Hundreds of millions of devices around the world could be exposed to a newly revealed software vulnerability, as a senior Biden administration cyber official warned executives from major US industries Monday that they need to take action to address "one of the most serious" flaws she has seen in her career. As major tech firms struggle to contain the fallout from the incident, US officials held a call with industry executives warning that hackers are actively exploiting the vulnerability. "This vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on a phone call shared with CNN. Big financial firms and health care executives attended the phone briefing. "We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents," Easterly said. CNN has reached out to CISA for comment on the call. CyberScoop, a technology news site, first reported on the contents of the call. It's the starkest warning yet from US officials about the software flaw since news broke late last week that hackers were using it to try to break into organizations' computer networks. It's also a test of new channels that federal officials have set up for working with industry executives after the widespread hacks exploiting SolarWinds and Microsoft software revealed in the last year. Experts told CNN it could take weeks to address the vulnerabilities and that suspected Chinese hackers are already attempting to exploit them. The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to log information in their applications. Tech giants like Amazon Web Services and IBM have moved to address the bug in their products. It offers a hacker a relatively easy way to access an organization's computer server. From there, an attacker could devise other ways to access systems on an organization's network. The Apache Software Foundation, which manages the Log4j software, has released a security fix for organizations to apply. But attackers had more than a week's head start on exploiting the software flaw before it was publicly disclosed, according to cybersecurity firm Cloudflare. Organizations are now in a race against time to figure out if they have computers running the vulnerable software that were exposed to the internet. Cybersecurity executives across government and industry are working around the clock on the issue. "We're going to have to make sure we have a sustained effort to understand the risk of this code throughout US critical infrastructure," Jay Gazlay, another CISA official, said on the phone call. Chinese-government-linked hackers have already begun using the vulnerability, according to Charles Carmakal, senior vice president and chief technology officer for cybersecurity firm Mandiant. Mandiant declined to elaborate on what organizations the hackers were targeting. "Over time, everybody can arm the damn thing," Mandiant CEO Kevin Mandia told CNN, referring to the vulnerability. "That's the problem. And there'll probably be great hackers hiding in the noise of the not-so-great." The "noise" is a real problem. For cybersecurity professionals, Twitter has been a constant churn of both useful information and, in some cases, misinformation that has nothing to do with the vulnerability. Learn more by visiting OUR FORUM.

Josh Brunty had spent more than a decade in cybersecurity — first as a digital forensics analyst for the West Virginia State Police, then as someone who taught the subject at Marshall University — when he discovered a shocking secret about his father, Butch. Butch Brunty was still paying money every year for third-party antivirus protection on his home computer, which his son felt hadn’t been necessary for most people for years. “He was talking about renewing his antivirus. I said, ‘Are you literally paying for antivirus?’” Brunty said. “I don’t know how he ended up doing it, but he ended up getting connected to Norton, spending, like $60 a year.” Brunty’s father, like a lot of other people, hadn’t gotten the message that has become intuitive to many people who work in cybersecurity: There’s just no longer any reason for regular people to pay for antivirus software for their personal devices. It’s a shift that highlights not only how computer security has evolved in the past decade but also the way many people misunderstand the greatest threats to their computer security. Antivirus software still centers on its original use: looking for and mitigating software viruses. Because modern computer systems already do that, many programs now offer additional protections, like monitoring the dark web to see whether someone posts customers’ personal information, which experts find to be of little use. But the greatest threats most users face are no longer from viruses, particularly now that so much personal computing happens over the internet. Brunty said his dad also paid for a virtual private network, which routes a computer’s internet traffic through a third party. They were once considered vital to prevent nearby hackers from spying on online activity, but security experts now say that thanks to additional built-in security protections in most major browsers, virtual private networks are useful in only a handful of specific scenarios, like streaming video that is restricted in certain countries or getting around government censors like China’s “Great Firewall.” “He had no understanding of those two technologies, really,” Brunty said. “I think he just felt like if he spent the money, the investment of paying for it was going to protect him from everything.” Some antivirus programs can offer certain benefits, such as tools that help users avoid email-based phishing campaigns that steal sensitive login credentials. Others can help prevent identity theft. But most experts agree that the built-in antivirus protections on any major system — a fully updated Windows or Apple computer or an Android phone or iPhone — already protect against viruses just as well as the major programs people can pay for. It’s important, however, for users to keep their systems protected through automatic software updates offered by all major software providers. It wasn’t always that way. For much of Microsoft’s history, computer experts worried that Windows machines were susceptible to viruses, and there was no firm consensus about what third-party programs people needed to stay safe. But Microsoft Defender, the free and automatic antivirus program now built into Windows, has gotten so effective that it’s as good as anything customers can pay for, said Simon Edwards, the founder of SE Labs, a London-based company that compares and tests antivirus programs. “We test it regularly, and it’s one of the top products we’ve seen. It has improved a lot,” Edwards said. That doesn’t mean malicious software isn’t a threat. But newer devices tend to take care of most problems on their own. Hackers are constantly devising new ways to break into operating systems, and companies have to keep updating ways to stop them. Fortunately, the days of cybersecurity engineers’ writing patches for new, safer versions of software and just hoping users will update them is largely over. “It’s almost impossible these days to not have a fully patched Windows or Mac system because they pretty much force updates,” Edwards said. While it’s a myth that Macs can’t get viruses, the myth is well-founded: Macs essentially had antivirus protections built into their operating systems from their early days. The same goes for iPhones and Android smartphones. The British government even tells its residents not to bother buying antivirus software for their phones, provided that they don’t needlessly endanger themselves by installing programs not vetted by an app store. For more detailed reading visit OUR FORUM.