FEDORA-2023-ed2642fd58
Packages in this update:
nghttp2-1.52.0-2.fc38
Update description:
fix HTTP/2 Rapid Reset (CVE-2023-44487)
godot-4.1.2-1.fc40
Automatic update for godot-4.1.2-1.fc40.
* Thu Oct 12 2023 Rémi Verschelde <akien@fedoraproject.org> - 4.1.2-1
- Version 4.1.2-stable
- Updates tinyexr to 1.0.7, fixes CVE-2022-34300 (rhbz#2233637)
- Preconfigure Blender path for .blend file import (rhbz#2177897)
A cyber espionage campaign tied to the Chinese group ToddyCat is targeting high-profile organizations in Kazakhstan, Uzbekistan, Pakistan, and Vietnam
nghttp2-1.55.1-4.fc39
fix HTTP/2 Rapid Reset (CVE-2023-44487)
curl-7.85.0-12.fc37
fix cookie injection with none file (CVE-2023-38546)
fix SOCKS5 heap buffer overflow (CVE-2023-38545)
curl-8.0.1-5.fc38
fix cookie injection with none file (CVE-2023-38546)
fix SOCKS5 heap buffer overflow (CVE-2023-38545)
This is a fun challenge:
The NIST elliptic curves that power much of modern cryptography were generated in the late ’90s by hashing seeds provided by the NSA. How were the seeds generated? Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry Solinas, passed away in early 2023 leaving behind a cryptographic mystery, some conspiracy theories, and an historical password cracking challenge.
So there’s a $12K prize to recover the hash seeds.
Some backstory:
Some of the backstory here (it’s the funniest fucking backstory ever): it’s lately been circulating—though I think this may have been somewhat common knowledge among practitioners, though definitely not to me—that the “random” seeds for the NIST P-curves, generated in the 1990s by Jerry Solinas at NSA, were simply SHA1 hashes of some variation of the string “Give Jerry a raise”.
At the time, the “pass a string through SHA1” thing was meant to increase confidence in the curve seeds; the idea was that SHA1 would destroy any possible structure in the seed, so NSA couldn’t have selected a deliberately weak seed. Of course, NIST/NSA then set about destroying its reputation in the 2000’s, and this explanation wasn’t nearly enough to quell conspiracy theories.
But when Jerry Solinas went back to reconstruct the seeds, so NIST could demonstrate that the seeds really were benign, he found that he’d forgotten the string he used!
If you’re a true conspiracist, you’re certain nobody is going to find a string that generates any of these seeds. On the flip side, if anyone does find them, that’ll be a pretty devastating blow to the theory that the NIST P-curves were maliciously generated—even for people totally unfamiliar with basic curve math.
Note that this is not the constants used in the Dual_EC_PRNG random-number generator that the NSA backdoored. This is something different.
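A worked check of the construction described in the comment above, added here as an example and not part of the original post: SHA-1 of a candidate phrase is compared against the published P-256 seed, and the seed is run through the ANSI X9.62 "verifiably random" derivation to confirm it really does produce the published b coefficient (which is the sense in which hashing the seed was meant to rule out a hand-picked curve). The P-256 constants are the public values from FIPS 186-4 / SEC 2; the sample phrase is only a placeholder guess.

```python
import hashlib

# Public NIST P-256 domain parameters (FIPS 186-4 D.1.2.3 / SEC 2). Not from the post above.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def candidate_seed(phrase: str) -> bytes:
    """The rumoured construction: SEED = SHA-1(some English sentence)."""
    return hashlib.sha1(phrase.encode("utf-8")).digest()


def matches_seed(phrase: str, seed: bytes = P256_SEED) -> bool:
    """True if hashing the phrase reproduces the published 160-bit seed."""
    return candidate_seed(phrase) == seed


def curve_verifiably_random(seed: bytes, p: int, b: int) -> bool:
    """ANSI X9.62 A.3.3.1 check (a = -3 curves): expand SEED with SHA-1 into an
    integer c and verify b^2 * c == -27 (mod p). A curve passing this check has a
    b that was fixed by the seed, not chosen freely."""
    t = p.bit_length()            # 256 for P-256
    v = (t - 1) // 160            # number of extra SHA-1 blocks (1 for P-256)
    w = t - 160 * v - 1           # bits kept from the first hash (95 for P-256)
    g = len(seed) * 8             # seed length in bits (160)
    h0 = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    c = h0 & ((1 << w) - 1)       # W0 = rightmost w bits of SHA-1(SEED)
    seed_int = int.from_bytes(seed, "big")
    for i in range(1, v + 1):     # W_i = SHA-1((SEED + i) mod 2^g)
        s_i = ((seed_int + i) % (1 << g)).to_bytes(len(seed), "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return (b * b * c + 27) % p == 0


def first_matching_phrase(phrases, seed: bytes = P256_SEED):
    """Return the first candidate phrase whose SHA-1 equals the seed, or None."""
    return next((ph for ph in phrases if matches_seed(ph, seed)), None)


if __name__ == "__main__":
    # Sample guesses only; if any of these matched, the prize would already be claimed.
    guesses = ["Give Jerry a raise", "Give Jerry a raise.", "give jerry a raise"]
    print("P-256 b derives from its seed:", curve_verifiably_random(P256_SEED, P256_P, P256_B))
    print("matching phrase:", first_matching_phrase(guesses))
```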
python2.7-2.7.18-35.fc37
Security fix for CVE-2022-48565.
A practical guide to phishing and best practices to avoid falling victim.
Over the past several years, remote and hybrid work has quickly gained popularity among those seeking to reduce the amount of time spent on the road or to improve their work/life balance. To accomplish this, users often work from multiple devices, some of which may be company issued while others are privately owned.
Cyberattackers have leveraged this trend to bypass traditional security controls using social engineering, with phishing attacks being a favored tactic. In fact, the FBI Internet Crime Report issued in 2022 reported phishing as the top reported internet crime for the past 5 years. Its ability to persuade individuals to divulge sensitive information to seemingly familiar contacts and companies over email and/or SMS text messages has resulted in significant data breaches, both personal and financial, across all industries. Mobile phishing, in particular, is quickly becoming a preferred attack vector among hackers seeking to use mobile devices as a jump point to gain access to proprietary data within a company’s network.
This article provides an overview of the origins of phishing, its impact on businesses, the types of mobile phishing attacks hackers employ, and ways in which companies can best defend themselves against such attacks.
The belief among many in the cybersecurity industry is that phishing attacks first emerged in the mid-90s when dial-up was the only means of gaining access to the internet. Hackers posing as ISP administrators used fake screen names to establish credibility with the user, enabling them to “phish” for personal log-in data. Once successful, they were able to exploit the victim’s account by sending out phishing emails to other users in their contact list, with the goal of scoring free internet access or other financial gain.
Awareness of phishing was still limited until May 2000, when Love Bug entered the picture. Love Bug, a highly effective and contagious virus designed to take advantage of the user’s psyche, was unleashed in the Philippines, impacting an estimated 45 million Windows PCs globally. Love Bug was sent via email with the subject line reading “ILOVEYOU”. The body of the message simply read “Kindly check the attached LOVELETTER coming from me”. Users who couldn’t resist opening the attachment unleashed a worm that infected the system and overwrote the user’s files with copies of itself; opening any of those files reinfected the system.
Love Bug elevated phishing to a new level because it demonstrated the ability to harvest a user’s email contact list and spam the user’s acquaintances, who were more inclined to open a message that appeared to come from someone they knew. This enabled the Love Bug worm to infect further systems and steal other users’ passwords, giving the hacker the opportunity to log in to other user accounts and obtain unlimited internet access.
Since Love Bug, the basic concept and primary goal of phishing have remained consistent, but the tactics and vectors have evolved. The window of opportunity for hackers has increased significantly with the increased use of social media (e.g., LinkedIn, Twitter, Facebook). This provides hackers with more personal data, enabling them to exploit their targets with more sophisticated phishing tactics while avoiding detection.
Phishing attacks present a significant threat to organizations because the capture of proprietary business and financial data is both costly and time consuming for IT organizations to detect and remediate. Based on a recent survey, 59% of companies reported an increase in the number of mobile phishing attacks over a 12-month period. On average, dealing with the threat of a single phishing email takes 27.5 minutes at a cost of $31.32 per phishing message, with some organizations taking much longer and paying more per phishing message.
Phishing attacks have become more targeted as hackers are seeking very specific personal or corporate information. The following highlights a few of the more popular types of targeted phishing tactics:
Spear-phishing: Hackers perform reconnaissance through the web or social media platforms to target specific individuals, most often those with access to highly confidential information or with elevated network privileges. These campaigns are tailored and personal in nature so that the target is more likely to act on the phishing message.
Whale phishing: This is an even more targeted form of spear-phishing aimed at high-level executives. Hackers are fully aware that executives have access to highly sensitive personal and financial data within their company, so obtaining executive credentials is key. As with spear-phishing, whale phishing is highly targeted but even more personal in its message.
Billing phishing: Although less targeted and more random in nature, this sort of phishing attack impersonates a legitimate company to trick users into urgently visiting a spoofed website. The phishing SMS and email attacks come in various fraudulent templates, with some of the most common appearing as shipping notifications, utility bills, or urgent credit card fraud alerts.
Although phishing attacks often seek to capture login credentials or financial data, they may also be used as a means to deploy other types of malware, including ransomware. Ransomware is malware that denies a user or organization access to the files on their computer by encrypting them and then demands a ransom payment for the decryption key. Ransomware variants such as Ryuk are more targeted, encrypting specific enterprise files, while the Maze variant exfiltrates sensitive data before encrypting the files.
Mobile phishing has become a preferred tactic among hackers. The mobile device has become not only a significant mainstream communication tool but one with access to sensitive corporate data and messages. A hacker’s ability to steal a person’s log-in credentials increases as they spread their attacks across both personal and work platforms. These trends are contributing to the increase in mobile phishing attacks:
Increase in the number of BYOD devices due to hybrid work – Many companies adopting hybrid work have made personal devices more acceptable and, as a result, have relaxed their bring-your-own-device (BYOD) policies. This poses significant risk and challenges to enterprise data, as a personal device’s access to social media and unsecured Wi-Fi networks can affect the enterprise data accessible from that device. These situations potentially invite bad actors to initiate socially engineered attacks from social media or third-party messaging platforms.
Mobile phishing has extended beyond email – Hackers have now extended their attacks beyond email. We are seeing increased use of other means of launching attacks, including:
Smishing: Phony text messages designed to trick you into providing proprietary data.
Vishing: Phony phone calls designed to trick you into revealing personal information.
Quishing: An emerging tactic in which QR codes are embedded in images to bypass email security tools that scan a message for known malicious links, allowing the phishing message to reach the target’s inbox.
What can your company do to prevent such attacks from occurring in the future? Here are several tips for you to consider:
Leverage internal and external data to develop a company strategy on how you will combat phishing attacks and reduce the risk associated with these attacks.
Educate your users on how to identify a phishing attack using phishing simulators or other tools and establish a communication channel for users to report them to your IT department.
Track both successful and unsuccessful phishing attacks over time to determine attack patterns such as persons or departments being targeted. IT should report out the activity they are tracking to better inform employees of any phishing trends.
Consider endpoint security for your desktops, laptops, and servers and mobile threat defense (MTD) applications for all your iOS and Android endpoints. These technologies offer comprehensive protection against a wide range of threats, including the ability to identify phishing attacks sent via email or SMS and to block malicious URLs. Although all companies can benefit greatly from endpoint and mobile threat defense solutions, they are of paramount importance for companies in high-security sectors, companies in regulated sectors (e.g., finance and healthcare), companies with large and fragmented device fleets, and companies whose users are potential targets of geopolitically motivated cyberattacks.
4 https://ostermanresearch.com/2022/10/21/business-cost-phishing-ironscales/ (white paper by Osterman Research, October 2022)
A new survey from accounting software provider Sage showed that most SMEs have developed a cybersecurity posture but struggle to keep up with the threats