Tag Archive for: Failure

China suspends Alibaba Cloud over failure to report internet bug



China has suspended Alibaba Cloud’s services for six months after the company failed to report the serious Internet bug — which has put millions of systems and devices at risk of hacking — to the Ministry of Industry and Information Technology (MIIT).


Chinese media outlets report that Alibaba Cloud was suspended after it reported the ‘Log4J’ vulnerability to the component’s provider, Apache, before reporting it to the ministry.

“Recently, after discovering serious security vulnerabilities in the ‘Apache Log4j2’ component, Alibaba Cloud failed to report to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management,” according to local media reports.


According to 21st Century Business Herald, the cyber security administration of the MIIT “was suspending its information-sharing partnership with Alibaba Cloud for six months, specifically citing the failure to report Log4J as the reason why,” reports ZDNet.


Cyber criminals are making thousands of attempts to exploit vulnerabilities in a Java logging library called ‘Apache Log4j2’.


As the world scrambles to plug serious security bugs that can derail the Internet for millions, Google has said that more than 35,000 Java packages, amounting to over eight per cent of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed vulnerabilities with widespread fallout across the software industry.


Meanwhile, China has put into effect a new law that makes it mandatory for all to report vulnerabilities to state regulators within two days.


In November, the Cyberspace Administration of China unveiled new laws that reclassified data, along with multiple sets of fines for violations of its policy.


Alibaba was hit with a record fine of 18.2 billion yuan and 33 other mobile apps have faced criticism from Beijing for their data collection policies.


Last month, China’s market regulator fined tech giants Alibaba, Baidu, Tencent and e-commerce platform JD.com Inc and Suning…


Microsoft’s Failure to Prioritize Security Puts Everyone at Risk


It has been a very busy year when it comes to Microsoft zero-day attacks. According to KrebsOnSecurity, May is the only month in 2021 that Microsoft didn’t release a patch to defend against at least one zero-day exploit. And Microsoft vulnerabilities are playing a bigger role in the spate of ransomware infections organizations are grappling with than most probably are aware of (more on that below).

The issue is not the mere presence of vulnerabilities in Microsoft code – that’s something that unfortunately is almost unavoidable when you’re dealing with billions of lines of code, and most developer shops make a serious effort to weed them out before the code goes into production.

Until we find a way to reliably automate vulnerability remediation at scale, there are going to be exploitable bugs now and again.

The issue here is Microsoft’s lackluster track record in ensuring that fewer vulnerabilities make it to market so their customers can be more secure – and it’s security that is the real rub here.

Over the last few years, Microsoft has been making huge investments in security, but those investments are not focused on making their products more secure; they are directed at developing new product offerings in the security space.

To be clear here, Microsoft as an organization has made a conscious decision to forgo improving their product security in favor of going after new revenue streams as a security vendor. 

So essentially, Microsoft – arguably the most prolific and ubiquitous provider of IT products and services on the planet, and thus the biggest target for attackers – is looking to cash in by offering to protect everyone from the vulnerabilities they introduce into the market.


This is akin to a fast food chain deciding not to make their food healthier but instead choosing to invest in fitness centers, or Big Tobacco funding cancer research instead of just ceasing to sell cancer-causing agents. And, after they have successfully conditioned us to accept the fact that their products are perpetually vulnerable with the monthly Patch Tuesday fire drills, they now want organizations to trust that they are the best choice to…


Ho-Chunk say they’ve engaged security experts to probe Dells casino computer system failure


The Ho-Chunk Nation said Thursday that it has engaged cyber security experts to investigate an “incident” that affected the tribe’s computer systems last month, leading to a four-day shutdown of its Wisconsin Dells casino.

Still unclear is whether the incident constituted a hack and whether any customers of the tribe’s Dells casino and other businesses had their personal data exposed.

Ho-Chunk Gaming in Wisconsin Dells reopened at 1 p.m. Aug. 30 after announcing the “major computer systems failure” on its Facebook page the morning of Aug. 26. While the property’s hotel and RV park remained open, all gaming, ATM service, restaurants and other amenities were completely or partially shut down.

The tribe said nothing else about the incident until Thursday afternoon, when it released a statement saying cybersecurity experts had been hired and that “to date, the investigation found no evidence that any tribal member’s personal information is at risk because of this incident.”

“No one specific individual was targeted, and our investigation found no evidence that personal or tribal information was taken by an unauthorized person,” the statement said.

Tribe spokesperson Ken Luchterhand said he didn’t know whether the systems failure was the result of a hack or whether the personal information of gamblers or of the tribe’s other customers might have been exposed. He referred questions from the Wisconsin State Journal to the tribe’s attorney general, Scott Seifert, whose office referred the newspaper back to Luchterhand, who had not returned another call for comment.


Twitter Security Failure Prompts Call for Regulating Internet Giants as Systemic Risks


Twitter Inc. suffered from cybersecurity shortfalls that enabled a “simple” hack attributed to a Florida teenager to take over the accounts of several of the world’s most famous people in July, according to a report released on Wednesday.

The report by New York’s Department of Financial Services also recommended that the largest social media companies be deemed systemically important, like some banks following the 2008 financial crisis, with a dedicated regulator monitoring their ability to combat cyberattacks and election interference.

“That Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer,” said Linda Lacewell, the financial services superintendent.

Twitter did not immediately respond to a request for comment. It has acknowledged that some employees were duped into sharing account credentials prior to the hack.

New York Governor Andrew Cuomo ordered a probe following the July 15 hack of celebrity Twitter accounts, in an alleged scam that stole more than $118,000 in Bitcoin.

Those whose accounts were hacked included U.S. presidential candidate Joe Biden; former President Barack Obama; billionaires Jeff Bezos, Bill Gates and Elon Musk; singer Kanye West, and his wife Kim Kardashian, the reality TV star.

Lacewell said hackers obtained log-in credentials after calling several employees, pretending to work in Twitter’s information technology department, and claiming to be responding to problems with the company’s Virtual Private Network, problems that had become common because employees were working from home.

“The extraordinary access the hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences,” the report said.

Twitter’s lack of a chief information security officer at the time also made the San Francisco-based company more vulnerable, the report said.

Florida prosecutors said Graham Ivan Clark was the mastermind behind the hack, and charged the 17-year-old Tampa resident as an adult with 30 felonies.

Clark has pleaded not guilty. Federal prosecutors charged two others with aiding the hack.

(Reporting by Jonathan Stempel in New…
