U.S. Critical Infrastructure for Half a Decade

By Newsroom
The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years. Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam. "Volt Typhoon's choice of targets and pattern

Apple and Google Just Patched Their First Zero-Day Flaws of the Year

By Kate O'Flaherty
Plus: Google fixes dozens of Android bugs, Microsoft rolls out nearly 50 patches, Mozilla squashes 15 Firefox flaws, and more.

Google Fixes Nearly 100 Android Security Issues

By Kate O'Flaherty
Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

By Kate O'Flaherty
Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

By Kate O'Flaherty
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

By Kate O'Flaherty
Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

Google Fixes Serious Security Flaws in Chrome and Android

By Kate O'Flaherty
Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.

Apple iOS, Google Android Patch Zero-Days in July Security Updates

By Kate O'Flaherty
Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

By Kate O'Flaherty
Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

5 Reasons Why IT Security Tools Don't Work For OT

By The Hacker News
Attacks on critical infrastructure and other OT systems are on the rise as digital transformation and OT/IT convergence continue to accelerate. Water treatment facilities, energy providers, factories, and chemical plants — the infrastructure that undergirds our daily lives could all be at risk. Disrupting or manipulating OT systems stands to pose real physical harm to citizens, environments, and

Apple's iOS 16.5 Fixes 3 Security Bugs Already Used in Attacks

By Kate O'Flaherty
Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.

New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids

By Ravie Lakshmanan
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to the VirusTotal public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild

China's Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected

By Ravie Lakshmanan
A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the "Five Eyes" nations said on Wednesday. The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon. The

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

By Kate O'Flaherty
Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.

The EU’s Cyber Solidarity Act: Security Operations Centers to the rescue!

By Márk Szabó

The legislation aims to bolster the Union’s cyber-resilience and enhance its capabilities to prepare for, detect and respond to incidents

The post The EU’s Cyber Solidarity Act: Security Operations Centers to the rescue! appeared first on WeLiveSecurity

Supply Chain Attacks and Critical Infrastructure: How CISA Helps Secure a Nation's Crown Jewels

By The Hacker News
Critical infrastructure attacks are a preferred target for cyber criminals. Here's why and what's being done to protect them. What is Critical Infrastructure and Why is It Attacked? Critical infrastructure is the physical and digital assets, systems and networks that are vital to national security, the economy, public health, or safety. It can be government- or privately-owned. According to Etay

Apple's iOS 16.4: Security Updates Are Better Than New Emoji

By Kate O'Flaherty
Plus: Microsoft Outlook and Android patch serious flaws, Chrome and Firefox get fixes, and much more.

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

By Ravie Lakshmanan
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors since November 2022. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked

Apple Users Need to Update iOS Now to Patch Serious Flaws

By Kate O'Flaherty
Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

You Really Need to Update Firefox and Android Right Now

By Kate O'Flaherty
January saw a slew of security patches for iOS, Chrome, Windows, and more.

Update Android Right Now to Fix a Scary Remote-Execution Flaw

By Kate O'Flaherty
Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

Drop What You're Doing and Update iOS, Android, and Windows

By Kate O'Flaherty
Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.

You Need to Update Google Chrome, Windows, and Zoom Right Now

By Kate O'Flaherty
Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Go Update iOS, Chrome, and HP Computers to Fix Serious Flaws

By Kate O'Flaherty
Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.

Apple Fixed a Serious iOS Security Flaw—Have You Updated Yet?

By Kate O'Flaherty
Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.

U.K. Water Supplier Hit with Clop Ransomware Attack

By Elizabeth Montalbano
The incident disrupted corporate IT systems at one company while attackers misidentified the victim in a post on its website that leaked stolen data.

U.K. Water Supplier Hit with Clop Ransomware Attack

By Elizabeth Montalbano
The incident disrupted corporate IT systems at one company while attackers misidentified the victim in a post on its website that leaked stolen data.

Apple Just Patched 39 iPhone Security Bugs

By Kate O'Flaherty
Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

Latest Cyberattack Against Iran Part of Ongoing Campaign

By Nate Nelson
Iran's steel manufacturing industry is victim to ongoing cyberattacks that previously impacted the country's rail system.

Latest Cyberattack Against Iran Part of Ongoing Campaign

By Nate Nelson
Iran's steel manufacturing industry is victim to ongoing cyberattacks that previously impacted the country's rail system.

You Need to Update Windows and Chrome Right Now

By Kate O'Flaherty
Plus: Google issues fixes for Android bugs. And Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

‘Killnet’ Adversary Pummels Lithuania with DDoS Attacks Over Blockade

By Elizabeth Montalbano
Cyber collective Killnet claims it won’t let up until the Baltic country opens trade routes to and from the Russian exclave of Kaliningrad.

‘Killnet’ Adversary Pummels Lithuania with DDoS Attacks Over Blockade

By Elizabeth Montalbano
Cyber collective Killnet claims it won’t let up until the Baltic country opens trade routes to and from the Russian exclave of Kaliningrad.

U.S. Water Utilities Prime Cyberattack Target, Experts

By Nate Nelson
Environmentalists and policymakers warn water treatment plants are ripe for attack.

U.S. Water Utilities Prime Cyberattack Target, Experts

By Nate Nelson
Environmentalists and policymakers warn water treatment plants are ripe for attack.

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

By Kate O'Flaherty
Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

Verizon Report: Ransomware, Human Error Among Top Security Risks

By Elizabeth Montalbano
2022’s DBIR also highlighted the far-reaching impact of supply-chain breaches and how organizations and their employees are the reasons why incidents occur.

Verizon Report: Ransomware, Human Error Among Top Security Risks

By Elizabeth Montalbano
2022’s DBIR also highlighted the far-reaching impact of supply-chain breaches and how organizations and their employees are the reasons why incidents occur.

Android monthly updates are out – critical bugs found in critical places!

By Paul Ducklin
Android May 2022 updates are out - with some critical fixes in some critical places. Learn more...

You Need to Update iOS, Android, and Chrome Right Now

By Kate O'Flaherty
Plus: Microsoft patched some 100 flaws, while Oracle issued more than 500 security fixes.

Five Eyes Nations Warn of Russian Cyber Attacks Against Critical Infrastructure

By Ravie Lakshmanan
The Five Eyes nations have released a joint cybersecurity advisory warning of increased malicious attacks from Russian state-sponsored actors and criminal groups targeting critical infrastructure organizations amidst the ongoing military siege on Ukraine. "Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks," authorities from Australia,

Cyberattackers Put the Pedal to the Medal: Podcast

By Tara Seals
Fortinet's Derek Manky discusses the exponential increase in the speed that attackers weaponize fresh vulnerabilities, where botnets and offensive automation fit in, and the ramifications for security teams.

Cyberattackers Put the Pedal to the Medal: Podcast

By Tara Seals
Fortinet's Derek Manky discusses the exponential increase in the speed that attackers weaponize fresh vulnerabilities, where botnets and offensive automation fit in, and the ramifications for security teams.

Feds: APTs Have Tools That Can Take Over Critical Infrastructure

By Elizabeth Montalbano
Threat actors have developed custom modules to compromise various ICS devices as well as Windows workstations that pose an imminent threat, particularly to energy providers.

Feds: APTs Have Tools That Can Take Over Critical Infrastructure

By Elizabeth Montalbano
Threat actors have developed custom modules to compromise various ICS devices as well as Windows workstations that pose an imminent threat, particularly to energy providers.

Microsoft Zero-Days, Wormable Bugs Spark Concern

By Tara Seals
For April Patch Tuesday, the computing giant addressed a zero-day under active attack and several critical security vulnerabilities, including three that allow self-propagating exploits.

Microsoft Zero-Days, Wormable Bugs Spark Concern

By Tara Seals
For April Patch Tuesday, the computing giant addressed a zero-day under active attack and several critical security vulnerabilities, including three that allow self-propagating exploits.

“We Need COBOL Programmers!” No, You Probably Don’t

By William "Bill" Malik (CISA VP Infrastructure Strategies)

Editor’s note: While this topic isn’t entirely security-specific, Trend Micro leader William Malik, has career expertise on the trending topic and shared his perspective.

——

There was a provocative report recently that the Governor of New Jersey told reporters that the state of New Jersey needed COBOL programmers. The reason was that the number of unemployment claims had spiked, and the legacy system running unemployment claims had failed. That 40-year-old system was written in COBOL, so the conclusion was that the old language had finally given out. Hiring COBOL programmers would let the State update and modernize the application to handle the increase in load.

This might be the problem, but it probably is not. Here’s why.

  1. Software doesn’t wear out, and it doesn’t rust. Any code that’s been running for 40 years is probably rock solid.
  2. Computers have a fixed amount of specific resources: processing power, memory, network capacity, disk storage. If any of these is used up, the computer cannot do any more work.
  3. When a computer application gets more load than it can handle, things back up. Here’s a link to a process that works fine until excessive load leads to a system failure. https://www.youtube.com/watch?v=NkQ58I53mjk Trigger warning – this may be unsettling to people working on assembly lines, or on diets.
  4. Adding more resources must fit the machine architecture proportionately.
  5. Incidentally, throwing a bunch of people at an IT problem usually makes things worse.

From these points, we learn the following lessons.

Software Doesn’t Wear Out

Logic is indelible. A computer program is deterministic. It will do exactly what you tell it to do, even if what you tell it to do isn’t precisely what you meant it to do. Code never misbehaves – but your instructions may be incorrect. That’s why debugging is such a hard problem.

Incidentally, that’s also why good developers usually make lousy testers. The developer focuses her mind on one thing – getting a bunch of silicon to behave. The tester looks for faults, examines edge conditions, limit conditions, and odd configurations of inputs and infrastructure to see how things break. The two mindsets are antithetical.

Once a piece of software has been in production long enough, the mainline paths are usually defect free. In fact, the rest of the code may be a hot mess, but that stuff doesn’t get executed so those defects are latent and do not impact normal processing. Ed Adams published a report in 1984 titled “Optimizing Preventative Service for Software Products” (https://ieeexplore.ieee.org/document/5390362, originally published in the IBM Journal of Research and Development, v 28, n 1). He concluded that once a product has been in production for a sufficient time, it was safer to leave it alone. Installing preventative maintenance was likely to disrupt the system. Most IT organizations know this, having learned the hard way. “If it ain’t broke, don’t fix it” is the mantra for this wisdom.

As a corollary, new software has a certain defect rate. Fixes to that software typically have a defect rate ten times greater. So if a typical fix is large enough, you put in a new bug for every bug you take out.

Computers Are Constrained

All computers have constraints. The relative amount of resources mean some computers are better for some workloads than others. For mainframes, the typical constraint is processing power. That’s why mainframes are tuned to run at 100% utilization, or higher. (How do you get past 100% utilization? Technically, of course, you can’t. But what the measurements are showing you is how much work is ready to run, waiting for available processing power. The scale actually can go to 127%, if there’s enough work ready.)

Different types of computers have different constraints. Mainframes run near 100% utilization – the CPU is the most expensive and constrained resource. PCs on the other hand never get busy. No human can type fast enough to drive utilization above a few percent. The constrained resource on PCs is typically disk storage. That’s why different types of computers do better at different types of work. PCs are great for user interface stuff. Mainframes are perfect for chewing through a million database records. By chance we developed mainframes first; that’s not an indictment of either type, Both are useful.

Computers Can Run Out of Resources

Any IT infrastructure has a design point for load. That is, when you put together a computer you structure it to meet the likely level of demand on the system. If you over-provision it, you waste resources that will never be used. If you under-provision it, you will not meet your service level agreements. So when you begin, you must know what the customers – your users – expect in terms of response time, number of concurrent transactions, database size, growth rates, network transaction load, transaction mix, computational complexity of transaction types, and so on. If you don’t specify what your targets are for these parameters, you probably won’t get the sizing right. You will likely buy too much of one resource or not enough of another.

Note that cloud computing can help – it allows you to dynamically add additional capacity to handle peak load. However, cloud isn’t a panacea. Some workloads don’t flex that much, so you spend extra money for flexibility for a capability that you can provide more economically and efficiently if it were in-house.

Add Capacity in Balance

When I was in high school our physics teacher explained that temperature wasn’t the same as heat. He said “Heat is the result of a physical or chemical reaction. Temperature is simply the change in heat over the mass involved.” One of the kids asked (snarkily) “Then why don’t drag racers have bicycle tires on the back?” The teacher was caught off guard. The answer is that the amount of heat put into the tire is the same regardless of its size, but the temperature was related to the size of the area where the tire touched the road. A bicycle tire has only about two square inches on the pavement, a fat drag tire has 100 square inches or more. So putting the same amount of horsepower spinning the tire will cause the bicycle tire’s temperature to rise about 50 times more than the gumball’s will.

When you add capacity to a computing system, you need to balance related capacity elements or you’ll be wasting money. Doubling the processor’s power (MHz or MIPS) without proportionately increasing the memory or network capacity simply moves the constraint from one place to another. What used to be a system with a flat-out busy CPU now becomes a system that’s waiting for work with a queue at the memory, the disk drive, or the network card.

Adding Staff Makes Things Worse

Increasing any resource creates potential problems of its own, especially of the system’s underlying architecture is ignored. Fore the software development process (regardless of form) one such resource is staff. The book “The Mythical Man-Month” by Fred Brooks (https://www.barnesandnoble.com/w/the-mythical-man-month-frederick-p-brooks-jr/1126893908) discusses how things go wrong.

The core problem is adding more people require strong communications and clear goals. Too many IT projects lack both. I once was part of an organization that consulted on a complex application rewrite – forty consultants, hundreds of developers, and very little guidance. The situation degenerated rapidly when the interim project manager decided we shouldn’t waste time on documentation. A problem would surface, the PM would kick off as task force, hold a meeting, and send everybody on their way. After the meeting, people would ask what specific decisions had been reached, but since there were no minutes, nobody could be sure. That would cause the PM to schedule another meeting, and so on. Two lessons I learned concerns meetings:

  1. If you do not have agenda, you do not have a meeting.
  2. If you do not distribute minutes, you did not have a meeting.

When you add staff, you must account for the extra overhead managing the activities of each person, and establish processes to monitor changes that every participant must follow. Scrum is an excellent way of flattening potentially harmful changes. By talking face to face regularly, the team knows everything that’s going on. Omit those meetings or rely on second-hand reports and the project is already off the rails. All that remains is to see how far things go wrong before someone notices.

In Conclusion …

If you have a computer system that suddenly gets a huge spike in load, do these things first:

  1. Review the performance reports. Look at changes in average queue length, response time, transaction flight time, and any relevant service level agreements or objectives.
  2. Identify likely bottlenecks
  3. Model the impact of additional resources
  4. Apply additional resource proportionately
  5. Continue to monitor performance

If you are unable to resolve the capacity constraints with these steps, examine the programs for internal limitations:

  1. Review program documentation, specifications, service level objectives, workload models and predictions, data flow diagrams, and design documents to understand architectural and design limits
  2. Determine what resource consumption assumptions were built per transaction type, and expected transaction workload mix
  3. Verify current transaction workload mix and resource consumption per transaction type
  4. Design program extension alternatives to accommodate increased concurrent users, transactions, resource demands per transaction class
  5. Model alternative design choices, including complexity, size, and verification (QA cost)
  6. Initiate refactoring based on this analysis

Note that if you do not have (or cannot find) the relevant documentation, you will need to examine the source code. At this point, you may need to bring in a small set of experts in the programming language to recreate the relevant documentation. Handy hint: before you start working on the source code, regenerate the load modules and compare them with the production stuff to identify any patches or variance between what’s in the library and what’s actually in production.

Bringing in a bunch of people before going through this analysis will cause confusion and waste resources. While to an uninformed public it may appear that something is being done, the likelihood is that what is actually being done will have to be expensively undone before the actual core problem can be resolved. Tread lightly. Plan ahead. State your assumptions, then verify them. Have a good plan and you’ll work it out. Remember, it’s just ones and zeros.

What do you think? Let me know in the comments below, or @WilliamMalikTM.

The post “We Need COBOL Programmers!” No, You Probably Don’t appeared first on .

❌