USN-5689-1 fixed a vulnerability in Perl.
This update provides the corresponding update for Ubuntu 22.10.
Original advisory details:
It was discovered that Perl incorrectly handled certain signature verification.
An remote attacker could possibly use this issue to bypass signature verification.
Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims’s username and hashed password to spoof the victim’s id against the server.
Judicial and law enforcement authorities in Europe, Australia, the US, Ukraine, and Canada took down a so-called spoofing website that allowed fraudsters to impersonate trusted corporations or contacts in order to steal more than $120 million from victims.
In a coordinated action led by the UK and supported by Europol and EU judicial cooperation agency Eurojust, a total of 142 suspects were arrested, including the main administrator of the website, according to a statement posted by Europol on November 24.
The website provided a paid-for service that provided those who signed up with the ability to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords. During the 16 months the website was live, Europol reported that the site took $3.8 million in fees, while enabling its customers to generate $120 million from illegal ‘spoofing’ campaigns.
The breach affected any account with the “Let others find you by your phone” option enabled
Laptop technicians routinely violate the privacy of the people whose computers they repair:
Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.
[…]
In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks. As noted earlier, two of the visits resulted in the logs the researchers relied on being unrecoverable. In one, the researcher explained they had installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device.” The researchers received no explanation in the other case.
[…]
The laptops were freshly imaged Windows 10 laptops. All were free of malware and other defects and in perfect working condition with one exception: the audio driver was disabled. The researchers chose that glitch because it required only a simple and inexpensive repair, was easy to create, and didn’t require access to users’ personal files.
Half of the laptops were configured to appear as if they belonged to a male and the other half to a female. All of the laptops were set up with email and gaming accounts and populated with browser history across several weeks. The researchers added documents, both sexually revealing and non-sexual pictures, and a cryptocurrency wallet with credentials.
A few notes. One: this is a very small study—only twelve laptop repairs. Two, some of the results were inconclusive, which indicated—but did not prove—log tampering by the technicians. Three, this study was done in Canada. There would probably be more snooping by American repair technicians.
The moral isn’t a good one: if you bring your laptop in to be repaired, you should expect the technician to snoop through your hard drive, taking what they want.
The Council of the European Union (EU) has adopted a new cybersecurity directive designed to improve resilience and incident response capacities across the EU, replacing NIS, the current directive on the security of network and information systems.
The new directive, NIS2, will set the baseline for cybersecurity risk management measures and reporting obligations across sectors and aims to harmonize cybersecurity requirements and implementation of measures in different member states.
“NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure,” read an EU Council press release.
Florian Weimer discovered that shadow was not properly copying and removing
user directory trees, which could lead to a race condition. A local attacker
could possibly use this issue to setup a symlink attack and alter or remove
directories without authorization.
A database of 487 million WhatsApp users’ mobile numbers has been put up for sale on a hacking community forum. The data set contains WhatsApp user data from more than 84 countries, the post shows. The story was first reported by Cybernews.
The seller of the leaked data is also offering it through the controversial messaging app Telegram, where the person or the group goes by handle “Palm Yunn.” On the hacking community forum, the user is listed as “Agency123456.” The seller claims the database is from 2022.
The Find and Replace All WordPress plugin before 1.3 does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue.
The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.
