USN-5435-1: Thunderbird vulnerabilities

Read Time:52 Second

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
bypass permission prompts, obtain sensitive information, bypass security
restrictions, cause user confusion, or execute arbitrary code.
(CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913,
CVE-2022-29914, CVE-2022-29916, CVE-2022-29917)

It was discovered that Thunderbird would show the wrong security status
after viewing an attached message that is signed or encrypted. An attacker
could potentially exploit this by tricking the user into trusting the
authenticity of a message. (CVE-2022-1520)

It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could exploit this to execute
JavaScript in a privileged context. (CVE-2022-1529, CVE-2022-1802)

Read More

USN-5434-1: Firefox vulnerabilities

Read Time:15 Second

It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website,
an attacker could exploit this to execute JavaScript in a privileged
context.

Read More

USN-5433-1: Vim vulnerabilities

Read Time:1 Minute, 36 Second

It was discovered that Vim incorrectly handled parsing of filenames in its
search functionality. If a user were tricked into opening a specially crafted
file, an attacker could crash the application, leading to a denial of
service. (CVE-2021-3973)

It was discovered that Vim incorrectly handled memory when opening and
searching the contents of certain files. If a user were tricked into opening
a specially crafted file, an attacker could crash the application, leading to
a denial of service, or possibly achieve code execution with user privileges.
(CVE-2021-3974)

It was discovered that Vim incorrectly handled memory when opening and editing
certain files. If a user were tricked into opening a specially crafted file,
an attacker could crash the application, leading to a denial of service, or
possibly achieve code execution with user privileges. (CVE-2021-3984,
CVE-2021-4019, CVE-2021-4069)

It was discovered that Vim was using freed memory when dealing with regular
expressions inside a visual selection. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2021-4192)

It was discovered that Vim was incorrectly performing read and write
operations when in visual block mode, going beyond the end of a line and
causing a heap buffer overflow. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2022-0261, CVE-2022-0318)

It was discovered that Vim was using freed memory when dealing with regular
expressions through its old regular expression engine. If a user were tricked
into opening a specially crafted file, an attacker could crash the application,
leading to a denial of service, or possibly achieve code execution with user
privileges. (CVE-2022-1154)

Read More

Forging Australian Driver’s Licenses

Read Time:1 Minute, 16 Second

The New South Wales digital driver’s license has multiple implementation flaws that allow for easy forgeries.

This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.

A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data.

The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations….

[…]

The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority which is the Service NSW API/database.

This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warn users when this data has been modified.

As the Digital Licence is stored on the client’s device, validation should take place to ensure the local copy of the data actually matches the Digital Driver’s Licence data that was originally downloaded from the Service NSW API.

As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.

There’s a lot more in the blog post.

Read More

USN-5432-1: libpng vulnerabilities

Read Time:32 Second

It was discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possible execute
arbitrary code. (CVE-2017-12652)

Zhengxiong Luo discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possible execute
arbitrary code. (CVE-2018-14048)

Read More

How to stay ahead of the Cybersecurity labor crisis and keep growing your business

Read Time:6 Minute, 58 Second

This blog was written by an independent guest blogger.

Cybersecurity is a complex task that is never complete. It’s an ongoing proactive practice of securing, monitoring, and mitigating threats. It’s a constant cycle where threats and vulnerabilities are detected, teams investigate and mitigate any issues, then network cybersecurity systems are reinforced to combat the next potential threat. 

Business operations increasingly rely on numerous devices and digital tools to accomplish daily tasks. Laptops, smartphones, desktops, business applications, and software are used to protect sensitive data in an era of remote and hybrid working options. In today’s world, business endpoint security is an absolute requirement to prevent costly breaches. 

There’s no question that cybersecurity should be a number one focus for businesses that want to keep growing. But it’s challenging to improve and scale cybersecurity efforts in an environment that is constantly changing, with new threats and technologies constantly being developed. To make things worse, the cybersecurity labor crisis only intensifies. 

If your organization is struggling to maintain adequate cybersecurity personnel with the necessary knowledge and expertise to protect your organization’s most valuable assets, then look at these tips to help your company stay ahead of the cybersecurity labor crisis and keep growing your business. 

What is the cybersecurity labor crisis?

As the demand for cybersecurity services increases, the number of knowledgeable cybersecurity professionals looking for full-time employment dwindles. The US Bureau of Labor Statistics expects “IT security analyst” to be one of the top 10 fastest growing occupations over the next decade. Cybersecurity only accounts for 13% of the IT market overall, yet the amount of cybersecurity job postings is three times greater than other IT positions. 

2020 marked a significant shift as remote work became a reality in nearly every industry. This has led to increased cybersecurity needs as companies add numerous devices to their networks to accommodate remote workers. The result? Overworked technology professionals and IT teams. 

Despite the number of open cybersecurity positions, companies are having difficulty finding talent to fill in the gaps. Right now, it’s a workers’ game. Without adjusting to the needs of cybersecurity workers, businesses will be left without and could leave their networks vulnerable to damaging cyber-attacks. 

Tips to keep growing your business during the cybersecurity labor crisis

The past few years have pushed cybersecurity professionals to their limits. In one of the most in-demand industries, they experience heavy workloads, long hours, and limited flexibility. It’s no wonder that technology professionals are burning out and seeking work-from-home opportunities like freelancing, consulting, building their own small businesses, or working for competitors with a better offer. 

To overcome the cybersecurity labor shortage, companies must realign their business models to a customer-centric perspective. Instead of making business decisions purely for profits and productivity, companies should also improve their company cultures to enhance their employees’ work experiences. Here are some tips to help you stay ahead of the cybersecurity labor shortage and attract top talent to your organization:

Update your benefits package

Arguably, the first thing businesses should do is update their benefits package. The values of workers have changed since the onset of the pandemic. Cybersecurity professionals now seek flexibility and remote working options that allow them to more efficiently manage their work-life balance. 

Recent surveys reveal the benefits that employees want the most: 

95% want better health care benefits
71% value retirement benefits
50% need family leave benefits
29% expect a more flexible work environment

Businesses should also take a look at their compensation and benefits packages. If your competitors offer the same salary with more time off, better 401(k) options, and six months of paid parental leave, you can guess where valued employees might end up. Adjust the salaries of your cybersecurity professionals to reflect the value they bring to your company and open up your company to a broader talent pool. 

Seek out diverse talent

Job experts say that there are plenty of opportunities to bring new talent to tech positions like cybersecurity. The best way to do that is through diversity. DE&I has been a hot topic for organizations in light of recent social movements calling for equality across people of different experiences, races, and genders. But committing to seeking out diverse talent is more than just the right thing to do. It can also be a smart business move for companies that want to grow during the cybersecurity labor shortage. 

Although gender equality in the workplace has come a long way since the 60s, when women couldn’t even open a bank account, only 25% of cybersecurity professionals are women in 2022. 

Even more shocking, only 3% of cybersecurity professionals are Black. Subconscious bias plays a big part in how recruiters evaluate potential candidates, so companies should work toward more equitable recruiting practices. 

Organizations should also look at the diversity represented across their existing teams. Look for crucial skills in historically underrepresented groups such as minorities and people with disabilities. And provide plenty of opportunities for training, advancement and high-level positions for people with diverse identities. 

Leverage third party monitoring and support

Another great way to continue scaling your business is to leverage technology. There are many different types of software and managed services that help businesses maintain their cybersecurity ecosystem without an in-house IT team or to help fill in talent gaps. Digital tools that utilize automation, machine learning, and AI can help reduce the number of tedious processes that workers have to devote time to so that they can focus on higher-value activities. 

A great example of an application that helps mitigate security risks through intuitive tools and automation is Visualping. Website defacement monitoring tool makes it easy to track visual or code changes, as well as monitor links and other sensitive elements on your organization’s website. Instead of cybersecurity personnel monitoring changes 24/7, this streamlined application allows teams to get security alerts through text, email, Slack, and more. 

Invest in professional development

While spending money is the last thing that business owners looking to scale want to do, it is often the best way to ensure that you have all the resources necessary to level up. And when it comes to personnel, your investment can mean the difference between growing or lagging. 

Companies should invest in their current employees just as much as (if not more than) acquiring new talent. By providing education and cross-training for roles in your organization, you can arm yourself against the cybersecurity labor shortage. Programs such as one-on-one coaching, in-house training, and shadowing help your current employees upskill while on the job. And you build a team of talented cybersecurity professionals. 

Professional development is a great way to retain employees and improve their skills simultaneously. Organizations should outline clear career paths for each role and offer competitive compensation to attract driven individuals that are eager to learn. This gives your workers a goal to work towards, as well as builds a sense of ownership and loyalty among employees. 

Partner with higher education

Another great way to stay ahead of the labor shortage and enhance your operations is to develop partnerships with higher education and other industry-related programs. Top companies know this secret to success and consistently offer funding and resources in exchange for a direct funnel into cybersecurity positions. Companies can offer internships, speak at industry events, and recruit at universities to find unique talent that can help scale your business. 

There are many ways that organizations can get involved in the education sector. Look at your competitors and discover the ways that they are encouraging young college students to look into the field of cybersecurity or how you can create a direct funnel of talented individuals to your organization. 

Final thoughts

The demand for, and demands on cybersecurity professionals has left workers burnt-out, tired, and willing to leave their positions to seek out better opportunities on their own. Companies that want to keep growing their business are facing challenges as the cybersecurity workforce dwindles. According to a recent study, 57% of organizations feel the negative impacts of the cybersecurity labor shortage. To attract and retain knowledgeable cybersecurity professionals, companies need to develop new employment models that give workers the things they need to be satisfied and successful. 

Read More

IDaaS explained: How it compares to IAM

Read Time:49 Second

It is often said that identity is the new perimeter in the world of cloud-native ecosystems and zero trust. Identity is inarguably at the center of everything we do in modern systems and it is key to facilitating zero trust architectures and proper access control. That said, running identity and access management (IAM) at scale can be a daunting task, which is why more organizations are adopting identity-as-a-service (IDaaS) solutions.

IDaaS has its pros and cons, but first let’s clarify what IDaaS is.

What is IDaaS?

IDaaS is a cloud-based consumption model for IAM. Much like everything else in today’s modern technology ecosystem, IAM can be offered as a service. While there are some exceptions, IDaaS is typically delivered via the cloud and can be offered as a multitenant offering or dedicated delivery model depending on the organizational requirements and the capabilities of the provider in question.

To read this article in full, please click here

Read More