Smashing Security podcast #276: Webcam extortion, Michael Fish, and food foul-ups

Read Time:21 Second

A browser extension bug let malicious websites spy on webcams, hackers threaten the global food supply chain, and Michael Fish (not that one…) hacked into his female classmates’ online accounts, hunting for nude photos and videos.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Read More

Microsoft security vulnerabilities drop after five-year rise

Read Time:42 Second

The total number of Microsoft vulnerabilities reported in 2021 dropped by 5%, reversing a five-year trend that saw such vulnerabilities rising sharply, according to a new report from identity management and security vendor BeyondTrust.

A total of 1,212 new vulnerabilities were discovered in 2021, but their severity, as well as their location in the Microsoft family of software products, has changed substantially year over year. Vulnerabilities rated as “critical” on the CVSS standard dropped by 47% in the past year, reaching their lowest levels since BeyondTrust began issuing this report, nine years ago.

Vulnerabilities on Windows, Windows Server drop

Windows and Windows Server both saw sharp drops in total vulnerabilities detected, by 40% and 50%, respectively, while vulnerabilities affecting Microsoft’s Edge and Internet Explorer browsers hit a record high.

To read this article in full, please click here

Read More

Drupal core – Moderately critical – Third-party libraries – SA-CORE-2022-010

Read Time:1 Minute, 15 Second
Project: 
Date: 
2022-May-25
Vulnerability: 
Third-party libraries
CVE IDs: 
CVE-2022-29248
Description: 

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as high-risk.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.14.
If you are using Drupal 9.2, update to Drupal 9.2.20.

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Reported By: 
Fixed By: 
cilefen of the Drupal Security Team
Jess of the Drupal Security Team
Dezső BICZÓ
Greg Knaddison of the Drupal Security Team
Benji Fisher, provisional member of the Drupal Security Team
Damien McKenna of the Drupal Security Team
Alex Pott of the Drupal Security Team

Read More

Advancing our Secure Home Platform with DNS over HTTPS

Read Time:2 Minute, 33 Second

On the internet, the Domain Name System (DNS) is the way regular people access websites such as ESPN.com or BBC.com. However, the internet uses a unique series of Internet Protocol (IP) addresses to access websites which are tricky for humans to remember.  Web browsers typically interact with websites through IP addresses, and DNS translates websites into IP addresses so browsers can access Internet resources. Historically, this has been done in the form of unencrypted clear text that ISPs and security providers such as McAfee can read and act upon to sort through risky websites or to improve network performance and intelligence.

However, this also opens up vulnerabilities of security and privacy.  As an industry, (Apple, Microsoft, Google, and others) participants are moving toward encrypting this traffic to and from DNS servers with protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH). Unless the ISP offers DoT/DoH decryption (translation) capabilities, traffic could go directly to outside DNS providers such as Google DNS and Cloudflare who do. Without this visibility, unsafe websites cannot be seen and blocked using DNS filtering technology. Customers can visit sites created by criminals that can trick them to steal their account credentials, download ransomware, or show inappropriate content to their kids.

We’re advancing our Secure Home Platform (SHP) technology to future proof the ability for our partners to protect their customers, their families, and their connected home devices. McAfee is the first in the market to build and introduce this technology. McAfee and OpenXchange have partnered to provide an integration of a forwarder/translator (PowerDNS) with the home router-based SHP product that will make it possible to keep the traffic within the ISP network, as shown in the diagram below – allowing DNS filtering even in encrypted DNS environments.

The ISP can continue to read the traffic and stands to benefit in several ways:

Continued ability to offer security protections such as anti-virus, malware filtering, blocking phishing attempts, distinguishing legitimate services, content caching, and parental controls. McAfee Secure Home Platform protects customers/homes from potential harm from an average of 70 potential threats per week
Helps defend against DDoS, man-in-the-middle, and botnet attacks
More streamlined DoH connections – more private and secure, especially important to sophisticated consumers
Locate content based on user demand, and hence improve performance
The ISP is not burdened by support issues caused by traffic going outside their network and purview, e.g., to a third-party DNS provider – fewer unhappy customers and support calls due to fewer security incidents.
Help comply with Government regulations – block bad actors, terrorist websites, illegal file-sharing, child abuse, national security, court-ordered regulatory blocklists, ban foreign gambling, etc.

Consumers in turn benefit from these additional capabilities that ISPs can provide in security, privacy, and performance.

If you are interested in McAfee’s exciting new DoT-DoH technology for the Secure Home Platform, please contact your McAfee Account Representative for further details.

The post Advancing our Secure Home Platform with DNS over HTTPS appeared first on McAfee Blog.

Read More