« on: December 21, 2021, 03:53:25 PM »
or give the govt access to it?
Nemo
https://www.newsbreak.com/news/2461206234136/feds-scramble-to-assess-security-flaw-that-threatens-hundreds-of-millions-of-devices
Feds scramble to assess security flaw that threatens 'hundreds of millions' of devices
By Eric Geller
POLITICO
6 days ago
Updated: 12/14/2021 08:51 PM EST
"Hundreds of millions" of internet-connected devices are vulnerable to hackers because of a newly discovered security flaw in a widely used piece of computer code, a federal official said Tuesday, though there is no indication that U.S. government agencies have been compromised.
"Across the federal government, we have no known reports of compromises using this vulnerability," Eric Goldstein, the executive assistant director in charge of the cybersecurity division at the Cybersecurity and Infrastructure Security Agency, told reporters during a briefing about the expanding crisis around the flaw.
The vulnerability, which became widely known last week, affects a type of web server known as Apache that is ubiquitous across the internet. It could allow hackers to run malicious code on targeted computer systems for purposes including espionage and ransomware, researchers have warned.
The Biden administration remains "deeply concerned" about what Goldstein called "an extremely widespread, easy to exploit, and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm."
Federal scramble: The code, in a type of Apache logging software called Log4j, is so pervasive that government agencies are almost certainly using "many" products that contain it, Goldstein said. CISA has given agencies until Dec. 24 to apply patches produced by the makers of affected software.
"Agencies have taken this with the utmost seriousness and have made extraordinary progress" in applying patches and other mitigating measures since the vulnerability's disclosure late last week, Goldstein said.
Vast array of targets: CISA currently estimates that "hundreds of millions" of devices are running software that uses the vulnerable code, Goldstein said, but that number is likely to grow as more software makers report their use of the code.
No major attacks yet: So far, Goldstein said, most of the attacks on vulnerable companies worldwide have involved cyber criminals seeking to deploy software that mines cryptocurrency on infected computers. CISA has not yet seen any "highly sophisticated" attacks by advanced, state-backed hackers, he said.
CISA also hasn't seen any impact on the nation's infrastructure, and Goldstein said that critical infrastructure companies have so far been able to mitigate the vulnerability "without a material impact to their critical functions or services."
A call for help: CISA is building a catalog of software that contains the vulnerability code, but Goldstein said the agency needs the public's help in filling in the gaps. "One of our really important lines of effort here is ensuring that we have a complete and comprehensive list of impacted products," he said.
What's next: CISA expects the number of hackers exploiting the vulnerability to grow as more of them assess its value to their operations, Goldstein said. The agency is also worried about how the flaw might impact home electronics and internet-of-things devices, because consumers may not be following security guidance as much as many businesses are.
If you need a second magazine, it's time to call in air support.
God created Man, Col. Sam Colt made him equal, John Moses Browning turned equality to perfection, Gaston Glock turned perfection into plastic fantastic junk.