CVE-2021-26728

Read Time:14 Second

Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Read More

CVE-2021-26727

Read Time:14 Second

Multiple command injections and stack-based buffer overflows vulnerabilities in the SubNet_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Read More

USN-5227-3: Pillow vulnerability

Read Time:1 Minute, 18 Second

USN-5227-1 fixed vulnerabilities in Pillow. It was discovered that the fix
for CVE-2022-22817 was incomplete. This update fixes the problem.

Original advisory details:

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to hang, resulting in a denial
of service. (CVE-2021-23437)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service. This issue ony affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and
Ubuntu 21.04. (CVE-2021-34552)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2022-22815)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service. (CVE-2022-22816)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2022-22817)

Read More

USN-5696-1: MySQL vulnerabilities

Read Time:33 Second

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 8.0.31 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Ubuntu 18.04 LTS has been updated to MySQL 5.7.40.

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-40.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-31.html
https://www.oracle.com/security-alerts/cpuoct2022.html

Read More

On the Randomness of Automatic Card Shufflers

Read Time:1 Minute, 4 Second

Many years ago, Matt Blaze and I talked about getting our hands on a casino-grade automatic shuffler and looking for vulnerabilities. We never did it—I remember that we didn’t even try very hard—but this article shows that we probably would have found non-random properties:

…the executives had recently discovered that one of their machines had been hacked by a gang of hustlers. The gang used a hidden video camera to record the workings of the card shuffler through a glass window. The images, transmitted to an accomplice outside in the casino parking lot, were played back in slow motion to figure out the sequence of cards in the deck, which was then communicated back to the gamblers inside. The casino lost millions of dollars before the gang were finally caught.

Stanford mathematician Persi Diaconis found other flaws:

With his collaborator Susan Holmes, a statistician at Stanford, Diaconis travelled to the company’s Las Vegas showroom to examine a prototype of their new machine. The pair soon discovered a flaw. Although the mechanical shuffling action appeared random, the mathematicians noticed that the resulting deck still had rising and falling sequences, which meant that they could make predictions about the card order.

New Scientist article behind a paywall. Slashdot thread.

Read More

Amid real estate volatility, cybercriminals are profiting

Read Time:3 Minute, 3 Second

This blog was written by an independent guest blogger.

It is easy to think of cybercrime as a phenomenon only impacting the digital space. However, as trends are showing, digital attacks have a very real and very physical impact. According to the FBI, there has been a surge in rental and real estate property scams conducted via digital means, whether that’s the insertion of rogue actors into the property purchase chain, or hijacking of legitimate websites to promote false, money scamming listings. With the real estate market in such a state of volatility, with house prices seemingly rising or falling in lurches from week to week, it’s an especially prosperous time for criminals. Protection is key.

Staying safe online

The most common real estate scams are focused on the scammer impersonating the role of the real estate agent. This can be done through exploiting improper security protections on the website itself or through the scammer inserting themselves into the process of purchasing through, for instance, SQL injection. Older styles of scams, such as selling homes by someone impersonating the homeowner, are becoming increasingly digitized too.

The key here is in cyber security and awareness from anyone involving themselves in the real estate business. Firstly, choose a realtor with a professional reputation, and ensure they have a distinct and established local profile. Google NAM data will help to further establish their legitimacy. Secondly, by using a high-quality browser – such as Edge, Firefox or Chrome – you’ll quickly be able to see just how well protected a website is. This is crucial; according to CISA, a huge number of websites simply do not have the requisite level of protection to be secure. Ensure anything you work with does.

Practicing enhanced due diligence

Every house sale or real estate exchange is subject to a significant level of due diligence. Both the seller and the buyer need to ensure they are meeting various levels of control; this prevents fraud, smooths the transfer of funds, and ensures that every party within the transaction has the peace of mind and financial information to be satisfied that they are getting what they’ve paid for; or that the buyer is legitimate. For this reason, with digital attacks in the offing, it’s important to be diligent. This can admittedly be difficult, due to the sense of expedience that’s currently being felt in the real estate world. Staying slow is key from a security perspective.

Understanding the risk

When it comes to the realty industry, there is, according to Deloitte, an overriding sense that real estate agents don’t need to worry about cybercrime. This is because they have, relatively speaking, lower volumes of customer protected data. Most cybercrime seeks to obtain data, given its inherent value; this is something that real estate businesses generally doesn’t have in great amounts.

However, even small attacks, where successful, can yield big returns for cyber criminals. The amount of money being exchanged in real estate, in addition to the sheer variety of payment types, means there are plenty of points at which a single attack can result in a big financial win. With long-term, concerted attacks, which aren’t unheard of, serious damage can be caused. Accordingly, the real estate firms themselves need to undertake sufficient protection.

Just like every other industry with significant levels of digitization, real estate is at risk of cybercrime. The attacks seek to create financial harm by deceiving either party. Staying safe is chiefly about education; all parties in the real estate chain; but technical knowhow has a part to play, too, chiefly on the part of realtors.

Read More