
CISA joins forces with Women in CyberSecurity to break up the boy's club

Also, the FBI just admitted to bypassing warrants by buying cellphone location data, and this week's actionable items


in brief The Cybersecurity and Infrastructure Security Agency's director, Jen Easterly, has been outspoken in her drive to bring more women into the security industry, and this year for International Women's Day her agency formalized that pledge by announcing a partnership with the nonprofit Women in CyberSecurity (WiCyS).

The US Department of Homeland Security agency and WiCyS signed a memorandum of understanding on Wednesday to help raise awareness of job opportunities for women in cybersecurity and build "a pipeline for the next generation of women" able to fill those roles, the agency said.

Easterly, who was chosen by President Biden to head CISA in 2021, said that inspiring women and girls to join the cybersecurity field is one of her top priorities. Easterly was a keynote speaker at WiCyS' 2022 annual conference, where she called for half of cybersecurity professionals to be women and underrepresented minorities by 2030. By most recent count, the number is just half that - around a quarter of cybersecurity roles are occupied by women. 

WiCyS was founded in 2014 through a National Science Foundation grant to Dr Ambareen Siraj from Tennessee Tech University to start WiCyS as a conference. By 2018 the group had grown enough to spin up its own nonprofit organization, and began offering other services to women in the security community, like a job board, professional affiliate opportunities, training assistant programs, apprenticeship placement services and more. 

CISA said in its announcement of the partnership that one of its first joint initiatives will be CISA's participation in WiCyS' mentorship program. Open to all WiCyS members, the nine-month program groups mentees into cohorts for virtual meetings with cybersecurity industry mentors, of whom CISA employees will presumably now be a part. Last year, the program included 746 learners from entry to senior levels.

Interested students or potential mentors can enroll now, but the window closes on March 22. 

Of the partnership, WiCyS executive director Lynn Dohm said CISA's goal of developing a stronger, more inclusive cybersecurity workforce aligns perfectly with her group's mission. "Our collaboration will ensure that more women and other under-represented groups will have the tools and resources to jumpstart their career in cyber and be supported throughout their journey," Dohm said.

This week's actionable items

As we noted a few weeks ago, we added this section to the weekly security roundup as a way to ensure The Register readers were aware of critical vulnerabilities in a timely manner. We've expanded the section to also include some of the other smaller, but nonetheless actionable, security items of the week that didn't make it to print.

CISA caught five more known vulnerabilities being exploited in the wild this week, but only three of them were rated critical:

  • CVSS 8.5 - CVE-2021-39144: the XStream library is vulnerable to an RCE that could allow a remote attacker to manipulate the processed input stream to execute commands on the host.
  • CVSS 8.8 - CVE-2022-33891: When ACLs are enabled in Apache Spark, a code path is opened in HttpSecurityFilter that allows for impersonation whenever a user provides an arbitrary username.
  • CVSS 9.8 - CVE-2022-35914: Open source service management platform GLPI contains a PHP test file in its htmlawed module that allows for PHP code injection.

CISA also released a pair of critical industrial control system vulnerabilities:

  • CVSS 8.8 - CVE-2023-0228: ABB Ability Symphony Plus software contains an improper authentication bug that could allow an unauthorized client to connect to an operations server and act as a legitimate client.
  • CVSS 9.8 - Multiple CVEs: All versions of the Akuvox E11, a doorbell camera phone, are affected by vulnerabilities including the use of hardcoded encryption keys, a web server with no authentication, no file extension checks, and a bunch of other reasons to update, or just dump the thing, ASAP.

Here's a quick summary of the other items we've been following this week: 

  • The FBI is warning that, while the world may have moved on from crypto in favor of the AI craze, cybercriminals are still creating fake blockchain games to steal crypto.
  • Oh, look: It's not just BetterHelp selling customer data to advertisers: Telehealth firm Cerebral said this week it's been doing the same thing - but by accident, it claims.
  • The IceFire ransomware has mutated, and now infects Linux systems, too.
  • Wanna see ChatGPT generate polymorphic malware? Sure you do, which is why the folks at Hyas released a PoC of just that. Now go learn what it's capable of so you can be proactive against it.
  • Cybersecurity ratings company Bitsight said one in 12 companies it tracks has an unsecured internet-facing webcam or similar device - maybe now's the time to check yours?
  • GitHub Actions was coded with a bit of a security oversight: It turns out bad actors can use commits from forked repositories to bypass allowed workflow settings and hide malicious code. The lesson? Sign all your commits. 

The FBI paid for location data to circumvent warrant rules

While speaking before the US Senate, FBI director Christopher Wray made an unsurprising, but still somewhat startling, admission: G-men hampered from getting geolocation data warrants have simply resorted to buying the data they need from brokers. 

Wray made a very carefully worded statement to the effect that the FBI no longer buys location data, but that it used to. 

"To my knowledge, we do not currently purchase commercial database information that includes location data derived from internet advertising. I understand that we previously — as in the past — purchased some such information for a specific national security pilot project. But that's not been active for some time," Wray said in the hearing.

Note his qualification in that statement: the FBI doesn't currently buy data that includes location data derived from internet advertising. As for location data derived from elsewhere? Well, the FBI relies on court-authorized processes to get that data, Wray said.

Wray's admission marks the first time a federal agency has copped to what Congress has been worried about for some time, namely that US federal agencies are circumventing the Fourth Amendment rule against unreasonable searches, which the Supreme Court decided in 2018 included location data, by simply buying it on the commercial market.

Senator Ron Wyden, whose question elicited Wray's confirmation of the judicial side-step, wrote letters to the Departments of Homeland Security, Defense and Justice asking them to investigate alleged warrantless collection of location data in their agencies. Now that we know they were doing so, it just remains to be seen if Congress can actually manage to change the law to prevent it from happening - even if it's not going on right now. ®
