Malware Devil

Wednesday, September 30, 2020

Network Security News Summary for Thursday October 1 2020

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

The post Network Security News Summary for Thursday October 1 2020 appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/network-security-news-summary-for-thursday-october-1-2020-2/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-thursday-october-1-2020-2


The No Good, Very Bad Week for Iran’s Nation-State Hacking Ops

A look at the state of Iran’s cyber operations as the US puts the squeeze on it with a pile of indictments and sanctions.

The US government hit the Iran state hacking machine hard earlier this month: In a 72-hour period, it unsealed three separate indictments of seven Iran-based individuals with a total of 22 charges. It also issued economic sanctions against a front technology company for Iran’s Ministry of Intelligence and Security (MOIS) and an Iranian nation-state hacking team of some 45 people.

It was all part of a coordinated disruption and deterrence effort by the US government against Iran’s MOIS, Islamic Revolutionary Guard Corps (IRGC), and other individuals in the country who have been targeting victims in the US and elsewhere.

Terry Wade, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch, described it as an effort to “impose consequences” on the Iranian hackers.

“No cyber actor should think they can compromise US networks, steal our intellectual property, or hold our critical infrastructure at risk without incurring risk themselves,” he said in a statement after the indictments and sanctions were handed down that week.

The multiple filings by the feds the week of Sept. 14 that unmasked some of Iran’s key cyber espionage actors and groups also came amid a Sept. 15 joint warning by the FBI and US Department of Homeland Security about cyberattacks out of Iran targeting US federal agencies and other organizations.

Naming and shaming by US law enforcement of suspects from nations with no extradition agreements with the US, like Iran – as well as China and Russia – may seem mostly symbolic, but policymakers contend it gives the US some leverage in policymaking as well as a way to nab a suspect who dares to travel to a nation friendly to the US. The feds increasingly have been using this tool to pressure nation-state adversaries such as Iran to dial back their cyber spying and cybercrime campaigns.

Tom Bossert, former US Homeland Security Advisor to the White House under President Donald Trump and co-author of the 2007 National Strategy for Homeland Security, says indictments and sanctions are part of a larger response strategy in cyber. Public attribution of cyber threat actors was policy during his tenure in the Trump administration.

“[The indictments and sanctions] don’t modify the choices of behavior by leadership in Iran, Russia, and China – not alone, anyway. But they are important parts of a larger strategic response. Among other things, it lets them know what we know and, in some cases, makes them fear we know more,” says Bossert, who is president of Trinity Cyber, a threat prevention service startup co-founded by the former deputy director of the National Security Agency’s Threat Operations Center. “It starts to make them fear ghosts around every corner and starts to make them redouble their efforts in secrecy. It may delay … their operation cycle.”

Bossert, who served the Trump administration from its beginning in 2017 until April 2018, says these efforts can help with ongoing investigations.

“It’s useful, disruptive, and can often help us with some of the things we don’t put in those reports,” says Bossert. “If it makes them think for a moment, then it’s effective.”

Will Iran Strike Back?
It’s too soon to determine whether the recent flurry of indictments and sanctions will disrupt existing or planned cyberattack campaigns by Iran – or trigger any retaliatory destructive hacking. Bossert says it’s possible Iran could strike back more aggressively against the US – especially if Trump wins the 2020 presidential election again and the current stringent positions against Iran continue – but it’s difficult to discern.

Interestingly, while Iran’s cyber operations have matured over the years and expanded more broadly in cyber espionage, its hacking MO for the most part has not changed dramatically, according to threat intelligence experts. The Iranian nation-state actors rarely alter their attack patterns and methods, notes Mandiant senior threat intelligence analyst Sarah Jones.

“They stick with what works for them,” says Jones, who specializes in Iranian cyber activity. “A lot of Iranian TTPs [tactics, techniques and procedures] tend to get reused [by their various groups],” she says. “There’s not a lot of technical sophistication, actually, but it’s very difficult for network defenders to detect and respond to it.”

Jones says one Iranian group she follows, best known by its Charming Kitten moniker, targets the personal email accounts of its victims as a way into their targeted organizations’ networks.

“It’s difficult for a network defender to protect against this,” she says, especially when users have their personal accounts on a mobile device and they aren’t logged into their companies’ networks when using their personal email accounts. Once the attacker is in the victim’s private email account, the attacker has access to all of the victim’s other contacts, she notes, which provides rich intel for other targets.

Allison Wikoff, strategic cyber threat analyst for IBM X-Force and an expert on Iranian operations, describes Iran’s hacking activity similarly: It’s “business as usual,” she says. To date, her team hasn’t witnessed any increase or decline in Iran’s normal cyber operation activity.

“I would argue that the tactics, malware, and techniques all work” for Iran, so there’s no motivation for them to change course, Wikoff says. Charming Kitten, known as ITG18 by IBM, “is a testament to sticking to what works.”

Iranian hackers rarely develop their own exploits, either.

“They wait for them to come on the market … and change a few things there and deploy it themselves,” says Vikram Thakur, technical director of security response at Broadcom’s Symantec.

While Iran’s hacking tools haven’t really changed, how they’re employed has evolved. And how the hackers conduct and run their operations has become more sophisticated, says Adam Meyers, vice president of intelligence at CrowdStrike.

“We’ve seen them learning from how Russia has done it and how China has done it, and they have learned a lot of lessons in Syria” from Russian nation-state hackers, he says. “They’ve upped how they use [cyberattacks].”

Meyers believes the leaks of sensitive Iranian cybertools and the doxing of Iranian hackers by the so-called Lab Dookhtegan and others last year may have helped solidify the wave of indictments handed down by the US this month. “It’s consistent with the maximum-pressure strategy on Iran,” he points out.

Researchers at VMware, meanwhile, have seen Iran, as well as North Korea, employ evasion tactics akin to what Russian nation-state hackers use.

“They’re using a lot of techniques for counter-IR [incident response] and evasion that have been used successfully in the past by Russia,” says Tom Kellermann, head of cybersecurity strategy at VMware and a member of the US Secret Service’s Cyber Investigations Advisory Board. “They’re blocking events from hitting the SIEM, disabling Windows AMSI [anti-malware scan interface], and deploying ransomware as DDoS.”

Unmasked Nation-State Hackers
In the first of the three DoJ indictments, which was unsealed on Sept. 15, Behzad Mohammadzadeh, aka Mrb3hz4d, and Palestinian Marwan Abusrour, aka Mrwn007, were each charged on three counts with hacking and defacing websites hosted in the US. Their alleged acts, believed to be retaliation for the Jan. 2, 2020, US airstrike that killed IRGC official Qasem Soleimani, were part of a larger defacement campaign of some 1,400 websites worldwide.

On Sept. 16, the DoJ unsealed a 10-count indictment charging Iranian citizens Hooman Heidarian, aka neo, and Mehdi Farhadi, aka Mehdi Mahdavi, for allegedly stealing hundreds of terabytes of data from targets in the US, Europe, and the Middle East – including confidential national security, intelligence, aerospace, scientific research, and human activist information. The defendants also monetized some of the data, which included financial information about their victims, by selling it in the cyber underground.

The third indictment, on Sept. 17, charged three Iranian nationals with nine counts of hacking and targeting organizations in the aerospace and satellite technology industries from around June 2015 to February 2019. Said Pourkarim Arabi, 34, Mohammad Reza Espargham, 25, and Mohammad Bayati, 34, were charged with identity theft and hacking for the IRGC. According to the indictment, the men impersonated aerospace and satellite industry employees in the US via stolen online identities in order to send spear-phishing emails and drop malware on targeted systems.

The hacks were directed by the IRGC, of which Arabi is a member.

The US Department of Treasury issued sanctions on Iran’s APT39 (aka Chafer and ITG07) hacking team as well as on 45 other associates and a front company known as Rana Intelligence Computing Company on Sept. 17. The hacking team under the guise of Rana waged cyberattacks on Iranian dissidents, journalists, and US-based travel services companies.

Contractors as Cover
The indictments and sanctions shed more light on the blurred lines between nation-state hackers and cybercriminals in Iran.

“I think it’s a way of doing business in cyber,” says Paul Kurtz, co-founder and chairman of security intelligence management platform provider TruStar. Kurtz worked for Presidents Bill Clinton and George W. Bush on cybersecurity and critical infrastructure policy.

Russia is infamous for its practice of hiring cybercriminals to do its nation-state hacking and looking the other way when they carry out non-state hacking. It’s a relatively economical way for nations like Russia and Iran to tap tech talent at home.

“So if you’re a young person and have cyberskills … it’s a great way to put food on the table. [I’m] not excusing their behavior at all,” he says, but some Iranians struggle to find jobs given the poor economy there. “We often miss that.”

It also provides cover for governments. “They can always say these [individuals] are not part” of the government, says Broadcom’s Thakur.

[See Paul Kurtz speak next week at the Cybersecurity Crash Course at Interop Digital on How to Know When You’ve Been Compromised]

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


The post The No Good, Very Bad Week for Iran’s Nation-State Hacking Ops appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/the-no-good-very-bad-week-for-irans-nation-state-hacking-ops/?utm_source=rss&utm_medium=rss&utm_campaign=the-no-good-very-bad-week-for-irans-nation-state-hacking-ops

GitHub Tool Spots Security Vulnerabilities in Code

Scanner, which just became generally available, lets developers spot problems before code gets into production.

A code-scanning capability that GitHub has been testing for the past several months is now generally available for organizations using the platform as part of their software development process.

The scanner is based on CodeQL, a code analysis technology that GitHub acquired from its purchase of Semmle last year. It gives developers a way to scan code for security vulnerabilities during development and to address the issues before the code gets into production.

GitHub released the first beta of the natively integrated code scanner at its GitHub Satellite virtual event earlier this year. Since then, more than 6,000 user accounts — belonging to both individuals and organizations — have enabled code scanning on their GitHub repositories, says Justin Hutchings, product manager at GitHub.

Over 12,000 repositories on GitHub have been scanned a total of 1.4 million times since the scanner went into beta. Over that period, the scanner has helped uncover more than 20,000 security issues in code stored on GitHub, including remote execution flaws, SQL injection errors, and cross-site scripting flaws, according to GitHub.

“Thanks to their testing and feedback, we’re confident that code scanning is ready for the wider community,” Hutchings says. “The code-scanning beta proved the hypothesis that if you build security tooling for developers first, developers will use it.” According to Hutchings, GitHub made multiple improvements to the product based on feedback from beta users of the code scanner so it meets the requirements of the open source community and commercial organizations.

More source code is currently stored on GitHub than any other platform. Some 50 million developers and 2.9 million businesses worldwide collectively use GitHub to host a staggering 100 million code repositories. Since launching as a place for individual developers to securely host and manage code revisions back in 2008, GitHub has grown into the most widely used platform for managing software development projects worldwide.

In 2011 GitHub launched an enterprise version of the platform that organizations can use on-premises to manage software projects. In 2017, it launched an enterprise cloud version of the technology. Microsoft acquired GitHub for $7.5 billion in 2018. Some of its better-known customers include Facebook, American Airlines, Dow Jones, and 3M.

Ongoing Effort
Hutchings says the new code-scanning feature is part of GitHub’s ongoing effort to help secure the open source software ecosystem. In 2019, GitHub launched Security Lab, an initiative under which it is working with security researchers, developers, and others to detect and report bugs in popular open source projects. Among those participating in the effort are Microsoft, Google, HackerOne, and Intel.

Such efforts are important because in recent years a high number of data breaches have resulted from vulnerabilities such as SQL injection errors, input validation mistakes, and cross-site scripting flaws in web applications. Vulnerabilities in open source software in particular have been of high concern because of how widely used these components are in modern applications.

CodeQL, on which GitHub’s new scanner is based, is a semantic code analysis tool that lets developers query software code as if it were data. GitHub has described the tool as allowing developers to write a query for all variants of a security vulnerability and then share the query with others so they can look for the same issues in their code as well.

Code scanning is free for public repositories and available as an add-on as part of GitHub Advanced Security for GitHub Enterprise Server and GitHub Enterprise Cloud, Hutchings says. Its unique proposition is in shifting security left, or earlier, in the security development life cycle. “It allows enterprise security teams to scan every commit made to their applications and to provide feedback automatically during code review,” Hutchings says.

Such feedback can help developers address issues faster. In the last 30 days of GitHub’s beta, developers and maintainers using the platform fixed 72% of the security issues they identified in their code, he says. “We were extremely pleased to see this direct positive impact … given industry data shows that less than 30% of all flaws are fixed one month after discovery.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


The post GitHub Tool Spots Security Vulnerabilities in Code appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/github-tool-spots-security-vulnerabilities-in-code/?utm_source=rss&utm_medium=rss&utm_campaign=github-tool-spots-security-vulnerabilities-in-code

Cloud Misconfiguration Mishaps Businesses Must Watch

Cloud security experts explain which misconfigurations are most common and highlight other areas of the cloud likely to threaten businesses.

IT security teams are well aware of the dangers of cloud misconfigurations. Poorly configured cloud infrastructure, applications, and storage have proved to be a major threat as attackers capitalize on an opportunity to sneak into enterprise environments and steal information or move laterally.

Misconfigurations have only grown more common amid the COVID-19 pandemic and a global rush to shift organizations into fully virtualized workforces. The accelerated jump to the cloud has led to careless mistakes and, consequently, opportunistic attacks to take advantage of them.

“You get this combination of cloud security issues that are primarily the users of the cloud – not the cloud providers themselves – misconfiguring, embedding credentials inappropriately, leaving passwords, not hardening their cloud because they’re moving so quickly … that’s led to several compromises,” explains Jim Reavis, co-founder and CEO of the Cloud Security Alliance.

Organizations hastily moving to the cloud often lack a strategic view and fail to consider factors such as threats that could put them at risk and high-priority security functionalities, Reavis says. They forget to lock down storage buckets and databases, leave credentials viewable in GitHub, and fail to patch or maintain good security hygiene in virtual machines and containers, he adds.

“Out of this, you give the attackers an ability to really be able to do some pretty quick scanning of cloud environments, finding several things that are insecure, and then being able to go do a deeper dive hack,” Reavis continues. Configuration management can help prevent these threats.

IT and security teams are discovering several unexpected gaps resulting from the rapid transition to cloud. Now they have to consider tactical solutions and a more strategic architectural shift. Many have accepted the operational changes resulting from COVID-19 are here to stay. As a result, they should consider how to better strengthen their cloud security.

“A lot of it goes back to the shared responsibility model and understanding that this is a combined responsibility for us to secure the cloud,” Reavis says.

When dealing with products like infrastructure-as-a-service, it’s incumbent on cloud consumers to understand they’re given a blank slate. It’s on them to worry about encryption, identity management, and other parts of their cloud environments.

[Check out Jim Reavis’ upcoming talk, “Practical Solutions for Securing Your Cloud Services,” on Oct. 5 during the Cybersecurity Crash Course at next week’s Interop Digital]

Misconfigurations can help attackers get into your cloud environment and achieve their goals once inside, explains Josh Stella, co-founder and CTO at Fugue Security. What they care about is exploiting misconfigurations, typically in services like identity and access management (IAM). These credentials can help them navigate the network and quietly exfiltrate data they’re looking for.

“The blast radius of these is devastation,” he says. “You can have a very small crack in your defenses, and if it’s cloud misconfiguration-related, that can mean in five minutes all your data is gone.”

Stella points to a few examples of places where security teams can double-check their assets for configuration mistakes. The first step is to understand your security posture: Know where you stand and learn where errors are. Businesses will inevitably slip up when configuring the cloud.

“I guarantee you mistakes have been made because it’s just too hard to not,” he says.

A common mistake is placing too much trust in the “block public access” feature for AWS S3 buckets. Many people think when they turn this feature on, they’re protected from attackers. But while it’s a good step to take, it’s “vastly incomplete,” Stella says. An organization can have an exception to “block public access” that could expose its private information to the Internet.

Similarly, Stella says he often sees the issue of overly permissive IAM roles. Amazon’s Elastic Compute Cloud (EC2) has many possible permissions in IAM; when confronted with all these choices, people often choose big chunks, he explains. The problem is, these permissions are all very detailed and may be granting a level of access that someone shouldn’t necessarily have.

Stella also urges organizations to ensure they limit the ability of their cloud infrastructure to list and describe other parts of their cloud infrastructure. Security admins often think having list permissions is safe; this capability lists the contents of their EC2 fleet or containers, or lists data storage service options, buckets, and other objects.

“These are extremely dangerous things to leave on because hackers’ first, and often most difficult, job is discovery,” Stella explains. “If you give them a map to your safe, that’s a bad idea. They can probably break into your safe.” Security teams should limit the ability of their cloud infrastructure to know about the other cloud infrastructure they’re running, he says.
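The three mistakes Stella walks through (a “block public access” exception, an overly broad EC2 instance role, and list/describe rights on everything) as offline checks, added here as an example; this is not code from the article or from Fugue. The inputs are constructed samples in the JSON shape the AWS CLI returns, and the discovery-action list is an assumed, non-exhaustive one.

```python
import fnmatch
import json

# Constructed samples shaped like `aws s3api get-public-access-block`,
# `aws s3api get-bucket-policy` and `aws iam get-role-policy` output.

# Block Public Access looks "on", but an exception left two of its four
# settings off for this bucket.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}
HARDENED_PUBLIC_ACCESS_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK}

BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppReads", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "LegacyPublic", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]}
  ]
}""")

# An EC2 instance role assembled from "big chunks" of permissions.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    ],
}
# The same workload scoped to what it actually does: read one prefix.
HARDENED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-data/app/*"}],
}

# Read-only list/describe actions (an assumed, non-exhaustive list) that look
# harmless but hand an intruder the "map to the safe".
DISCOVERY_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "s3:ListAllMyBuckets",
    "s3:ListBucket", "ecs:ListClusters", "iam:ListRoles", "rds:DescribeDBInstances",
]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone on the Internet."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))


def bucket_exposure_findings(pab: dict, policy: dict) -> list:
    """Why a bucket can still be public with Block Public Access "on".
    A finding ending in EXPOSED is an anonymous grant that is live because
    RestrictPublicBuckets is off; a dormant grant should still be removed."""
    findings = []
    for flag in ("BlockPublicAcls", "IgnorePublicAcls",
                 "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):
            findings.append(f"{flag} is off: exception to Block Public Access")
    live = not pab.get("RestrictPublicBuckets", False)  # the flag that neuters public policies
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            state = "EXPOSED" if live else "dormant while RestrictPublicBuckets is on"
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"{stmt.get('Sid', '<no Sid>')} grants {actions} to anyone: {state}")
    return findings


def broad_permission_findings(policy: dict) -> list:
    """Flag wildcard actions and discovery rights granted on Resource '*'."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            # IAM action matching is case-insensitive with '*' and '?' wildcards.
            found = sorted({c for c in DISCOVERY_ACTIONS for a in actions
                            if fnmatch.fnmatchcase(c.lower(), a.lower())})
            if found:
                findings.append(f"statement {idx}: discovery on all resources: " + ", ".join(found))
    return findings
```

Running the two checks against the hardened constants returns no EXPOSED finding and no IAM findings, which is the posture the article asks teams to verify rather than assume.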

In his upcoming Interop Digital talk, “Simulating Real-Time Cloud Misconfiguration Attacks to Improve Cloud Security,” Stella will simulate an attack against his own infrastructure and, in doing so, demonstrate how these small, simple mistakes can have major consequences.

“It’s really important to view your own infrastructure from the perspective of someone who is going to [venture] into it and do bad things,” he says. Businesses can put bars on their front windows and lock the doors, but attackers will find a small open basement window to sneak in.

“What you should be doing – what everyone should be doing – is not sleeping well until you find some of those because they’re there,” Stella adds. “You have to think that way.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


The post Cloud Misconfiguration Mishaps Businesses Must Watch appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/cloud-misconfiguration-mishaps-businesses-must-watch/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-misconfiguration-mishaps-businesses-must-watch

OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks

Attackers gain read-only permissions to snoop around Office 365 accounts, including emails, contacts and more.

The post OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/oauth-consent-phishing-ramps-up-with-microsoft-office-365-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=oauth-consent-phishing-ramps-up-with-microsoft-office-365-attacks

What Legal Language Should I Look Out for When Selecting Cyber Insurance?

At times, vague coverage can actually work for you.

Question: What legal language should I look out for when selecting cyber insurance?

Andrea Luoni, CEO and founder of RateCraft: This is a great question because a higher premium does not always equal better protection when it comes to cybersecurity insurance. That’s because money does not guarantee protection – language does. Many coverages can actually be added or increased by adapting the language with little to no change in premium.

Although it may not seem like it in the moment, vague coverage surrounding cybersecurity can be better in some cases, as it can give business insurance attorneys more room to find an opening for coverage in the case of a legal conflict with the carrier.

Conversely, if the language is very specific, be cautious of what it is or is not saying. For example, if the policy lists coverage for being hacked or a ransomware attack, these are good things to be included that could be of great concern to a business. However, that may mean other cybersecurity issues, such as social engineering, are not covered. The business may not even know to look for social engineering coverage or whether the carrier offers the coverage but under a different name.

Read the fine print, or exclusions, too. It could have a clause that voids coverage for “insider compromise” or that unknowingly requires social engineering coverage to have dual authentication implemented. A cyber policy should also have universal triggering definitions between first- and third-party coverages. Many policies can lack this, which can cause problems if claims are covered on one side of a policy and not the other.

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.


The post What Legal Language Should I Look Out for When Selecting Cyber Insurance? appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/what-legal-language-should-i-look-out-for-when-selecting-cyber-insurance/?utm_source=rss&utm_medium=rss&utm_campaign=what-legal-language-should-i-look-out-for-when-selecting-cyber-insurance

A Guide to the NIST Cybersecurity Framework

With cybersecurity threats growing exponentially, it has never been more important to put together an efficient cyber-risk management policy, and NIST’s framework can help.

Just before lockdown it was reported that 46% of UK businesses had suffered cyber attacks in 2019, up 9% from 2018. Although businesses had plenty more to worry about in the intervening months with the COVID-19 pandemic, cybersecurity is still uppermost in the minds of many CEOs. One of the main ways in which businesses measure their preparedness in managing cyber-related security risks is to benchmark themselves against the Cybersecurity Framework developed by the NIST (National Institute of Standards and Technology, U.S. Department of Commerce). With cybersecurity threats growing exponentially, it has never been more important to put together an efficient cyber-risk management policy – the NIST Framework can help businesses do so.

What Is NIST?
Founded in 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory US government agency responsible for driving innovation and competitiveness through technology and metrics.

NIST measurements support a range of technologies, “from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair, up to earthquake-resistant skyscrapers and global communication networks.”

NIST also helps federal agencies meet the requirements of FISMA, the Federal Information Security Management Act, which relates to the protection of government information and operational assets against natural or man-made threats.

With industry stakeholders, NIST has also created the Cybersecurity Framework (sometimes referred to as the NIST Framework) to help businesses manage cybersecurity and reduce their cyber risk. The stakeholders are described as “U.S. private-sector owners and operators of critical infrastructure,” while its user base includes “communities and organizations across the globe.”

The Cybersecurity Framework
Created and ratified by the US Congress in 2014, the Cybersecurity Framework is used by over 30% of US organisations and was projected to reach 50% this year. Among those organisations are JP Morgan Chase, Microsoft, Boeing and Intel. Meanwhile, overseas organisations using the framework include the Bank of England, Nippon Telegraph and Telephone Corporation, and the Ontario Energy Board.

The aim of the framework is to:

  • integrate industry standards and best practices to help organisations and businesses manage their cybersecurity risks;
  • provide a common language that allows staff to develop a shared understanding of their cybersecurity risks;
  • give guidance on how to reduce these risks;
  • give advice on how to respond and recover from cybersecurity attacks and learn from those incidents.

Although voluntary and not intended to be an exhaustive checklist, the framework covers five critical areas of cybersecurity:

  • Identify: looking at current data use and then evaluating and identifying risk;
  • Protect: the elements that help protect a business;
  • Detect: being aware of problems as they happen;
  • Respond: the bases needing to be covered to make an adequate response to a problem;
  • Recover: the steps needed to make an effective recovery of lost data.

All of these elements make up the “Core” element of the framework, represented in a simplified form (without subcategories) here:

The Core’s role is to highlight desired cybersecurity outcomes and show how to manage risks in a way that complements existing processes.

The framework then directs the user to Implementation Tiers – these help organisations decide on the rigour of their cybersecurity measures. It’s very much up to the individual organisation to decide what is appropriate, within existing guidelines of course, such as GDPR in Europe.

NIST outlines the Tiers as follows:

  • Tier 1: Partial – cybersecurity practices are adequate for the cybersecurity risks experienced.
  • Tier 2: Risk-Informed – the company/organisation is aware of some risks and is planning how to respond to them.
  • Tier 3: Repeatable – the company/organisation has clearly defined and regularly repeatable cybersecurity processes.
  • Tier 4: Adaptive – the company/organisation is proactively instigating cybersecurity measures.

Finally, NIST’s CSF results in Framework Profiles, used to prioritise what actions are taken.

The NIST website describes the profile as “an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.”

NIST advises contrasting a “current” and a “target” profile to identify ways of improving cybersecurity. While emphasising the voluntary status of the framework, and that there is “no ‘right’ or ‘wrong’ way to do it,” NIST suggests using the subcategories of the Core to arrive at these profiles.

Here’s an example, from NIST’s website, of some of the subcategories that jump off from the Core:

A case study of CSF implementation can be found here, as well as a list on the CSF’s own site, here.

The 2018 Cybersecurity Framework Update
Four years after it was created, NIST’s Cybersecurity Framework was updated in 2018, based on feedback from the public.

Version 1.1 included updates on:

  • authentication and identity;
  • self-assessing cybersecurity risk;
  • managing cybersecurity within the supply chain;
  • vulnerability disclosure.

Commenting on the changes, the CSF’s Program Manager, Matt Barrett, said: “This update refines, clarifies and enhances Version 1.0. It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

If you want to see what kinds of issues might shape future versions of the framework, you can visit CSF’s “Roadmap” page.

Meanwhile, you can also view an up-to-date timeline of CSF news.

UK Equivalents of the Cybersecurity Framework
While other countries have directly incorporated the CSF into their legislation, the UK has not officially done so. Instead, there are a number of pieces of legislation that replicate the aims of the CSF. Although these are not directly aimed at, for example, SMEs and startups, they contain examples of best practice similar to the NIST guidelines that are universally useful in building a risk management strategy.

The existing legislation includes:

  • The Minimum Cyber Security Standard (MCSS). Published in June 2018 and applicable to UK government departments, the MCSS is very close to the CSF.
  • Health and Safety Executive (HSE) operational guidance on Industrial Automation and Control Systems (IACS). Published in 2017 and aimed at preventing accidents resulting from cybersecurity breaches, this legislation primarily impacts electricity providers and distributors and businesses involved in the manufacture, use or storage of hazardous and explosive chemicals and microbiological substances.
  • Networks and Information Systems (NIS) directive. Introduced by the EU in July of 2016 for countries to benchmark against, the NIS Directive is aimed at critical infrastructure such as businesses within the sectors of oil, gas, energy, transportation, banking, water, food and telecommunications, and also companies providing an online service or platform, such as cloud computing or search facilities.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.

Julian Hall is a freelance journalist and copywriter, Textual Healing.


The post A Guide to the NIST Cybersecurity Framework appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/a-guide-to-the-nist-cybersecurity-framework/?utm_source=rss&utm_medium=rss&utm_campaign=a-guide-to-the-nist-cybersecurity-framework

Three Lessons from an ID Theft Kingpin’s Fraud Factory

Brian Krebs recently posted “Confessions of an ID Theft Kingpin,” recounting the cybercrime career of Hieu Minh Ngo, who began dabbling in online fraud as a teenager in his native Vietnam before operating a series of online services popular with worldwide identity thieves looking to get their hands on “fullz,” or stolen identity records containing …

The post Three Lessons from an ID Theft Kingpin’s Fraud Factory appeared first on BehavioSec.

The post Three Lessons from an ID Theft Kingpin’s Fraud Factory appeared first on Security Boulevard.

Read More

The post Three Lessons from an ID Theft Kingpin’s Fraud Factory appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/three-lessons-from-an-id-theft-kingpins-fraud-factory/?utm_source=rss&utm_medium=rss&utm_campaign=three-lessons-from-an-id-theft-kingpins-fraud-factory

Android Spyware Variant Snoops on WhatsApp, Telegram Messages

The Android malware comes from threat group APT-C-23, also known as Two-Tailed Scorpion and Desert Scorpion.
Read More

The post Android Spyware Variant Snoops on WhatsApp, Telegram Messages appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/android-spyware-variant-snoops-on-whatsapp-telegram-messages/?utm_source=rss&utm_medium=rss&utm_campaign=android-spyware-variant-snoops-on-whatsapp-telegram-messages

AWS User Management

Introduction In order to keep your AWS environment secure while allowing your users to properly utilize resources, you must ensure that users are correctly created with proper permissions. Also, you…

Go on to the site to read the full article

The post AWS User Management appeared first on Security Boulevard.

Read More

The post AWS User Management appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/aws-user-management/?utm_source=rss&utm_medium=rss&utm_campaign=aws-user-management

Browser Forensics: Google Chrome

Introduction Browsers have become an inherent part of our virtual life and we all make use of browsers for surfing the internet in some or the other way. Also, browsers can be used not only for…

Go on to the site to read the full article

The post Browser Forensics: Google Chrome appeared first on Security Boulevard.

Read More

The post Browser Forensics: Google Chrome appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/browser-forensics-google-chrome/?utm_source=rss&utm_medium=rss&utm_campaign=browser-forensics-google-chrome

Browser Forensics: Firefox

Introduction Browsers have become an inherent part of our virtual life and we all make use of browsers for surfing the internet in some or the other way. Also, browsers can be used not only for…

Go on to the site to read the full article

The post Browser Forensics: Firefox appeared first on Security Boulevard.

Read More

The post Browser Forensics: Firefox appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/browser-forensics-firefox/?utm_source=rss&utm_medium=rss&utm_campaign=browser-forensics-firefox

2020-09-30 – Emotet infection with Trickbot

Read More

The post 2020-09-30 – Emotet infection with Trickbot appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/2020-09-30-emotet-infection-with-trickbot/?utm_source=rss&utm_medium=rss&utm_campaign=2020-09-30-emotet-infection-with-trickbot

Cloud RADIUS 101

RADIUS has long served the IT industry, securing networks and end user access to them. Now, cloud RADIUS provides the same benefits without the setup.

The post Cloud RADIUS 101 appeared first on JumpCloud.

The post Cloud RADIUS 101 appeared first on Security Boulevard.

Read More

The post Cloud RADIUS 101 appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/cloud-radius-101/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-radius-101

ESB-2020.3397 – [RedHat] libxslt: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3397
                          libxslt security update
                             30 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxslt
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18197 CVE-2019-11068 

Reference:         ESB-2020.2960
                   ESB-2019.2395
                   ESB-2019.1309
                   ESB-2019.1207

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4005

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libxslt security update
Advisory ID:       RHSA-2020:4005-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4005
Issue date:        2020-09-29
CVE Names:         CVE-2019-11068 CVE-2019-18197 
=====================================================================

1. Summary:

An update for libxslt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

libxslt is a library for transforming XML files into other textual formats
(including HTML, plain text, and other XML representations of the
underlying data) using the standard XSLT stylesheet transformation
mechanism. 

Security Fix(es):

* libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by
crafted URL (CVE-2019-11068)

* libxslt: use after free in xsltCopyText in transform.c could lead to
information disclosure (CVE-2019-18197)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1709697 - CVE-2019-11068 libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL
1770768 - CVE-2019-18197 libxslt: use after free in xsltCopyText in transform.c could lead to information disclosure

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
libxslt-1.1.28-6.el7.src.rpm

x86_64:
libxslt-1.1.28-6.el7.i686.rpm
libxslt-1.1.28-6.el7.x86_64.rpm
libxslt-debuginfo-1.1.28-6.el7.i686.rpm
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
libxslt-debuginfo-1.1.28-6.el7.i686.rpm
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm
libxslt-devel-1.1.28-6.el7.i686.rpm
libxslt-devel-1.1.28-6.el7.x86_64.rpm
libxslt-python-1.1.28-6.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
libxslt-1.1.28-6.el7.src.rpm

x86_64:
libxslt-1.1.28-6.el7.i686.rpm
libxslt-1.1.28-6.el7.x86_64.rpm
libxslt-debuginfo-1.1.28-6.el7.i686.rpm
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
libxslt-debuginfo-1.1.28-6.el7.i686.rpm
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm
libxslt-devel-1.1.28-6.el7.i686.rpm
libxslt-devel-1.1.28-6.el7.x86_64.rpm
libxslt-python-1.1.28-6.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
libxslt-1.1.28-6.el7.src.rpm

ppc64:
libxslt-1.1.28-6.el7.ppc.rpm
libxslt-1.1.28-6.el7.ppc64.rpm
libxslt-debuginfo-1.1.28-6.el7.ppc.rpm
libxslt-debuginfo-1.1.28-6.el7.ppc64.rpm
libxslt-devel-1.1.28-6.el7.ppc.rpm
libxslt-devel-1.1.28-6.el7.ppc64.rpm

ppc64le:
libxslt-1.1.28-6.el7.ppc64le.rpm
libxslt-debuginfo-1.1.28-6.el7.ppc64le.rpm
libxslt-devel-1.1.28-6.el7.ppc64le.rpm

s390x:
libxslt-1.1.28-6.el7.s390.rpm
libxslt-1.1.28-6.el7.s390x.rpm
libxslt-debuginfo-1.1.28-6.el7.s390.rpm
libxslt-debuginfo-1.1.28-6.el7.s390x.rpm
libxslt-devel-1.1.28-6.el7.s390.rpm
libxslt-devel-1.1.28-6.el7.s390x.rpm

x86_64:
libxslt-1.1.28-6.el7.i686.rpm
libxslt-1.1.28-6.el7.x86_64.rpm
libxslt-debuginfo-1.1.28-6.el7.i686.rpm
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm
libxslt-devel-1.1.28-6.el7.i686.rpm
libxslt-devel-1.1.28-6.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
libxslt-debuginfo-1.1.28-6.el7.ppc64.rpm
libxslt-python-1.1.28-6.el7.ppc64.rpm

ppc64le:
libxslt-debuginfo-1.1.28-6.el7.ppc64le.rpm
libxslt-python-1.1.28-6.el7.ppc64le.rpm

s390x:
libxslt-debuginfo-1.1.28-6.el7.s390x.rpm
libxslt-python-1.1.28-6.el7.s390x.rpm

x86_64:
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm
libxslt-python-1.1.28-6.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
libxslt-1.1.28-6.el7.src.rpm

x86_64:
libxslt-1.1.28-6.el7.i686.rpm
libxslt-1.1.28-6.el7.x86_64.rpm
libxslt-debuginfo-1.1.28-6.el7.i686.rpm
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm
libxslt-devel-1.1.28-6.el7.i686.rpm
libxslt-devel-1.1.28-6.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
libxslt-debuginfo-1.1.28-6.el7.x86_64.rpm
libxslt-python-1.1.28-6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11068
https://access.redhat.com/security/cve/CVE-2019-18197
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3397 – [RedHat] libxslt: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/esb-2020-3397-redhat-libxslt-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3397-redhat-libxslt-multiple-vulnerabilities

ESB-2020.3394 – [RedHat] exiv2: Denial of service – Remote with user interaction

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3394
                           exiv2 security update
                             30 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           exiv2
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17402  

Reference:         ESB-2020.1203
                   ESB-2019.4534
                   ESB-2019.3923

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4030

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: exiv2 security update
Advisory ID:       RHSA-2020:4030-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4030
Issue date:        2020-09-29
CVE Names:         CVE-2019-17402 
=====================================================================

1. Summary:

An update for exiv2 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The exiv2 packages provide a command line utility which can display and
manipulate image metadata such as EXIF, LPTC, and JPEG comments.

Security Fix(es):

* exiv2: out-of-bounds read in CiffDirectory::readDirectory due to lack of
size check (CVE-2019-17402)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1773683 - CVE-2019-17402 exiv2: out-of-bounds read in CiffDirectory::readDirectory due to lack of size check

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
exiv2-0.27.0-3.el7_8.src.rpm

x86_64:
exiv2-0.27.0-3.el7_8.x86_64.rpm
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-libs-0.27.0-3.el7_8.i686.rpm
exiv2-libs-0.27.0-3.el7_8.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
exiv2-doc-0.27.0-3.el7_8.noarch.rpm

x86_64:
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-devel-0.27.0-3.el7_8.i686.rpm
exiv2-devel-0.27.0-3.el7_8.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
exiv2-0.27.0-3.el7_8.src.rpm

x86_64:
exiv2-0.27.0-3.el7_8.x86_64.rpm
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-libs-0.27.0-3.el7_8.i686.rpm
exiv2-libs-0.27.0-3.el7_8.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
exiv2-doc-0.27.0-3.el7_8.noarch.rpm

x86_64:
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-devel-0.27.0-3.el7_8.i686.rpm
exiv2-devel-0.27.0-3.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
exiv2-0.27.0-3.el7_8.src.rpm

ppc64:
exiv2-0.27.0-3.el7_8.ppc64.rpm
exiv2-debuginfo-0.27.0-3.el7_8.ppc.rpm
exiv2-debuginfo-0.27.0-3.el7_8.ppc64.rpm
exiv2-libs-0.27.0-3.el7_8.ppc.rpm
exiv2-libs-0.27.0-3.el7_8.ppc64.rpm

ppc64le:
exiv2-0.27.0-3.el7_8.ppc64le.rpm
exiv2-debuginfo-0.27.0-3.el7_8.ppc64le.rpm
exiv2-libs-0.27.0-3.el7_8.ppc64le.rpm

s390x:
exiv2-0.27.0-3.el7_8.s390x.rpm
exiv2-debuginfo-0.27.0-3.el7_8.s390.rpm
exiv2-debuginfo-0.27.0-3.el7_8.s390x.rpm
exiv2-libs-0.27.0-3.el7_8.s390.rpm
exiv2-libs-0.27.0-3.el7_8.s390x.rpm

x86_64:
exiv2-0.27.0-3.el7_8.x86_64.rpm
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-libs-0.27.0-3.el7_8.i686.rpm
exiv2-libs-0.27.0-3.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
exiv2-doc-0.27.0-3.el7_8.noarch.rpm

ppc64:
exiv2-debuginfo-0.27.0-3.el7_8.ppc.rpm
exiv2-debuginfo-0.27.0-3.el7_8.ppc64.rpm
exiv2-devel-0.27.0-3.el7_8.ppc.rpm
exiv2-devel-0.27.0-3.el7_8.ppc64.rpm

ppc64le:
exiv2-debuginfo-0.27.0-3.el7_8.ppc64le.rpm
exiv2-devel-0.27.0-3.el7_8.ppc64le.rpm

s390x:
exiv2-debuginfo-0.27.0-3.el7_8.s390.rpm
exiv2-debuginfo-0.27.0-3.el7_8.s390x.rpm
exiv2-devel-0.27.0-3.el7_8.s390.rpm
exiv2-devel-0.27.0-3.el7_8.s390x.rpm

x86_64:
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-devel-0.27.0-3.el7_8.i686.rpm
exiv2-devel-0.27.0-3.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
exiv2-0.27.0-3.el7_8.src.rpm

x86_64:
exiv2-0.27.0-3.el7_8.x86_64.rpm
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-libs-0.27.0-3.el7_8.i686.rpm
exiv2-libs-0.27.0-3.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
exiv2-doc-0.27.0-3.el7_8.noarch.rpm

x86_64:
exiv2-debuginfo-0.27.0-3.el7_8.i686.rpm
exiv2-debuginfo-0.27.0-3.el7_8.x86_64.rpm
exiv2-devel-0.27.0-3.el7_8.i686.rpm
exiv2-devel-0.27.0-3.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
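A way to check a host's installed packages against the fixed versions named in this bulletin and in the libxslt bulletin above, as an added example rather than anything from the AusCERT or Red Hat advisories: it ports librpm's rpmvercmp ordering (including the '~' and '^' separators) so the result matches what rpm itself would decide, and the `rpm -qa` lines it reads are a constructed sample.

```python
# Added example, not part of the AusCERT or Red Hat bulletins: compare installed RPM
# packages with an advisory's fixed versions using a port of librpm's rpmvercmp().
import re
import string

# Fixed version-release strings taken from RHSA-2020:4005 and RHSA-2020:4030.
FIXED_EVR: dict[str, str] = {
    "libxslt": "1.1.28-6.el7", "libxslt-devel": "1.1.28-6.el7",
    "libxslt-python": "1.1.28-6.el7", "exiv2": "0.27.0-3.el7_8",
    "exiv2-libs": "0.27.0-3.el7_8", "exiv2-devel": "0.27.0-3.el7_8",
    "exiv2-doc": "0.27.0-3.el7_8",
}

# Constructed sample of `rpm -qa` output (not captured from a real host).
SAMPLE_RPM_QA = """\
bash-4.2.46-34.el7.x86_64
libxslt-1.1.28-5.el7.x86_64
libxslt-devel-1.1.28-6.el7.x86_64
exiv2-libs-0.27.0-2.el7_8.i686
exiv2-libs-0.27.0-3.el7_8.x86_64
"""

# Characters that form version segments; everything else is a separator.
_KEEP = frozenset(string.ascii_letters + string.digits + "~^")


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): returns -1, 0 or 1 like strcmp()."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and a[i] not in _KEEP:  # skip separators such as '.' or '_'
            i += 1
        while j < lb and b[j] not in _KEEP:
            j += 1
        ta, tb = (a[i] if i < la else ""), (b[j] if j < lb else "")
        if ta == "~" or tb == "~":  # '~' sorts before anything, even end of string
            if ta != tb:
                return 1 if ta != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ta == "^" or tb == "^":  # '^' sorts after end of string, before all else
            if not ta or not tb:
                return -1 if not ta else 1
            if ta != tb:
                return 1 if ta != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not ta or not tb:
            break
        numeric = ta.isdigit()  # next segment: a run of digits or a run of letters
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:  # segment types differ: numeric segments are always newer
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side has characters left wins


def parse_evr(evr: str) -> tuple[int, str, str]:
    """Split 'epoch:version-release' (epoch optional, default 0)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release


def compare_evr(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvra(line: str) -> tuple[str, str, str]:
    """'libxslt-devel-1.1.28-6.el7.x86_64' -> ('libxslt-devel', '1.1.28-6.el7', 'x86_64')."""
    m = re.match(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$", line.strip())
    if not m:
        raise ValueError(f"not a name-version-release.arch string: {line!r}")
    return m["name"], f"{m['ver']}-{m['rel']}", m["arch"]


def unpatched_packages(rpm_qa: str, fixed: dict[str, str] = FIXED_EVR) -> list[tuple[str, str, str]]:
    """Return (name.arch, installed_evr, fixed_evr) for every package older than its fix."""
    hits = []
    for line in filter(None, map(str.strip, rpm_qa.splitlines())):
        name, evr, arch = parse_nvra(line)
        target = fixed.get(name)
        if target is not None and compare_evr(evr, target) < 0:
            hits.append((f"{name}.{arch}", evr, target))
    return hits


if __name__ == "__main__":
    print(*unpatched_packages(SAMPLE_RPM_QA), sep="\n")
```

On a real host, feed it the output of `rpm -qa` and restrict the dictionary to the packages the advisory lists for your product variant.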

7. References:

https://access.redhat.com/security/cve/CVE-2019-17402
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------


Read More

The post ESB-2020.3394 – [RedHat] exiv2: Denial of service – Remote with user interaction appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/esb-2020-3394-redhat-exiv2-denial-of-service-remote-with-user-interaction/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3394-redhat-exiv2-denial-of-service-remote-with-user-interaction

See Everything: Continuous Visibility Across Your Hybrid Network | The 5 Critical Success Factors to Agile NSPM

We’re in the middle of a business model revolution. Transformation, automation, and globalization are enabled by emerging technologies like artificial intelligence, IoT, mobile, and cloud-native apps. As a result, the typical enterprise network is a mish-mash of environments that are always changing as connections to devices and other networks are established and dropped. This is Read more…

The post See Everything: Continuous Visibility Across Your Hybrid Network | The 5 Critical Success Factors to Agile NSPM appeared first on FireMon.

The post See Everything: Continuous Visibility Across Your Hybrid Network | The 5 Critical Success Factors to Agile NSPM appeared first on Security Boulevard.

Read More

The post See Everything: Continuous Visibility Across Your Hybrid Network | The 5 Critical Success Factors to Agile NSPM appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/see-everything-continuous-visibility-across-your-hybrid-network-the-5-critical-success-factors-to-agile-nspm/?utm_source=rss&utm_medium=rss&utm_campaign=see-everything-continuous-visibility-across-your-hybrid-network-the-5-critical-success-factors-to-agile-nspm

Network Security News Summary for Wednesday September 30 2020

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

The post Network Security News Summary for Wednesday September 30 2020 appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/network-security-news-summary-for-wednesday-september-30-2020/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-wednesday-september-30-2020

Tuesday, September 29, 2020

Why Web Browser Padlocks Shouldn’t Be Trusted

Popular ‘safe browsing’ padlocks are now passé as a majority of bad guys also use them.
Read More

The post Why Web Browser Padlocks Shouldn’t Be Trusted appeared first on Malware Devil.



https://malwaredevil.com/2020/09/29/why-web-browser-padlocks-shouldnt-be-trusted/?utm_source=rss&utm_medium=rss&utm_campaign=why-web-browser-padlocks-shouldnt-be-trusted

Microsoft: Ransomware & Nation-State Attacks Rise, Get More Sophisticated

Malware-based attacks are out, phishing is in, along with credential stuffing and business email compromise. Microsoft recommends defensive tactics in its new report on rising threats.

Attackers continue to improve their tactics and tools, demonstrating growing sophistication, including the creation of one-off web addresses to foil blocklists, a jump in ransomware infections, a focus on reconnaissance and credential harvesting, and an uptick in targeting connected devices, according to Microsoft’s annual “Digital Defense Report,” published on Sept. 29.

The report, which replaces Microsoft’s annual “Security Intelligence Report,” uses data from Microsoft’s vast reach, encompassing more than 1.2 billion PCs, servers, and connected devices; 1.8 petabytes of cloud and network logs; and more than a billion users of applications and services. The company found that attackers have moved further away from malware-based attacks and toward phishing, credential stuffing, and business email compromise with more refined attacks. In addition, attackers are increasingly moving downstream to infect third parties and exploiting the trust between companies — and developers’ use of open source components — as a weakness.

The increase in sophistication prompted Microsoft to create a list of defensive technologies and processes that can help companies harden their business against such attacks. Patching software, adopting multifactor authentication, limiting privileges on systems, enforcing network segmentation, and ensuring good email hygiene are the defenses that can help prevent attackers from causing damage, Tom Burt, corporate vice president of customer security and trust for Microsoft, wrote in a blog post today.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace,” Burt wrote. “[T]hat all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA).”

The recommendations are a shift for Microsoft, from merely reviewing the tactics and tools of attackers to focusing, as the change to the name of the report suggests, on how companies can defend against the latest attacks. Each of the defensive recommendations is classified by which problem it helps mitigate: cybercrime, nation-state attackers, or remote workforce security.

For example, the company recommends MFA as a way to stop all sorts of attacks that rely on credentials to gain access to a victim’s account.

“During the first half of 2020, we saw an increase in identity-based attacks using brute force on enterprise accounts,” Burt wrote. “Given the frequency of passwords being guessed, phished, stolen with malware or reused, it’s critical for people to pair passwords with some second form of strong credential. For organizations, enabling MFA is an essential call to action.”
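The two shapes a brute-force identity attack takes in sign-in logs, and a detector for each, as an added example that is not from the report or the article. A classic brute force is many failures from one source against one account; a password spray is one source failing once or twice against many accounts (to stay under lockout thresholds). A success from a source already flagged is the alert that matters, because that is the account MFA should have challenged. The sign-in events, IP addresses, account names and thresholds below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for the example: (timestamp, account, source_ip, result).
# Real inputs would be identity-provider sign-in logs, Windows 4625/4624 events, VPN logs, etc.
SAMPLE_EVENTS = [
    # Password spray: one source, one guess each against many accounts, then a hit
    ("2020-09-29T08:00:01Z", "alice", "203.0.113.7", "FAIL"),
    ("2020-09-29T08:00:03Z", "bob",   "203.0.113.7", "FAIL"),
    ("2020-09-29T08:00:05Z", "carol", "203.0.113.7", "FAIL"),
    ("2020-09-29T08:00:07Z", "dave",  "203.0.113.7", "FAIL"),
    ("2020-09-29T08:00:09Z", "erin",  "203.0.113.7", "FAIL"),
    ("2020-09-29T08:00:11Z", "frank", "203.0.113.7", "SUCCESS"),
    # Classic brute force: one source hammering a single account
    ("2020-09-29T08:10:00Z", "grace", "198.51.100.9", "FAIL"),
    ("2020-09-29T08:10:04Z", "grace", "198.51.100.9", "FAIL"),
    ("2020-09-29T08:10:08Z", "grace", "198.51.100.9", "FAIL"),
    ("2020-09-29T08:10:12Z", "grace", "198.51.100.9", "FAIL"),
    ("2020-09-29T08:10:16Z", "grace", "198.51.100.9", "FAIL"),
    ("2020-09-29T08:10:20Z", "grace", "198.51.100.9", "FAIL"),
    # Benign noise: a user mistypes twice and then signs in
    ("2020-09-29T09:00:00Z", "heidi", "192.0.2.44", "FAIL"),
    ("2020-09-29T09:00:20Z", "heidi", "192.0.2.44", "FAIL"),
    ("2020-09-29T09:00:40Z", "heidi", "192.0.2.44", "SUCCESS"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=10), spray_accounts=5, brute_failures=5):
    """Return findings in the order they are raised.

    password_spray:      one source fails against >= spray_accounts distinct accounts in `window`
    brute_force:         one source fails >= brute_failures times against one account in `window`
    compromised_account: a success from a source already flagged by either rule
    Thresholds are illustrative; tune them against your own baseline.
    """
    events = sorted(events, key=lambda e: e[0])
    recent_fails = defaultdict(list)   # source_ip -> [(time, account), ...] inside the window
    reported = set()
    findings = []

    for ts, account, src, result in events:
        now = parse_ts(ts)
        # Age out failures that fell outside the sliding window
        recent_fails[src] = [(t, a) for t, a in recent_fails[src] if now - t <= window]

        if result == "SUCCESS":
            if ("spray", src) in reported or ("brute", src, account) in reported:
                key = ("compromised", src, account)
                if key not in reported:
                    reported.add(key)
                    findings.append({"type": "compromised_account", "source": src, "account": account})
            continue

        recent_fails[src].append((now, account))
        distinct = {a for _, a in recent_fails[src]}
        if len(distinct) >= spray_accounts and ("spray", src) not in reported:
            reported.add(("spray", src))
            findings.append({"type": "password_spray", "source": src, "accounts": sorted(distinct)})

        per_account = sum(1 for _, a in recent_fails[src] if a == account)
        if per_account >= brute_failures and ("brute", src, account) not in reported:
            reported.add(("brute", src, account))
            findings.append({"type": "brute_force", "source": src, "account": account})

    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two caveats a practitioner should carry with this: keying on the source IP misses sprays distributed across a proxy pool (one guess per IP), so also watch the tenant-wide rate of distinct accounts failing, or key on user agent and ASN; and MFA does not remove the alert, it changes its meaning, since a password that passed the first factor is a password that must be reset.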

The report does mark a number of trends in attacker sophistication. Attacks using email, text message, and other forms of communication increased, with 13 billion malicious or suspicious emails blocked in 2019, of which 1 billion included URLs that were set up just for that attack and so had no prior malicious reputation for a blocklist to match.

“In past years, cybercriminals focused on malware attacks, [but m]ore recently, they have shifted their focus to phishing attacks as a more direct means to achieve their goal of harvesting people’s credentials,” Burt wrote, pointing to the technique of rapidly creating variants of a specific attack. “Morphing is being used across sending domains, email addresses, content templates and URL domains. The goal is to increase the combination of variations to remain unseen.”
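Why the morphing described above defeats an exact-match blocklist, and the kind of structural fingerprint that still groups the variants, as an added example (not code from the report or the article). Each message carries a hostname and query values randomised per recipient; a blocklist only ever contains URLs that were already seen, so every variant is new to it. Collapsing the randomised parts into placeholders turns many never-before-seen URLs into one campaign shape. The URLs below are constructed for the example (the `.invalid` TLD is reserved and never resolves), and the regexes are deliberately simple.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed URLs: three rotated variants of one lure, one unrelated lure, one benign URL
CONSTRUCTED_URLS = [
    "https://secure-login-8f3a1c.phish.invalid/verify?id=abc123&t=99812",
    "https://secure-login-2b7e90.phish.invalid/verify?id=zzq778&t=10234",
    "https://secure-login-ff00aa.phish.invalid/verify?t=55001&id=mnop12",
    "https://docs-share-77c1.phish.invalid/open?id=7781",
    "https://mail.example.org/owa/",
]

HEX_RUN = re.compile(r"[0-9a-f]{4,}")   # hex-looking random tokens inside hostname labels
DIGIT_RUN = re.compile(r"\d+")          # numeric counters in labels and paths


def fingerprint(url: str) -> str:
    """Collapse the parts an attacker randomises per message into placeholders.

    Hostname labels: hex runs become <rnd>, digit runs become #.
    Path: digit runs become #.
    Query: keys are kept (sorted, so order does not matter), values are dropped.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = [DIGIT_RUN.sub("#", HEX_RUN.sub("<rnd>", label)) for label in host.split(".")]
    path = DIGIT_RUN.sub("#", parts.path)
    keys = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    fp = ".".join(labels) + path
    return fp + ("?" + ",".join(keys) if keys else "")


def blocklist_hits(urls, blocklist):
    """Exact-match blocklist: it can only catch URLs that were seen and listed before."""
    return [u for u in urls if u in blocklist]


def campaign_clusters(urls, min_size=3):
    """Group URLs by fingerprint; several fresh URLs sharing one shape is the
    campaign signal an exact blocklist cannot produce."""
    groups = defaultdict(list)
    for u in urls:
        groups[fingerprint(u)].append(u)
    return {fp: members for fp, members in groups.items() if len(members) >= min_size}


if __name__ == "__main__":
    # Only the one variant already on the list is caught; the other two sail through
    print("blocklist catches:", blocklist_hits(CONSTRUCTED_URLS, {CONSTRUCTED_URLS[0]}))
    for fp, members in campaign_clusters(CONSTRUCTED_URLS).items():
        print(f"campaign {fp}: {len(members)} URLs")
```

The fingerprint is a clustering key, not a verdict: a shape shared by three URLs in one mailbox is worth an analyst's look, and the placeholder rules need tuning per environment (legitimate CDNs and SaaS tenants also put random labels in hostnames).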

While spear-phishing attachments and links made up the largest share of attacks (44%) followed by the exploitation of public-facing applications (24%), attacks that compromised some segment of the supply chain accounted for 7% of attacks between June 2019 and March 2020.

“The increased number of supply chain attacks over the past few years has become an important topic in many cybersecurity conversations and is a growing source of concern across the global supply chain,” the report states. “The past 12 months have been an unprecedented time of focus on supply chain security, given the acceleration of interdependencies resulting from changes in global remote workforces in response to COVID-19, as well as new and evolving regulations in the United States and Europe.”

The much-reported spike in COVID-19-themed phishing attempts lasted only about a month — from late February to late March — with a second, shorter spike in late May and early June, according to Microsoft’s data. The company did see a number of other phishing campaigns that used health organizations — such as the World Health Organization and the Centers for Disease Control and Prevention (CDC) — as a lure, and the groups behind two families of malware, Trickbot and Emotet, created nearly 80 different variants using the pandemic to spread in the first half of 2020.

Much longer lasting, however, is the move to remote work. Almost three-quarters of firms have experienced a leak of sensitive data in the past 12 months, according to a survey of chief information security officers conducted by Microsoft.

“Traditional security policies within an organization’s perimeter have become much harder to enforce across a wider network made up of home and other private networks and unmanaged assets in the connectivity path,” Burt wrote. “As organizations continue to move applications to the cloud, we’re seeing cybercriminals increase distributed denial of service (DDoS) attacks to disrupt user access and even obfuscate more malicious and harmful infiltrations of an organization’s resources.”

State-sponsored attacks also accounted for more than 13,000 incidents that required notification to customers, according to Microsoft. More than half of such attacks were related to Russia (52%), with Iran-linked attacks coming in second (25%), followed by China (12%). During the coronavirus pandemic, Microsoft detected more than 16 different nation-state actors targeting vaccine research and healthcare policy agencies.

“Common targets have included nongovernmental organizations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security,” Burt wrote. “This trend may suggest nation-state actors have been targeting those involved in public policy and geopolitics, especially those who might help shape official government policies.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio


The post Microsoft: Ransomware & Nation-State Attacks Rise, Get More Sophisticated appeared first on Malware Devil.



https://malwaredevil.com/2020/09/29/microsoft-ransomware-nation-state-attacks-rise-get-more-sophisticated/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-ransomware-nation-state-attacks-rise-get-more-sophisticated

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...