Microsoft patches 3 vulnerabilities in Azure API Management

Microsoft has patched three new vulnerabilities in the Azure API Management service, including two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic.

The vulnerabilities were exploitable through URL formatting bypasses and an unrestricted file upload feature in the API Management developer portal, Ermetic said. The firm identified the vulnerabilities in December and Microsoft patched them in January.
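The summary above names two bug classes without showing what the defensive checks look like: SSRF reached through URL formatting tricks, and path traversal reached through an unrestricted upload. The following is an added example written for this page; it is not Microsoft's or Ermetic's code and says nothing about how the Azure bugs were actually triggered. The allow-listed host `api.backend.example`, the upload root and the sample inputs are constructed assumptions.

```python
"""
Defensive validation for the two bug classes mentioned in the Azure API
Management write-up: SSRF via URL-formatting bypasses, and path traversal
via an unrestricted file upload. Added example; the allow-list host and the
upload root are constructed assumptions, not values from any real service.
"""
import ipaddress
import os
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of outbound hosts the service may call.
ALLOWED_HOSTS = {"api.backend.example"}
ALLOWED_SCHEMES = {"https"}


def is_safe_outbound_url(url: str) -> bool:
    """Return True only for a plain https URL to an allow-listed host.

    The check operates on the *parsed* host, so the usual formatting
    bypasses are rejected: an allow-listed name placed in the userinfo
    before '@', in the fragment, or in the path; raw IP literals
    (loopback, link-local metadata addresses); non-default ports; and
    schemes other than https.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://allowed@evil/" style userinfo trick
    host = parts.hostname  # lower-cased, userinfo and brackets stripped
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals are never allow-listed
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    if port not in (None, 443):
        return False
    return host in ALLOWED_HOSTS


def safe_upload_path(upload_root: str, client_filename: str) -> Optional[str]:
    """Map a client-supplied filename to an absolute path inside upload_root.

    Only the final path component is kept (after normalising backslashes),
    and the resolved result must still sit under the resolved root, so
    '../' sequences, absolute paths and NUL bytes cannot escape the root.
    Returns None when the name is unusable.
    """
    if "\x00" in client_filename:
        return None
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate URL, three bypass attempts,
    # and a traversal attempt against the upload handler.
    for u in [
        "https://api.backend.example/v1/items",
        "https://api.backend.example@evil.example/",
        "https://evil.example/#api.backend.example",
        "https://169.254.169.254/metadata",
    ]:
        print(f"{u!r:55} -> {is_safe_outbound_url(u)}")
    print(safe_upload_path("/tmp/uploads", "../../etc/passwd"))
```

The key design choice is to decide on the parsed hostname rather than on a substring search of the raw URL, and to keep only the basename of an uploaded file and then re-check the resolved path; both checks are cheap and close the bypass classes the summary mentions.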

How To Be Safe On WhatsApp

I’m betting you have WhatsApp on your phone. Or, if you don’t – I’m quite sure a member of your family would. As the most popular messaging app in the world with 2 billion active monthly users, it’s clearly a favourite for many of us who want to keep in contact with both our Apple and Android friends in a safe and encrypted fashion. 

My relationship with WhatsApp was a slow burn. I discovered it a few years back when it became apparent that group messages to a close cluster of girlfriends weren’t being received by my Android pals. WhatsApp solved that problem instantly. But then over several years, I realized it solved quite a few other pesky problems namely expensive and tricky phone calls when travelling overseas and my frustration at not being able to send a message to a large group of people. I became a fan girl! 

But it hasn’t always been smooth sailing for WhatsApp users. Over the years there have been scams, including the 10th birthday scam, where users were offered the chance to win 1000GB of free data, and most recently the ‘mum and dad’ scam. There was also a wave of controversy in 2021, when WhatsApp’s owner, Meta, introduced a new Privacy Policy that had a swathe of users concerned it would share their data with Facebook. Many of us threatened not to accept it; however, if we didn’t, we couldn’t use the app! So we all agreed, somewhat reluctantly, in the name of convenience and moved on.

WhatsApp Offers Rolls Royce Encryption But Is It Enough? 

WhatsApp’s default end-to-end encryption sets it apart from other messaging apps and is another one of my favourite features. But what does that actually mean? In short, it means that your messages can only be read on the recipient’s phone. Likewise, video and audio calls can only be answered by the intended receiver. WhatsApp encrypts every message sent on its platform which means the only people who can decode it are the sender and the receiver. WhatsApp can’t access anything you share and nor could a hacker if they were to intercept a message. Love end-to-end encryption! 

But this doesn’t mean that there are no risks using WhatsApp. Like all online platforms, staying ahead of the risks is the smartest way of ensuring you have the best experience. And there are several steps you can take to stay ahead of the threats on WhatsApp. Here are my top tips: 

My Top Tips To Stay Safe While Using WhatsApp 

1. Turn On Automatic Updates 

Keeping your WhatsApp software up to date is essential as updates will almost always include fixes or ‘patches’ for new vulnerabilities and threats. Why not automate them to ensure that this happens? This means you won’t be at risk if you forget to update the software yourself. 

2. Be Careful What You Share 

Never ever share personal data or crucial financial information on the app, in case your device ends up in the wrong hands or it becomes infected with spyware or malware. And this goes for any app – keep your personal information nice and tight.  

3. Protect Your Device From Spyware 

To prevent your device from becoming compromised by malicious software, ensure your device has some super-duper mobile security software. McAfee’s Mobile Security software, available for both iOS and Android, will protect devices of all types from cyberthreats. 

4. Ignore Suspicious Messages 

As anyone can message anyone on WhatsApp, it’s inevitable that you will receive some random or suspicious-looking messages. Always err on the side of caution and do not respond to direct messages from people you don’t know. If you receive a tempting promotional offer from a company, go directly to their website to confirm it. Scammers will often send out thousands of emails with a tempting offer and a link to a malicious website in the hope that someone will ‘bite’. Don’t be caught in a phishing scam!

5. Add a PIN 

Enabling two-factor authentication is one of the best ways to secure your WhatsApp account and ensure a hacker can’t activate your account on their phone. Without your six-digit PIN, a hacker can’t get into your account, even if they get their hands on the SMS code needed to activate your account on another device. And it takes 30 seconds to set up!  

6. Be Aware Of The Most Common WhatsApp Hacking Strategy 

If you haven’t set up your six-digit PIN, then you are at risk of being ‘socially hacked’. This is how it works: a hacker who has hijacked one of your friends’ accounts will message you asking for the six-digit code that has just been sent to you, claiming it was meant for them. Because you ‘know’ this person, you are likely to send the code straight through without questioning it. But in fact, the hacker requested that code for your account, so the minute you share it you will be locked out! So never, ever share your six-digit code with anyone. No one will ever have a legitimate reason to request it.   

But please don’t let these risks put you off this fantastic messaging app. I’m a big believer in understanding the challenges so you can prepare yourself, go ahead and enjoy! And I haven’t even touched on some of the more fun aspects of the app – the stickers & the status updates – they can be quite the conversation starter! So go ahead and enjoy but just make sure you’ve done your homework!! 

Stay safe everyone! 

Alex  

The post How To Be Safe On WhatsApp appeared first on McAfee Blog.

USN-6055-2: Ruby regression

USN-6055-1 fixed a vulnerability in Ruby. Unfortunately it introduced a regression.
This update reverts the patches applied to CVE-2023-28755 in order to fix the regression
pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-28755)

Google launches entry-level cybersecurity certificate to teach threat detection skills

Google has announced a new entry-level cybersecurity certificate to teach learners how to identify common risks, threats, and vulnerabilities, as well as the techniques to mitigate them. Designed and taught by Google’s cybersecurity experts, the Google Cybersecurity Certificate aims to prepare learners for entry-level jobs in cybersecurity in less than six months with no prior experience required, create greater opportunities for people around the world, and help fill the growing number of open cyber roles, the tech giant said.

USN-6058-1: Linux kernel vulnerability

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed.

USN-6057-1: Linux kernel (Intel IoTG) vulnerabilities

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy-up operations in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)

Haowei Yan discovered that a race condition existed in the Layer 2
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-4129)

It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)

It was discovered that the NTFS file system implementation in the Linux
kernel contained a null pointer dereference in some situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2022-4842)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)

It was discovered that the Human Interface Device (HID) support driver in
the Linux kernel contained a type confusion vulnerability in some
situations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-1073)

It was discovered that a memory leak existed in the SCTP protocol
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2023-1074)

It was discovered that the NFS implementation in the Linux kernel did not
properly handle pending tasks in some situations. A local attacker could
use this to cause a denial of service (system crash) or expose sensitive
information (kernel memory). (CVE-2023-1652)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel
did not properly handle certain sysctl allocation failure conditions,
leading to a double-free vulnerability. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

USN-6056-1: Linux kernel (OEM) vulnerability

It was discovered that a race condition existed in the Xen transport layer
implementation for the 9P file system protocol in the Linux kernel, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (guest crash) or expose sensitive information (guest
kernel memory).

The Merck appeal: cyber insurance and the definition of war

Pharmaceutical firm Merck recently won an appeal that could mean its insurers will have to pay up on a $1.4-billion judgment related to the NotPetya cyberattack in 2017. The New Jersey appellate division judges hearing the appeal noted that the plain definition of war applies to the insurance policies at issue, and that a cyberattack against an accounting firm not engaged in hostilities, while criminal and based on ill will, was not tantamount to an act of war.

As detailed in the judges’ decision, many of the original defendants settled their portion of the insurance claim with Merck. In a separate yet parallel case involving multinational food and beverage company Mondelez International and Zurich American Insurance, a settlement was also reached, missing the opportunity for a ruling that would have had a telling effect on how cyber insurance is treated going forward.
