USN-5348-1: Smarty vulnerabilities

David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this issue to read arbitrary files when controlling the executed
template. (CVE-2018-13982)

It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this issue to read
arbitrary files when controlling the executed template. (CVE-2018-16831)

It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classes even when not permitted by
the security settings. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-21408)

It was discovered that Smarty was incorrectly managing access control to
template objects, which allowed users to perform a sandbox escape. An
attacker could possibly use this issue to send specially crafted input to
applications that use Smarty and execute arbitrary code. (CVE-2021-26119)

It was discovered that Smarty was not checking for special characters
when setting function names during plugin compile operations. An attacker
could possibly use this issue to send specially crafted input to
applications that use Smarty and execute arbitrary code. (CVE-2021-26120)

It was discovered that Smarty was incorrectly sanitizing characters in
math strings processed by the math function. An attacker could possibly
use this issue to send specially crafted input to applications that use
Smarty and execute arbitrary code. (CVE-2021-29454)

Post Title

A vulnerability has been discovered in Google Chrome that could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data.

Formulating proper data destruction policies to reduce data breach risks

This blog was written by an independent guest blogger.

As Morgan Stanley Bank now knows, ignoring certified data destruction policies can be disastrous. The bank made news in 2020 when it was fined over $60 million for not using proper oversight when decommissioning two of its data centers. Regulators found that the organization had not addressed the risks associated with decommissioning hardware effectively. 

The ever-increasing number of IoT and Business Connect devices gives attackers numerous electronic entry points, but companies should also take care with how they decommission their hardware. Unfortunately, studies show that many companies lack the necessary precautions for data destruction.

What is data destruction?

Data destruction is a process that involves destroying information and records such as paper documents and digital information stored on hard drives, SSDs, optical disks, memory chips, and the like. The goal of digital data destruction is to eliminate any information that was previously held on the server or hardware so that it can’t ever be recovered by a third party or someone from within the organization. 

The increased cybersecurity events of 2020 and 2021 have highlighted the need for proper data destruction protocols across industries. Additionally, emphasizing the circular economy, sustainability, and eco-friendly practices means that more refurbished devices will be recycled and resold to new owners. If data is not completely destroyed, then that information is at risk. 

What happened at Morgan Stanley?

A lack of secure data destruction protocols can have profound implications. 

In 2016, Morgan Stanley hired a vendor to wipe all data from the servers. But they didn’t monitor their vendor or keep adequate documentation. As a result, the vendor failed to completely erase all the data from the hardware before selling it to recyclers. 

In 2019, a few of Morgan Stanley’s decommissioned servers went missing, and the disks were left with unencrypted customer data. This incident was attributed to a software flaw but still reflects a lack of oversight over one of the most critical business data practices.

These data flubs could have had a significant impact on the online privacy of their clients, but the bank maintains that none of their customers’ data was breached in either instance. Still, the data left on these devices could have easily been accessed by anyone in possession of the servers and other hardware. 

A person with sensitive customer information such as account and social security numbers, birthdates, contact information, and other crucial data could wreak havoc on customers and the organization as a whole. 

Benefits of secure data destruction

Improper data destruction protocols can leave customer and business data wide open to be stolen and used for malicious intentions. 

Businesses of all sizes need to ensure that their financial statements and documents such as profit and loss statement templates, invoices, third-party data, and everything in between are all safely secured using the correct data destruction activities. 

Here are just a few of the benefits of secure and certified data destruction policies and practices:

Complete removal of data — certified data destruction helps remove data from hardware without leaving a single trace of its existence. A simple delete is not enough to completely remove data from a device. Data destruction protects the data and the device owner.
DARP — Even encryption and firewall security are not enough to ensure that your data at rest is protected. Data at Rest Protection (DARP) through data destruction is the most secure way to protect data that is no longer in use and no longer serves any real purpose.
Prevent cybersecurity incidents — Devices, both business and personal, no longer needed have to be permanently wiped with a certified data destruction tool that meets data erasure standards. Without it, they could be vulnerable to a breach resulting in financial and reputational losses, including fines and penalties. 
Meet compliance and regulation guidelines — Data protection laws worldwide such as GDPR, SOX, and HIPAA state clear rules for consumers’ right to erasure and to be forgotten. Data destruction policies ensure that these guidelines are met. 
Sustainable hardware refurbishing — Reducing e-waste has become a top priority as the circular economy comes into focus. Old devices like smartphones and laptops are not the only ones businesses can recycle. A new emphasis on recycling servers and other hardware means an increased need for complete data destruction. 

Methods for data destruction

Organizations use many methods to destroy data at rest permanently. Media wiping tools are essential for companies that use refurbished IT assets or recycle their hardware. These electronic devices must all be adequately wiped before safely passing on to their next owner: 

Computers
Smartphones
Tablets
Digital cameras
Media players
Printers
Monitors
Hard drives
Gaming consoles
External hardware
Peripheral devices

Secure and dispose of electronic devices, servers, and hardware by using these data destruction methods:

Delete or reformat

The two most common ways to attempt to rid a device of its data are by deleting or reformatting files. 

Deleting a file from a device will remove it, but it doesn’t destroy the data. The information within the deleted file will remain on the device’s hard drive or memory chip.

Reformatting the disk produces similar results. Reformatting will not wipe the data from the device; it simply replaces the existing file system with a brand new one.

Using these methods to destroy data is ineffective and does not represent proper data destruction, but it is worth mentioning since it is often used as the first response. 

Wipe

Data wiping involves overwriting data on a device so that no one can read it. It is usually accomplished by connecting the affected media to a wiping device, but it can also be done internally. 

However, data wiping is time-consuming, especially for a business with lots of information across numerous devices. It’s a more practical approach for individuals. 

Overwriting data

Overwriting data and wiping data are very similar approaches to data destruction. Overwriting data refers to writing a pattern of ones and zeroes over the current data to hide it and prevent it from being read. 

However, if the data in question poses a high security risk, it may be worth taking a few extra passes at overwriting it. This ensures that the data is completely destroyed and that not a single shadow bit or remnant of the pre-existing information can be detected.

Overwriting data is by far the most common data destruction method used by organizations, but it is also very time-consuming. Additionally, you can only overwrite data on an undamaged device that still allows data to be written into it. 

Erasure

Another term for overwriting, complete erasure destroys all data stored on a hard drive and delivers a certificate of destruction. This certificate proves that data has been successfully erased from an electronic device. 

Erasure is a suitable method for businesses that purchase equipment such as desktops, enterprise data centers, and laptops off-lease.
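The overwrite-and-verify procedure that the Wipe, Overwriting data and Erasure sections describe, written out as an added example (this is not code from the original post): it overwrites one file in place with several patterns, forces each pass to the device, reads the final pass back, and returns the figures an erasure certificate would summarise. The function names and the default pattern sequence are my own choices.

```python
import hashlib
import os

# Added example, not code from the original post: a multi-pass overwrite of
# one file with read-back verification. Caveat: overwriting via the filesystem
# reaches only the blocks the file occupies now; SSD wear-levelling, journals
# and copy-on-write filesystems can keep old copies elsewhere on the device.

CHUNK = 1 << 20  # work in 1 MiB pieces so large files are not loaded whole

def _write_pass(fd, size, pattern):
    """Write `pattern` (None = random) over bytes 0..size; return SHA-256 written."""
    written = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = os.urandom(n) if pattern is None else pattern * n
        os.write(fd, buf)
        written.update(buf)
        remaining -= n
    os.fsync(fd)  # push this pass to the device before the next one starts
    return written.hexdigest()

def _read_back(fd, size):
    """SHA-256 of the file as it now reads back from disk."""
    seen = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        buf = os.read(fd, min(CHUNK, remaining))
        seen.update(buf)
        remaining -= len(buf)
    return seen.hexdigest()

def overwrite_file(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite `path` once per pattern, then verify the final pass.
    Returns the figures an erasure certificate summarises: size, pass count
    and whether the bytes read back match the last bytes written."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    expected = None  # stays None if no pass ran, so verification fails
    try:
        for pattern in passes:
            expected = _write_pass(fd, size, pattern)
        actual = _read_back(fd, size)
    finally:
        os.close(fd)
    return {"bytes": size, "passes": len(passes), "verified": expected == actual}
```

The read-back check only proves the file's current blocks hold the final pattern; it cannot see copies the storage layer may have kept, which is why the post recommends device-level tools or physical destruction for high-risk media.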

Degaussing

Degaussing uses a high-powered magnet to destroy data. It is a quick and effective method to destroy sensitive data, but it has some disadvantages. 

Once a device has been degaussed, its hard drive is no longer operable. Besides that, there is no way to know whether all the data has been destroyed without an electron microscope. 

Physical destruction

It turns out that taking a hammer to a hard drive is a very effective data destruction method for businesses of all sizes. However, not all companies can afford to spend money on replacing hard drives that have been pummeled in the name of data privacy, so this is not always an ideal solution. 

Shredding 

Another method similar to physical destruction, shredding is the most secure and cost-effective data destruction strategy. Shredding involves reducing electronic devices to tiny pieces, no larger than a couple of millimeters. 

This method is ideal for high-security environments and is most commonly used when an organization has a stockpile of old media to destroy. 

Final thoughts

Many businesses will outsource their data destruction needs to a dedicated data destruction company. But beware, just like in Morgan Stanley’s case, you could still be held responsible for any data that remains. 

You may think that your organization isn’t susceptible to a major data breach from decommissioned data centers and other equipment. However, small businesses are the number one target for cybersecurity breaches. 

That’s why businesses of all sizes must take the correct steps to destroy data and ensure their customers’ information stays secure.

USN-5342-1: Python vulnerabilities

David Schwörer discovered that Python incorrectly handled certain inputs.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 18.04 LTS. (CVE-2021-3426)

It was discovered that Python incorrectly handled certain FTP requests.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.
(CVE-2021-4189)

It was discovered that Python incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2022-0391)

What can March Madness and 538 teach us about cybersecurity risk?

I love this time of year, with March Madness excitement in the air and my Notre Dame Fighting Irish still in the tournament (as of the writing of this column)! More importantly – yes, more importantly – I love monitoring the 538 March Madness prediction website to see how the chances of winning change through the days, after games, and even within their 40 minutes of activity.

I like doing this because it is a better representation of how cybersecurity risk works than the way we typically think in our field. So, we can watch – even in real-time – how the chances of success (winning the game, moving on to the next round) and failure (losing) change with the variables during the game and the context outside of them (other games). As I watch those probabilities change – sometimes swinging wildly – I think of how cybersecurity-related risk changes in a similar manner, with the real-time activity in our computing environments – sessions, messages, transactions, flows, etc. – being established or sent.

5 old social engineering tricks employees still fall for, and 4 new gotchas

Blame it on pandemic fatigue, remote work or just too much information, but employees appear to be lowering their guard when it comes to detecting social engineering tricks. Attackers were more successful with their social engineering schemes last year than they were a year earlier, according to Proofpoint. More than 80% of organizations suffered a successful email-based phishing attack in 2021, according to a survey of 3,500 professionals. That’s a 46% jump from 2020.

“So many people, especially today with all the distractions and noise of the world, are on autopilot – just going through the motions,” says Kevin Beaver, principal consultant at security firm Principle Logic. “Their subconscious mind has taken over making what are often critical decisions. The bad guys know they have the upper hand.”
