CVE-2021-3782


An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.
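The counter defect described above, as an added C example that is not libwayland's own code: a constructed pool structure (names and layout assumed) holding an `int` reference count, with the unconditional increment beside a saturating one and a release path that refuses to go below zero.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for a shared-memory pool tracking structure.
 * Field names and layout are assumptions for this example. */
struct shm_pool {
    int refcount;      /* the counter the advisory describes */
    void *storage;     /* backing memory shared with created buffers */
};

/* Pre-fix pattern: every new buffer bumps the count with no bound.
 * Once the count reaches INT_MAX the next increment is undefined in C;
 * in practice it wraps negative, and a later decrement that lands on
 * zero frees the pool while live references still point at it. */
void pool_ref_unchecked(struct shm_pool *p) { p->refcount++; }

/* Hardened pattern: refuse the new reference when the counter is
 * saturated, so the caller fails the buffer creation with an error
 * instead of corrupting the count. */
bool pool_ref_checked(struct shm_pool *p) {
    if (p->refcount == INT_MAX)
        return false;
    p->refcount++;
    return true;
}

/* Drop one reference; returns true when this release freed the pool.
 * Rejecting a release at zero keeps a stray extra unref from becoming
 * a double free. In real code this branch should be logged as a bug. */
bool pool_unref(struct shm_pool *p) {
    if (p->refcount <= 0)
        return false;
    if (--p->refcount == 0) {
        free(p->storage);
        p->storage = NULL;
        return true;
    }
    return false;
}
```

The checked variant turns a silent wrap into a visible allocation failure, which is the observable a test suite or fuzzer can assert on.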


How Often Should You Change Your Passwords?


When it comes to passwords, most of us would love nothing more than to set it and forget it. But that’s exactly what hackers are hoping for — in fact, it makes their job a lot easier. This means the best line of defense is frequent password changes.

But how often should you create new passwords? Cybersecurity experts recommend changing your password every three months. There may even be situations where you should change your password immediately, especially if a cybercriminal has access to your account.  

This article explores those exact situations and covers some of the best password practices you can use to help safeguard these important combinations of letters and numbers.  

Situations when you should immediately change your password

While 90 days is a generous amount of time between password changes, there are some situations where you’ll want to change your password immediately. 

Your account was hacked

If you think someone has hacked your account, it’s important to act fast and change your password. Did everyone in your address book get a strange email that looks like it’s from you? Change your email password. Are your Facebook friends getting a new friend request from you? Something’s not right, so you’ll want to change your password.  

This can help limit the amount of time a cybercriminal has access to your account.  

After a data breach

If there’s a password breach at work or within a company you do business with, you’ll want to change the password for any affected accounts. If you use that password for any other websites, you’ll definitely want to change your password to those accounts. If hackers get access to your password, they may try it on multiple websites to see what else they can steal. 

You used an unsecured network

As much as possible, try to avoid logging into your secure accounts on public Wi-Fi, such as at a library or cafe. Generally, an unsecured network means your online activity is public. If you need to use an unsecured network, change your password once you’re on a secure network.

It can also be a good idea to look into a smart VPN like McAfee Secure VPN, which automatically turns on to protect your personal data and credit card information even if you need to use public Wi-Fi.  

You discover malware

Your personal information could be at risk if malware infects your computer. If you have quality antivirus software (like what’s included in McAfee Total Protection) and it detects malware, you’ll want to change your passwords from another device.  

You remove people from the account

If you no longer have contact with someone, there’s no need for them to remain on your Netflix or Amazon account. There’s also no need for an ex to share a bank account or have mobile app access. Create new passwords when you’re no longer sharing an account with someone. 

You no longer use certain accounts

You may have an account you haven’t used in a year, such as from an online retailer. Change old passwords for seldom-used accounts and close the account if you don’t intend to use it again. 

How to create a strong password

A good password can make it more difficult for hackers to access your accounts. But what exactly makes a strong password? Here are a few criteria. 

It’s used only for one account. While it can be easy to use similar passwords for multiple accounts, hackers might be able to get into your other online accounts if they access just one.  
It’s at least 12 characters long. To make it easy to remember, use a lyric from a song or poem (for example, “andtherocketsredglare”). Or make an abbreviation from the words in a sentence (changing “the quick brown fox jumped over the lazy dog in the backyard” to “tqbfjotlditb,” for instance).  
It’s a complex password. Include at least one capital letter, one number, and one symbol. A computer can guess a password with eight letters immediately. But a 12-character password with at least one uppercase and one lowercase letter, number, and a special character would take 34,000 years to crack. Some sites allow users to create a passphrase. That’s a string of words that can be up to 100 characters long. 
It’s hard to guess. Don’t use information that people who know you or look at your social media can guess. Avoid personal information like your nickname or initials, birthday, address or street name, or a child or pet’s name. 
It doesn’t use common words like “password” or “qwerty.” You’d be surprised how many people use “password123” or “123456” as a password. A cybercriminal would not. 

What are the most common ways passwords get hacked?

A cybercriminal may use a variety of strategies to access your passwords. Here are some of their most common tactics. 

Guesswork: This is why password security requires unique passwords that don’t include personal information. 
Buying passwords on the dark web: Search engines don’t index the dark web. A lot of dark web activity isn’t traceable, including the sale of passwords.  
Phishing: This is when a hacker sends an email that appears to be from a trusted source to trick the recipient into typing in their password. 
Malware: Cybercriminals may infect a device with malicious software that allows them to access personal data, including passwords. 
Shoulder surfing: This could happen in a coffee shop or office if you leave sticky notes showing your passwords on your desk. 
Spidering: These are bots that search the web looking for personal data. 
Brute force attack: A bot systematically tries thousands of passwords hoping to find the correct one. 

How can you keep your online passwords secure?

When it comes to keeping your data secure, password complexity is just the beginning. Here are a few additional tips for keeping your passwords safe. 

Do a password audit

Review the passwords for all of your accounts. Make sure you’re not using any for multiple websites. See if your passwords are guessable. Do they include personal information like birthdays or addresses? If you find passwords that are weak or repeated, change those first. 

Use multi-factor authentication

Set up multi-factor authentication for important accounts, such as with financial institutions. Logging into a website with two-factor authentication requires you to enter a code sent by text or email in addition to a username and password.  

Some accounts require multi-factor authentication with biometric factors for added security, such as a thumbprint or face scan. Using multi-factor authentication with long, complicated passwords can make an account more secure. 

Use a password manager

A password manager like McAfee True Key can help prevent unauthorized access to your online accounts by protecting your passwords with strong encryption. It also comes with a password generator to help you create complex passwords while storing them safely.  

If you have old or weak passwords or use them on multiple sites, a password manager can generate new ones. It’ll then keep track of them and sign you in to apps and websites — with you only having to remember one master password.

See how McAfee True Key makes managing passwords easy and secure

Let McAfee True Key help you defend your personal data. The password management software makes dealing with passwords secure and easy.  

McAfee True Key stores your passwords on your device using the strongest encryption available. Once you use a master password to log into True Key, it’ll auto-fill your passwords for any apps or websites you visit. For added convenience, True Key securely syncs your information across all of your devices so you can access it wherever you need it.  

While McAfee manages your secure passwords, you can continue enjoying the internet the way it was intended — free from hackers.  

The post How Often Should You Change Your Passwords? appeared first on McAfee Blog.


Leaking Screen Information on Zoom Calls through Reflections in Eyeglasses


Okay, it’s an obscure threat. But people are researching it:

“Our models and experimental results in a controlled lab setting show it is possible to reconstruct and recognize with over 75 percent accuracy on-screen texts that have heights as small as 10 mm with a 720p webcam.” That corresponds to 28 pt, a font size commonly used for headings and small headlines.

[…]

Being able to read reflected headline-size text isn’t quite the privacy and security problem of being able to read smaller 9 to 12 pt fonts. But this technique is expected to provide access to smaller font sizes as high-resolution webcams become more common.

“We found future 4k cameras will be able to peek at most header texts on almost all websites and some text documents,” said Long.

[…]

A variety of factors can affect the legibility of text reflected in a video conference participant’s glasses. These include reflectance based on the meeting participant’s skin color, environmental light intensity, screen brightness, the contrast of the text with the webpage or application background, and the characteristics of eyeglass lenses. Consequently, not every glasses-wearing person will necessarily provide adversaries with reflected screen sharing.

With regard to potential mitigations, the boffins say that Zoom already provides a video filter in its Background and Effects settings menu that consists of reflection-blocking opaque cartoon glasses. Skype and Google Meet lack that defense.

Research paper.


Cybersecurity Snapshot: 6 Things That Matter Right Now


Topics that are top of mind for the week ending Sept. 23 | A digital trust disconnect between theory and practice | Don’t ignore attack surface management | An SBOM 101 | Report finds hackers targeting small businesses | And much more!

1 – For digital trust, organizations talk the talk but don’t walk the walk 

A global survey shows a disconnect between what businesses say and what they actually do regarding digital trust.

For its “State of Digital Trust 2022” report, IT governance professional association ISACA polled 2,755 business and IT professionals about their policies, practices and beliefs for digital trust, which it defines as “the confidence in the integrity of relationships, interactions and transactions among providers and consumers within an associated digital ecosystem.”

Among the findings were:

Almost all respondents (98%) acknowledge that digital trust is important but only 12% have a dedicated staffer in this role.
Only 50% said there’s sufficient collaboration at their organization among security, data integrity and privacy professionals – digital trust’s most important roles.
Eighty-two percent of respondents say digital trust will grow in importance in the next five years, but only 29% provide digital trust training to staff.
Only 66% say their organization sufficiently prioritizes digital trust.
Just 23% say their organization measures the maturity of its digital trust practices.

There’s also strong awareness among those polled about the downsides of weak digital trust, including reputational harm (cited by 62% of respondents), more privacy breaches (60%), increased cybersecurity incidents (59%) and customer loss (56%).

(Source: ISACA’s “State of Digital Trust 2022” North America infographic, Sept. 2022)

Among the obstacles that prevent organizations from boosting digital trust are lack of skills and training and misalignment with business goals. It also doesn’t help if leadership support for digital trust initiatives is weak, and if financial and technological resources are insufficient.

Some of ISACA’s recommendations for beefing up digital trust include:

Understand how digital trust can contribute to the organization’s goals, measure the current state and compare it against industry best practices.
Outline digital trust goals, identify priorities and develop a road map.
Establish a mindset of continuous improvement in areas such as cybersecurity, quality, reliability, compliance and customer experience.

For more information:

Read the full report
Read the blog from ISACA’s CEO and the press release
View infographics tailored for different regions

2 – Towards a secure Open RAN for 5G services

With the advent of 5G, mobile network operators see a benefit in moving away from traditional, proprietary radio-access networks (RANs) and towards open RANs that can provide them with more flexibility and reliability.

To help operators ensure the security of open RANs, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) just published the guide “Open Radio Access Network Security Considerations.”

CISA Acting Assistant Director Mona Harrington said in a statement that open RAN is “an exciting concept” that could boost innovation, network performance and competition. “However, with those benefits come the potential for additional security concerns,” she said.

For more information:

Top 5 security risks of Open RAN (CSO)
How Open RAN Can Bring Security Advantages (Open RAN Policy Coalition)
Open RAN so easy to hack it’s ‘scary,’ says top security boffin (Light Reading)
Private networks gradually get to know open RAN (FierceWireless)
NSA and CISA Publish Open RAN Adoption and Cybersecurity Assessment (MeriTalk)

3 – Analyst: “Ignore attack surface management at your own peril”

Attack surface growth has accelerated, thanks to remote work, distributed computing, API usage, IoT deployments, cloud adoption and shadow IT – in short, anything that increases an organization’s internet-facing assets.

In a recent column, Enterprise Strategy Group (ESG) analyst Jon Oltsik cited results from an ESG survey of 376 security pros who reported these effects of an expanded attack surface:

Collaboration and communication between the software development and security teams must be tightened as organizations develop more cloud-native apps and release software continuously.

Existing security tools and processes need to be re-evaluated as organizations seek to discover and manage attack surface assets. According to the survey, trying to manually collate and analyze data from disparate systems doesn’t work:

43% of respondents said it takes them 80-plus hours to do a full attack surface management inventory
69% said they suffered a security incident due to an unknown, unmanaged or mismanaged attack surface asset

Be prepared to manage more vulnerabilities and deploy more patches.

Anticipate an increase in blind spots.

For more information:

Finally Finding the ‘Unknown Unknowns’ Across Your Entire Attack Surface (Tenable)
What is attack surface management and why is it necessary? (TechTarget)
The Right Way to do Attack Surface Mapping (Tenable)
Look for attack surface management to go mainstream in 2022 (CSO)
How to implement an attack surface management program (TechTarget)

4 – Cyber insurer: Hackers hit small businesses hard; ransomware attacks drop

Cyber insurance provider Coalition has released its mid-year report, based on an analysis of claims from 160,000 of its policyholders, and salient findings include:

Small businesses – those with annual revenue below $25 million – reported a claim cost average of $139,000, up from $88,000 in the first half of 2021, which highlights their increased vulnerability to cyberattacks.

Phishing ranked first among primary triggers for cyber incidents, accounting for 58% of reported claims – up 41% in the first half of 2021 – and putting the spotlight on employee vulnerability to this form of email social-engineering attack.

Regarding ransomware incidents specifically, there was a drop in the average cost of claims; the frequency of claims; the median ransom payment; and the average ransom demand, all compared to the first half of 2021. Coalition attributes this trend to factors such as:

Companies with security controls such as offline data backups may refuse to pay ransoms because they can restore operations.
Large organizations in particular are increasingly unwilling to enter into ransom negotiations.

(Source: Coalition’s “2022 Cyber Claims Report Mid-year Update,” Sept. 2022)

For more information:

Ransomware is (slightly) on the decline, cyberinsurance company says (CSO)
Cyber Insurance Premium Hikes to Support Returns Amid Rising Claims (Fitch Ratings)
Cyber-Insurance Firms Limit Payouts, Risk Obsolescence (Dark Reading)
Cyber insurance needs an industry-wide security standard (Security Magazine)
Advice from an expert on cyber insurance coverage (Journal of Accountancy)

5 – An SBOM primer, with a “how to” for developing a program

Global management consulting firm McKinsey & Co. has published a clear and comprehensive overview about the basics of software bills of materials (SBOMs), which are very much in the spotlight as a key element of software supply chain security.

In the piece, titled “Software bill of materials: Managing software cybersecurity risks,” the authors define the SBOM, explain its benefits and include the following recommendations for developing a program:

Use existing software composition analysis (SCA) tools as a foundation and either buy or develop in house the other necessary tools, ensuring they fit smoothly with software development lifecycle (SDLC) processes.

Ensure that a cross-functional team is involved with the SBOM program, including participants from software development, security, procurement, legal, risk, privacy and compliance.

Build automated SBOM generation and review capabilities throughout the SDLC.

Create a governance structure for SBOM-related tasks.

(Source: “Software bill of materials: Managing software cybersecurity risks,” McKinsey & Co., Sept. 2022)

For more information:

The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness (Linux Foundation)
The Minimum Elements For a Software Bill of Materials (SBOM) (U.S. National Telecommunications and Information Administration)
Securing the Software Supply Chain: Recommended Practices for Developers (U.S. National Security Agency)
Software Bill of Materials (SBOM) Pros & Cons (Enterprise Networking Planet)
The White House wants new transparency into software components (Protocol)

6 – Cloud visibility still, er, cloudy?

Visibility into cloud assets remains a challenge for quite a few security teams out there, as an ad-hoc poll we conducted at a recent Tenable webinar shows.

Interested in learning more about this topic? Check out these Tenable resources:

Full IT Visibility Requires Business Risk Context (blog)
You’ve Migrated Business-Critical Functions to the Cloud…Now What? (blog)
Cloud Security Roundtable: Scaling Cloud Adoption without Sacrificing Security Standards (on-demand webinar)
4 Steps to Achieving Comprehensive Kubernetes Security (white paper)
DevOps Guide to Terraform Security (white paper)
