I get dizzy just seeing the name: memory safety errors.
But even if a sea change is years away, there is growing momentum inside and outside government to address the issue.
The bugs can be devastating, leading to malware and cyberattacks, including on hospitals, Josh Aas, who leads a project to promote memory safety in critical infrastructure, told me. “It’s really nice to get this kind of attention.”
What is it and what are the risks?
The underlying problem: computer code needs memory allocated to execute its instructions, and some older programming languages, such as C and C++ from decades ago, let developers manage that memory manually.
“That freedom also creates risks and allows for various bugs,” an Atlantic Council paper explained last year. “These problems, called memory safety errors, can be caused by simple typos or forgotten lines of code, or by unexpected interactions with complex memory structures.”
In contrast, newer programming languages such as Python, Java and Rust manage memory automatically. Many of them are designed to make memory safety errors nearly or entirely impossible.
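To make the “forgotten line of code” concrete, here is an added example (not from the article or any project it mentions) in C: a record with a fixed-size name field, one setter that copies caller input without a length check, and a hardened setter that measures first and rejects input that does not fit. The struct, function names and sample inputs are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size field, as found in countless C programs. */
#define NAME_CAP 16

struct record {
    char name[NAME_CAP];
    int  sequence;      /* whatever happens to follow name[] in memory */
};

/* The "forgotten line" version: no bounds check. Input of NAME_CAP
 * bytes or more writes past the end of name[] into adjacent memory,
 * which is exactly the class of memory safety error described above.
 * Kept only to show the defect; never call it with untrusted input. */
void set_name_unchecked(struct record *r, const char *input)
{
    strcpy(r->name, input);  /* no length check: overflow on long input */
}

/* Hardened version: measure first, refuse input that does not fit
 * (leaving the record unchanged), and always keep name[] NUL-terminated.
 * Returns 0 on success, -1 when the input was rejected. */
int set_name_checked(struct record *r, const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_CAP)          /* need room for the terminating NUL */
        return -1;
    memcpy(r->name, input, len + 1);
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    /* Constructed sample input: 32 'A's, twice the size of the field. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (set_name_checked(&r, "alice") == 0)
        printf("ok: name=%s\n", r.name);
    if (set_name_checked(&r, too_long) != 0)
        printf("rejected: %zu bytes do not fit in %d\n",
               strlen(too_long), NAME_CAP);
    return 0;
}
```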
An example of the potential impact: a memory safety error was involved in the 2017 global WannaCry ransomware attack, which the U.S. government blamed on North Korean hackers.
“By exploiting this kind of memory problem, a malicious actor who is not bound by normal expectations of software usage can enter abnormal input into a program and access, write, allocate or deallocate memory in unexpected ways,” the National Security Agency said in a November cybersecurity alert. “In some cases, malicious actors can exploit these memory management errors to access sensitive information, execute unauthorized code, or cause other adverse effects.”
Google said in a December blog post that memory safety errors accounted for 86% of the “critical” (worst) vulnerabilities in the Android operating system in 2022.
What’s changed and why
In addition to the NSA, lawmakers and officials from the Cybersecurity and Infrastructure Security Agency have started emphasizing memory safety. Congress recently included provisions in an appropriations bill asking National Cyber Director Chris Inglis’s office to investigate memory safety and then brief key legislators within six months.
Consumer Reports also jumped into the fray last week with a survey on the future of memory-safe languages.
According to Aas, newer programming languages have proven to be both fast and safe, strengthening the argument in favor of memory-safe code.
“I think memory safety has become a very popular topic today, mainly because we are no longer faced with that choice,” said Aas, executive director of the Internet Security Research Group and lead of the Prossimo project, which promotes memory-safe code for critical software.
Memory-safe languages were not always as flexible as they are now, said Dan Lorenc, CEO of Chainguard, a software supply chain company.
“There have always been memory-safe programming languages, but they weren’t versatile enough,” Lorenc, whose company has worked on memory-safety issues, told me. “They weren’t available in all situations. More importantly, they couldn’t be used in lower-level operations. Only years.”
Lorenc said the federal government can help by continuing to raise awareness.
But it also has greater power: as one of the largest software buyers on the planet, the federal government can apply market pressure by making clear that agencies require or prefer products built in memory-safe languages, he said.
How long will it take for things to improve?
There are signs that memory-safe languages are already making an impact. In a December blog post, Google said that shifting its focus to memory-safe code had paid off, with annual memory safety vulnerabilities in the Android operating system dropping from 223 in 2019 to 85 last year.
Android security engineer Jeffrey Vander Stoep wrote.
The Prossimo project may still be another five to ten years from its goal of converting the most important software to memory-safe languages, Aas said.
“We’ll probably see a lot of progress next year,” Lorenc said. He added that the Prossimo project has completed one of its smaller goals years ahead of schedule. “I’m optimistic, but things are moving much faster than anyone thought,” he said.
Russian Hackers Target Ukraine’s Energy Sector With New Malware
Sandworm, one of the most notorious Russian hacking groups, deployed new data-wiping malware against Ukrainian energy companies last October, at the same time as the Russian military launched missiles against the country’s energy infrastructure, researchers at Slovak cybersecurity firm ESET said in a report released on Tuesday.
“While we cannot show that these events were coordinated, it does suggest that the Sandworm and the Russian military have related objectives,” the researchers wrote.
- According to the US government, Sandworm is a branch of Russia’s military intelligence agency. The group has long targeted organizations in Ukraine and other countries.
Researchers have named the new malware strain “NikoWiper.” The hackers built the wiper on SDelete, a Microsoft tool used to delete files. ESET’s report on the new wiper comes after the company last week identified another Sandworm attack, which occurred on January 25 and targeted the Ukrainian public sector.
A year into the war in Ukraine, Russian hackers have targeted Ukrainian systems alongside larger-scale armed attacks, including taking Ukrainian government websites and banks offline the day before the Russian invasion.
Google Fi says hackers got access to customer information
Google’s cellular network provider, Google Fi, emailed customers on Monday that it suffered a data breach in which hackers gained access to millions of customers’ information, including phone and SIM numbers, TechCrunch’s Carly Page reports.
According to an email obtained by TechCrunch, Google said the hackers did not steal customers’ personal data, including credit card information, passwords, text messages and phone calls.
“The timing of the notification and the fact that Google Fi uses a combination of T-Mobile and US Cellular for network connectivity suggests that the breach is related to the incident at T-Mobile that occurred two weeks ago,” Page wrote. According to T-Mobile, a malicious actor obtained the personal data of about 37 million customers in that incident, including billing addresses, dates of birth and T-Mobile account details.
US and India launch high-level defense and technology initiatives
The United States and India formally launched the Initiative on Critical and Emerging Technology, known as iCET, on Tuesday to facilitate joint production of defense equipment such as military jet engines, long-range artillery and armored infantry vehicles, the Post’s Ellen Nakashima reports.
The move follows a commitment President Biden and Indian Prime Minister Narendra Modi made in May to build such a relationship. National security adviser Jake Sullivan told reporters on Tuesday that it will serve the strategic interests of both countries amid Russia’s invasion of Ukraine and clashes with common rivals like China.
However, he said: “That is the core of the president’s holistic approach to the presidency. So while the Chinese and Russian elements are real, the idea of building a deep democratic ecosystem with advanced technology is also real.”
UK government minister tells council to remain silent after ransomware attack (The Record)
TikTok flip-flops: Australian state ministry banned and then lifted ban on social media app over spy fears (The Age)
How Surveillance Technology Helped Protect Power and Drug Trafficking in Honduras (Coda Story)
Ransomware attack on Indianapolis Housing Authority leaks sensitive information about 200,000 residents (The Record)
Ransomware attack closes Nantucket school (CNN)
Threat campaign exploits Microsoft’s Verified Publisher status to proliferate malicious OAuth apps and target business executives (SC Magazine)
Republican report shows plans to focus on unfair election fraud claims (Amy Gardner and Isaac Arnsdorf)
US new ransomware strategy puts victims first, but could make cybercriminals harder to catch (CNN)
Space chief fears ‘backdoor’ to attack satellite communications (DefenseScoop)
Latest software cybersecurity rules attract jeering from government agencies (Bloomberg Government)
- US cyber ambassador Nathaniel Fick speaks at an event organized by the German Marshall Fund on Thursday at 10:30 a.m.
- California’s Privacy Protection Agency Board of Directors will meet on Thursday to discuss possible actions on the proposed cybersecurity regulation.
Thanks for reading. See you tomorrow.