Malware Devil

Friday, May 7, 2021

ESB-2021.1574 – [Debian] python-django: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1574
python-django security update
7 May 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          python-django
Publisher:        Debian
Operating System: Debian GNU/Linux
Impact/Access:    Overwrite Arbitrary Files -- Existing Account
                  Create Arbitrary Files    -- Existing Account
                  Access Confidential Data  -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-31542

Reference: ESB-2021.1522

Original Bulletin:
http://www.debian.org/lts/security/2021/dla-2651

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2651-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
May 06, 2021                                  https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package : python-django
Version : 1:1.10.7-2+deb9u13
CVE ID : CVE-2021-31542
Debian Bug : #988053

It was discovered that there was a potential directory-traversal
vulnerability in Django, a popular Python-based web development
framework.

The MultiPartParser, UploadedFile and FieldFile classes allowed
directory-traversal via uploaded files with suitably crafted file
names. In order to mitigate this risk, stricter basename and path
sanitation is now applied. Specifically, empty file names and paths
with dot segments are rejected.
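As an added illustration of the sanitation the advisory describes (this is example code written for this page, not Django's own code or the Debian patch; the function names are invented), the following Python rejects empty names, dot segments and anything that is not a bare basename before an uploaded file name is joined onto an upload directory, and then double-checks that the resolved path still lies inside that directory:

```python
import os
import posixpath
from typing import Optional

# Hypothetical sanitiser modelled on the fix described in the advisory.
# It is NOT Django's implementation; the names below are invented for this example.
REJECTED_NAMES = {"", ".", ".."}


def reason_unsafe(name: str) -> Optional[str]:
    """Return None if `name` is a safe bare file name, otherwise the reason it is rejected."""
    if not isinstance(name, str):
        return "not a string"
    if "\x00" in name:
        return "contains a NUL byte"
    if name in REJECTED_NAMES:
        return "empty or dot-segment name"
    # Reject separators of both platform conventions so a client cannot smuggle
    # directory components such as "../" into what must be a bare file name.
    if "/" in name or "\\" in name:
        return "contains a path separator"
    # Belt and braces: on Windows os.path.basename also strips drive prefixes ("C:x.txt").
    if os.path.basename(name) != name or posixpath.basename(name) != name:
        return "not a bare basename"
    return None


def validate_upload_name(name: str) -> str:
    """Raise ValueError for an unsafe name; return the name unchanged otherwise."""
    why = reason_unsafe(name)
    if why is not None:
        raise ValueError(f"rejected upload file name {name!r}: {why}")
    return name


def upload_destination(upload_dir: str, name: str) -> str:
    """Join a validated name onto upload_dir and confirm the result stays inside it."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, validate_upload_name(name)))
    # Defence in depth: even after validation, verify containment of the resolved path.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{name!r} resolves outside {upload_dir!r}")
    return target


if __name__ == "__main__":
    # Constructed candidates: two benign names, then the shapes the advisory says are rejected.
    for candidate in ["report.pdf", "2021-05-invoice.csv", "", ".", "..",
                      "../settings.py", "sub/dir/x.txt", "..\\x.txt"]:
        print(f"{candidate!r:>20} -> {reason_unsafe(candidate) or 'ok'}")
```

The containment check in upload_destination is deliberately redundant with the name check: the name check is what the advisory describes, the realpath comparison catches anything a future change to the name rules might let through.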

For Debian 9 “Stretch”, this problem has been fixed in version
1:1.10.7-2+deb9u13.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYJSLouNLKJtyKPYoAQh1bA//dL5HL+dsZJzUdN2M6m5xKxLJZkGtCHBY
M91BR0IByVgU5f30zCsbapongXqUY82TW/ccom2cfhUMWDh/KphXH4tfqAti7Vwj
EjN0XGIPcVt7Dxsen7+doLOCfP93KgDW7L9yeqEi17AMVTOngxixPdD+1iOayN3R
0HwUuzWJ+V4HRz8clPH6Rgbb9oLwXGaYi2aWshOE2BlA5sDcpiFkMkAqd6p9djPU
aH8d+Mz9wvXLjO3e+88aTpWWrKDAINe/7HHXxwpUL0R6+olMw7CsupyZVFMvStZV
twvlUwzvCTylAl/m8cYQNJN/vCgaT3sTt5x00GdP+9yNIc1IcizwTB22opXR1oCH
DcxJG4AErwQOEzyXTwgG85661FCpWfDKxBBurp+1jkqNvs3iRBOJgJFT1mK2nPE5
d4gks3koawIJDdBSWj0m4NXVRNZLVjFtUx1gZkjTDZ/aQxIEQc0UDPBUyWq6XExt
AHrSEO7KEtK2b9raLxyzk10rNGuDeqqpw9ELSV7oQV5KRyW1AhjtoS8xBJTOdkNK
ZXawnyqGKesSeF+EJCBrq/zQ4X1vyBIv1DFKIHfF61Gl8Py8fNJMlfLw79D7SXUb
RTukBUIoWmSX8e1vaZ1J92V5MjNRt+albn39cxllmTsuq884jqhOpU3U06YLwGnm
yQjyScuI3/M=
=7I7a
-----END PGP SIGNATURE-----


ESB-2021.1575 – [Debian] unbound: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1575
unbound1.9 security update
7 May 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          unbound
Publisher:        Debian
Operating System: Debian GNU/Linux
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Overwrite Arbitrary Files       -- Existing Account
                  Denial of Service               -- Remote/Unauthenticated
                  Reduced Security                -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2019-25042 CVE-2019-25041 CVE-2019-25040
                  CVE-2019-25039 CVE-2019-25038 CVE-2019-25037
                  CVE-2019-25036 CVE-2019-25035 CVE-2019-25034
                  CVE-2019-25033 CVE-2019-25032 CVE-2019-25031

Reference: ESB-2021.1570

Original Bulletin:
http://www.debian.org/lts/security/2021/dla-2652

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2652-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
May 06, 2021                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : unbound1.9
Version : 1.9.0-2+deb10u2~deb9u2
CVE ID : CVE-2019-25031 CVE-2019-25032 CVE-2019-25033 CVE-2019-25034
CVE-2019-25035 CVE-2019-25036 CVE-2019-25037 CVE-2019-25038
CVE-2019-25039 CVE-2019-25040 CVE-2019-25041 CVE-2019-25042

Several security vulnerabilities have been discovered in Unbound, a validating,
recursive, caching DNS resolver, by security researchers of X41 D-SEC located
in Aachen, Germany. Integer overflows, assertion failures, an out-of-bound
write and an infinite loop vulnerability may lead to a denial-of-service or
have a negative impact on data confidentiality.

For Debian 9 stretch, these problems have been fixed in version
1.9.0-2+deb10u2~deb9u2.

We recommend that you upgrade your unbound1.9 packages.

For the detailed security status of unbound1.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound1.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmCUZoFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQhJxAAs45lLX0f7ccVvjO1+enKtuikNRYq2XgsUtiPe42RfMzGc6qrwExIR3mG
+4JbLbrieyolkZbaCWzyFzNOEpnJmRKiyJeIKGnv/ESjj+VSVisr4nOwrGkea4Ue
0XwBj4AuVdPP4j3SoVOF4A7R9umolLNwbOhOXi8cvpFq2rzN56dSKlb2vUxdQ4K3
lApO4iK7hFdBKMa6B7fM/LtVRLTZNamhjXh843rydN8mUhGAf5ORm1qfBtEe48vT
3KCcI+ukNFPZ5mMmC4HV0Y+wlcJq6aTlWEdplS5D1m0ZHV9BQAtwG1dSBqYH1ZaH
0r6Hflq/gG1mXdLAWDlYhjwiRZyPc5Yr6tozzJ4ivOh45lTrZZKNCODwbtgH1Fre
aoiYvIpQ9yIwLrshmjt0b9JhroiqzWWRka5w7TOz4em2mKrIRYpTMu7uZ7wcgT+g
nIxwzYaBUBJT8UeXENnIL8k49rHCKz+99mPo/Iu5j97paUW1oWnhsHFtXBnuN/MU
dgH/3FcWFwNqYM1UYLebx53XSo1U7ZlTM515m5T+OHOU6A1FKGlLB3mYAFzCQlnv
1Ti7n/PFt+KhtI3udf4cboNeOkKL5NlrItFMK7zYnJMFkRYJoHkMrmrgG3zc6iog
24fuBIuPEcF/I9aNRBehnYCNffhcQq6v2+2bjjwSnOwZ2xfJiSg=
=h3aO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----


Achieving PCI DSS Compliant Firewalls within a Small Business

The most important and integral part of any data security programme begins with having firewalls installed in the environment. Moreover, installing firewalls is an explicit requirement of the Payment Card Industry Data Security Standard (PCI DSS). However, simply installing a firewall on the network perimeter will not make your organization PCI DSS compliant.

PCI DSS sets out specific firewall requirements under requirement 1 and its sub-requirements, covering how firewalls should be installed, updated and maintained and how firewall rules should be managed. In this article we explain the basic PCI DSS firewall requirements and why small businesses need to install firewalls. But first, let us understand what a PCI DSS compliant firewall is.

What is a PCI DSS Compliant Firewall?

Firewalls are used to segment or isolate networks and are an essential component in limiting cyber threats and protecting internal networks from the internet and other untrusted networks. In a merchant's point-of-sale (POS) environment, a firewall's purpose is to permit only specific, approved network traffic into and out of the POS network.

However, a misconfigured or unmaintained firewall can fail to adequately protect the networks and IT systems that process payment cards. The PCI Security Standards Council has provided requirements and guidance for firewalls to ensure that merchants and service providers deploy and maintain firewalls correctly.

PCI Firewall Requirements
The PCI DSS firewall requirements cover both technical specifications and physical access controls, under PCI DSS requirements 1 and 9. The technical side includes planning for future updates and reconfiguration, and limiting inbound network traffic to what is actually needed. The physical access requirements are about ensuring that companies limit physical access to the Cardholder Data Environment (CDE): inspecting card-reading devices for tampering, installing monitoring devices, requiring unique IDs for authorized access, and keeping visitor logs, to name a few.

The technical requirements are summarised below.


Ref.   Requirement
       Description

1      Protect cardholder data with a firewall.
       Firewalls are a key protection mechanism for securing the network and the Cardholder Data Environment.

1.1    Establish and implement firewall and router configuration standards.
       Establish firewall and router configuration standards and supporting documentation, and verify that the standards are complete and implemented.

1.1.1  Establish a formal process to validate and test all network connections and all changes to firewall and router configurations.
       Document procedures that show a formal process exists for testing and approving network connections and changes to firewall and router configurations. Verification includes interviewing responsible personnel and periodically examining records to confirm that network connections and a sample of actual changes made to firewall and router configurations were approved and tested.

1.1.2  Establish a network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
       Create network diagrams that describe how the networks are configured and identify the location of all network devices. This prevents any area from being overlooked, unknowingly left out of the security controls implemented for PCI DSS, and left vulnerable to compromise.

1.1.3  Establish a data-flow diagram that shows all cardholder data flows across systems and networks.
       Create a data-flow diagram that identifies the location of all cardholder data in the environment. This helps you understand and track the flow of the data across systems and networks. The data-flow diagram must be kept up to date as the environment changes.

1.1.4  Establish firewalls at each Internet connection and between any DMZ and the internal network.
       A firewall on every Internet connection coming into the network, and between any DMZ and the internal network, allows the organization to monitor and control access. This minimizes the chance of malicious unauthorized access to the internal network via an unprotected connection.

1.1.5  Create descriptions of groups, roles, and responsibilities for managing network components.
       Establish roles and responsibilities for the management of network components so that personnel are aware of their responsibilities for the security of all network components. This facilitates better accountability for the security of the CDE.

1.1.6  Document the security measures implemented, the protocols considered insecure, and the business rationale for every service, protocol, and port allowed.
       Documenting the services, protocols, and ports that are necessary for business prevents compromises that are otherwise caused by unused or insecure services and ports. The use of every necessary protocol and port should be justified, and the security features that allow those protocols to be used securely should be documented and implemented.

1.1.7  Review firewall and router rules at least every six months.
       Organizations must review firewall and router rules at least every six months to clear out unwanted, outdated, or incorrect rules, and to ensure that the rule set allows only the authorized services and ports that match the documented business justifications.

1.2    Restrict connections between untrusted networks and all system components in the cardholder data environment with firewall and router configurations.
       Install network protection between the internal, trusted network and any untrusted network that is external to, or outside the control of, the organization. This limits traffic and prevents unauthorized access by malicious individuals or software.

1.2.1  Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and deny all other traffic.
       Examine all inbound and outbound connections and restrict traffic based on the source and/or destination address. This filters out unnecessary traffic and prevents malicious individuals from accessing the network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner.

1.2.3  Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to permit only the traffic authorized for business purposes.
       Firewalls must be installed between the CDE and all wireless networks, which may include corporate networks, retail stores, guest networks, warehouse environments, and so on. A firewall at the network perimeter acts as a filter that admits only authorized traffic, which prevents malicious individuals from using the wireless network to gain unauthorized access to the CDE and compromise account information.

1.3    Prohibit direct public access between the Internet and any system component in the cardholder data environment.
       Firewalls must be installed to manage and control all connections between public systems and internal systems, especially those that store, process, or transmit cardholder data. This prevents system components and card data from being bypassed and compromised.

1.3.1, 1.3.2
       Create a demilitarized zone (DMZ) to limit incoming traffic to system components that provide only publicly accessible, authorized services, protocols, and ports.
       Implementing a DMZ prevents malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner.

1.3.3  Implement anti-spoofing measures to detect and prevent forged source IP addresses from entering the network.
       Anti-spoofing measures filter out packets with forged IP addresses before they enter the internal network and cause a compromise.

1.3.4  Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
       Evaluate all traffic outbound from the cardholder data environment to the Internet to ensure that it follows established, authorized rules and is restricted to authorized communications only.

1.3.5  Permit only established connections into the network.
       Examine the firewall and router configurations to verify that the firewall permits only established connections into the internal network and blocks any inbound connection not associated with a previously established session. This stops malicious traffic from tricking the firewall into allowing the connection.

1.4    Install personal firewall software on all portable computing devices that connect to the Internet while off the network and are also used to access the CDE.
       Installing personal firewall software (or equivalent functionality) on every portable computing device protects the device from Internet-based attacks that could otherwise use it to reach the organization's systems and data once the device is reconnected to the network.

1.5    Ensure that the security policy and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
       Ensure that the security policies and operational procedures for managing firewalls are documented, in use, and known to the responsible personnel. This manages and prevents unauthorized access to the network.
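Several of the requirements above (1.1.6, 1.1.7, 1.2.1, 1.3, 1.3.3, 1.3.4, 1.3.5) can be checked mechanically against an exported rule set during the six-monthly review. The following is an added example written for this page, not code from the article or from the PCI SSC: it audits a small, constructed perimeter rule set (invented network ranges, rule names, dates and a fixed review date) and reports which requirement each rule violates. The field layout of Rule and the review interval of 182 days are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"
# Constructed network layout for this example: a DMZ for public-facing services
# (req 1.3.1/1.3.2) and the cardholder data environment behind it.
DMZ = ipaddress.ip_network("10.10.10.0/24")
CDE = ipaddress.ip_network("10.10.20.0/24")
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REVIEW_INTERVAL = timedelta(days=182)  # "at least every six months" (req 1.1.7)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "inbound" (from the Internet) or "outbound" (to the Internet)
    src: str                # source CIDR
    dst: str                # destination CIDR
    port: Optional[int]     # None means every port
    action: str             # "allow" or "deny"
    justification: str      # documented business reason (req 1.1.6); "" if none
    last_reviewed: date     # date of the last documented review of this rule (req 1.1.7)
    stateful: bool = True   # inbound traffic admitted only for established sessions (req 1.3.5)


def review_rule(rule: Rule, today: date) -> List[str]:
    """Return the requirement-1 findings for one perimeter rule (empty list = clean)."""
    findings = []
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    if today - rule.last_reviewed > REVIEW_INTERVAL:
        findings.append("1.1.7 rule not reviewed within six months")
    if rule.action != "allow":
        return findings  # a deny rule only needs the periodic-review check
    if not rule.justification.strip():
        findings.append("1.1.6 no documented business justification")
    if rule.port is None:
        findings.append("1.2.1 rule permits every port")
    if rule.src == ANY and rule.dst == ANY:
        findings.append("1.2.1 any-to-any allow rule")
    if rule.direction == "inbound":
        if rule.src == ANY and dst.subnet_of(CDE):
            findings.append("1.3 direct public access into the CDE")
        if any(src.subnet_of(net) for net in PRIVATE_RANGES):
            findings.append("1.3.3 inbound rule trusts a private (spoofable) source range")
        if not rule.stateful:
            findings.append("1.3.5 inbound allow without established-session tracking")
    elif src.subnet_of(CDE) and rule.dst == ANY:
        findings.append("1.3.4 unrestricted outbound traffic from the CDE")
    return findings


def audit(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Map each rule name to its list of findings."""
    return {rule.name: review_rule(rule, today) for rule in rules}


# Constructed sample rule set and review date; none of these values come from the article.
TODAY = date(2021, 5, 7)
SAMPLE_RULES = [
    Rule("dmz-https", "inbound", ANY, str(DMZ), 443, "allow", "public web front end", date(2021, 3, 1)),
    Rule("legacy-rdp", "inbound", ANY, str(CDE), 3389, "allow", "", date(2019, 8, 14), stateful=False),
    Rule("partner-feed", "inbound", "192.168.50.0/24", str(CDE), None, "allow", "partner batch feed", date(2021, 4, 1)),
    Rule("cde-egress", "outbound", str(CDE), ANY, None, "allow", "", date(2021, 4, 1)),
    Rule("default-deny", "inbound", ANY, ANY, None, "deny", "final deny-all", date(2021, 4, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES, TODAY).items():
        print(f"{name:13} {'OK' if not findings else ''}")
        for finding in findings:
            print(f"    - {finding}")
```

The checks are deliberately conservative: a rule with no justification string is a finding even if the port is in common use, because requirement 1.1.6 is about the documentation, not the port.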

Why does a small business need a PCI compliant firewall?
Poor firewall implementation and maintenance is a common factor in cyber attacks and payment card data thefts at small businesses, and is often due to limited IT security understanding and resources on the part of IT and business management. A business's connectivity with the internet poses the greatest risk and is what a firewall must safeguard. PCI DSS requires all internet connectivity to be protected by a firewall, which effectively creates a 'buffer zone' between the business's IT network and systems and untrusted external networks and systems. Other reasons why firewalls are essential for small businesses include:


Access Controls
The firewall operates at the network layer, filtering all incoming requests based on IP address and the service being accessed, such as web, email, or custom ports. Installing a firewall therefore restricts unauthorized access to a great extent and stops malicious individuals from gaining unauthorised access to the network and compromising data.

Cloud Security
Connectivity with third parties and cloud service providers can also be controlled through a firewall policy, to safeguard from supply chain threats and protect sensitive data from exposure.

Malware Protection
Firewalls do much more than filter network traffic based on IP addresses. 'Next Generation' firewalls provide security controls beyond the traditional IP address and port filtering, such as VPNs, web filtering, anti-malware screening of incoming traffic, and intrusion detection/prevention, which is itself another PCI DSS requirement.

Application and Database Protection
Some firewalls have web application screening capability and are known as Web Application Firewalls (WAF). A correctly configured WAF provides protection from application-layer threats such as SQL injection, where an attacker manipulates a web application to expose the back-end database. PCI DSS requirement 6.6 requires installing an automated technical solution that detects and prevents web-based attacks (e.g., a web application firewall) as one of two ways to address vulnerabilities in public-facing web applications.


Monitoring and Responding to Malicious Activity
Firewalls monitor and report suspicious attacks. With the support of a 'Security Information and Event Management' (SIEM) tool, the business is able to detect and quickly respond to cyber-attacks, which is covered by PCI DSS requirement 10.

Conclusion
Smaller businesses are considered easy prey by hackers because such firms tend not to have sufficiently robust IT security controls in place. Small businesses that process payment cards are specifically targeted by cybercriminals, who can quickly turn stolen credit card data into cash via the dark web. Installing and maintaining a firewall is a fundamental IT security pillar whose importance should never be neglected or underestimated, along with configuring IT systems securely, implementing access control, deploying anti-virus, and keeping all software up to date. PCI DSS provides a highly descriptive set of good-practice IT security controls which, if adhered to completely and continuously (24/7/365), is sufficient to protect your business from payment card compromises by cybercriminals.

Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

The post Achieving PCI DSS Compliant Firewalls within a Small Business appeared first on Security Boulevard.


Biden Administration EO on Cyber – Jim Langevin – PSW #693

US Congressman Jim Langevin joins to talk about Executive Orders, International Interest in Cyber, & more in this gripping interview!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw693


Network Security News Summary for Friday May 7th, 2021

Azure Blob Scans; Qualcomm MSM Vuln.; Google 2SF Default; Celebrite UFED Patch

Scans for Exposed Azure Storage Containers
https://isc.sans.edu/forums/diary/Exposed+Azure+Storage+Containers/27396/

Qualcomm MSM Vulnerability
https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/

Google to Automatically enroll users in 2SF
https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/

New Cellebrite Vulnerabilities Announced
https://www.ehackingnews.com/2021/05/new-vulnerabilities-in-cellebrites.html

keywords: cellebrite; google; 2sf; 2fa; mfa; qualcomm; msm; azure; blog


[U.S. General Services Administration] high – TAMS registration details API for admins open at https://tamsapi.gsa.gov/user/tams/api/usermgmnt/pendingUserDetails/


Building a Risk-Based Vulnerability Management Program – Bob Erdman – PSW #693

Risk-based vulnerability management is more than just a vulnerability scan or assessment. It incorporates relevant risk context and analysis to prioritize the vulnerabilities that pose the greatest risk to your organization. This segment will explore the elements of a successful vulnerability management program and impactful ways to build upon your foundation.

Segment Resources:

https://www.coresecurity.com/blog/how-mature-your-vulnerability-management-program
https://www.coresecurity.com/blog/when-use-pen-test-and-when-use-vulnerability-scan
https://www.digitaldefense.com/blog/infographic-risk-based-vulnerability-management/

This segment is sponsored by Core Security, A Help Systems Company.

Visit https://securityweekly.com/coresecurity to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw693


Exposed Azure Storage Containers, (Fri, May 7th)

A couple of months ago, we already covered the topic of exposed Azure Blob Storage in two separate ISC diaries, “Exposed Blob Storage in Azure” and “Preventing Exposed Blob Storage in Azure”. The information therein is still relevant and valid, so if you are using Azure Storage and haven't read these two diaries yet, please do.

There is no doubt that having an Azure Storage Container that is shared publicly at level “Container” is usually a bad idea, because everyone who knows the Container name can then trivially enumerate the contents, by simply tucking a /?comp=list&restype=container onto the URL.

But the container names themselves cannot be enumerated quite as easily, so some users of Azure Storage seem to feel safe-ish behind this layer of obscurity. But recently, we noticed a significant uptick in attempts to blindly enumerate existing storage containers. You can think of it as a dictionary attack of sorts, because the log files show the bad guys sequentially probing

storageaccount.blob.core.windows.net/backup
storageaccount.blob.core.windows.net/backups
storageaccount.blob.core.windows.net/test
storageaccount.blob.core.windows.net/data
[…]
etc, you get the drift.

The question is, how does this work? How do the attackers even distinguish between a Container that doesn't exist at all, and one that does exist, but has access restrictions set to “Blob”? Well, here is how:

See it? “Blob not found” versus “Resource not found”. This tells us that the container “/files/” exists, whereas “/othercontainer/” doesn't. We could call this an example of CWE-209 (https://cwe.mitre.org/data/definitions/209.html), “Error Message Containing Sensitive Information”. It is similar to a lesson learned two decades ago, when error messages that distinguished between “login incorrect” and “password incorrect” indirectly facilitated brute-force break-in attempts by allowing an attacker to more readily identify valid accounts.

As a “countermeasure”, you can

Stop any public access by making your Storage Account “private”. This should be the default, and is the only safe option. Refer to the two mentioned earlier diaries on how to do so, and how to implement prevention that works. If a Storage Account is set to “Private”, the response will always be “Resource Not Found”, irrespective of whether the attempt hits an existing container name or not.
If you “have” to keep something shared at Blob level, maybe consider increasing the obscurity and smoke screen. Don’t call your container “backup” or “data” or the like, call it “akreiqfasvkkakdff” or some such. While this doesn’t really secure your data and only kicks the can down the obscurity road, it still makes it less likely that a brute force enumeration attempt will quickly find your container.
Keep your eye on the new Azure Security Center alert titled “PREVIEW – Anonymous scan of public storage containers” (Azure Alerts Reference) that politely warns you whenever someone tries to enumerate containers in your storage account.
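The sequential probing shown above, and the “Blob not found” versus “Resource not found” tell, can both be picked out of your own storage access logs without waiting for the Security Center alert. The following is an added example (not code from the ISC diary or from Microsoft): it assumes a constructed, simplified semicolon-separated log layout (real Storage Analytics logs carry more fields in a different order), constructed sample lines with a fake account name and RFC 5737 test addresses, and flags any client that anonymously receives 404s for several distinct container names within a short window, while separating out the names whose response revealed that the container exists.

```python
"""Spot blind container-name enumeration in (constructed) Azure Storage access logs.

Assumed, simplified log layout (not the real Storage Analytics schema):
    <timestamp>;<operation>;<http_status>;<status_text>;<auth>;<client_ip>;<url>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines. 203.0.113.7 walks a small wordlist of container
# names; "files" exists but is shared at level "Blob", so it answers
# BlobNotFound rather than ResourceNotFound (the CWE-209 tell from the diary).
SAMPLE_LOG = """\
2021-05-07T08:00:01Z;ListBlobs;404;ResourceNotFound;anonymous;203.0.113.7;https://storageaccount.blob.core.windows.net/backup/?comp=list&restype=container
2021-05-07T08:00:02Z;ListBlobs;404;ResourceNotFound;anonymous;203.0.113.7;https://storageaccount.blob.core.windows.net/backups/?comp=list&restype=container
2021-05-07T08:00:03Z;ListBlobs;404;ResourceNotFound;anonymous;203.0.113.7;https://storageaccount.blob.core.windows.net/test/?comp=list&restype=container
2021-05-07T08:00:04Z;ListBlobs;404;ResourceNotFound;anonymous;203.0.113.7;https://storageaccount.blob.core.windows.net/data/?comp=list&restype=container
2021-05-07T08:00:05Z;GetBlob;404;BlobNotFound;anonymous;203.0.113.7;https://storageaccount.blob.core.windows.net/files/
2021-05-07T08:00:06Z;GetBlob;404;ResourceNotFound;anonymous;203.0.113.7;https://storageaccount.blob.core.windows.net/othercontainer/
2021-05-07T08:05:00Z;GetBlob;200;Success;sas;198.51.100.4;https://storageaccount.blob.core.windows.net/files/report.pdf
2021-05-07T08:06:00Z;GetBlob;404;BlobNotFound;anonymous;198.51.100.4;https://storageaccount.blob.core.windows.net/files/missing.pdf
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a record; the container is the first path segment."""
    ts, op, status, text, auth, ip, url = line.split(";")
    path = urlparse(url).path.strip("/")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "op": op,
        "status": int(status),
        "text": text,
        "auth": auth,
        "ip": ip,
        "container": path.split("/", 1)[0],
    }


def detect_enumeration(lines, threshold=4, window=timedelta(minutes=5)):
    """Flag client IPs that anonymously collect 404s for at least `threshold`
    distinct container names inside any sliding `window`.

    Returns {ip: {"probed": set_of_names, "confirmed": set_of_names}}, where
    "confirmed" holds the names whose BlobNotFound reply revealed a real container.
    """
    by_ip = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only anonymous misses matter: authenticated traffic and hits are normal use.
        if rec["auth"] == "anonymous" and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Advance the window start so that span covers at most `window` of time.
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            names = {r["container"] for r in span}
            if len(names) < threshold:
                continue
            hit = alerts.setdefault(ip, {"probed": set(), "confirmed": set()})
            hit["probed"] |= names
            hit["confirmed"] |= {r["container"] for r in span if r["text"] == "BlobNotFound"}
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: probed {sorted(hit['probed'])}; confirmed existing: {sorted(hit['confirmed'])}")
```

On the constructed sample, only 203.0.113.7 is flagged, and “files” shows up in its confirmed set, which is exactly the name you would want to rename (or, better, take private). The threshold and window are the knobs to tune against your own baseline of anonymous 404 noise; a public “Blob” container that legitimately serves many misses will need a higher threshold than one that should never see anonymous traffic at all.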

Here’s an example of what this new “PREVIEW” alert looks like. Note the terms that were included in this particular enumeration attempt. If your Container shared at level “Blob” happens to be called one of these names, assume that it has already been “found”.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post Exposed Azure Storage Containers, (Fri, May 7th) appeared first on Malware Devil.



https://malwaredevil.com/2021/05/07/exposed-azure-storage-containers-fri-may-7th/?utm_source=rss&utm_medium=rss&utm_campaign=exposed-azure-storage-containers-fri-may-7th

Thursday, May 6, 2021

Exploiting Partial Order of Keys to Verify Security of a Vehicular Group Protocol




https://malwaredevil.com/2021/05/06/exploiting-partial-order-of-keys-to-verify-security-of-a-vehicular-group-protocol-2/?utm_source=rss&utm_medium=rss&utm_campaign=exploiting-partial-order-of-keys-to-verify-security-of-a-vehicular-group-protocol-2

SmartScan: An approach to detect Denial of Service Vulnerability in Ethereum Smart Contracts




https://malwaredevil.com/2021/05/06/smartscan-an-approach-to-detect-denial-of-service-vulnerability-in-ethereum-smart-contracts-2/?utm_source=rss&utm_medium=rss&utm_campaign=smartscan-an-approach-to-detect-denial-of-service-vulnerability-in-ethereum-smart-contracts-2

Android: Memory Disclosure, OOB Write, and Double Free in NFC’s Felica Tag Handling




https://malwaredevil.com/2021/05/06/android-memory-disclosure-oob-write-and-double-free-in-nfcs-felica-tag-handling-2/?utm_source=rss&utm_medium=rss&utm_campaign=android-memory-disclosure-oob-write-and-double-free-in-nfcs-felica-tag-handling-2

Identify a Facebook user by his phone number despite privacy settings set




https://malwaredevil.com/2021/05/06/identify-a-facebook-user-by-his-phone-number-despite-privacy-settings-set-2/?utm_source=rss&utm_medium=rss&utm_campaign=identify-a-facebook-user-by-his-phone-number-despite-privacy-settings-set-2

Security Vulnerability Detection Using Deep Learning Natural Language Processing




https://malwaredevil.com/2021/05/06/security-vulnerability-detection-using-deep-learning-natural-language-processing/?utm_source=rss&utm_medium=rss&utm_campaign=security-vulnerability-detection-using-deep-learning-natural-language-processing

SmartScan: An approach to detect Denial of Service Vulnerability in Ethereum Smart Contracts




https://malwaredevil.com/2021/05/06/smartscan-an-approach-to-detect-denial-of-service-vulnerability-in-ethereum-smart-contracts/?utm_source=rss&utm_medium=rss&utm_campaign=smartscan-an-approach-to-detect-denial-of-service-vulnerability-in-ethereum-smart-contracts

Exploiting Partial Order of Keys to Verify Security of a Vehicular Group Protocol




https://malwaredevil.com/2021/05/06/exploiting-partial-order-of-keys-to-verify-security-of-a-vehicular-group-protocol/?utm_source=rss&utm_medium=rss&utm_campaign=exploiting-partial-order-of-keys-to-verify-security-of-a-vehicular-group-protocol

Qualcomm Chip Bug Opens Android Fans to Eavesdropping

A malicious app can exploit the issue, which could affect up to 30 percent of Android phones.



https://malwaredevil.com/2021/05/06/qualcomm-chip-bug-opens-android-fans-to-eavesdropping/?utm_source=rss&utm_medium=rss&utm_campaign=qualcomm-chip-bug-opens-android-fans-to-eavesdropping

JupiterOne, Signal Ad Banned, Series F Funding, & Imperva Acquires CloudVector – ESW #226

This week in the Enterprise Security News: Code42 enhances Incydr to help identify insider risk related to file uploads to unsanctioned websites, Imperva acquires CloudVector to provide visibility and security for API traffic, ThreatQuotient launches ThreatQ TDR Orchestrator to accelerate detection and response, KnowBe4 Launches Artificial Intelligence-Driven Phishing Feature, and some funding and acquisition updates from Thoma Bravo, Proofpoint, Darktrace, JupiterOne, and more!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw226




https://malwaredevil.com/2021/05/06/jupiterone-signal-ad-banned-series-f-funding-imperva-acquires-cloudvector-esw-226/?utm_source=rss&utm_medium=rss&utm_campaign=jupiterone-signal-ad-banned-series-f-funding-imperva-acquires-cloudvector-esw-226

Applications Are Your Lifeblood – Carlos Morales – ESW #226

Web applications have never been more critical to your business. Yet the ever-changing threat landscape, from the move towards the cloud, to the explosion of devices on the internet, to the effects of the pandemic, keeps shifting the playing field. Join Carlos Morales, CTO Security Services, Neustar, to hear about how cyber criminals are taking advantage of these changes and considerations for how best to de-risk your application environment, no matter where your apps are hosted.

Segment Resources:
Learn more about [Security Solutions at Neustar] https://www.home.neustar/security-solutions

See our [Video]
https://www.home.neustar/resources/videos/security-you-can-trust

Read our new white paper: [The Changing Face of Web Application Security] https://www.home.neustar/resources/whitepapers/web-application-security-threats

This segment is sponsored by Neustar.

Visit https://securityweekly.com/neustar to learn more about them!
Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw226




https://malwaredevil.com/2021/05/06/applications-are-your-lifeblood-carlos-morales-esw-226/?utm_source=rss&utm_medium=rss&utm_campaign=applications-are-your-lifeblood-carlos-morales-esw-226

Facebook Dating Service Issues | Avast

Facebook is piloting a new video speed dating service, Sparked, that will connect people for four minute virtual “dates.” They’re presenting it as a kinder approach to online dating, with no swipes or “BS.” Participants agree to have their private profile shared with compatible people and everyone has to write a little blurb about how they’re a “kind” dater when they sign up.

The post Facebook Dating Service Issues | Avast appeared first on Security Boulevard.




https://malwaredevil.com/2021/05/06/facebook-dating-service-issues-avast/?utm_source=rss&utm_medium=rss&utm_campaign=facebook-dating-service-issues-avast

Who’s responsible for cloud security?

Without question, there has been noted fallout from rapid cloud migration. Gartner estimates that by 2022, Cloud Security Provider (CSP) customers will be at fault for at least 95% of cloud security failures. As the Gartner analyst Kasey Panetta explains, “The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data,” adding that, “CIOs must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’”

The post Who’s responsible for cloud security? appeared first on Security Boulevard.




https://malwaredevil.com/2021/05/06/whos-responsible-for-cloud-security/?utm_source=rss&utm_medium=rss&utm_campaign=whos-responsible-for-cloud-security

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...