Finnish ministries of foreign affairs and defense forced offline earlier today by DDoS attacks
Daily Archives: April 8, 2022
blender-2.68a-9.el7
FEDORA-EPEL-2022-4a24f39c87
Packages in this update:
blender-2.68a-9.el7
Update description:
Security fix for CVE-2017-12102, CVE-2017-12103, CVE-2017-12104, CVE-2017-12081, CVE-2017-12082, CVE-2017-12086, CVE-2017-12099, CVE-2017-12100, CVE-2017-12101, CVE-2017-12105, CVE-2017-2908, CVE-2017-2899, CVE-2017-2900, CVE-2017-2901, CVE-2017-2902, CVE-2017-2903, CVE-2017-2904, CVE-2017-2905, CVE-2017-2906, CVE-2017-2907, CVE-2017-2918.
Includes manual backports of the following upstream commits:
a6700362 “Memory: add MEM_malloc_arrayN() function to protect against overflow.”
d30cc1ea “Fix buffer overflows in TIFF, PNG, IRIS, DPX, HDR and AVI loading.”
07aed40 “Fix buffer overflow vulnerability in thumbnail file reading.”
e6df028 “Fix buffer overflow vulnerabilities in mesh code.”
e6df028 “Fix buffer overflow vulnerability in curve, font, particles code.”
#ISC2Events: Supply Chain Security is a Multifaceted Challenge
Organizations must understand the full range of factors involved when managing supply chain risk, says (ISC)2’s CISO, Jon France
AirTags Are Used for Stalking Far More than Previously Reported
Ever since Apple introduced AirTags, security people have warned that they could be used for stalking. But while there have been a bunch of anecdotal stories, this is the first vaguely scientific survey:
Motherboard requested records mentioning AirTags in a recent eight month period from dozens of the country’s largest police departments. We obtained records from eight police departments.
Of the 150 total police reports mentioning AirTags, in 50 cases women called the police because they started getting notifications that their whereabouts were being tracked by an AirTag they didn’t own. Of those, 25 could identify a man in their lives — ex-partners, husbands, bosses — who they strongly suspected planted the AirTags on their cars in order to follow and harass them. Those women reported that current and former intimate partners — the most likely people to harm women overall — are using AirTags to stalk and harass them.
Eight police departments over eight months yielded fifty cases. And that’s only where the victim (1) realized they were being tracked by someone else’s AirTag, and (2) contacted the police. That’s going to multiply out to a lot of AirTag stalking in the country, and the world.
Fuzzing tool company launches initiative to secure open-source software
ForAllSecure, maker of a next-generation fuzzing solution called Mayhem, announced a $2 million program Wednesday aimed at making open-source software (OSS) more secure. The company is offering developers a free copy of Mayhem and will pay them $1,000 if they integrate the software into a qualified OSS GitHub project.
“We’re on a mission to automatically find and fix the world’s exploitable bugs before attackers can succeed,” David Brumley, CEO and co-founder of ForAllSecure, said in a statement.
“OSS developers need help and don’t have access to the tools they need to quickly and easily find vulnerabilities,” Brumley continued. “Our Mayhem Heroes program democratizes software security testing, will make tens of thousands of OSS projects safer, and ultimately impact the security of systems used by everyone around the world.”
Qualys Multi-Vector EDR update prioritizes alert response
Cloud security and compliance software company Qualys has announced the latest version of its Multi-Vector endpoint detection and response (EDR) platform, with added threat hunting and risk mitigation capabilities and a clear focus on alert prioritization and reducing the time needed to respond to threats.
“Qualys Multi-Vector EDR acts as a force multiplier for customers—ultimately allowing them to consolidate vendors and agents via the Qualys Cloud Platform.” said Hiep Dang, vice president of EDR at Qualys. “This eliminates the need to manually analyze data across multiple sources to identify potential threats, and instead, allows security teams to prioritize events and take quicker action.”
YouTube Fraudsters Steal $1.7m in Crypto ‘Giveaway’
Take LAPSUS$ teens seriously
The ransomware group LAPSUS$, now well-known as the hackers responsible for the recent Okta breach, has returned from what they refer to as a “vacation,” this time with a leak impacting Globant, a large software company based in Luxembourg.
The group, which according to media reports is largely comprised of teens in the United Kingdom, broadcast the announcement to the 50,000 members of its Telegram channel. Known for stealing data from large organizations and then threatening to publish it if ransom demands are not met, the group leaked 70GB of material from Globant consisting of extracted data and credentials from the company’s DevOps infrastructure. Some of the stolen data includes administrator passwords found in the firm’s Atlassian suite, including Confluence and Jira, and the Crucible code review tool.