
Cyber Security Headlines – March 11, 2021

Cloud hosting data centers burn down

Multiple data centers of the Strasbourg, France-based cloud computing company OVH, the largest hosting provider in Europe and third-largest in the world, have been destroyed by fire. The company is advising customers to enact their disaster recovery plans. Those affected include cyber threat intelligence company Bad Packets, the free chess server Lichess.org, video game maker Rust, telecom company AFR-IX, encryption utility VeraCrypt, and news outlet eeNews Europe, among others.

(Bleeping Computer)

New initiative hopes to secure the open source supply chain

The Linux Foundation launched Sigstore, a non-profit initiative to improve open source software supply chain security. Sigstore aims to provide developers with free tools, built on the OpenID authentication protocol, to securely sign software artifacts, with the signatures stored in a tamper-proof public log. Currently many open source projects don’t use cryptographic signing at all; where they do, public keys are often stored in git repo README files, and maintainers end up handling keys belonging to people no longer involved in the project. The initiative hopes to release its initial set of tools by the end of 2021, although this is not a firm commitment. Founding members include Red Hat, Google, and Purdue University.

(Dark Reading)

Dependency confusion attacks flourishing

We previously reported on a security researcher who was able to inject potentially malicious code into the open source supply chain by publishing public software packages with the same names as private packages listed in a company’s manifest. Now Ars Technica reports that Amazon, Slack, Lyft, and Zillow have been hit with similar attacks by malicious actors, with the firm Sonatype noting that the npm and PyPI open source code repositories have been flooded with 5,000 proof-of-concept packages for such attacks. Slack, Lyft, and Zillow said the attacks were detected and no malicious code was executed, and representatives for npm have previously published a post on how to protect against these types of attacks.

(Ars Technica)
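The mechanism behind these attacks is a name collision: a dependency that only exists on an internal registry is resolved from the public registry instead, where anyone can publish a package of the same name. The checks a defender can run against their own manifests follow directly from that: private packages should be namespaced under an organization scope, each scope should be pinned to the private registry in `.npmrc`, and the lockfile should never resolve an internal package from the public registry host. The script below is an added example written for this summary, not code from npm, Sonatype or any of the companies named; the package names, registry hostname and file contents are constructed samples, and it reads the legacy `dependencies` map of `package-lock.json` (lockfile versions 1 and 2).

```python
"""Flag npm dependencies that are exposed to dependency confusion.

Three defender-side checks, applied only to packages you know are internal:
  1. an internal package that is unscoped can be shadowed by a public package
     of the same name;
  2. a scoped internal package whose scope is not pinned to a private registry
     in .npmrc may still be fetched from the public registry;
  3. a lockfile entry whose "resolved" URL points at the public registry host
     shows that the shadowing has already happened at install time.
"""
import json
from urllib.parse import urlparse

# Hostname of the public npm registry (a real host; used only for comparison).
PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org"}

# --- Constructed sample inputs (hypothetical organisation "acme") ---------
SAMPLE_PACKAGE_JSON = """{
  "name": "billing-service",
  "dependencies": {
    "express": "^4.17.1",
    "acme-auth-utils": "1.2.0",
    "@acme/logger": "2.0.1",
    "@acme/metrics": "1.0.0",
    "@acme-labs/feature-flags": "0.3.0"
  }
}"""

SAMPLE_NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.acme.example/
"""

SAMPLE_LOCK = """{
  "dependencies": {
    "express": {"version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz"},
    "acme-auth-utils": {"version": "1.2.0",
      "resolved": "https://registry.npmjs.org/acme-auth-utils/-/acme-auth-utils-1.2.0.tgz"},
    "@acme/logger": {"version": "2.0.1",
      "resolved": "https://npm.internal.acme.example/@acme%2flogger/-/logger-2.0.1.tgz"}
  }
}"""

# Packages the organisation publishes only to its private registry (constructed).
INTERNAL_PACKAGES = {
    "acme-auth-utils", "@acme/logger", "@acme/metrics", "@acme-labs/feature-flags",
}


def parse_npmrc(text):
    """Return (default_registry, {scope: registry_url}) from .npmrc contents."""
    default, scoped = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value
    return default, scoped


def scope_of(name):
    """'@acme/logger' -> '@acme'; unscoped names return None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def find_confusable(package_json, npmrc, lockfile, internal):
    """Return a list of (package, reason) findings for internal dependencies."""
    deps = json.loads(package_json).get("dependencies", {})
    _, scoped_registries = parse_npmrc(npmrc)
    lock_deps = json.loads(lockfile).get("dependencies", {})
    findings = []
    for name in deps:
        if name not in internal:
            continue  # public dependencies are out of scope for this check
        scope = scope_of(name)
        if scope is None:
            findings.append((name, "unscoped internal package; a public package of the same name can shadow it"))
        elif scope not in scoped_registries:
            findings.append((name, f"scope {scope} is not pinned to a private registry in .npmrc"))
        resolved = lock_deps.get(name, {}).get("resolved")
        if resolved and urlparse(resolved).hostname in PUBLIC_REGISTRY_HOSTS:
            findings.append((name, "lockfile resolves it from the public registry"))
    return findings


if __name__ == "__main__":
    for pkg, reason in find_confusable(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, SAMPLE_LOCK, INTERNAL_PACKAGES):
        print(f"{pkg}: {reason}")
```

Run against the samples, the script reports `acme-auth-utils` twice (unscoped, and already resolved from the public host in the lockfile) and `@acme-labs/feature-flags` once (scope not pinned), while `@acme/logger` passes because its scope is pinned and its lockfile entry resolves to the private host. The list of internal package names is the one input the script cannot infer; in practice it comes from the private registry's package index.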

Stimulus bill adds $1 billion for government IT

Congress approved the funding in the Technology Modernization Fund, which was kept in the final version of the larger $1.9 trillion COVID-19 relief package. The Biden administration originally pushed for $9 billion in funding, and the funding was not included at all in the version first approved by the House. Ultimately the funding passed due to the need for the federal government to quickly improve the state of remote work, as well as to improve infrastructure in light of the recent supply-chain attack through the SolarWinds Orion platform.

(Protocol)

Thanks to our episode sponsor, Trend Micro

With organizations rapidly migrating to the cloud, CISOs have new challenges to address. Trend Micro Cloud One(tm) is a connected SaaS platform comprised of six solutions that address all your cybersecurity needs from workloads, to file storage, containers and more. Empower your IT teams to do more with less with Trend Micro Cloud One. Visit us at Trendmicro.com for more info.

Biden appoints US CIO

Fast Company reports that President Biden is appointing Clare Martorana to the role. Martorana has previously served as CIO of the Office of Personnel Management, worked as an executive at WebMD and Everyday Health, and helped modernize the VA’s IT infrastructure. She’s been tasked with ensuring that digital election information and online voter registration are accessible to everyone, as well as bolstering the federal government’s cybersecurity, modernizing IT systems, and making government websites more accessible to citizens. 

(Fast Company)

China’s economic plan looks to end US tech dependency

China made its five-year economic plan public, framing technology development as a matter of national security, where it had previously been identified as important for economic development. Under the plan, China will increase spending on tech R&D by 7% annually across the public and private sectors, a higher annual increase than allotted for its military budget. The China Development Bank is preparing $60 billion in loans for over 1,000 tech firms, and has raised $30 billion for a new semiconductor investment fund. China hopes to produce 70% of the core components needed by domestic chipmakers by 2025.

(NYTimes)

Report finds sensitive data abounds on GitHub

This report comes from the security firm GitGuardian, which analyzed all public commits made on GitHub since 2017, finding a 20% year-over-year increase in 2020 in leaked sensitive data such as API keys, private keys, certificates, usernames and passwords. Overall, 15% of leaks on GitHub occur within public repositories owned by organizations, while 80% occur in developers’ personal repositories. Google keys were the most commonly leaked, representing 27.6% of leaked data, followed by development tools and data storage with around 15% each.

(GitGuardian)

Americans don’t think organizations are serious about cybersecurity 

A survey by Lynx Software found that 51% of respondents said their employers don’t take cybersecurity seriously, with 60% saying they were not prohibited by IT departments from using tools that did not have high security standards. 48% said they were not aware of any stricter IT practices put in place since the start of the COVID-19 pandemic. Three-quarters of respondents said they use personal devices for work purposes some of the time, with 54% saying their biggest cybersecurity concern was having personal data leaked.

(Infosecurity Magazine)


Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.