Traffic interception and MitM attacks among security risks of Russian TLS certs

Russia is offering its own Transport Layer Security (TLS) certificates to bypass sanctions imposed by Western companies and governments that are limiting citizens’ access to websites amid the nation’s invasion of Ukraine. Restrictions on foreign payments are leaving many Russian websites unable to renew certificates with international signing authorities, causing browsers to block access to those sites. As a result, the Russian state has launched a domestic TLS certificate authority (CA) for the independent issuing and renewal of TLS certificates. The risks of Russian-owned and -issued TLS certificates are significant and include traffic interception and man-in-the-middle (MitM) attacks.

Unpacking OMB’s federal strategy for implementing Zero Trust

This blog was written by an independent guest blogger.

The US Office of Management and Budget (OMB) has released a strategy to help the federal government embrace a zero-trust approach to cybersecurity.

Overview of OMB’s Zero Trust strategy

Released on January 26, 2022, the strategy identifies “specific security goals” that heads of Federal Civilian Executive Branch (FCEB) agencies must achieve by the end of Fiscal Year (FY) 2024. Some of these objectives are described below.

In its Executive Order (EO) 14028, the White House states that FCEB agencies must develop their own plans for implementing a zero-trust architecture (ZTA). OMB’s strategy goes beyond this mandate by requiring FCEB agencies to incorporate additional requirements and submit their plans to OMB and the US Cybersecurity & Infrastructure Security Agency (CISA) within 60 days of the memorandum taking effect. FCEB agencies also need to submit a budget estimate for FY 2024 within that period. In the shorter term, OMB explains that in-scope entities can use internal funding or seek money from alternative sources to achieve primary goals in FY 2022 and FY 2023.

OMB’s strategy notes that FCEB agencies must designate and identify a lead for implementing zero trust at their organization within 30 days of the strategy entering into force. Ultimately, OMB will use those leads to coordinate the implementation of zero trust across the federal government. It will also rely on them to orchestrate planning and implementation efforts within each agency.

Identity and MFA as key tenets

The security goals identified above align with several pillars of zero trust set forth by CISA. “Identity” is one of the most important of those elements. The purpose of “Identity” for zero trust is to have agency staff use enterprise-managed identities to access the applications they need to perform their job duties. The best way to do that is to invest in centralized identity management systems and integrate them into both applications and common platforms, noted OMB in its federal strategy. Specifically, agencies can implement phishing-resistant multi-factor authentication (MFA) at the application layer and require staff, contractors, and partners to enroll in this scheme. (This must also be an option for public users.) Finally, agencies must design their password policies so that they don’t require the use of special characters or regular password rotation.

A driving factor behind the importance of identity and MFA to zero trust is the growth in cloud adoption. In December 2021, 90% of O’Reilly subscribers revealed their organizations were using the cloud at that time—up from 88% a year earlier. The study went on to reveal that at least 75% of respondents in organizations across every sector were using the cloud, with retail & commerce, finance & banking, and software registering as some of the most active industries. Looking ahead, nearly half (48%) of survey participants said that their organizations were planning to migrate at least half of their applications to the cloud in the coming year. One-fifth of personnel said they intended to migrate all their applications within that period.

This growing focus on the cloud means that literally everyone is an outsider, as I told TechSpective last August. In response, organizations need to implement a scheme by which they can validate the authenticity of approved identities and their attributes for users, services, and devices.

Giving authentication and identity the emphasis they deserve

FCEB agencies and other organizations can emphasize authentication and identity protection for zero trust by laying the groundwork for an Identity and Access Management (IAM) strategy. In formulating this plan, organizations should follow CISA’s MFA guidelines. They then need to clarify which authentication methods they’ll require of their users and plan how to roll out authentication for those users. Finally, entities can develop access rules and policies that shape who can access certain types of data and applications, along with the conditions under which they can do so.

Regarding MFA in particular, agencies and other organizations can consider combining MFA with other best practices such as Single Sign-On to improve account security while reducing user friction. To this end, they can use an integrated service or solution that offers multi-factor authentication, SSO and policy-based access.

Multiple vulnerabilities in Apple Products could allow for arbitrary code execution

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

GarageBand is an audio tool.
iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
Logic Pro X is a digital audio workstation.
macOS Monterey is the 18th and current major release of macOS.
macOS Big Sur is the 17th major release of macOS.
macOS Catalina is the 16th major release of macOS.
watchOS is the mobile operating system for Apple Watch and is based on the iOS operating system.
tvOS is the operating system for the fourth-generation Apple TV digital media player.
Xcode is Apple’s integrated development environment for macOS.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permissions associated with the application running the exploit, an attacker could then install programs or view, change, or delete data.

7 old attack vectors cybercriminals still use

Even in today’s age of digital evolution, malicious hackers continue to use attack vectors dating back decades. Research shows notable periods of resurgence relating to certain methods deemed old-fashioned. What this indicates is that while attack specifics can change with time, points of infection, distribution and proliferation can remain and even lead to the most significant of breaches.

“Cybercriminals tend to return to ‘old favorite’ methods of attack, particularly when newer vectors get shut down or become more difficult to execute due to the efforts of law enforcement and security teams,” says Egress Threat Intelligence Vice President Jack Chapman.

Why you can’t trust AI-generated autocomplete code to be secure

When GitHub launched the code autocomplete tool Copilot in June 2021, many developers were in awe, saying it reads their minds and helps them write code faster. Copilot looks at the variable names and comments someone writes and suggests what should come next. It provides lines of code or even entire functions the developer might not know how to write.

However, accepting unfamiliar suggestions without verifying them can introduce security weaknesses. Researchers at New York University’s Tandon School of Engineering put Copilot to the test and found that 40% of the code it generated in security-relevant contexts had vulnerabilities.

“Copilot’s response to our scenarios is mixed from a security standpoint, given the large number of generated vulnerabilities,” the researchers wrote in a paper. They checked the code using GitHub’s CodeQL, which automatically looks for known weaknesses, and found that developers often get SQL-injection vulnerabilities or flaws included on the 2021 CWE Top 25 Most Dangerous Software Weaknesses list. Also, when it comes to domain-specific languages, such as Verilog, it struggles to generate code that’s “syntactically correct and meaningful.”
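As an added illustration of the SQL-injection class the researchers flagged (this is example code written for this digest, not the NYU paper's test cases or Copilot output): the first lookup has the shape of an autocomplete suggestion that splices user input into the query, the second is the parameterized form a reviewer should accept instead, and a small AST check flags string-built `execute()` calls the way a static analyzer such as CodeQL would. The user table is constructed inline.

```python
import ast
import sqlite3

# Constructed sample data standing in for an application's user table.
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_unverified(conn: sqlite3.Connection, name: str) -> list:
    # The shape of a suggestion that must not be accepted as-is: untrusted
    # input is spliced into the SQL text, so it can rewrite the WHERE clause.
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'"
    ).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the value is bound as a parameter, so the driver only
    # ever compares it and never parses it as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def string_built_execute_lines(source: str) -> list:
    """Review check: line numbers of .execute() calls whose first argument
    is an f-string or a concatenation/% expression (the pattern above).
    It is deliberately crude: str.format() calls are not detected."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and isinstance(node.args[0], (ast.JoinedStr, ast.BinOp))):
            hits.append(node.lineno)
    return hits


def compare(name: str) -> tuple:
    """Row counts returned by the unverified and the parameterized lookup."""
    conn = make_db()
    return (len(find_user_unverified(conn, name)),
            len(find_user_parameterized(conn, name)))
```

A plain name returns one row under both lookups; a value that closes the quote and appends a tautology returns every row under the string-built query and nothing under the parameterized one.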

cabal-rpm-2.0.11-1.fc34

FEDORA-2022-78559f99a9

Packages in this update:

cabal-rpm-2.0.11-1.fc34

Update description:

take build-tool-depends into account (#65)
'spec', 'update': detect autorelease and preserve autochangelog (#66)
'spec --standalone': strip executable
support _builddir

cabal-rpm-2.0.11-1.fc35

FEDORA-2022-429861c39a

Packages in this update:

cabal-rpm-2.0.11-1.fc35

Update description:

take build-tool-depends into account (#65)
'spec', 'update': detect autorelease and preserve autochangelog (#66)
'spec --standalone': strip executable
support _builddir
