nginx-1.22.1-1.fc35

Read Time:15 Second

FEDORA-2022-97de53f202

Packages in this update:

nginx-1.22.1-1.fc35

Update description:

Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, worker
process memory disclosure, or might have potential other impact
(CVE-2022-41741, CVE-2022-41742).

Read More

nginx-1.22.1-1.fc36

Read Time:15 Second

FEDORA-2022-b0f5bc2175

Packages in this update:

nginx-1.22.1-1.fc36

Update description:

Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, worker
process memory disclosure, or might have potential other impact
(CVE-2022-41741, CVE-2022-41742).

Read More

Securing your organization against phishing can cost up to $85 per email

Read Time:33 Second

As phishing attacks increase, preventing them from doing damage is proving costly for organizations. Phishing-related activities are consuming a third of the total time available to IT and security teams and costing organizations anywhere between $2.84 and $85.33 per phishing email, according to a new report by Osterman Research.

The report does not calculate the cost of damage caused by phishing, rather the productivity loss of IT and security teams.

On average, organizations spend 16-30 minutes dealing with each phishing email identified in their email infrastructure, said the report, commissioned by email security firm Ironscales.

To read this article in full, please click here

Read More

vim-9.0.803-1.fc37

Read Time:15 Second

FEDORA-2022-839fd408a5

Packages in this update:

vim-9.0.803-1.fc37

Update description:

patchlevel 803

The newest upstream commit

Security fixes for CVE-2022-3256, CVE-2022-3324, CVE-2022-3352, CVE-2022-3235, CVE-2022-3234, CVE-2022-3296, CVE-2022-3297, CVE-2022-3278.

Read More

Financial losses to synthetic identity-based fraud to double by 2024

Read Time:46 Second

Losses to imposter scams based on synthetic identities—identities that only exist as figments in a credit reporting bureau’s records—will rise from a reported $1.2 billion in 2020 to $2.48 billion by 2024 in the US, according to an analysis published Thursday by identity verification vendor Socure.

Synthetic identities became a common concern for businesses and financial institutions in the mid-2010s, Socure’s report said. Typically, such an identity is based on a real person, but with a slight tweak to some piece of personally identifiable information, like a different date of birth or Social Security number.

This altered identity is frequently verified by nothing more than a credit check—which means that it’s rarely detected. A fraudster can then use the identity for a wide array of purposes, including different types of loan applications and credit cards.

To read this article in full, please click here

Read More

Attackers switch to self-extracting password-protected archives to distribute email malware

Read Time:29 Second

Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.

“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.

To read this article in full, please click here

Read More

USN-5694-1: LibreOffice vulnerabilities

Read Time:1 Minute, 6 Second

It was discovered that LibreOffice incorrectly handled links using the
Office URI Schemes. If a user were tricked into opening a specially
crafted document, a remote attacker could use this issue to execute
arbitrary scripts. (CVE-2022-3140)

Thomas Florian discovered that LibreOffice incorrectly handled crashes when
an encrypted document is open. If the document is recovered upon restarting
LibreOffice, subsequent saves of the document were unencrypted. This issue
only affected Ubuntu 18.04 LTS. (CVE-2020-12801)

Jens Müller discovered that LibreOffice incorrectly handled certain
documents containing forms. If a user were tricked into opening a specially
crafted document, a remote attacker could overwrite arbitrary files when
the form was submitted. This issue only affected Ubuntu 18.04 LTS.
(CVE-2020-12803)

It was discovered that LibreOffice incorrectly validated macro signatures.
If a user were tricked into opening a specially crafted document, a remote
attacker could possibly use this issue to execute arbitrary macros. This
issue only affected Ubuntu 18.04 LTS. (CVE-2022-26305)

It was discovered that Libreoffice incorrectly handled encrypting the
master key provided by the user for storing passwords for web connections.
A local attacker could possibly use this issue to obtain access to
passwords stored in the user’s configuration data. This issue only affected
Ubuntu 18.04 LTS. (CVE-2022-26306, CVE-2022-26307)

Read More

Interview with Signal’s New President

Read Time:1 Minute, 24 Second

Long and interesting interview with Signal’s new president, Meredith Whittaker:

WhatsApp uses the Signal encryption protocol to provide encryption for its messages. That was absolutely a visionary choice that Brian and his team led back in the day ­- and big props to them for doing that. But you can’t just look at that and then stop at message protection. WhatsApp does not protect metadata the way that Signal does. Signal knows nothing about who you are. It doesn’t have your profile information and it has introduced group encryption protections. We don’t know who you are talking to or who is in the membership of a group. It has gone above and beyond to minimize the collection of metadata.

WhatsApp, on the other hand, collects the information about your profile, your profile photo, who is talking to whom, who is a group member. That is powerful metadata. It is particularly powerful—and this is where we have to back out into a structural argument ­ for a company to collect the data that is also owned by Meta/Facebook. Facebook has a huge amount, just unspeakable volumes, of intimate information about billions of people across the globe.

It is not trivial to point out that WhatsApp metadata could easily be joined with Facebook data, and that it could easily reveal extremely intimate information about people. The choice to remove or enhance the encryption protocols is still in the hands of Facebook. We have to look structurally at what that organization is, who actually has control over these decisions, and at some of these details that often do not get discussed when we talk about message encryption overall.

Read More