Kaspersky on U.S. security threat list, malware found in NPM open-source library and more.
Welcome to Cyber Security Today. It’s Monday, March 28th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Russian-based cybersecurity company Kaspersky and the American divisions of two Chinese telecommunications companies have been added to an American government list of companies deemed a threat to national security. China Telecom Americas and China Mobile International USA were also put on the list last Friday by the Federal Communications Commission. The move follows a 2017 decision by Washington to forbid federal agencies from using Kaspersky products and services. In response Kaspersky said the decision was made on political grounds.
The open-source community works in part by having software developers contribute software libraries that others can use in creating full applications. But the system is open to abuse. The latest example comes from the discovery of more than 200 malicious packages dropped into the NPM library of open-source material. All are aimed at compromising apps designed for the Microsoft Azure platform and stealing personal information. According to security researchers at JFrog, the attacker behind this scheme is trying to fool developers by giving their files names that are similar to real packages. NPM was alerted and the bad files have been removed from the library. If you are a developer of apps for Azure who recently downloaded resources from NPM, check where they came from. This incident is another example of why developers have to not only be careful of the source of external code but also use tools to closely scan outside code before adding to their applications.
Lots of companies do cybersecurity surveys to burnish their credibility. However, some ask the wrong questions, or ask the right questions to the wrong people. Let me give you an example. Earlier this month a company released a survey of small businesses owners – the company didn’t say if the respondents were from the U.S. or around the world. One question was about their cybersecurity practices. Thirty per cent of respondents said their firm has no cybersecurity measures in place. That can’t be right: Assuming most use Windows, it comes with a firewall and antivirus. So its probably more accurate to say they have inadequate cyber security – although experts might say that’s the same as having nothing. The company doing the survey may have assumed a small business owner knows his firm. Maybe. But the survey would have had more credibility for me if it asked questions of whoever does the IT work.
One thing in the survey did ring true, though: Of the 30 per cent of business owners who said they had no cybersecurity measures in place about 60 per cent said the reason why is because they think they’re too small to be a target. That’s not true. Thirty per cent said their online business is limited so they don’t need cybersecurity – another misconception. Almost 20 per cent said cybersecurity is just too expensive for them to spend on.
I have a bunch of security updates to tell you about:
Users of Western Digital’s MyCloud OS 5 storage devices should make sure the firmware is updated. There are security updates to be installed. You can do that by clicking on the firmware update notification you get when running a backup.
Network administrators who have the Sophos Firewall in their environments should make sure its running the latest version. Sophos had to issue a security update to fix an authentication bypass vulnerability. If the firewall is set to automatically install hotfixes the fix should already be there.
Finally, Chrome users should note Google issued a security update on Friday for a major vulnerability. Make sure your browser is running the latest version, which starts with the number 99 and ends in .84
Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.