FEDORA-2022-e81c0db364
Packages in this update:
squirrel-2.2.5-25.fc35
Update description:
backport fixes for CVE-2021-41556 and CVE-2022-30292
squirrel-2.2.5-25.fc36
backport fixes for CVE-2021-41556 and CVE-2022-30292
Amazon has revealed that it gives police videos from its Ring doorbells without a warrant and without user consent.
Ring recently revealed how often the answer to that question has been yes. The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirming that there have been 11 cases in 2022 where Ring complied with police “emergency” requests. In each case, Ring handed over private recordings, including video and audio, without letting users know that police had access to—and potentially downloaded—their data. This raises many concerns about increased police reliance on private surveillance, a practice that has long gone unregulated.
EFF writes:
Police are not the customers for Ring; the people who buy the devices are the customers. But Amazon’s long-standing relationships with police blur that line. For example, in the past Amazon has given coaching to police to tell residents to install the Ring app and purchase cameras for their homes—an arrangement that made salespeople out of the police force. The LAPD launched an investigation into how Ring provided free devices to officers when people used their discount codes to purchase cameras.
Ring, like other surveillance companies that sell directly to the general public, continues to provide free services to the police, even though they don’t have to. Ring could build a device, sold straight to residents, that ensures police come to the user’s door if they are interested in footage—but Ring instead has decided it would rather continue making money from residents while providing services to police.
CNet has a good explainer.
Slashdot thread.
This blog was written by an independent guest blogger.
The hybrid working model is the new norm due to its effectiveness and the productivity it offers. However, it does pose significant drawbacks to an organization’s network security, making it vulnerable to several cyber-attacks such as credential harvesting.
Credential harvesting is an approach attackers use to gain access to an organization's credentials remotely. These credentials often include usernames, passwords, email addresses, and email contents. Attackers use multiple tactics, techniques, and procedures, such as man-in-the-middle (MiTM) attacks, DNS poisoning, and phishing, to obtain valid credentials illegally. Those credentials then provide open access to the organization's databases, network, and systems for data exfiltration, and the attacker may sell the stolen data to third parties on the dark web.
The exponential rise in credential harvesting attacks poses a particularly alarming situation. The recent Account Takeover Report found 24 billion credentials on sale over the dark web. Amidst this, it has become downright crucial to understand credential harvesting attacks and adopt appropriate measures to mitigate them.
Cyber attackers long ago figured out the easiest way to gain access to an enterprise’s sensitive data is by invading the end users’ privacy by compromising their credentials or identity. Hackers widely use credential harvesting, and their main aim and goal are to access the network to steal the data or sell the stolen information on the dark web. Moreover, cybercriminals even use the data to demand hefty ransoms.
Credential harvesting is closely related to phishing. In 2020, 71.5% of phishing attacks focused on credential harvesting, and 72% of employees confirmed that they had clicked a malicious link in a phishing email, making it easy for attackers to harvest credentials.
By embedding malicious links in PDF or Word files, attackers bypass firewalls and email protection systems. When targeted victims enter their usernames and passwords on the linked page, they give away their credentials. To appear more legitimate, attackers may spoof the names and email addresses of company employees and other partners.
Attackers may also use password-dumping tools that extract stored passwords and make their work easier. Once they have infected a system, attackers can move laterally within the organization's network to achieve their goal.
Another tactic attackers use is the MiTM attack. They set up a rogue wireless network that impersonates a business Wi-Fi hotspot. By connecting to such a network, victims give attackers full visibility into their traffic, allowing them to track and record the victims' activity and data.
What makes these attacks successful is the widespread lack of security awareness. While working remotely, users often connect to public Wi-Fi and unsecured networks without using appropriate tools such as VPNs. Even when a user does decide to use a VPN, many rely on a free VPN that significantly compromises their privacy and security.
Strong credentials might not save you from hackers’ intrusions and data leaks. But taking strong security measures will help prevent unauthorized users from accessing the organization’s accounts. Following are some of the best practices to reduce the risk of credential harvesting.
Implement Multi-Factor Authentication (MFA)
One of the most effective defenses against credential harvesting attacks is to implement MFA. It is one of the best-known methods of stopping unwanted people from moving laterally within an organization and accessing sensitive data. MFA allows users to set up multiple ways (text messages, email, or phone calls) to verify their identity. Even if attackers have compromised a user's password, they still cannot pass the additional authentication step. The targeted user is also warned about the unusual sign-in attempt and can immediately change the password.
Risk-based access control
Risk-based access control is an advanced protection method that uses a machine learning system to define and enforce the access control policy according to user behavior. Using ML-based systems and user profiles, access decisions are made in real time: access is granted when the risk is low and blocked when the risk is higher. It is used alongside MFA and covers the steps of identification, authentication, and authorization.
Phishing education
As phishing attacks are a primary cause of credential harvesting attacks, all employees must receive adequate training about phishing. Through training and awareness programs, staff members should learn how to identify and respond to a phishing attack. Furthermore, they must be encouraged to report anything suspicious so that action can be taken quickly before damage is done.
Ensure credential vaulting
Credential vaulting also provides a secure pathway for users to avoid credential harvesting attacks. With these systems, privileged credentials are kept in an encrypted vault and users never see the actual login information. Instead, users check out access through the vault, which passes the encrypted credential to the appropriate system and logs them in automatically. This ensures that credentials cannot be stolen from users, because users never had the login information in the first place.
In addition, credential vaulting offers valuable tracking and usage information for all your privileged logins for auditing and monitoring.
Stealing credentials and using them to access a network is the hackers’ ultimate goal. Threat actors use various tactics to harvest credentials and use them for malicious purposes. But by incorporating strong defensive measures and educating employees, organizations can reduce the risk factor.
As data compliance laws proliferate across the globe, security professionals have become too focused on checking compliance boxes when they should be focused on reducing risk. Can the two work harmoniously together?
The answer depends on how effectively IT security leaders can work with their auditors and speak to their boards, say experts. These are their top five recommendations:
It’s well-known that compliance is about protecting regulated data, while cybersecurity is focused on keeping bad guys out. From a data protection perspective, the key security measure then is to avoid processing or storing regulated data that isn’t needed. If regulated data must be stored, make sure you’re using stronger-than-recommended encryption, says James Morrison, national cybersecurity specialist for Intelisys, the infrastructure support division of payment systems company, ScanSource.
Every time a user opens an app on their device, it seems they are being asked to provide both information necessary to engage with the app and far too often additional information that falls into the nice-to-have or marketing niche. Having CISOs participating in the discussions on what data is necessary for an app to function is table stakes. They should have a say in how that data is parsed to determine how it must be protected to remain in compliance with privacy laws. In addition, CISOs have a role to play in assisting the workforce in remaining safe online as well as protecting their (and the company’s) privacy.
During a recent conversation with Rob Shavell, founder of DeleteMe, he commented that data over-collection by companies is a rampant problem. Data brokers take what you give them and what they scrape, then package and sell it. He notes, “Employers are now helping employees protect their PII [personal identifiable information] as it is in the company’s interest to do so.”
libtiff-4.4.0-4.fc36
Security fix for CVE-2022-34526.
Multiple security vulnerabilities have been discovered in cURL, a URL transfer library. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data, or facilitate a denial of service attack.