USN-5811-3: Sudo vulnerability

Read Time:19 Second

USN-5811-1 fixed a vulnerability in Sudo. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly
handled user-specified editors when using the sudoedit command. A local
attacker that has permission to use the sudoedit command could possibly use
this issue to edit arbitrary files. (CVE-2023-22809)

Read More

Critical Vulnerability in Control Web Panel Exploited in the Wild

Read Time:1 Minute, 21 Second

FortiGuard Labs is aware of a report that a patched but critical vulnerability in Control Web Panel (CWP) is being exploited in the wild. The vulnerability (CVE-2022-44877) is a command injection vulnerability that allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. Proof-of-concept code is reportedly available.Control Web Panel (formerly CentOS web panel) is a server administration user interface used to manage Linux systems.Why is this Significant?This is significant because a critical vulnerability in Control Web Panel (CVE-2022-44877) is being exploited in the wild. Previously known as “CentOS Web Panel”, Control Web Panel is a popular web-based server configuration software.Furthermore, CISA added CVE-2022-44877 to the known exploited vulnerabilities catalog on January 17, 2023. As proof-of-concept code is reportedly available, exploit attempts are expected to pick up.What is CVE-2022-44877?CVE-2022-44877 is a command injection vulnerability that allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. The vulnerability is rated critical and has a CVSS score of 9.8.What Versions of Control Web Panel are Vulnerable?Control Web Panel 7 prior to version 0.9.8.1147 are vulnerable.Has the Vendor Released a Patch for CVE-2022-44877?Yes, a patch was released in version 0.9.8.1147 on October 25, 2022.What is the Status of Protection?FortiGuard Labs released the following IPS signature in version 22.480 for CVE-2022-44877:CentOS.Web.Panel.login.Command.Injection (default action is set to “pass”)

Read More

NIST Is Updating Its Cybersecurity Framework

Read Time:45 Second

NIST is planning a significant update of its Cybersecurity Framework. At this point, it’s asking for feedback and comments to its concept paper.

Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)?
Are the proposed changes sufficient and appropriate? Are there other elements that should be considered under each area?
Do the proposed changes support different use cases in various sectors, types, and sizes of organizations (and with varied capabilities, resources, and technologies)?
Are there additional changes not covered here that should be considered?
For those using CSF 1.1, would the proposed changes affect continued adoption of the Framework, and how so?
For those not using the Framework, would the proposed changes affect the potential use of the Framework?

The NIST Cybersecurity Framework has turned out to be an excellent resource. If you use it at all, please help with version 2.0.

Read More

9 Ways smart devices can compromise your privacy

Read Time:5 Minute, 27 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

A smart device is any device connected to the internet and can be controlled by a computer or smartphone. This includes devices such as home appliances, security cameras, thermostats, doorbells, lighting systems, and other connected gadgets.

Smart devices are becoming increasingly popular due to the convenience they offer. However, with this convenience comes a greater risk to your privacy.

When people talk about smart devices, what they are referring to more broadly is the internet of things (IoT) and its ability to connect all your devices together. This means that all the data collected by each device can be accessed and shared with other connected devices, potentially exposing personal information about you and your home life.

Here are 9 ways in which smart devices can compromise your privacy.

1. Location tracking

Many smart devices track and store users’ locations, which can be used to build detailed profiles of their activities. This data can then be sold to third parties without the user’s knowledge or consent.

This has become a major problem with smart devices such as fitness trackers and smartphones. If you’re not careful, your device could be sharing more data than you think. You might be under the impression that you’re in control of the data it collects, but this is not always the case.

2. Insecure Wi-Fi connections

Many smart devices use Wi-Fi to connect to the internet. This means it can be vulnerable to hackers if proper security protocols are not in place. Hackers can access your device, view sensitive data such as passwords, and even take control of it.

There have been instances of hackers hijacking smart devices via Wi-Fi connections and using them to launch cyber-attacks. This is especially true if you travel with smart devices like phones or laptops, as they may be connecting to unsecured Wi-Fi networks.

3. Vulnerable webcams

Smart devices often come with built-in cameras and microphones, which can be hacked into to gain access to audio and video recordings of the user. This has been a major issue in recent years with reports of “webcam hacking” becoming increasingly common.

It is increasingly common for people to have cameras in their doorbells, in their baby monitors, and even in their TVs. All of these can be hacked into if the user doesn’t take proper security measures.

For example, there have been instances where hackers have hijacked security cameras and used them to spy on unsuspecting users in their homes. This is an extreme case of a privacy violation that can be prevented with proper security measures.

4. Poorly secured cloud databases

Many smart devices store data such as pictures and videos in the cloud, meaning they are accessible from any device. However, this also leaves them vulnerable to hacking.

If the cloud service that stores your data is not properly secured, hackers can gain access to it and view, copy, or delete sensitive information. This could be anything from your banking details to private photos of you and your family.

5. Third-party app permissions

Many smart devices have a range of third-party apps that users can download. However, these apps often require access to certain permissions to work.

For example, an app might need permission to access your contacts or your location data. This means it can collect and share this information with other companies without the user’s knowledge or consent.

It’s important to read through the terms and conditions carefully before downloading any app, as it may be collecting more data than you think.

6. Data breaches

Smart devices often store data on servers located off-site. This means that if those servers are hacked, your data could be exposed to malicious actors. It is important to make sure your device is regularly updated with the latest security patches and that you are aware of any data breaches that could affect it.

As more and more people adopt smart tech, there is an increased risk of data breaches. Both companies and individuals must take extra steps to ensure the security of their customers’ data, or else they face serious consequences.

7. Unsecured Bluetooth connections

Many smart devices make use of Bluetooth technology to connect to other devices wirelessly. While this is convenient, it also leaves the device vulnerable to hackers. If a hacker can access your Bluetooth connection, they can gain access to the data stored on the device.

It is important to keep your Bluetooth connection secure by regularly changing the password and only pairing devices you trust. Additionally, it’s a good idea to periodically scan for any unauthorized connections.

8. Data mining

Many smart devices collect data about users’ habits and activities, which can then be used for targeted advertising or other commercial purposes. This means your device might be collecting more information about you than you realize.

It’s important to be aware of what data your device is collecting and who it is being shared with. You can also adjust the settings on your device to limit the amount of data that is being collected. Even if it’s just for commercial purposes, you should know and be able to control what data is being collected.

9. Voice commands

Smart devices often come with voice-activated assistants such as Alexa and Google Home. These are designed to make our lives easier, but they can also be used to gather sensitive information about your home life.

When you speak to a voice assistant, your voice is stored on the company’s servers and could potentially be accessed by other parties without your knowledge or consent. What’s more, a lot of people find it creepy that these devices can actually listen to what you are saying even if you are not giving direct commands to the smart device, which can be a huge privacy concern.

Conclusion

Smart devices can be a great addition to any home, but it is important to keep in mind the potential risks associated with them. From unsecured cloud storage and third-party app permissions to data mining and voice commands, there are many ways that these devices could compromise your privacy. By being aware of these potential risks and taking the necessary steps to protect your data, you can help ensure that your privacy remains safe.

Read More

Economic headwinds could deepen the cybersecurity skills shortage

Read Time:29 Second

According to the most recent research report from ESG and the Information System Security Association International (ISSA), 57% of organizations claim that they’ve been impacted by the global cybersecurity skills shortage, while 44% of organizations believe the skills shortage has gotten worse over the past few years. The result? Increasing workloads on existing cybersecurity staff, job requisitions open for weeks or months, and high burnout rates and attrition for cybersecurity professionals. (ESG and ISSA will update and present their latest research at this year’s RSA conference.)

To read this article in full, please click here

Read More

How to survive below the cybersecurity poverty line

Read Time:47 Second

The security poverty line broadly defines a divide between the organizations that have the means and resources to achieve and maintain mature security postures to protect data, and those that do not. It was first coined by cybersecurity expert Wendy Nather in 2011, and the concept is just as relevant today as it was then (if not more so). It has widely become the benchmark for acceptable cybersecurity, often associated with factors such as company size, sector and disposable income, but also know-how and appetite for recognizing and addressing security inadequacies.

Generally (but not always), those “above” the security poverty line are larger, private-sector businesses with the money, talent pool, and durability required to meet basic but highly important cybersecurity standards. Below it are typically small, young businesses or those that operate in cash- and resource-strapped sectors (though this is not a universal fact).

To read this article in full, please click here

Read More