
      North Korea Hacking Cryptocurrency Sites with 3CX Exploit

      news.movim.eu / Schneier · Tuesday, 4 April, 2023 - 14:10

    News :

    Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that’s unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they’re based in “western Asia.”

    Security firms CrowdStrike and SentinelOne last week pinned the operation on North Korean hackers, who compromised 3CX installer software that’s used by 600,000 organizations worldwide, according to the vendor. Despite the potentially massive breadth of that attack, which SentinelOne dubbed “Smooth Operator,” Kaspersky has now found that the hackers combed through the victims infected with its corrupted software to ultimately target fewer than 10 machines—at least as far as Kaspersky could observe so far—and that they seemed to be focusing on cryptocurrency firms with “surgical precision.”


      Biden administration wants to hold companies liable for bad cybersecurity

      news.movim.eu / ArsTechnica · Friday, 3 March, 2023 - 00:12


    The Biden administration on Thursday pushed for new mandatory regulations and liabilities to be imposed on software makers and service providers in an attempt to shift the burden of defending US cyberspace away from small organizations and individuals.

    “The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” administration officials wrote in a highly anticipated document detailing an updated National Cybersecurity Strategy. “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity.”

    Increasing regulations and liabilities

    The 39-page document cited recent ransomware attacks that have disrupted hospitals, schools, government services, pipeline operations, and other critical infrastructure and essential services. One of the most visible such attacks occurred in 2021 with a ransomware attack on the Colonial Pipeline, which delivers gasoline and jet fuel to much of the southeastern US. The attack shut down the vast pipeline for several days, prompting fuel shortages in some states.



      A world of hurt for Fortinet and Zoho after users fail to install patches

      news.movim.eu / ArsTechnica · Thursday, 23 February, 2023 - 22:11


    Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors race to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.

    The vulnerabilities both carry severity ratings of 9.8 out of a possible 10 and reside in two unrelated products crucial in securing large networks. The first, tracked as CVE-2022-47966, is a pre-authentication remote code execution vulnerability in 24 separate products from software maker Zoho that use the company’s ManageEngine. It was patched in waves from last October through November. The second vulnerability, CVE-2022-39952, affects a product called FortiNAC, made by cybersecurity company Fortinet, and was patched last week.

    Both ManageEngine and FortiNAC are billed as zero-trust products, meaning they operate under the assumption a network has been breached and constantly monitor devices to ensure they’re not infected or acting maliciously. Zero-trust products don’t trust any network devices or nodes on a network and instead actively work to verify they’re safe.



      Parrot OS 5.2 is now available with Linux Kernel 6.0

      TREND OCEANS · Thursday, 16 February, 2023 - 04:45

    Parrot OS 5.2, a Debian-based, security-oriented distribution, was recently released with the latest Linux Kernel 6.0.


    #linux #debian #parrot #kalilinux #security #pentester #cybersecurity


      US Cyber Command Operations During the 2022 Midterm Elections

      news.movim.eu / Schneier · Tuesday, 24 January, 2023 - 21:00

    The head of both US Cyber Command and the NSA, Gen. Paul Nakasone, broadly discussed that first organization’s offensive cyber operations during the runup to the 2022 midterm elections. He didn’t name names, of course:

    “We did conduct operations persistently to make sure that our foreign adversaries couldn’t utilize infrastructure to impact us,” said Nakasone. “We understood how foreign adversaries utilize infrastructure throughout the world. We had that mapped pretty well. And we wanted to make sure that we took it down at key times.”

    Nakasone noted that Cybercom’s national mission force, aided by NSA, followed a “campaign plan” to deprive the hackers of their tools and networks. “Rest assured,” he said. “We were doing operations well before the midterms began, and we were doing operations likely on the day of the midterms.” And they continued until the elections were certified, he said.

    We know Cybercom did similar things in 2018 and 2020, and presumably will again in two years.


      A widespread logic controller flaw raises the specter of Stuxnet

      news.movim.eu / ArsTechnica · Wednesday, 11 January, 2023 - 19:41 · 1 minute


    In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them.

    The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013. Firmware is the low-level code that coordinates hardware and software on a computer. The vulnerability stems from a basic error in how the cryptography is implemented, but Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip. As a result, Siemens says it has no fix planned for any of the 122 S7-1500 PLC models that the company lists as being vulnerable.



      Hackers discover that vulnerabilities are rife in the auto industry

      news.movim.eu / ArsTechnica · Wednesday, 11 January, 2023 - 17:31 · 1 minute


    If you purchased a new car in the past few years, chances are good that it contains at least one embedded modem, which it uses to offer some connected services. The benefits, we've been told, are numerous and include convenience features like interior preheating on a cold morning, diagnostics that warn of failures before they happen, and safety features like teen driver monitoring.

    In some regions, connected cars are even mandatory, as in the European Union's eCall system. But if these systems sound like a potential security nightmare, that's because they often are. Ars has been covering car hacks for more than a decade now, but the problem really cemented itself in the public consciousness in 2015 with the infamous Jeep hacking incident, when a pair of researchers proved they could remotely disable a Jeep Cherokee while it was being driven, via an exploit in the SUV's infotainment system. Since then, security flaws have been found in some cars' Wi-Fi networks, NFC keys and Bluetooth, and in third-party telematics systems.

    Toward the end of 2022, a researcher named Sam Curry tested the security of various automakers and telematics systems and discovered security holes and vulnerabilities seemingly wherever he looked. Curry decided to explore the potential holes in the auto industry's digital infrastructure when he was visiting the University of Maryland last fall after playing around with an electric scooter's app and discovering that he could turn on the horns and headlights across the entire fleet. After reporting the vulnerability to the scooter company, Curry and his colleagues turned their attention to larger vehicles.



      74% say connected cars and EV chargers need cybersecurity ratings

      news.movim.eu / ArsTechnica · Thursday, 20 October, 2022 - 15:22


    Almost 3 in 4 people think that connected cars and electric vehicle chargers should be rated for their ability to resist cybersecurity threats. That's the finding from a survey conducted last week by Blackberry to see whether people consider Internet-connected devices (also known as the Internet of Things) to be secure from hacking threats.

    The survey was commissioned in response to a new White House initiative announced on Wednesday. The Biden administration plans to launch a labeling program for IoT devices in 2023, similar to the EnergyStar ratings that tell consumers how much electricity a TV or appliance will use.

    The White House wants the National Institute of Standards and Technology and the Federal Trade Commission to come up with a basic set of security standards so that Americans can tell at a glance whether that new speaker or washing machine is in danger of joining a botnet or getting hit with ransomware.



      The next Ford Mustang won’t be easy to tune; blame cybersecurity

      news.movim.eu / ArsTechnica · Friday, 14 October, 2022 - 15:53 · 1 minute


    People have been tinkering with and modifying vehicles since not long after the invention of the automobile. As an activity, it exploded in the wake of World War II, as surplus machinery mixed with bored young people with a bit of mechanical knowhow looking for a bit of a thrill. From hot rods and desert speed racers to the import-tuning scene at the turn of the century, being able to soup up one's ride has been a core aspect of car enthusiasm. But that may be a thing of the past, if the next Ford Mustang is any indication.

    Ford debuted its 2024 Mustang in September. The seventh-generation car doesn't deviate much from the recipe that made the people's pony car such a big hit all these years: a two-door body that's recognizable as a Mustang and a choice of gasoline engines up front that drive the wheels at the back. There's no hybrid or electrified version—other than the Mustang Mach-E, of course, but that'll just start a flame war in the comments.

    But as you might expect of a car being unveiled in 2022, no previous Mustang has been quite as digital as the incoming model. Advanced driver assists abound, there's a full digital cockpit, and among its connected features is Amazon Alexa integration.
