USN-6449-1: FFmpeg vulnerabilities


It was discovered that FFmpeg incorrectly managed memory, resulting
in a memory leak. An attacker could possibly use this issue to cause
a denial of service via application crash. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22038)

It was discovered that FFmpeg incorrectly handled certain input files,
leading to an integer overflow. An attacker could possibly use this issue
to cause a denial of service via application crash. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-20898, CVE-2021-38090,
CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094)

It was discovered that FFmpeg incorrectly managed memory, resulting in
a memory leak. If a user or automated system were tricked into
processing a specially crafted input file, a remote attacker could
possibly use this issue to cause a denial of service, or execute
arbitrary code. (CVE-2022-48434)


How to establish a great security awareness culture


The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

As we mark another Cybersecurity Awareness Month, it’s essential to recognize that this is more than a calendar event; it’s a wake-up call for proactive vigilance in the digital age. In an environment rife with technological threats, the cornerstone of robust cybersecurity isn’t just advanced systems and firewalls: it’s informed and empowered individuals. There are three key insights organizations should take on board before launching any cybersecurity awareness campaign:

More than a reminder: Each October, organizations and individuals worldwide pause to reflect on the ever-evolving state of digital cybersecurity. But it’s not just about ticking a box or recognizing threats. The month serves as an empowering signal, urging everyone, from top-tier management to the newest intern, to equip themselves with knowledge and best practices.
The central role of individuals: While the technological landscape continually shifts, one factor remains constant—the human element. Properly informed individuals stand as the first and often most crucial line of defense against a myriad of cyber threats.
From awareness to action: True cybersecurity is about transitioning from passive recognition to active defense. Cybersecurity Awareness Month lays the foundation, but the responsibility is on each of us to translate that knowledge into tangible actions. This involves understanding the risks inherent in the digital space and cultivating a culture of security within our spheres of influence.

As you read about the various digital vulnerabilities in this article, always remember that every individual, armed with awareness, can make a difference.

Cultivating a culture of cybersecurity awareness

Creating a culture where security awareness is a top priority demands actionable steps, consistent reinforcement, and collective responsibility. Here’s how:

Security-first leadership—Leading by example
Leaders play a pivotal role in shaping organizational culture. When top management emphasizes cybersecurity, it cascades down the ranks, instilling a security-first mindset across all tiers.

Security as a shared responsibility—Beyond the IT department
Security isn’t a realm exclusive to the IT department. Every employee, irrespective of their role, has a stake in maintaining a secure digital environment. Promoting this understanding can foster collective ownership, ensuring that everyone feels responsible for and participates in the company’s security efforts.

Feedback-driven fortifications—Sharpening defense with dialogue
Open channels of communication can be powerful tools for refining security strategies. A two-way dialogue encourages employees to voice concerns and observations, resulting in a dynamic defense system that’s constantly refined based on ground realities.

Learning from the landscape—Stay updated, stay safe
The cyber landscape is in flux, shaped by emerging technologies and evolving threats. Organizations can preemptively adjust strategies by actively monitoring global trends and incidents, ensuring they’re always a step ahead.

Architecting a bespoke security culture—Beyond templates
Organizations are as unique as fingerprints. A one-size-fits-all approach may not capture the specific needs of a particular enterprise. Tailoring security measures to an organization’s unique characteristics ensures precision protection, leaving no blind spots.

Maintaining awareness—The marathon mindset
Cybersecurity isn’t about sprinting through a checklist; it’s a marathon of maintaining awareness. With recurrent training, reminders, and knowledge-sharing sessions, organizations can foster a culture where security awareness becomes second nature, not something forced upon employees.

Here are some more tips to help make a stronger security awareness culture:

Make security awareness a part of the onboarding process. New employees should be trained on cybersecurity best practices as soon as they start working for your organization. This will help them to understand the importance of security and how to protect your organization’s data and systems from cyberattacks.
Recognize and reward good security behavior. When employees demonstrate good security behavior, such as reporting a suspicious email or using strong passwords, be sure to recognize and reward them. This will help to reinforce the importance of security and encourage employees to continue to make good security choices.

The power of why

Every security measure has an underlying reason rooted in the preservation of the company’s integrity and assets. It’s not enough to simply follow protocols; understanding the “why” behind each security guideline ensures that individuals recognize the importance of each step they take.

When a company implements new security controls, it is vital to communicate the rationale behind these decisions. Highlighting the reasons for these controls, and explaining the potential consequences of non-compliance, provides employees with a clear picture of their importance. This transparent communication not only promotes adherence to protocols but also plays a pivotal role in raising cybersecurity awareness throughout the organization.

By comprehending both the “why” and the potential fallout of ignoring these measures, employees become more vigilant and proactive, leading to heightened cybersecurity awareness, more effective risk management, and a fortified defense against threats.


USN-6422-2: Ring vulnerabilities


It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)

Original advisory details:

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,
CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031,
CVE-2022-39244)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)
