Cyber Security Headlines – November 16, 2021

DHS launches program to close cyber talent gap

The Cyber Talent Management System was announced by the Department of Homeland Security, designed to help CISA better fill vacancies. This program has been in development for the past seven years and is designed to cut through bureaucratic red tape in the federal hiring process. Typically, federal hiring prioritizes benchmarks like longevity rather than technical skills. Under the program, DHS can hire cyber professionals with salaries up to $332,100 in certain circumstances, to better compete with the private sector. While vacancies at CISA are the initial focus, the program will eventually be used to fill gaps at other DHS agencies next year.

(The Record)

China expands cybersecurity review requirements

China’s Big Tech crackdown continues. According to new draft rules from the Cybersecurity Administration of China, the country will require technology companies to undergo a cybersecurity review prior to listing on the Hong Kong stock exchange if authorities determine a potential impact to national security. The rules also require companies to get security clearance for mergers, spin-offs, or establishing overseas headquarters and R&D centers. Platforms with over 100 million daily active users will need to get approval for major updates to operations, user rights, or data privacy. The regulator is accepting feedback on the draft rules through December 13th. These rules come to light after Didi’s IPO resulted in its apps being pulled and signups suspended pending a cybersecurity review by the regulator.

(Bloomberg)

Microsoft blocks Edge redirects

Microsoft confirmed an update for Windows 11 will prevent app developers from using microsoft-edge protocol links, which are now restricted to the Edge browser using Bing for search. Apps like EdgeDeflector had used these links to open Start menu search results in the user’s default browser rather than Edge. In a statement Microsoft said taskbar search is “an end-to-end experience that is not designed to be redirected” and said it will “fix” any improper redirection workarounds. While EdgeDeflector has a modest user base, popular browsers have started adopting the feature. Mozilla’s Firefox offered a similar workaround, and the Brave browser added the feature to its roadmap.

(The Verge)

Cloudflare stops a giant DDoS attack

The company said it blocked the attack, which peaked at just under 2 Tbps, one of the largest DDoS attacks recorded. This attack came from 15,000 bots running a variant of the original Mirai code on exploited IoT devices as well as unpatched GitLab instances. Rapid7 warned two weeks ago that GitLab instances could be used for such an attack, saying that roughly 30,000 internet-facing instances remained unpatched at that time. Cloudflare said it was the largest attack it’s seen, and it comes close to the 2.4 Tbps DDoS attack targeting one of Microsoft’s Azure customers in Europe last month.

(TechCrunch)

Thanks to our episode sponsor, Vulcan Cyber

Ryan Gurney spent years as CSO and security exec for companies like Google Looker, Zendesk, Engine Yard, and eBay. Ryan has seen a few things and is done pretending cyber security is something it isn’t. Attend the Vulcan Cyber virtual summit on December 9th to get Ryan’s take on the difference between negligent and effective cyber security. It’s a fine line. Go to vulcan.io and click the button at the top of the screen to register for the event.

All DDR4 modules vulnerable to rowhammer attacks

Rowhammer attacks access physical rows inside memory chips millions of times a second in an effort to get neighboring bits to flip to their opposite binary value. Previously these attacks have hammered memory rows in uniform patterns, meaning that targeted rows are accessed the same number of times. However, new research shows that using non-uniform patterns that access two or more rows with different frequencies bypasses all mitigations manufacturers have designed into DRAM, such as Target Row Refresh. The researchers created a custom-built “fuzzer,” which detects bugs by automatically injecting malformed data in a semi-random fashion into a piece of hardware or software. One of the researchers estimated that “this increases the number of devices that can be hacked with known attacks to 80%.”

(Ars Technica)

US and Israel tag team on ransomware

The two countries established a joint cybersecurity initiative to combat the use of ransomware by threat actors, particularly as it threatens the global financial system. This initiative will include information-sharing between the two countries on regulations, hacking incidents, and intelligence on cyber threats. Government agencies will also extend staff visits, training, and exercises to improve responses to ransomware threats.

(Bloomberg)

Government advice to schools on ransomware “vastly outdated”

This finding comes from a report by the US Government Accountability Office, warning that Department of Education guidance for K-12 schools needs to be refreshed to better deal with ransomware and other threats. This guidance was last issued in 2010. For context, K-12 schools reported 62 ransomware incidents in 2019, up from 11 in 2018. One can imagine that things didn’t get better in 2020. The Department of Education said it had not been told by CISA to make updates. However, the GAO report found that the Education Department was responsible for determining whether an update to the guidance was needed.

(Tripwire)

Skiff adds user facing app to IPFS

The decentralized Interplanetary File System has been around for a while, providing a network of peer-hosted nodes that organizes around requests for specific content, rather than being location-centric like the conventional web. Browser support is available in Brave and Opera, but application support has been spartan outside of developer and crypto tools. Skiff is a new app looking to expand the uses of IPFS, providing a privacy-focused document editor. IPFS does not encrypt files by default, but Skiff provides a front end that uses end-to-end encryption, then splits up files and distributes them across IPFS. As an app, Skiff is fast and lightweight, supports subpages and checkboxes, and integrates private collaboration.

(Fast Company)
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.