In brief The bug hunters at Google’s Project Zero team have released their latest time-to-fix data and Linux is smashing the opposition.
Between 2019 and 2021 open-source developers fixed Linux issues in an average of 25 days, compared to 83 for Microsoft and Oracle pulling last place at 109 days, albeit from a very low number of cases. Furthermore, Linux is showing consistent improvement in response times, from 32 days in 2019 to just 15 last year, and that improvement is being mirrored (mostly) across the industry.
“In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero,” said the team’s Ryan Schoen in the report. “This is a significant acceleration from an average of about 80 days three years ago.”
When it comes to mobile fixes Apple leads the telecoms duopoly, sorting out issues in an average of 70 days, compared to Android’s 72.
Project Zero reported more than 10 times the number of flaws in iOS than in its home operating system, and yet still Cupertino’s coders beat them to it.
As you’d expect, the Project Zero team spent a lot of time investigating Chrome, finding 40 bugs compared to 27 in the troubled WebKit, and eight in Firefox. Chrome also got fixed in a little over five days, more than double the speed of the competition.
2FA is where it’s at
Google is also claiming success after its move to require the use of two-factor authentication on some accounts, saying that account takeovers are down 50 per cent.
Last October the ad giant began moves to enrol 150 million users and two million YouTube streamers into its 2FA system and in a Safer Internet Day post said it was expanding the program ahead of the 2022 US midterm elections.
It’ll be focusing efforts on election workers, human rights workers, journalists and other high-interest targets, and is also introducing an optional safe browsing system.
“Coming next month, you will be able to opt in to Google’s account-level enhanced safe browsing feature – which provides our broadest security protection against threats you encounter on the web and against your Google Account,” said Jen Fitzpatrick, SVP of core systems and experiences at Google.
“Soon you will be able to turn this setting on when you take a Security Checkup or manually in your account settings.”
But by taking a more forceful approach, Google seems to be saving itself a lot of headaches. You have to ask – why aren’t more people signing up?
US cracking the whip on investment fund cybersecurity
The US Securities and Exchange Commission (SEC) has voted to introduce new rules requiring investment funds and financial advisers to tighten up their security practices.
Under the proposed amendments, which have been released [PDF] for public consultation, investment houses and their key staff would need to submit documented and regularly updated cybersecurity protocols to the SEC. They will also have to report “significant cybersecurity incidents” to the regulatory body.
“Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets,” said SEC chair Gary Gensler. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”
Lazarus rises again, this time against Lockheed
The Lazarus online intrusion group, thought to be run by North Korea’s state-sponsored squad of online criminals, is back and this time it’s going after aerospace techies.
Researchers at security shop Qualys have reported a new recruitment scam campaign targeting job applicants for Lockheed Martin, the US aerospace giant, using LOLBins (living-off-the-land binaries, legitimate operating system executables abused to run the attacker’s code). The attack is very similar to recruitment campaigns targeting Northrop Grumman and BAE Systems.
“We identified two phishing documents: ‘Lockheed_Martin_JobOpportunities.docx’ and ‘Salary_Lockheed_Martin_job_opportunities_confidential.doc’,” said Akshat Pradhan, senior engineer for Qualys threat research. “Both variants were authored by the same user, named ‘Mickey’. The methodology used for control flow hijack and the macro content is similar across both samples.”
While the online crooks sponsored by Kim Jong-un’s repressive regime have been concentrating on stealing cryptocurrency to prop up the bankrupt economy, technical information is also highly sought after, particularly since the country claims to have made major breakthroughs in hypersonics. By subverting job applicants, the attackers are no doubt hoping qualified personnel will have lots of juicy details and access credentials on their hard drives.
Random numbers through magnetism
A novel way of generating random numbers using magnetic forces has been detailed in a peer-reviewed paper published in Nature Communications.
A team at Rhode Island’s Brown University has been investigating skyrmions, magnetic movements in ultra-thin 2D materials that were discovered over 60 years ago. The team created stable skyrmions and found that their size fluctuates in what looks like a truly random way.
“There has been a lot of research into the global dynamics of skyrmions, using their movements as a basis for performing computations,” said Gang Xiao, chair of the Department of Physics at Brown and senior author of the research.
“But in this work, we show that purely random fluctuations in the size of skyrmions can be useful as well. In this case, we show that we can use those fluctuations to generate random numbers, potentially as many as 10 million digits per second.”
Proper randomness is highly prized in fields like encryption, computer simulation, and even in gambling, but doing it algorithmically is fraught with problems. Harnessing the randomness of nature, and at scale, presented interesting opportunities for future development, Xiao explained. ®