HomePodcastCyber Security HeadlinesCyber Security Headlines – March 11, 2021

Cyber Security Headlines – March 11, 2021

Cloud hosting data centers burn down

Multiple data centers of the Strasbourg, France-based cloud computing company OVH, the largest hosting provider in Europe and third-largest in the world, have been destroyed by fire. The company is advising customers to enact their disaster recovery plans. Those affected include cyber threat intelligence company Bad Packets, provider of free chess server Lichess.org, video game maker Rust, telecom company AFR-IX, encryption utility VeraCrypt, news outlet eeNews Europe, among others.

(Bleeping Computer)

New initiative hopes to secure the open source supply chain

The Linux Foundation launched Sigstore, a non profit initiative to improve open source software supply chain security. Sigstore aims to provide free tools to developers built off of the OpenID authentication protocol to securely sign software artifacts, which can be stored in a tamper-proof public log. Currently many open source projects don’t use cryptographic signing, with public keys stored in git repo readme files, with maintainers handling keys of people no longer involved in projects. The initiative hopes to release its initial set of tools by the end of 2021, although this is not a firm commitment. Founding members include Red Hat, Google, and Purdue University.

(Dark Reading)

Dependency confusion attacks flourishing

We previously reported on a security researcher who was able to inject potentially malicious code into the open source supply chain using public software packages identically named to private packages in a company’s manifest. Now Ars Technica reports that Amazon, Slack, Lyft, and Zillow have been hit with similar attacks by malicious actors, with the firm Sonatype noting that the npm and PyPi open source code repositories have been flooded with 5,000 proof-of-concept packages for such attacks. Slack, Lyft, and Zillow said these attacks were detected but did not have malicious code executed, and representatives for npm have previously published a post on how to protect against these types of attacks. 

(Ars Technica)

Stimulus bill adds $1 billion for government IT

Congress approved the funding in the Technology Modernization Fund, which was kept in the final version of the larger overall $1.9 trillion COVID-19 relief package. The Biden administration originally pushed for $9 billion in funding, and the funding was originally not included at all in the version originally approved by the House. Ultimately the funding passed due to the need for the federal government to quickly improve the state of remote work, as well as to improve infrastructure in light of the recent supply-chain attack through the SolarWinds Orion platform. 


Thanks to our episode sponsor, Trend Micro

With organizations rapidly migrating to the cloud, CISOs have new challenges to address. Trend Micro Cloud One(tm) is a connected SaaS platform comprised of six solutions that address all your cybersecurity needs from workloads, to file storage, containers and more. Empower your IT teams to do more with less with Trend Micro Cloud One. Visit us at Trendmicro.com for more info.

Biden appoints US CIO

Fast Company reports that President Biden is appointing Clare Martorana to the role. Martorana has previously served as CIO of the Office of Personnel Management, worked as an executive at WebMD and Everyday Health, and helped modernize the VA’s IT infrastructure. She’s been tasked with ensuring that digital election information and online voter registration are accessible to everyone, as well as bolstering the federal government’s cybersecurity, modernizing IT systems, and making government websites more accessible to citizens. 

(Fast Company)

China’s economic plan looks to end US tech dependency

China made its five-year economic plan public, calling on technology development as a matter of national security, previously identified as important for economic development. Under the plan, China will increase spending on tech R&D by 7% annually across public and private sectors, a higher annual increase than allotted for its military budget. The China Development Bank is preparing $60 billion in loans for over 1000 tech firms, and has raised $30 billion for a new semiconductor investment fund. China hopes to produce 70% of core components needed by domestic chipmakers by 2025.


Report finds sensitive data abounds on GitHub

This report comes from the security firm GitGuardian, which analyzed all public commits made on GitHub since 2017, finding a 20% year over year increase on sensitive data like API keys, private keys, certificates, usernames and passwords in 2020. Overall 15% of leaks on GitHub occur within public repositories owned by organizations with 80% on developers’ personal repositories. Google keys were the most commonly leaked, representing 27.6% of data, followed by development tools and data storage with around 15% each. 


Americans don’t think organizations are serious about cybersecurity 

A survey by Lynx Software found that 51% of respondents said their employers don’t take cybersecurity seriously, with 60% saying they were not prohibited by IT departments for using tools that did not have high security standards. 48% said they were not aware of any stricter IT practices in place since the start of the COVID-19 pandemic. Three-quarters of respondents said they use personal devices for work purposes some of the time, with 54% saying their biggest cybersecurity concern was having personal data leaked. 

(Infosecurity Magazine)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.

Most Popular