Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.
Codecov discloses 2.5-month-long supply chain attack
Codecov, a software company that provides code testing and code statistics solutions, disclosed on Thursday a major security breach after a threat actor managed to compromise its platform and add a credentials harvester to one of its tools. The impacted product is named Bash Uploader and allows Codecov customers to submit code coverage reports to the company’s platform for analysis. Codecov said the breach occurred “because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.” The breach is already drawing comparisons to SolarWinds due to the potential for follow-on effects at companies that use Codecov as a supplier.
Major BGP leak disrupts thousands of networks globally
A large Border Gateway Protocol (BGP) routing leak that occurred on April 16 disrupted connectivity for thousands of major networks and websites around the world. Although it happened in Vodafone’s autonomous network based in India, it impacted several U.S. companies, including Google. Although this one lasted just 10 minutes, BGP leaks are serious occurrences, as they can lead to users being moved to an internet route with suboptimal performance or exposed to piracy activities such as eavesdropping and traffic analysis.
WordPress says FLoC is a security concern
WordPress announced it will treat Google’s third-party cookie alternative, Federated Learning of Cohorts (FLoC), as a security concern. It proposed blocking the technology by default starting with WordPress 5.8 and is considering backporting the block to earlier versions. Site admins could override this block in code, and WordPress is considering adding a setting to enable FLoC directly. WordPress said its concern is that enabling FLoC by default would make site owners accept it without fully realizing what FLoC is storing and collecting about users. The update to block FLoC is expected by July 2021, although WordPress is currently taking user feedback on the decision.
Thanks to our episode sponsor, Palo Alto Networks
Medtronic partners with Sternum on pacemaker security
The medical device maker announced it will work with the IoT cybersecurity startup Sternum to help prevent its pacemakers from getting hacked through their internet-based software updating systems. Medtronic’s previous solution to the problem was simply to disconnect the pacemakers from the updating system, but the company did not consider that a long-term solution. Sternum claims to offer “autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities.” A spokesperson said this would not only mitigate risks to patients, but also prevent pacemakers from being used as an attack vector on a medical system’s overall network.
Biden administration unveils plan to defend electric sector from cyberattacks
The Department of Energy (DOE) yesterday announced a 100-day plan to help shore up the U.S. electric power system against cyber threats. The plan, rolled out with the private sector and CISA, is meant to help owners and operators develop more comprehensive approaches to detection, mitigation and forensic capabilities. It will focus on getting industrial control system (ICS) owners and operators to select and use technologies that help them gain real-time awareness of cyber threats and response capabilities, and will also encourage the deployment of technologies that boost visibility into threats in both ICS and operational technology networks.
Pulse Secure VPN zero-day used to hack defense firms, govt orgs
Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure SSL VPN appliance that is being actively exploited against US Defense Industrial Base (DIB) networks and organizations worldwide. To mitigate the vulnerability, tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers to upgrade their server software. As a workaround, the vulnerability can be mitigated on some gateways by disabling the Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the company’s security advisory.
University of Minnesota banned from submitting to Linux kernel
Linux kernel project maintainers imposed the ban on submissions from the Golden Gophers after it was discovered that researchers at the institution had submitted a series of malicious code commits as part of their research activities. The maintainers went so far as to revert all code commits ever coming from a @umn.edu email address. These commits will be re-reviewed to ensure they were actually valid fixes and not submitted in bad faith. The commits were used for a February 2021 research paper entitled, “Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits.” The researchers maintained that any patch suggestions were made through email exchanges and never made it into a code branch. The University’s institutional review board approved the research as not ethically harmful.
Signal founder examines a Cellebrite device
In a blog post, Moxie Marlinspike published details about how devices from the phone unlocking company Cellebrite work, and reported that the devices had numerous vulnerabilities themselves. He found the devices lacked exploit mitigation defenses, and that a malicious app could easily add an “otherwise innocuous file in an app” which would tamper with a Cellebrite device when it attempted a scan. Marlinspike said he would share details about all vulnerabilities found on the device if Cellebrite discloses all the bugs the company uses to unlock phones.
Facebook wants to ‘normalize’ the mass scraping of personal data
The social network continues to face fallout from a leak of over 500 million Facebook users’ phone numbers. An internal email accidentally sent by a Facebook representative to a journalist at Dutch publication DataNews, the authenticity of which has been confirmed by Motherboard, states that the longer-term plan for Facebook is to anticipate more scraping incidents and “frame them as a broad industry issue and normalize the fact that this activity happens regularly.” Facebook is planning to publish a blog post that talks about the company’s anti-scraping work.