USN-5708-1: backport-iwlwifi-dkms vulnerabilities

Read Time:1 Minute, 9 Second

Sönke Huster discovered that an integer overflow vulnerability existed in
the WiFi driver stack in the Linux kernel, leading to a buffer overflow. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-41674)

Sönke Huster discovered that a use-after-free vulnerability existed in the
WiFi driver stack in the Linux kernel. A physically proximate attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-42719)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did
not properly perform reference counting in some situations, leading to a
use-after-free vulnerability. A physically proximate attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-42720)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did
not properly handle BSSID/SSID lists in some situations. A physically
proximate attacker could use this to cause a denial of service (infinite
loop). (CVE-2022-42721)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
physically proximate attacker could use this to cause a denial of service
(system crash). This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.10.
(CVE-2022-42722)

Read More

Iran’s Digital Surveillance Tools Leaked

Read Time:1 Minute, 2 Second

It’s Iran’s turn to have its digital surveillance tools leaked:

According to these internal documents, SIAM is a computer system that works behind the scenes of Iranian cellular networks, providing its operators a broad menu of remote commands to alter, disrupt, and monitor how customers use their phones. The tools can slow their data connections to a crawl, break the encryption of phone calls, track the movements of individuals or large groups, and produce detailed metadata summaries of who spoke to whom, when, and where. Such a system could help the government invisibly quash the ongoing protests ­—or those of tomorrow ­—an expert who reviewed the SIAM documents told The Intercept.

[…]

SIAM gives the government’s Communications Regulatory Authority ­—Iran’s telecommunications regulator ­—turnkey access to the activities and capabilities of the country’s mobile users. “Based on CRA rules and regulations all telecom operators must provide CRA direct access to their system for query customers information and change their services via web service,” reads an English-language document obtained by The Intercept. (Neither the CRA nor Iran’s mission to the United Nations responded to a requests for comment.)

Lots of details, and links to the leaked documents, at the Intercept webpage.

Read More

Choosing a DAST solution: What to pay attention to?

Read Time:9 Minute, 10 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The majority of today’s web applications contain dangerous vulnerabilities. To analyze their security, one cannot do without a dynamic scanner. DAST (Dynamic Application Security Testing) tools allow you to detect and evaluate security problems quickly. Let me tell you what to look for when choosing such a tool.

According to various studies, 70% of vulnerabilities have to do with errors in the code. Using vulnerabilities in your web application code, hackers can distribute malware, launch cryptojacking attacks, employ phishing and redirect users to malicious sites, hack a phone remotely, or steal personal data using social engineering techniques. 

Yes, sure, it is impossible to create perfectly secure software, but it is quite possible to reduce the number of vulnerabilities and increase the level of product security. To do this, you can rely on DevSecOps – a process that links development and security and where software is checked and tested for vulnerabilities at every stage of its creation.

The DevSecOps process is very voluminous; it may include numerous information security tools. In this article, I want to talk about DAST and how to choose the right scanner for dynamic application analysis. Together we will figure out what tool characteristics and parameters you need to pay attention to and what product types are currently available on the market.

What is DAST, and how does it work?

Dynamic application security testing is one of the secure development practices where an automated analysis of a deployed and functioning application is carried out. The dynamic scanner checks all access points via HTTP, simulates external attacks using common vulnerabilities, and simulates various user actions. The tool determines which APIs the service has, sends verification requests, uses, where possible, incorrect data (quotes, delimiters, special characters, and more).

The dynamic scanner sends and analyzes a large number of requests. The analysis of the sent request and the received response, as well as their comparison with a regular request, allows you to find different security problems.

Most scanners have similar functions and modus operandi. Their main components are a crawler and an analyzer.

The crawler traverses every link on every page it can reach, examining the contents of files, pressing buttons, and going through a dictionary of possible page names. This process allows you to estimate the size of the attack surface and possible attack vectors taking into account the existing ways of interacting with the application.

The analyzer checks the application directly. It can work in passive or active mode. In the first case, the analyzer studies only information that the crawler sends to it. In the second, the analyzer sends requests with incorrect data to the points found by the crawler and to other places that are not currently present on the pages but can be used in the application. It then infers the presence of a vulnerability based on the server’s responses.

What should you pay attention to when choosing a DAST tool?

Scan quality

This is the ratio of found and missed vulnerabilities. It is impossible to immediately understand how well the scanner analyzes. To do this, you should at least approximately understand ​​what vulnerabilities can be there and compare your estimates with the scan results. There are several ways to evaluate a tool:

If you have an application and have already checked it for vulnerabilities through a bug bounty program or penetration testing, you can compare those results with the results of the scanner.
If there is no application yet, you can use other pre-vulnerable software, which is created, as a rule, for training. You need to find an application that is close to your development environment in terms of the technology stack.

The number of false positives plays a decisive role when assessing the scan quality. Too many false positives clog the results. Besides, real errors can be missed. To determine how well the tool scans, you should analyze the report, parse the responses, and calculate the number and proportion of false positives.

Crawling

If there is no information about the application and you need to analyze it from scratch, it is important to understand how many paths and transitions you can collect, that is, how accurate the crawling will be. To do this, you can look at the DAST product settings. You need to find out if it can monitor requests from the front-end to the back-end, parse, for example, Swagger or WSDL applications, find links in HTML or JS. It is also worth studying the process of obtaining information about the application.

Before scanning, you can, for example, find out which APIs are used. This will help you understand what the tool needs to perform a full program scan. When choosing a scanner, it is helpful to make a list of what each tool can import and see if it can be built into the development process.

Scan speed

This parameter is also important, especially if checks are integrated into the development process. Scanning can slow down the process and, as a result, lead to a waste of time and money. Scan speed largely depends on how quickly the application responds to requests, how many simultaneous connections it can handle, and several other factors. Therefore, in order to compare the speed of different DAST tools, you need to run them with the same software under approximately the same conditions.

Advanced settings

Automatic analysis tools must have detailed settings. They will allow you to remove unnecessary requests and limit the scan area. This will increase the quality of the process and the speed of analysis. To set tasks for the tool appropriately, you must have all available options and settings.

There are “smart” scanners that adapt themselves to applications. But such tools still have to be manually configured since the goals of the checks are different. For example, sometimes you need to scan an application in several ways, starting with a full scan and ending with a superficial analysis; in this case, the manual mode will definitely come in handy.

When choosing a tool, you need to pay attention to the total number of possible parameters, as well as how easy it is to configure them. To compare the work of different tools, you can create several scan profiles in each of them: fast and shallow for initial analysis, full and maximum for a full-fledged one.

Integration

To make the dynamic analysis as effective as possible, it is worth integrating this practice into the development process and periodically running the scanner during the build. It is necessary to form a list of what is used in the CI/CD process in advance, draw up an approximate plan for launching the tool.

This will help you understand how easy it will be to integrate it into the development process and whether it is convenient to use its API.

Technology

Choosing a scanner, you should consider the technologies your company uses in development. To do this, you can analyze applications and create a list of technologies, languages ​​, and frameworks that are used. The list can get quite extensive, especially if the company is big. Therefore, it is appropriate to choose only a few critical parameters as criteria for evaluating scanners:

The number of technologies and frameworks that the tool covers.
The ability to support key technologies the company uses in its critical services.

Login sequence recording

Recording the login sequence is extremely important for dynamic scanners since authentication is required to enter the application. There are many pitfalls in this process, such as hashing the password before sending it or encrypting it with a shared key on the front-end, etc. Therefore, you must check in advance whether the tool will cope with all such nuances. To do this, you need to select as many different applications as possible and see if the scanner can go through the login stage in each of them.

It is also good to check how the tool behaves when logged out. The scanner sends a lot of requests during the analysis process. In response to some of them, the server can “throw the user out” of the system. The tool should notice this and re-enter the application.

Tool updates

Technology is constantly evolving, so when choosing a tool, it is vital to consider how often its updates or new versions of signatures/patterns or analysis rules are released. It is worth studying this information on the product website or requesting it from the vendor. This will show whether the developer is following trends and how up-to-date your database of checks will be.

It is desirable to find out if you can influence the development of the product and how the developer handles requests for new features. This will show how quickly the functionality you need will appear in the product and how communication with the vendor is arranged as part of the options update.

Which tool to choose?

There are plenty of tools on the market offered by such companies as Netsparker, Acunetix, Nessus, Rapid7, AppScan, and others. Let me briefly describe two instruments that I use.

BurpSuite Enterprise

This tool was developed by PortSwigger. The product has a full-fledged REST API for interacting and managing scans, sending reports, and much more. The scanning agent is the classic BurpSuite. It is launched in “headless mode” but has limitations. For example, you can interact with it only through control commands from the head portal, and you will not be able to load your plugins. Generally, if the tool is configured correctly, it can provide excellent results.

OWASP ZAP (Zed Attack Proxy)

This popular tool was created by the OWASP community, so it is completely free. It has different SDKs and APIs for different programming languages. You can use OWASP options or your own plugins.

The product has extensions for various CI/CD tools. It can be run in different modes and controlled programmatically. You can easily insert the tool into your development process. At the same time, the scanner has its drawbacks. Since it is an open-source solution, the quality of scans is lower than that of enterprise solutions. Also, the tool’s functionality is not very extensive and deep, but it can be extended and improved.

Conclusion

When choosing a dynamic analyzer, you can use the criteria noted above in this article, but they must be applied correctly. Each company is unique and has its own nuances and features – all this must be taken into account in conjunction with all the selection criteria. It is also good to define your needs in advance and understand what results you want to receive from the tool. Not to make a mistake, it is advised to conduct full-fledged testing of various options, compare them with each other and choose the best solution.

Read More

The Worst Black Friday and Cyber Monday Scams – And How to Avoid Them

Read Time:14 Minute, 39 Second

On Black Friday and Cyber Monday, the deals roll out. So do some of the worst Black Friday and Cyber Monday scams. 

Hackers, scammers, and thieves look to cash in this time of year by blending in with the holiday rush, spinning up their own fake shipping notices, phony deals, and even bogus charities that look legitimate at first glance, yet are anything but. Instead, they may be loaded with malware, point you to phishing sites that steal your personal info, or they may simply rip you off.   

Classically, many online scams play on emotions by creating a sense of urgency or even fear. And for the holidays, you can throw stress into that mix as well—the stress of time, money, or even the pressure of finding that hard-to-get gift that seems to be out of stock everywhere. The bad actors out there will tailor their attacks around these feelings, hoping that they’ll catch you with your guard down during this busy time of year. 

”The Five Least Wanted” – Top online shopping scams to avoid 

So while knowing how to spot a great gift at a great price is solid skill to have this time of year, so is the ability to spot a scam. Let’s look at some of the worst ones out there, along with what you can do to steer clear of them. 

1) The fake order scam  

Come this time of year, keeping tabs on all the packages you have in transit can get tricky. You may have an armload of them enroute at any given time, and scammers will look to slip into this mix with phony order confirmations sent to your mailbox or your phone by text. Packed with either an email attachment or a link to a bogus website, they’ll try to get you to download malware or visit a site that attempts to steal your identity.  

These messages can look quite legit, so the best way to keep track of your orders is on the sites where you purchased them. Go directly to those sites rather than clicking on any links or attachments you get. 

2) The phony tracking number scam 

This scam plays out much like the fake order scam, yet in this case the crooks will send a phony package tracking notification, again either as a link or as an attachment. For starters, legitimate retailers won’t send tracking numbers in an attached file. If you see anything like that, it’s surely a scam designed to inject malware onto your device. In the case of a link, the scammers aim to send you to a site that will steal your personal info, just like in the case above.  

Once again, the best way to track your packages is to go to the source. Visit the online store where you made your purchase, open your current orders, and get your package tracking information from there. 

3) The bogus website scam  

A classic scammer move is to “typosquat” phony email addresses and URLs that look awfully close to legitimate addresses of legitimate companies and retailers. So close that you may overlook them. They often appear in phishing emails and instead of leading you to a great deal, these can in fact link you to scam sites that can then lift your login credentials, payment info, or even funds should you try to place an order through them.  

You can avoid these sites by going to the retailer’s site directly. Be skeptical of any links you receive by email, text, or direct message—it’s best to go to the site yourself by manually typing in the legitimate address yourself and look for the deal there.  

4) The hot deal scam  

At the heart of holiday shopping is scarcity. And scarcity is something scammers love. There’s always some super-popular holiday item that’s tough to find, and scammers will spin up phony websites and offers around those items to lure you in. They may use the typosquatting technique mentioned above to pose as a legitimate retailer, or they may set up a site with their own branding to look legitimate on their own (or at least try). Either way, these scams can hurt you in a couple of ways—one, you’ll pay for the goods and never receive them; and two, the scammers will now have your payment info and address, which they can use to commit further fraud. 

If the pricing, availability, or delivery time all look too good to be true for the item in question, it may be a scam designed to harvest your personal info and accounts. Use caution here before you click. If you’re unsure about a product or retailer, read reviews from trusted websites to help see if it’s legitimate. (The Better Business Bureau is a great place to start—more on that in moment.) 

5) The fake charity scam 

In the season of giving, donating to charities in your name or in the name of others makes for a popular holiday gesture. Scammers know this too and will set up phony charities to cash in. Some indications that a phony charity has reached you include an urgent pitch that asks you to “act now.” A proper charity will certainly make their case for a donation, yet they won’t pressure you into it. Moreover, phony charities will outright ask for payment in the form of gift cards, wire transfers (like Western Union), money orders, or even cryptocurrency—because once those funds are sent, they’re nearly impossible to reclaim when you find out you’ve been scammed. 

There are plenty of ways to make donations to legitimate charities, and the U.S. Federal Trade Commission (FTC) has a site full of resources so that you can make your donation truly count 

So, how can I avoid getting scammed on Black Friday and Cyber Monday? 

Some of it takes an eagle eye that can spot these scams as they pop up in your inbox, texts, social media feed, and so on. Yet you have further ways you can keep safe while shopping on Black Friday, Cyber Monday, and any time. 

Stick with known, legitimate retailers online 

This is a great one to start with. Directly typing in the correct address for online stores and retailers is a prime way to avoid scammers online. In the case of retailers that you don’t know much about, the U.S. Better Business Bureau (BBB) asks shoppers to do their research and make sure that retailer has a good reputation. The BBB makes that easier with a listing of retailers you can search simply by typing in their name. 

Look for the lock icon in your browser when you shop 

Secure websites begin their address with “https,” not just “http.” That extra “s” in stands for “secure,” which means that it uses a secure protocol for transmitting sensitive info like passwords, credit card numbers, and the like over the internet. It often appears as a little padlock icon in the address bar of your browser, so double-check for that. If you don’t see that it’s secure, it’s best to avoid making purchases on that website.  

Pay with a credit card instead of your debit card  

In the U.S., the Fair Credit Billing Act offers the public protection against fraudulent charges on credit cards, where citizens can dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Note that many credit card companies have their own policies that improve upon the Fair Credit Billing Act as well. However, debit cards aren’t afforded the same protection under the Act. Avoid using a debit card while shopping online and use your credit card instead.  

Use two-factor authentication on your accounts  

Two-factor authentication is an extra layer of defense on top of your username and password. It adds in the use of a special one-time-use code to access your account, usually sent to you via email or to your phone by text or a phone call. In all, it combines something you know, like your password, with something you have, like your smartphone. Together, that makes it tougher for a crook to hack your account. If any of your accounts support two-factor authentication, the few extra seconds it takes to set up is more than worth the big boost in protection you’ll get.  

Use a VPN if you’re shopping on public Wi-Fi  

Public Wi-Fi in coffee shops and other public locations can expose your private surfing to prying eyes because those networks are open to all. Using a virtual private network (VPN) encrypts your browsing, shopping, and other internet traffic, thus making it secure from attempts at intercepting your data on public Wi-Fi, such as your passwords and credit card numbers.  

What’s more, a VPN masks your whereabouts and your IP address, plus uses encryption that helps keep your activities private. As a result, companies and data brokers can potentially learn far less about you, your shopping, your travels, your habits, and any other information that they could possibly collect and otherwise profit from. 

Clean up your personal data online 

Yes, it’s true. Your information gets collected, bought, and solid online. In fact, personal information fuels a global data trading economy estimated at $200 billion U.S. dollars a year. Run by data brokers that keep hundreds and even thousands of data points on billions of people, these sites gather, analyze, buy, and sell this information to other companies as well as to advertisers. Likewise, these data brokers may sell this information to bad actors, such as hackers, spammers, and identity thieves who would twist this information for their own purposes. 

Getting your info removed from these sites can seem like a daunting task. (Where do I start, and just how many of these sites are out there?) Our Personal Data Cleanup can help by regularly scanning these high-risk data broker sites for info like your home address, date of birth, and names of relatives. It identifies which sites are selling your data, and depending on your plan, automatically requests removal. 

Protect your identity from identity thieves 

Another place where personal information is bought and sold, stored, and exchanged is the dark web. The problem is that it’s particularly difficult for you to determine what, if any, of your info is on the dark web, stashed away in places where hackers and thieves can get their hands on it. Identity monitoring can help. McAfee’s identity monitoring helps you keep your personal info safe by alerting you if your data is found on the dark web, an average of 10 months before our competitors. 

Monitored info can range anywhere from bank account and credit card numbers to your email addresses and government ID number, depending on your location. If your information gets spotted, you’ll get an alert, along with steps you can take to minimize or even prevent damage if the information hasn’t already been put to illegal use. 

Take advantage of identity protection 

Identity protection through McAfee takes identity monitoring a step further by offering, depending on your location and plan, identity theft coverage for financial losses and expenses due to identity theft, in addition to hands-on help from a recovery professional to help restore your identity—all in addition to the identity monitoring called out above, again depending on your location and plan. 

Monitor your credit 

Keeping an eye on your bills and statements as they come in can help you spot unusual activity on your accounts. A credit monitoring service can do that one better by keeping daily tabs on your credit report. While you can do this manually, there are limitations. First, it involves logging into each bureau and doing some digging of your own. Second, there are limitations as to how many free credit reports you can pull each year. A service does that for you and without impacting your credit score. 

Depending on your location and plan, McAfee’s credit monitoring allows you to look after your credit score and the accounts within it to see fluctuations and help you identify unusual activity, all in one place, checking daily for signs of identity theft. 

Use protection while you shop  

A complete suite of online protection software like McAfee+ can offer layers of extra security while you shop. In addition to the VPN, identity, credit monitoring, and other features mentioned above, it includes web browser protection that can block malicious and suspicious links that could lead you down the road to malware or a phishing scam—along with a password manager that can create strong, unique passwords and store them securely as well. Taken together, McAfee+ offers all-in-one online protection for your identity, privacy, and security that can keep you far safer when you shop online—and as you spend your time online in general. 

What should I do if I fall victim to a Black Friday or Cyber Monday scam? 

Even if you take the proper precautions the unexpected can happen. Whether it’s a scam, an identity crime, or flat-out theft, there are steps you can take right away to help minimize the damage. 

The first bit of advice is to take a deep breath and get right to work on recovery. From there, you can take the following steps: 

1. Notify the companies involved 

Whether you spot a curious charge on your bank statement, discover potentially a fraudulent account when you check credit report, or when you get an alert from your monitoring service, let the bank or organization involved know you suspect fraud or theft. With a visit to their website, you can track down the appropriate number to call and get the investigation process started. 

2. File a police report 

Some businesses will require you to file a local police report and acquire a case number to complete your claim. Beyond that, filing a report is a good idea in itself. Identity theft is still theft and reporting it provides an official record of the incident. Should your case of identity theft lead to someone impersonating you or committing a crime in your name, filing a police report right away can help clear your name down the road. Be sure to save any evidence you have, like statements or documents that are associated with the theft. They can help clean up your record as well. 

3. Contact your governmental anti-fraud or trade organization 

In the U.S., the identity theft website from the Federal Trade Commission (FTC) is a fantastic resource should you find yourself in need. In addition to keeping records of the theft, the FTC can provide you with a step-by-step recovery plan—and even walk you through the process if you create an account with them. Additionally, reporting theft to the FTC can prove helpful if debtors come knocking to collect on any bogus charges in your name. With a copy of your report, you can ask debtors to stop. 

4. Put on a credit freeze or lock 

An instance of identity fraud or theft, suspected or otherwise, is a good time to review your options for a credit freeze or lock. As mentioned earlier, see what the credit bureaus in your region offer, along with the terms and conditions of each. With the right decision, a freeze or lock can help minimize and prevent further harm. 

5. Continue to monitor 

Strongly consider using a monitoring service like the one we described earlier to help you continue to keep tabs on your identity. The unfortunate fact of identity theft and fraud is that it can mark the start of a long, drawn-out affair. One instance of theft can possibly lead to another, so even what may appear to be an isolated bad charge on your credit card calls for keeping an eye on your identity all around. Many of the tools you would use up to this point still apply, such as checking up on your credit reports, maintaining fraud alerts as needed, and reviewing your accounts closely—along with utilizing an identity monitoring service. 

6. Work with a recovery pro 

A recovery service can help you clean up your credit in the wake of fraud or theft, all by working on your behalf. Given the time, money, and stress that can come along with setting your financial record straight, leaning on the expertise of a professional can provide you with much-needed relief on several counts. 

Take an extra moment to spot those Black Friday and Cyber Monday scams  

Just as it’s always been, hackers, scammers, and thieves want to ruin a good thing. In this case, it’s your spirit of giving and sharing in the holiday season. Yet with this list of top scams and ways you can avoid them, you can keep bad actors like them at bay. Remember, they’re counting on you to be in a hurry this time of year, and maybe a bit stressed and a little disorganized to boot. Take your time while shopping out there and keep an eye out for their tricks. That extra moment can save you far more time and money than you may think. 

The post The Worst Black Friday and Cyber Monday Scams – And How to Avoid Them appeared first on McAfee Blog.

Read More

The OSPO – the front line for secure open-source software supply chain governance

Read Time:41 Second

Organizations of every shape, size, and sector have embraced open-source software (OSS). The financial, medical, and manufacturing industries – and even national security – now use OSS to power their most critical applications and activities. However, this widespread adoption comes with pitfalls: a corresponding increase of almost 800% in software supply chain attacks according to the State of the Software Supply Chain from Sonatype.

With the rapid growth of OSS adoption, organizations have begun to stand up Open Source Program Offices (OSPOs) to help codify strategies around OSS use and contribution and to foster collaboration with the broader OSS community. These OSPO’s often have key responsibilities such as cultivating an OSS strategy, leading its execution, and facilitating the use of OSS products and services across an enterprise.

To read this article in full, please click here

Read More