CISA joins forces with Women in CyberSecurity to break up the boy's club
Also, the FBI just admitted to bypassing warrants by buying cellphone location data, and this week's actionable items
in brief Cybersecurity and Infrastructure Security Agency's director Jen Easterly has been outspoken in her drive to bring more women into the security industry, and this year for International Women's Day her agency formalized that pledge by announcing a partnership with nonprofit Women in CyberSecurity (WiCyS).
The US department of Homeland Security agency and WiCyS signed a memorandum of understanding on Wednesday to help raise awareness of job opportunities for women in cybersecurity and build "a pipeline for the next generation of women" able to fill those roles, the agency said.
Easterly, who was chosen by President Biden to head CISA in 2021, said that inspiring women and girls to join the cybersecurity field is one of her top priorities. Easterly was a keynote speaker at WiCyS' 2022 annual conference, where she called for half of cybersecurity professionals to be women and underrepresented minorities by 2030. By most recent count, the number is just half that - around a quarter of cybersecurity roles are occupied by women.
WiCyS was founded in 2014 through a National Science Foundation grant to Dr Ambareen Siraj from Tennessee Tech University to start WiCyS as a conference. By 2018 the group had grown enough to spin up its own nonprofit organization, and began offering other services to women in the security community, like a job board, professional affiliate opportunities, training assistant programs, apprenticeship placement services and more.
CISA said in its announcement of the partnership that one of its first joint initiatives will be CISA's participation in WiCyS' mentorship program. Open to all WiCyS members, the nine-month program groups mentees into cohorts for virtual meetings with cybersecurity industry mentors, of whom CISA employees will presumably now be part. Last year, the program included 746 learners from entry to senior levels.
Interested students or potential mentors can enroll now, but the window closes on March 22.
Of the partnership, WiCyS executive director Lynn Dohm said CISAs goal of developing a stronger, more inclusive cybersecurity workforce aligns perfectly with her group's mission. "Our collaboration will ensure that more women and other under-represented groups will have the tools and resources to jumpstart their career in cyber and be supported throughout their journey," Dohm said.
This week's actionable items
As we noted a few weeks ago, we added this section to the weekly security roundup as a way to ensure The Register readers were aware of the critical vulnerabilities in a timely manner. We've expanded the section to also include some of the other smaller, but nonetheless actionable, security items of the week that didn't make it to print.
CISA caught five more known vulnerabilities being exploited in the wild this week, but only three of them were rated critical:
- CVSS 8.5 - CVE-2021-39144: the XStream library is vulnerable to a RCE that could allow a remote attacker to manipulate the processed input stream to execute commands as the host.
- CVSS 8.8 - CVE-2022-33891: When ACLs are enabled in Apache Spark, a code path is opened in HttpSecurityFilter that allows for impersonation whenever a user provides an arbitrary username.
- CVSS 9.8 - CVE-2022-35914: Open source service management platform GLPI contains a PHP test file in its htmlawed module that allows for PHP code injection.
CISA also released a pair of critical industrial control system vulnerabilities, too:
- CVSS 8.8 - CVE-2023-0228: ABB Ability Symphony Plus software contains an improper authentication bug that could allow an unauthorized client to connect to an operations server and act as a legitimate client.
- CVSS 9.8 - Multiple CVEs: All versions of the Akuvox E11, a doorbell camera phone, are affected by vulnerabilities including the use of hardcoded encryption keys, an no-authentication web server, no file extension checks, and a bunch of other reasons to update, or just dump the thing, ASAP.
Here's a quick summary of the other items we've been following this week:
- The FBI is warning that, while the world may have moved on from crypto in favor of the AI craze, cybercriminals are still creating fake blockchain games to steal crypto.
- Oh, look: It's not just BetterHelp selling customer data to advertisers: Telehealth firm Cerebral said this week it's been doing the same thing - but by accident, it claims.
- The IceFire ransomware has mutated, and now infects Linux systems, too.
- Wanna see ChatGPT generate polymorphic malware? Sure you do, which is why the folks at Hyas released a PoC of just that. Now go learn what it's capable of so you can be proactive against it.
- Cybersecurity ratings company Bitsight said one in 12 companies it tracks have an unsecured internet-facing webcam or similar device - maybe now's the time to check yours?
- GitHub Actions was coded with a bit of a security oversight: It turns out bad actors can use commits from forked repositories to bypass allowed workflow settings and hide malicious code. The lesson? Sign all your commits.
The FBI paid for location data to circumvent warrant rules
While speaking before the US Senate, FBI director Christopher Wray made an unsurprising, but still somewhat startling, admission: G-men hampered from getting geolocation data warrants have simply resorted to buying the data they need from brokers.
Wray made a very carefully worded statement to the effect that the FBI no longer buys location data, but that it used to.
"To my knowledge, we do not currently purchase commercial database information that includes location data derived from internet advertising. I understand that we previously — as in the past—purchased some such information for a specific national security pilot project. But that's not been active for some time," Wray said in the hearing.
Note his qualification in that statement: the FBI doesn't currently buy data that includes location data derived from internet advertising. As for location data derived from elsewhere? Well, the FBI relies on court-authorized processes to get that data, Wray said.
Wray's admission marks the first time a federal agency has copped to what Congress has been worried about for some time, namely that US federal agencies are circumventing the fourth amendment rule against unreasonable searches, which the Supreme Court decided in 2018 included location data, by simply buying it on the commercial market.
Senator Ron Wyden, whose question elicited Wray's confirmation of the judicial side step, wrote letters to the Departments of Homeland Security, Defense and Justice asking them to investigate alleged warrantless collection of location data in their agencies. Now that we know they were doing so, it just remains to be seen if Congress can actually manage to change the law to prevent it from happening - even if it's not going on right now. ®