Friday Five 10/22
A GPS software bug, helping nonprofits defend against nation state attacks, and the DOJ wants more incident reporting - catch up on the infosec news of the week with the Friday Five!
1. CISA: GPS software bug may cause unexpected behavior this Sunday by Bill Toulas
An odd story here via Bleeping Computer on something that may or may not turn into an issue this weekend. CISA warned this week that because of a timing bug set to trigger on Sunday, some Network Time Protocol servers running GPS Daemon (GPSD) software could run slow or fail to respond. CISA is encouraging administrators, if they haven't already, to update to GPSD version 3.23, which should remedy the problem. Similar to the Y2K bug, we won't know for sure whether this is a legitimate issue until Sunday, but if you encounter any downtime on your devices that day, there's probably a good reason why.
2. DOJ wants to know: What are the impediments to working with law enforcement? by Joe Uchill
SC Media broke down a Criminal Division Cybersecurity Roundtable discussion carried out by Deputy Attorney General Lisa O. Monaco and Assistant Attorney General Kenneth A. Polite Jr. on Wednesday. One of the biggest takeaways: The DOJ needs more reporting from victims. It's a tough ask for companies to come clean when they've been compromised, either through a phishing attack, stolen credentials, or ransomware. Many worry that disclosing an attack can tarnish their reputation but that knowledge is essential for law enforcement and the government to do their job effectively. "If companies don’t come forward — in this threat environment, with the stakes being as high as they are in many cases – I think legitimate questions will be and should be asked of companies – why didn’t you come forward and help prevent the next victim? That’s why I’ve called publicly for a national incident reporting standard, because we can’t go at this alone," Monaco said. Monaco went on to tout recent developments internally at DOJ designed to tamp down ransomware attacks, including the creation of the National Cryptocurrency Enforcement Team and the Ransomware and Digital Extortion Task Force.
3. House Passes Bills on Both Supply Chain, Telecom Security by Dan Gunderman
From time to time in this space we lament the progress made at a federal level when it comes to cybersecurity, but there continue to be little victories here and there. The U.S. House of Representatives passed two bills designed to shore up the nation's security on Wednesday. As Bank Info Security reports, the Department of Homeland Security Software Supply Chain Risk Management Act of 2021 would "require DHS' undersecretary for management to issue departmental guidance requiring DHS contractors to submit software bills of materials, or SBOMs, that identify the origins of each component of the software furnished to DHS." A separate bill, the Secure Equipment Act, would bar the Federal Communications Commission from reviewing or issuing equipment licenses to companies on the FCC's "Covered Equipment or Services List," i.e., those that pose a national security threat.
4. Microsoft now defends nonprofits against nation-state attacks by Sergiu Gatlan
Last week in this space we mentioned some of the work being done by tech companies like Microsoft and Google to protect at-risk users, specifically through the distribution of hardware security authentication keys designed to boost two-factor authentication use. This week Microsoft rolled out a new program designed to lend a hand to another vulnerable group, nonprofits, organizations that may not have the funds to fully secure every known attack vector. While typically less well funded, nonprofits are also among the groups most targeted by nation-state actors, accounting for 31% of attacks, according to one of the firm's recent reports. The new effort, which the company is calling a Security Program for Nonprofits, helps prevent nation-state attacks through a risk assessment, security training for IT professionals and end users, and proactive monitoring and notification.
5. Walmart CISO on security in retail: ‘It comes down to trust’ by Jill Aitoro
Not an article but a video interview, via SC Media, in which Jill Aitoro, the publication's Editor-in-Chief, discusses how security translates to the retail sector with Walmart's CISO, Jerry Geisler. Geisler talks about the shift the company experienced with COVID-19, how it mitigated challenges introduced by the need for remote work, and how cyber intelligence has helped it become better equipped to respond to threats.