xorg-x11-server-Xwayland-22.1.9-3.fc38


FEDORA-2023-7a94186139

Packages in this update:

xorg-x11-server-Xwayland-22.1.9-3.fc38

Update description:

Security fix for CVE-2023-5367


USN-6440-3: Linux kernel (HWE) vulnerabilities


Seth Jenkins discovered that the Linux kernel did not properly perform
address randomization for a per-cpu memory management structure. A local
attacker could use this to expose sensitive information (kernel memory) or
in conjunction with another kernel vulnerability. (CVE-2023-0597)

It was discovered that the IPv6 implementation in the Linux kernel
contained a high rate of hash collisions in connection lookup table. A
remote attacker could use this to cause a denial of service (excessive CPU
consumption). (CVE-2023-1206)

Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in
the Linux kernel contained a race condition, leading to a null pointer
dereference vulnerability. A local attacker could use this to cause a
denial of service (system crash). (CVE-2023-31083)

Ross Lagerwall discovered that the Xen netback backend driver in the Linux
kernel did not properly handle certain unusual packets from a
paravirtualized network frontend, leading to a buffer overflow. An attacker
in a guest VM could use this to cause a denial of service (host system
crash) or possibly execute arbitrary code. (CVE-2023-34319)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel contained a null pointer dereference vulnerability in some
situations. A local privileged attacker could use this to cause a denial of
service (system crash). (CVE-2023-3772)

Kyle Zeng discovered that the networking stack implementation in the Linux
kernel did not properly validate skb object size in certain conditions. An
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-42752)

Kyle Zeng discovered that the netfilter subsystem in the Linux kernel did
not properly calculate array offsets, leading to an out-of-bounds write
vulnerability. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP)
classifier implementation in the Linux kernel contained an out-of-bounds
read vulnerability. A local attacker could use this to cause a denial of
service (system crash). Please note that kernel packet classifier support
for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755)

Bing-Jhong Billy Jheng discovered that the Unix domain socket
implementation in the Linux kernel contained a race condition in certain
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux
kernel did not properly validate inner classes, leading to a use-after-free
vulnerability. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-4623)

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel
did not properly validate register length, leading to an out-of-bounds
write vulnerability. A local attacker could possibly use this to cause a
denial of service (system crash). (CVE-2023-4881)

It was discovered that the Quick Fair Queueing scheduler implementation in
the Linux kernel did not properly handle network packets in certain
conditions, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-4921)


USN-6435-2: OpenSSL vulnerabilities


USN-6435-1 fixed vulnerabilities in OpenSSL. This update
provides the corresponding updates for Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that OpenSSL incorrectly handled excessively large
Diffie-Hellman parameters. An attacker could possibly use this issue
to cause a denial of service. (CVE-2023-3446)

Bernd Edlinger discovered that OpenSSL incorrectly handled excessively
large Diffie-Hellman parameters. An attacker could possibly use this
issue to cause a denial of service. (CVE-2023-3817)


godot-4.1.2-1.fc39


FEDORA-2023-5410d30cc9

Packages in this update:

godot-4.1.2-1.fc39

Update description:

This update provides Godot 4.1.2 as the latest stable release for this free and open source game engine.

It fixes many bugs, improves features and usability.

For Fedora 37 and 38, it updates from Godot 4.0.x to 4.1.x, so the release notes for the minor 4.1 release are worth reviewing.

This update also improves the .blend file import integration by pre-filling the path to system packaged Blender.
It also fixes a security vulnerability in the EXR importer.

Release notes:
https://godotengine.org/article/godot-4-1-is-here/
https://godotengine.org/article/maintenance-release-godot-4-1-1/
https://godotengine.org/article/maintenance-release-godot-4-1-2/


godot-4.1.2-1.fc38


FEDORA-2023-59e4f4c9bb

Packages in this update:

godot-4.1.2-1.fc38

Update description:

This update provides Godot 4.1.2 as the latest stable release for this free and open source game engine.

It fixes many bugs, improves features and usability.

For Fedora 37 and 38, it updates from Godot 4.0.x to 4.1.x, so the release notes for the minor 4.1 release are worth reviewing.

This update also improves the .blend file import integration by pre-filling the path to system packaged Blender.
It also fixes a security vulnerability in the EXR importer.

Release notes:
https://godotengine.org/article/godot-4-1-is-here/
https://godotengine.org/article/maintenance-release-godot-4-1-1/
https://godotengine.org/article/maintenance-release-godot-4-1-2/


godot-4.1.2-1.fc37


FEDORA-2023-5225a85559

Packages in this update:

godot-4.1.2-1.fc37

Update description:

This update provides Godot 4.1.2 as the latest stable release for this free and open source game engine.

It fixes many bugs, improves features and usability.

For Fedora 37 and 38, it updates from Godot 4.0.x to 4.1.x, so the release notes for the minor 4.1 release are worth reviewing.

This update also improves the .blend file import integration by pre-filling the path to system packaged Blender.
It also fixes a security vulnerability in the EXR importer.

Release notes:
https://godotengine.org/article/godot-4-1-is-here/
https://godotengine.org/article/maintenance-release-godot-4-1-1/
https://godotengine.org/article/maintenance-release-godot-4-1-2/


Social engineering: Hacking minds over bytes


In this blog, let's focus on the intersection of psychology and technology, where cybercriminals manipulate human psychology through digital means to achieve their objectives.

Our world has become more interconnected over time, and this has given rise to an entirely new breed of criminal masterminds: digital criminals with deep psychological insights who use technology as the ultimate battlefield for social engineering activities. Welcome to social engineering – where your mind becomes the battlefield!

Before the digital revolution, social engineering was practiced face-to-face and practitioners of this form were known as “con men,” regardless of gender. Today however, cybercriminals use psychological methods to trick individuals into compromising their systems, divulging sensitive data, or participating in malicious activities unwittingly.

An unsuspecting employee receives an email purporting to be from an official subscription service for software used at their organization, prompting them to log in as quickly as possible to avoid having their account frozen due to inactivity. Following a link in the email leads them directly to a convincing fake login page, where they unknowingly give away their credentials, which give a threat actor access to company systems and confidential data. This deception is an ideal example of Business Email Compromise (BEC). The attacker crafted an urgent phishing email designed to distort the employee's judgment. Reconnaissance was conducted beforehand, so the threat actors already possessed information about both the employee's email address and the web-based applications in use, making the attack even more effective.

Social engineering is one of the primary strategies criminals use in their attempts to attack our systems. From an information security perspective, social engineering is the use of manipulative psychological tactics and deception to commit fraud. The goal of these tactics is to establish some level of trust to convince the unsuspecting victim to hand over sensitive or confidential information.

Here are some books that offer a range of perspectives and insights into the world of social engineering, from the psychology behind it to practical defenses against it. Reading them can help you better understand the tactics used by social engineers and how to protect yourself and your organization.

1. “Influence: The Psychology of Persuasion” by Robert B. Cialdini

Robert Cialdini’s classic book explores the six key principles of influence: reciprocity, commitment and consistency, social proof, liking, authority, and scarcity. While not solely focused on social engineering, it provides valuable insights into the psychology of persuasion that are highly relevant to understanding and defending against social engineering tactics.

2. “The Art of Deception: Controlling the Human Element of Security” by Kevin D. Mitnick

Kevin Mitnick, a former hacker turned cybersecurity consultant, delves into the art of deception and social engineering. He shares real-life examples of social engineering attacks and provides practical advice on how to protect yourself and your organization from such threats.

3. “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker” by Kevin D. Mitnick

In this autobiography, Kevin Mitnick recounts his personal experiences as a hacker and social engineer. He provides a fascinating insider’s perspective on the tactics used by hackers to manipulate people and systems, shedding light on the world of cybercrime and social engineering.

4. “Social Engineering: The Art of Human Hacking” by Christopher Hadnagy

A comprehensive guide to social engineering techniques and strategies. It covers various aspects of human hacking, including information gathering, building rapport, and exploiting psychological vulnerabilities. It’s an excellent resource for those looking to understand and defend against social engineering attacks.

5. “No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing” by Johnny Long, Jack Wiles, and Scott Pinzon

Explores low-tech and non-digital methods of social engineering, including dumpster diving, physical intrusion, and eavesdropping. It provides insights into how attackers can exploit physical vulnerabilities and offers countermeasures to protect against such tactics.

6. “Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails” by Christopher Hadnagy and Michele Fincher

Focusing specifically on email-based social engineering attacks, this book examines phishing techniques in detail. It provides insights into the tactics used by attackers to trick individuals into revealing sensitive information and offers guidance on how to defend against phishing threats.

7. “The Confidence Game: Why We Fall for It . . . Every Time” by Maria Konnikova

While not exclusively about social engineering, this book delves into the psychology of deception and the reasons why people often fall victim to scams and cons. It provides valuable insights into the vulnerabilities of human cognition and behavior that social engineers exploit.

Cyberattacks increasingly depend on human interaction for successful execution. Threat actors use psychology to exploit vulnerabilities and compromise systems. With sufficient awareness, training, policies, and procedures, organizations can protect themselves against these insidious attacks: keep staff aware of emerging vulnerabilities through training sessions, maintain policies and procedures, and have skilled personnel assess them regularly.
