FEDORA-2022-98830efc68
Packages in this update:
shim-15.6-1
shim-unsigned-aarch64-15.6-1
shim-unsigned-x64-15.6-1
Update description:
This fixes several issues, most notably BZ#1955416 and CVE-2022-28737. Please test.
The cache of 18.5GB connection logs allegedly contained more than 25 million records
SAP confirmed most of the vulnerabilities have now available fixes, and advised companies to update their systems as soon as possible.
Researchers warn of a new worm that’s infecting Linux servers by brute-forcing and stealing SSH credentials. The hijacked servers are joined in a botnet and are used to mine cryptocurrency by loading mining programs directly in memory with no files on disk.
Dubbed Panchan by researchers from Akamai, the malware is written in the Go programming language, which allows it to be platform independent. It first appeared in late March and has infected servers in all regions of the world since then, though Asia does seem to have a bigger concentration. The most impacted vertical seems to be education.
“This might be due to poor password hygiene, or it could be related to the malware’s unique lateral movement capability with stolen SSH keys,” the Akamai team said in a blog post. “Researchers in different academic institutions might collaborate more frequently, and require credentials to authenticate to machines that are outside of their organization/network, than employees in the business sector. To strengthen that hypothesis, we saw that some of the universities involved were from the same country — Spain, or others from the same region, like Taiwan and Hong Kong.”
New side-channel attacks reportedly use frequency side channels to extract cryptographic keys
Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-31625)
Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-31626)
This is a new vulnerability against Apple’s M1 chip. Researchers say that it is unpatchable.
Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.
The attack, appropriately called “Pacman,” works by “guessing” a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn’t been maliciously altered. This is done using speculative execution—a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation—to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct.
What’s more, since there are only so many possible values for the PAC, the researchers found that it’s possible to try them all to find the right one.
It’s not obvious how to exploit this vulnerability in the wild, so I’m unsure how important this is. Also, I don’t know if it also applies to Apple’s new M2 chip.
The US authorities have sentenced a man to 24 months in a federal prison after he was found to have run a DDoS-for-hire service that knocked websites off the internet.
Read more in my article on the Hot for Security blog.
This blog was written by an independent guest blogger.
It’s well known that there’s a pervasive cybersecurity skills shortage. The problem has multiple ramifications. Current cybersecurity teams often deal with consistently heavy workloads and don’t have time to deal with all issues appropriately. The skills shortage also means people who need cybersecurity talent may find it takes much longer than expected to find qualified candidates.
Most people agree there’s no single way to address the issue and no fast fix. However, some individuals wonder if global recruitment could be an option, particularly after human resources managers establish that there aren’t enough suitable candidates locally.
A June 2022 study from Trellix revealed that 30% of current cybersecurity professionals are thinking about changing their careers. Gathering from a wider candidate pool by recruiting people on a global level could increase the number of overall options a company has when trying to fill open positions.
However, it’s essential to learn what’s causing cybersecurity professionals to want to leave the field. Otherwise, newly hired candidates may not stick around for as long as their employers hope. It’s also important to note that the Trellix poll surveyed people from numerous countries, including the United States, Canada, India, France, and Japan.
Another takeaway from the study was that 91% of people believed there should be more efforts to increase diversity in the cybersecurity sector. The study showed that most employees in the industry now are straight, white, and male. If more people from minority groups feel welcomed and accepted while working in cybersecurity roles, they’ll be more likely to enter the field and stay in it for the long term.
Some companies have already invested in global recruitment efforts to help close cybersecurity skills gaps.
For example, Microsoft recently expanded its cybersecurity skills campaign to an additional 23 countries – including Ireland, Israel, Norway, Poland, and South Africa. All the places were identified as under high threat of cybersecurity attacks. Microsoft representatives have numerous plans to get people the knowledge they need to enter the workforce confidently and fill cybersecurity roles.
The hiring initiative also includes some Asia-Pacific (APAC) countries. That’s significant since statistics suggest the APAC region will face a labor shortage of 47 million people across all job types by 2030.
Something human resources leaders must keep in mind before hiring cybersecurity professionals is that the open positions should include attractive benefits packages that are better than or on par with what other companies in the sector provide.
Since cybersecurity experts are in such high demand, they enjoy the luxury of being picky about which jobs they consider and how long they stay in them. Even though cultural differences exist, there are some similarities in what most people look for in their job prospects. Competitive salaries and generous paid time off are among the many examples.
Global research published in 2021 by (ISC)² found that 700,000 new people had joined the cybersecurity workforce since 2020. However, the study also showed that the worldwide pool of professionals must grow by 65% to keep pace with demand.
The study’s results also suggested that one possibility is to recruit people who don’t have cybersecurity backgrounds. The data indicated that 17% of respondents came into the field from unrelated sectors.
Some experts suggest tapping into specific population groups as a practical way to address the shortage. For example, people with autism and ADHD often have skills that make them well suited for the cybersecurity industry.
Hiring people from around the world could close skill gaps in situations where it’s evident there’s a lack of talent in the locations where a company primarily operates. However, as the details above highlight, the skills shortage is a widespread issue.
Accepting applications from a global talent pool could also increase administrative work when a company is ready to hire. That’s partially due to the higher number of applications to evaluate. There are also other requirements to handle, such as visa applications or time zone differences if an international new hire will work remotely.
People in the IT sector should ideally see global recruitment as one of many possibilities for reducing the severity of the cybersecurity skills gap. It’s worth consideration, but not at the expense of ignoring other strategies.
Buy now, pay later services represent an increasingly attractive target