Latest news with #CVEProgram


Forbes
22-04-2025
- Business
- Forbes
The Wiretap: Trump's Cybersecurity Agency Avoided A Near Disaster
The Wiretap is your weekly digest of cybersecurity, internet privacy and surveillance news.

An essential, constantly-updated database of cybersecurity vulnerabilities almost went offline last week. Run by Mitre, the Common Vulnerabilities and Exposures (CVE) database has become vital to all manner of digital defenders, from those on enterprise IT teams to those keeping tabs on national security threats. It's proven particularly helpful in understanding the severity of a software or hardware flaw, determining whether it's actively being exploited by hackers, and assessing whether a fix is urgently needed.

Mitre had warned users that funding for the CVE project, which came via the DHS Cybersecurity and Infrastructure Security Agency (CISA), was going to run out on Wednesday, April 16. In a last-minute reprieve, though, CISA confirmed it would continue to provide financial backing for it.

Inside CISA, staff told Forbes it was a whirligig week where, within 24 hours, the agency had gone from causing a disaster to averting one. 'It would have been devastating for defenders,' said one CISA employee. 'What a mess,' said another.

Beyond saying that 'the CVE Program is invaluable to the cyber community and a priority of CISA,' the agency is yet to offer any kind of explanation for the brinksmanship. CISA is currently without a permanent director, with Sean Plankey, Trump's nominee, yet to be approved by Congress. The sooner the agency has some stability, the less likely such snafus are to come close to causing catastrophic damage to American cybersecurity.

Got a tip on surveillance or cybercrime? Get me on Signal at +1 929-512-7964.

Palantir, the $20 billion surveillance company, is upping its work with Immigration and Customs Enforcement (ICE) via contracts asking it to build a 'complete target analysis of known populations,' reports 404 Media. A subsequent leak of internal Palantir communications revealed that it's going to be helping locate people in the country illegally, while planning for a backlash externally and internally. Staff have been given guidance on the ethics of working on such large-scale work with an agency like ICE, showing how Palantir is worried about the optics of the contracts.

Cops across America are starting to utilize AI agents to help spy on social media, according to a Wired and 404 Media report. Among the agents advertised to cops by providers were a fake college protester and a potential child sex trafficking victim.

Pedestrian crosswalks were hacked in Seattle last week to have a fake Jeff Bezos start spouting tongue-in-cheek pro-billionaire spiel. 'Please, please don't tax the rich. Otherwise, all the other billionaires will move to Florida too,' it said, referencing the Amazon founder's residency change that saved him an estimated $1 billion.

A draft bill currently in the Florida legislature would, if it passed, require social media companies to build backdoors that would allow law enforcement to decrypt messages.

Secretary of Defense Pete Hegseth has all but confirmed new reports suggesting he shared sensitive information about U.S. attack plans in Yemen in a second Signal group chat.

The Forbes 30 Under 30 Europe list was launched last week. One lister was a Ukrainian cybersecurity startup, LetsData. Launched in 2022, it's an AI-driven company that claims it can spot and tackle disinformation campaigns.

Michael McMahon, a retired NYPD sergeant turned private detective, has been sentenced to 18 months in prison for his part in harassing and stalking a Chinese expatriate named Xu Jin, who is wanted by his homeland's government. It's alleged McMahon helped his client even though he knew it appeared to be part of a Chinese government plot to get Jin to return to China.


WIRED
19-04-2025
- Politics
- WIRED
Florida Man Enters the Encryption Wars
Just three months into the Trump administration's promised crackdown on immigration to the United States, Immigration and Customs Enforcement now has a $30 million contract with Palantir to build a 'near-real time' surveillance platform called ImmigrationOS that would track information about people self-deporting (electing to leave the US). Meanwhile, the Department of Homeland Security has been sending aggressive emails telling people with temporary legal status to leave the US. It is unclear who has actually been sent the messages, though, given that a number of people who are US-born citizens have reported receiving them.

The US Cybersecurity and Infrastructure Security Agency briefly seemed poised this week to cancel funding for the critical software vulnerability tracking project known as the CVE Program. CISA eventually came through with the funding, but some members of the CVE Program's governing board are planning to make the project into an independent nonprofit. A lawsuit over the Trump administration's Houthi Signal group chat is revealing details on steps that federal departments did—and did not—take to preserve the messages per records laws.

WIRED took a look at the most dangerous hackers you've never heard of, diving deep on the unrelenting and two-faced Russian intelligence group Gamaredon; the incredibly prolific Chinese Smishing Triad text message scammers; the dangerous members of fallen ransomware giant Black Basta; the Iranian critical infrastructure hackers known as CyberAv3ngers; the TraderTraitor North Korean cryptocurrency hackers responsible for a staggering number of massive heists; and the notorious, longtime Chinese criminal and state-backed crossover hackers known as Brass Typhoon.

On top of all of that, a suspected 4chan hack may have devastating consequences for the controversial image board. The AI company Massive Blue is helping cops generate AI-powered social media bots to pose as sympathetic figures and talk to people of interest. And the New Jersey attorney general is suing Discord, claiming that the platform doesn't have adequate safeguards in place to protect children under 13 from sexual predators and harmful content.

But wait, there's more! Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

A draft bill in the state of Florida would require social media companies to provide law enforcement with encryption backdoors so cops could access users' accounts. The bill advanced unanimously from committee this week and will now go to the state Senate for a vote. If passed, the Social Media Use by Minors bill, which is sponsored by state senator Blaise Ingoglia, would require 'social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.' The bill would also ban disappearing messages in accounts designed for children and would require social media companies to create a mechanism for parents or guardians to access children's accounts.

Experts have long warned that encryption backdoors make everyone less secure, including those they are intended to help. Yet waves of attacks on encryption have repeatedly emerged over the years, including a recent trend in the European Union and United Kingdom.

A Nevada district judge said this week that the practice of 'tower dumps,' in which law enforcement pulls vast quantities of personal caller data from cell towers, violates the Fourth Amendment and is, thus, unconstitutional. Cell towers collect large quantities of information about users, including phone numbers and phone locations, so when cops request data from a tower during a specific time period, they often receive information on thousands of devices or more. In spite of the decision this week, though, Judge Miranda M. Du said that law enforcement could still use the evidence they had collected through a tower dump in their case.

China claimed this week that the US National Security Agency perpetrated 'advanced' cyberattacks against critical industries in February during the Asian Winter Games. Law enforcement from the northeastern city of Harbin put three alleged NSA agents—Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson—on a wanted list and claimed that the University of California and Virginia Tech were involved in the attacks.

'We urge the US to take a responsible attitude on the issue of cyber security and … stop unprovoked smears and attacks on China,' ministry spokesperson Lin Jian said during a news briefing about multiple topics, according to Reuters.

The US government frequently calls out Chinese state-backed hacking and names individual alleged perpetrators, but China has been less consistent about such statements. The move this week comes amid escalating tensions between the two countries, including the Trump administration's trade war.

CBP is using multiple artificial intelligence tools to scan social media and identify people of interest online, according to information from the agency and marketing materials reviewed by 404 Media from the contractors. CBP released information about the platforms this week in parallel to the US Department of Homeland Security's announcement that it will 'begin screening aliens' social media activity for Antisemitism.' That statement also says that US Citizenship and Immigration Services is conducting 'antisemitism' social media searches.

CBP told 404 Media in an email that 'neither tool is used for vetting or travel application processing,' referring to Dataminr and Onyx, but did not elaborate beyond that. The platforms use AI to parse large troves of data and can be used to develop leads on people who may be in violation of US immigration laws.


WIRED
16-04-2025
- Business
- WIRED
'Stupid and Dangerous': CISA Funding Chaos Threatens Essential Cybersecurity Program
Apr 16, 2025 4:10 PM

The CVE Program is the primary way software vulnerabilities are tracked. Its long-term future remains in limbo even after a last-minute renewal of the US government contract that funds it.

In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software vulnerability tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity—providing critical data and services for digital defense and research.

The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA's funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months.

'The CVE Program is invaluable to the cyber community and a priority of CISA,' they said in a statement. 'Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience.'

MITRE's vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that, 'CISA identified incremental funding to keep the Programs operational.' With the clock ticking down before this decision came out, though, some members of the CVE Program's board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation.

'Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,' the Foundation wrote in a statement. 'This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.'

It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.

CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.

Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn't suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to be an independent entity that isn't reliant on funding from any one government or other single source.

'The CVE Program is critical and it's in everyone's interest that it succeed,' says Patrick Garrity, a security researcher at VulnCheck. 'Nearly every organization and every security tool is dependent on this information and it's not just the US, it's consumed globally. So it's really, really important that it continues to be a community-provided service and we need to figure out what to do about this because losing it would be a risk to everyone.'

Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone.

Despite CISA's last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: 'It's all so stupid and dangerous.'


Forbes
16-04-2025
- Business
- Forbes
CVE Program Funding Cut—What It Means And What To Do Next
U.S. President Donald Trump has cut funding for the global database of security flaws, the Common Vulnerabilities and Exposures database from Apr. 16. The not-for-profit organization that runs the database, MITRE, confirmed its contract with the U.S. Department of Homeland Security to operate the CVE Program has not been renewed.

The funding cut for the 25-year-old CVE program — which is globally relied upon to identify and mitigate security flaws — is part of a cost-cutting drive by the Trump administration. The move to cut CVE funding is certainly a concern — especially given how suddenly it seems to have happened. Here is what happened, what it means for global security and what to do next.

MITRE vice president Yosry Barsoum confirmed that U.S. government funding for the CVE database and the Common Weaknesses Enumeration programs will expire now, warning that it could be a disaster for security. The news came via a letter on social network Bluesky.

'On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,' Barsoum wrote in a letter published on Bluesky. 'If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.'

It comes as the U.S. Department of Homeland Security's national security research subdivision, the Science and Technology Directorate, will stop current grants and refocus its mission priorities.

'CISA is the primary sponsor for the CVE program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation's critical infrastructure at risk,' a CISA spokesperson told me via email. Although CISA's contract with the MITRE Corporation will lapse after Apr. 16, CISA said it is 'urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.'

Known by all in the security community inside the U.S. and out, the CVE system is a global reference method for publicly-known security flaws. Launched in 1999, the CVE system is maintained by the U.S. National Cybersecurity FFRDC, operated by The MITRE Corporation, with funding from the US National Cyber Security Division of the US Department of Homeland Security. CVE IDs are listed on MITRE's system as well as in the U.S. National Vulnerability Database.

The CVE database is 'critical for anyone doing vulnerability management or security research,' and for 'a whole lot of other uses,' security journalist Brian Krebs wrote on Mastodon. 'There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the U.S. government, which is a major consumer of this information, btw.'

America's abrupt pullback from leadership roles 'in this case coordinating the near global issue of CVEs for vulnerabilities' will 'place a heavy burden on global cyber defenses,' says Ian Thornton-Trump, CISO at Inversion6. It will impact global response capabilities to CVE exploitation such as 'HeartBleed' among vulnerability and attack surface management companies, says Thornton-Trump. Thornton-Trump concedes the immediate impacts might be 'minimal' but says the move is now 'helpful to our adversaries.'

Cutting the CVE program funding is 'a huge blow to the cybersecurity community,' says William Wright, CEO of penetration testing firm, Closed Door Security. 'Many of today's ransomware attacks and data breaches are executed by adversaries exploiting vulnerabilities. Without a common destination to log vulnerabilities, so organizations can take steps to patch them, they could be more vulnerable to attack.'

However, the news might not be quite as bad as it seems. It's important to understand that MITRE does not operate the National Vulnerability Database; this is run by the U.S. National Institute of Standards and Technology, says Sean Wright, an independent security researcher. 'This is an important distinction since most vulnerability scanners use the NVD as the source of vulnerabilities to do their scanning.'

While MITRE does assign CVE IDs, there are also CVE Numbering Authorities that can assign CVE IDs, says Wright. 'It is important to note that while MITRE is the source of CVE IDs, most security tooling leverages the National Vulnerability Database for their source of vulnerabilities. This is operated by NIST, and to the best of our knowledge at this time, the operation of this database will not be impacted.'

He says the recent news about MITRE's contract would likely only affect new vulnerabilities. 'Historical vulnerabilities should not be affected. It's important to call this distinction out, as there's already been some confusion.'

The question remains, if the contract for MITRE is not renewed, how or if the organization will continue the CVE program, asks Wright. 'Given that we now have a larger number of CVE numbering authorities now also issuing CVEs, it is possible that the impact of this recent news may not be as big as first thought. However with the limited information that we have, it's not possible to tell.'

MITRE said historical CVE records will be available on GitHub, but future CVEs still hang in the balance. Hopefully another organization will step in to provide the funding, or countries will band together to offer support, says Closed Door Security's Wright. 'But until then, the world may have lost one of its greatest security resources.'

It is possible funding will move to one of the big players in global cybersecurity, or perhaps a consortium. 'The health of the CVE MITRE database is undoubtedly of global benefit,' says Matt Saunders, DevOps lead at The Adaptavist Group. 'There's an opportunity here for the private sector, who will benefit the most from this, to step up and keep it going in the public interest — though there are also inevitable concerns around it falling into the hands of a single private entity.'

Businesses can prepare by diversifying their threat intelligence sources and monitoring vendor-specific vulnerability feeds, says Jamie Akhtar, CEO and co-founder at cybersecurity outfit CyberSmart. 'Organizations should lean more heavily on resources like CISA's Known Exploited Vulnerabilities list, the NVD (if it remains online), and coordinate closely with software vendors. However, there is no true replacement for CVE.'

For now, the best thing to do is hold tight and use the resources available to you. The CVE funding cut isn't the end of the world, but it's still a worrying move that potentially reduces security for everyone.