gzip-1.10-6.fc35

Read Time:19 Second

FEDORA-2022-6746dde2a0

Packages in this update:

gzip-1.10-6.fc35

Update description:

zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.

reproducer:

$ touch foo.gz
$ echo foo | gzip > “$(printf ‘|n;e touch pwnedn#.gz’)”
$ zgrep foo *.gz

(the unfixed version of zgrep creates the file called pwned)

Read More

gzip-1.11-3.fc36

Read Time:19 Second

FEDORA-2022-eeb6c686c7

Packages in this update:

gzip-1.11-3.fc36

Update description:

zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.

reproducer:

$ touch foo.gz
$ echo foo | gzip > “$(printf ‘|n;e touch pwnedn#.gz’)”
$ zgrep foo *.gz

(the unfixed version of zgrep creates the file called pwned)

Read More

gzip-1.10-5.fc34

Read Time:19 Second

FEDORA-2022-6b512ae9e5

Packages in this update:

gzip-1.10-5.fc34

Update description:

zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.

reproducer:

$ touch foo.gz
$ echo foo | gzip > “$(printf ‘|n;e touch pwnedn#.gz’)”
$ zgrep foo *.gz

(the unfixed version of zgrep creates the file called pwned)

Read More

Upcoming Speaking Engagements

Read Time:30 Second

This is a current list of where and when I am scheduled to speak:

I’m speaking at Future Summits in Antwerp, Belgium on May 18, 2022.
I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022.
I’m speaking at the 14th International Conference on Cyber Conflict, CyCon 2022, in Tallinn, Estonia on June 3, 2022.
I’m speaking at the RSA Conference 2022 in San Francisco, June 6-9, 2022.
I’m speaking at the Dublin Tech Summit in Dublin, Ireland, June 15-16, 2022.

The list is maintained on this page.

Read More

Industrial Control System Malware Discovered

Read Time:21 Second

The Department of Energy, CISA, the FBI, and the NSA jointly issued an advisory describing a sophisticated piece of malware called Pipedream that’s designed to attack a wide range of industrial control systems. This is clearly from a government, but no attribution is given. There’s also no indication of how the malware was discovered. It seems not to have been used yet.

More information. News article.

Read More

Smashing Security podcast #270: Bearded Barbie, EDR scams, and hobbyist crime detectives

Read Time:23 Second

Pulchritudinous women with glossy long hair are targeting Israeli officials via Facebook – but why? Scammers have found a new way to gain access to your most sensitive information – but how? And armchair detectives are helping investigating cold cases involving DNA – but should they?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Read More

Ballooning growth of digital identities exposing organizations to greater cybersecurity risk

Read Time:39 Second

A wave of digital initiatives by organizations worldwide has created an explosion of human and machine identities that are increasing the exposure of those organizations to ransomware and supply chain threats, according to CyberArk’s 2022 Identity Security Threat Landscape report released Tuesday.

The report found that nearly four out of five of the 1,750 IT security decision makers surveyed for the report (79%) agreed that security was taking a back seat to other IT and digital initiatives. Those initiatives—especially those prioritizing remote or hybrid working, new digital services for customers and citizens, and increased outsourcing of remote vendors and suppliers—have created hundreds of thousands of new digital identities in each organization, which can increase their exposure to cybersecurity risk.

To read this article in full, please click here

Read More

Balooning growth of digital identities exposing organizations to greater cybersecurity risk

Read Time:39 Second

A wave of digital initiatives by organizations worldwide has created an explosion of human and machine identities that are increasing the exposure of those organizations to ransomware and supply chain threats, according to CyberArk’s 2022 Identity Security Threat Landscape report released Tuesday.

The report found that nearly four out of five of the 1,750 IT security decision makers surveyed for the report (79%) agreed that security was taking a back seat to other IT and digital initiatives. Those initiatives—especially those prioritizing remote or hybrid working, new digital services for customers and citizens, and increased outsourcing of remote vendors and suppliers—have created hundreds of thousands of new digital identities in each organization, which can increase their exposure to cybersecurity risk.

To read this article in full, please click here

Read More