FEDORA-2022-dc48a89918
Packages in this update:
freerdp-2.7.0-1.fc36
Update description:
Update to 2.7.0.
Security fixes for CVE-2022-24882, CVE-2022-24883.
Tenable launches the 2022 Capture the Flag event for the security community, running from June 9-13.
Get ready to test your hacking skills, practice new ones and see how you measure up against others in the industry by joining this year’s annual Capture the Flag event. Each year, Tenable hosts its annual Capture the Flag events for the security community, giving security practitioners an opportunity to showcase their cybersecurity skills and talents in a fun and engaging game of capture the flag.
We’re proud to announce that this year’s annual Capture the Flag event will be held in June 2022! Whether you’re a seasoned pro who started your career with Nessus or a “newbie” to the security industry, we welcome you to compete for the chance to win prizes and bragging rights through a series of security-related challenges. You may complete these challenges solo or with a team.
Tenable team members, from zero-day research to vulnerability detection, have put their heads together to develop a broad and unique set of challenges to give competitors of diverse backgrounds a chance to have fun as you put your skills to the test. We’re excited to, once again, put together our very own CTF and see what this community can accomplish.
Register here to save your spot! You can register as an individual or a team of up to five participants. The event will run from Thursday, June 9, 2022 at 12:00 pm ET to Monday, June 13, 2021 at 12:00 pm ET. The competition will be run through the CTFd.io platform. Please use a valid email address when registering; it will be used for competition updates and prize distribution.
Earn points by competing in a variety of CTF challenges. Points available for challenges will increase as the difficulty of the challenges increases. Additionally, some challenges will grant fewer points over time or may decrease in point value if you use hints to solve them. Competitors will not be required to use Tenable products to participate in the competition, but Nessus Essentials may be a useful tool for some challenges.
The top three teams or individuals will be awarded prizes. Only participants in the U.S. are eligible for monetary prizes. Winning participants outside of the U.S. will be recognized in the award ceremony and with a digital certificate or badge. You can find full contest terms here. Winning submissions will receive a single prize, whether a team or individual.
First place – $500 Amazon Gift Card
Second place – $300 Amazon Gift Card
Third place – $200 Amazon Gift Card
The top 100 teams will have the option to opt in and receive a limited edition 2022 Tenable CTF T-Shirt!
Note: Participants will also have a chance to win other prizes; more details will be available on the competition platform.
This is meant to be a friendly competition — please no spoilers! Be careful not to share any challenge solutions publicly until after the competition wrap-up and award ceremony on June 16, 2022. (Sign-up details for the Tenable CTF Debrief & Awards Ceremony webinar will be coming soon.)
If you have any questions, please contact ctf@tenable.com.
Don’t wait! Sign up now to secure your spot in the Tenable Capture the Flag:
SMS phishing attacks — annoyingly called “smishing” — are becoming more common.
I know that I have been receiving a lot of phishing SMS messages over the past few months. I am not getting the “Fedex package delivered” messages the article talks about. Mine are usually of the form: “thank you for paying your bill, here’s a free gift for you.”
Cyber insurance coverage? Through the roof these days. Also, coverage is not that easy to get. The many breaches and the dollar judgements handed down make cyber insurance another costly operating investment. A mid-sized client of mine, as an example, pays $1 million in annual cyber insurance costs just to do business with its commercial and government customers.
The issue adds another twist to the topic of third-party risk. Typically, a corporation’s top tier of vendors has some form of cyber insurance. Such vendor coverage generally protects their customers from financial liability involving the breach of customer sensitive data such as Personal Identifiable Information (PII).
Breach incidents can also include disruptions, intellectual property exfiltration, and website defacements. Lately ransom threats where the hacker demands payment for not releasing data onto dark sites have escalated. For those vendor corporations handling customer data, ranging from sales histories to financial transactions, such vendor coverage is a must instead of an option.
Yet there are those smaller supplier companies which eschew cyber insurance either by choice or through lack of awareness. Estimates vary, but those smaller uninsured companies range from 28 to 41%, according to industry reports. Rising costs, coupled with the rigors of insurance requirements, ratchet down coverage as a priority.
This is the crux of an escalating vendor issue facing CISOs today: which vendors pose uninsured risks? Is it simply the smaller boutique vendor? Or does the scope include second-tier and third-tier suppliers to main vendors as well? What precautions can be taken in advance to pre-empt a lack of vendor coverage across tiers? These problems have been echoed by the CISO community, now faced with increasing attacks channeled through third parties.
Here are three immediate mitigation steps CISOs can take:
Know vendors to the nth degree. Besides the standard inventory of cyber and IT suppliers, identify who supplies them. Do these secondary vendors have adequate coverage, and how about their subcontractors? This is not an easy task. But AT&T Cybersecurity offers vendor discovery tools, along with percentage risk levels, from partners such as NetSkope and BitSight. These tools help spare inter-vendor finger pointing and the “shock and surprise” in the event of a breach.
Lock down contracts. There are any number of cyber insurance requirement clauses that can be added to new contracts in progress and ones for renewal. Here’s where the CISO finds Finance and Legal resources to be invaluable partners. Together they can determine if adequate vendor coverage exists for legal fees, breach recovery and cyber vandalism.
Cyber hygiene vigilance. Third parties still pose the greatest threat of breach despite the best of plans. No one wants to be in a position where they must execute on cyber insurance in the first place. CISOs can keep cyber fences “horse high” with basic defense mechanisms such as:
Complex passwords
VPN use
Encryption
Multi-factor Authentication (MFA)
Sound firewall rules
Strong anti-virus
User security awareness
Within any of these intertwined areas of defense, AT&T Cybersecurity can be of assistance.
To summarize, the complete evaluation of third-party risk must now include cyber insurance readiness as a factor. No CISO is an island here, and it becomes a protective opportunity rather than a headache once the right internal business partners are engaged.
Larry Pesce remembers the day when the distributed denial of service (DDoS) threat landscape changed dramatically. It was late fall in 2016 when a fellow researcher joined him at the InGuardians lab, where he is director of research. His friend wanted to see how fast Mirai, a novel internet of things (IoT) botnet installer, would take over a Linux-based DVR camera recorder that was popular with medium-size businesses. So, she brought in a purchased DVR, then they set up observation instrumentation before connecting it to the internet via the DVR’s span port.
The SolarWinds compromise of 2020 had a global impact and garnered the resources of both public and private sectors in an all-hands-on-deck remediation effort. The event also had a deleterious effect on the SolarWinds stock price. These two events were, predictably, followed by a bevy of civil lawsuits. Fast forward to late March 2022, and we have a federal court saying the suit that named SolarWinds; its vice president of security and CISO, Tim Brown; and two prime investor groups, Silver Lake and Thoma Bravo, may go forward.
Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839.