Multiple vulnerabilities have been discovered in Schneider Electric APC Smart-UPS that could allow for remote code execution. Schneider Electric APC Smart-UPS are devices that protect equipment and provide emergency backup power for mission-critical assets. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
dotnet6.0-6.0.103-1.fc34
FEDORA-2022-3b24db8072
Packages in this update:
dotnet6.0-6.0.103-1.fc34
Update description:
This is the March 2022 update for .NET 6: SDK 6.0.103 and Runtime 6.0.3
Release notes:
– SDK: https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.3/6.0.103.md
– Runtime: https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.3/6.0.3.md
This includes fixes for CVE-2022-24464 and CVE-2022-24512
dotnet6.0-6.0.103-1.fc35
FEDORA-2022-61d4028014
Packages in this update:
dotnet6.0-6.0.103-1.fc35
Update description:
This is the March 2022 update for .NET 6: SDK 6.0.103 and Runtime 6.0.3
Release notes:
– SDK: https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.3/6.0.103.md
– Runtime: https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.3/6.0.3.md
This includes fixes for CVE-2022-24464 and CVE-2022-24512
dotnet6.0-6.0.103-1.fc36
FEDORA-2022-5f97af4511
Packages in this update:
dotnet6.0-6.0.103-1.fc36
Update description:
This is the March 2022 update for .NET 6: SDK 6.0.103 and Runtime 6.0.3
Release notes:
– SDK: https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.3/6.0.103.md
– Runtime: https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.3/6.0.3.md
This includes fixes for CVE-2022-24464 and CVE-2022-24512
Helping Mom & Dad: Online Doctor Visits and Telemedicine
Whether it’s for routine care, a prescription refill, or a simple follow-up, online doctor visits offer tremendous benefits in terms of both convenience and ease of care—all good reasons to help mom and dad get connected with it.
There’s no doubt that more older adults than ever are taking advantage of online doctor visits, more formally known as telemedicine. While usage numbers have risen dramatically across all age groups, it’s particularly so for elders. Pre- and post-pandemic numbers saw a 63-fold increase in Medicare telemedicine use.
However, many older patients are missing out and not using telemedicine for one reason or another. What’s holding them back? Several things, according to research from the University of California, San Francisco:
Unreadiness with regards to technology, such as not having access to a telemedicine-ready device or knowing how to use it.
A lack of familiarity with the internet, particularly if they have not used email, texting, or the internet in general within the past month.
Physical challenges, involving vision or otherwise the ability to converse over a video call.
No access or limited access to a broadband connection (particularly in rural areas).
Moreover, another issue is that many older adults do not know that telemedicine is an option. Research from the University of Michigan showed that 55% of older adults surveyed were unaware if their healthcare provider even offered telemedicine as a service. And perhaps quite telling is that the same survey revealed nearly half of older adults harbored concerns about privacy and did not feel personally connected to their care provider during their visits.
For us as children and grandchildren of older adults, it can be tough knowing that a loved one is missing out on an avenue of care that they could otherwise benefit from. While we absolutely respect what they feel is comfortable and trustworthy for them, there are several other areas where we can help the older loved ones in our lives overcome the issues and concerns they face.
With that, let’s talk about the technology behind telemedicine and how you can help them use it, and address some of those privacy issues as well.
Easing into telemedicine
As indicated above, paying a visit to the doctor via telemedicine can be a big jump. Just as the idea of it is new for many of us, it's newer still for older adults. There's a good chance that you're familiar with video chats and calls already, which gives you a foundation to work from when it's time to see the doctor on a screen. That may not be the case for older adults. Add to that the privacy concerns and decades of seeing a doctor in person, and you can see why some older adults simply choose to opt out.
One way you can help is to have a few video chats with your older loved ones. In addition to the regular calls you make, you might want to try having a video chat with them from time to time. It’s an outstanding way to spend time together when you can’t be together in person, and it may develop a comfort level with the technology so that they may be willing to give telemedicine a try. You can check out my earlier article in this series that covers video chats with mom and dad, along with straightforward steps to get them up and running on the technology and how to use it.
Get them set up on the right device for telemedicine
One thing your parents will need for their visit is a reliable device that they’re comfortable using. It could be a computer or laptop, or it may be a smartphone or tablet. Note that in some cases their healthcare provider may use a telemedicine solution that has certain requirements as well, so you’ll want to see what those are and ensure that the device mom or dad has is compatible. (For example, the care provider may have an app that’s available through the Apple App Store or Google Play. Others may have an online platform that can be accessed by several different kinds of devices.)
If they're using a smartphone or tablet, that will likely make things easier because the camera and microphone are already integrated into the device, all set up and ready to go. For a computer or laptop, you can help them get familiar with the setup, like the microphone levels, speaker volume, and camera. For audio, a set of headphones or smartphone earbuds often works well, as it helps prevent audio feedback loops and simply makes it easier to hear the care provider.
If you’re looking for a little assistance with a Windows computer, you can check out this quick article for setting up the audio and this article for setting up the camera. For Macs, check out this article for audio and this article for the video.
Make sure their technology is secure
If they don’t already have comprehensive online protection software for their devices, look into getting it. This will protect them against malware, viruses, and phishing attacks. They’ll also benefit from other features that help them manage their passwords, protect their identity, safeguard their privacy, and more.
As for privacy in general, medical information is among the most sensitive information any of us have. For example, here in the U.S., we have HIPAA privacy standards to protect our medical records and conversations. Yet there's also the issue of eavesdropping, which is a risk in practically any online communication.
To help address privacy issues and concerns, health care providers will often post a set of Frequently Asked Questions (FAQ) as part of their telemedicine service. Within that, you’ll very likely find a section on personal privacy and the technologies in place to protect it. Here’s a good example of a telemedicine FAQ from the University of Washington Medicine and another example from the telemedicine page that Virginia Mason/Franciscan Health designed for its patients.
In all, if your parents have concerns about their privacy, you can absolutely assure them that it’s a valid concern. Consult the provider’s FAQ for guidance. If either of you has further questions, feel free to call the healthcare provider and speak with them.
Help them pick a private place and get prepared for the call
In addition to digital security, there’s the possibility of physical eavesdropping, somebody actually listening in on their conversation from another room, apartment, or from the street. Help your older loved ones pick a place in their home where they can have some privacy and where they can’t be overheard by neighbors and passers-by. A bedroom is a fine place—or any location that’s familiar and comfortable as well. When choosing a private place, a well-lit location is important as well so that the camera captures a nice and clear image.
Additionally, you can help them prep for their visit by putting together a list of things to discuss during the visit. The U.S. Department of Health and Human Services suggests writing things down:
Make a list of their current medications (or gather the actual bottles).
Write down any symptoms, questions, or concerns they want to discuss during the appointment, so they do not forget them.
If their doctor has requested information like their temperature or weight have this information ready.
Keep paper nearby to take notes about what the doctor says during the video visit.
Make their telemedicine visit safer with these tips
In addition to the above, there are further measures you can help your parents or older loved one take to further secure their telemedicine visit—and their internet usage in general.
1) Use strong, unique passwords
Your telemedicine visit may require setting up a new account and password. When doing so, make sure it’s with a strong, unique password. A password manager can help. Also found in comprehensive online protection software, a password manager can create and securely store strong and unique passwords for your mom and dad, giving them one less thing they need to remember and worry about.
2) Use a VPN
A VPN, or virtual private network, adds a layer of protection when mom or dad are using a network they don't control, such as public Wi-Fi at a cafe or a relative's house. It creates an encrypted tunnel between their device and the VPN provider, so anyone on the local network, or the network's operator, can't read or tamper with the traffic in transit. Be clear about what it doesn't do: a VPN doesn't make anyone anonymous, and it doesn't replace the encryption the telemedicine platform itself should already be using. Check that the provider's app or website uses HTTPS (the padlock in the browser's address bar) for the visit; the VPN is an extra layer on top of that, and one you can get as part of comprehensive online protection software.
3) Secure their internet router
Beyond their devices, securing their internet router is an important step in making a telemedicine visit safe and secure. The data that travels through it is of a highly personal nature already, so make sure both the Wi-Fi password and the router's own administrator password are strong and unique (many routers ship with a default administrator password printed on a label). Also, change the network name (SSID) so it doesn't give away their address, surname, or any other signs of their identity. One more step is to check that the router is using a current encryption method, WPA2 or, if the router supports it, WPA3, which keeps the wireless signal from being read by neighbors. If you have questions, check with their internet provider; they may even offer a newer, more secure router to replace an older one.
The best telemedicine choice is the one that’s right for your parents
As with anything concerning their health, have your parents and loved ones consult with their caregivers to ensure that a telemedicine visit is a proper course for them.
So while the technical ins and outs of preparing for a telemedicine visit may have their challenges for some older adults, we should also realize that getting comfortable with the idea of a telemedicine visit in the first place may take some time and effort. Starting with regular video chats with the family may increase familiarity and ease with holding a conversation over video. Likewise, having a conversation with their doctor about telemedicine may put some concerns to rest as well. After all, they will have a relationship with their doctor. Getting the facts from the doctor, face to face may help.
We all want what’s best, particularly when it comes to the care of our parents and older loved ones in our lives, and choosing to try telemedicine is a highly personal decision for them. I hope this article and the resources cited within it will help you enable them to make the choice that’s comfortable, effective, and right for them.
The post Helping Mom & Dad: Online Doctor Visits and Telemedicine appeared first on McAfee Blog.
Leak of Russian Censorship Data
The transparency organization Distributed Denial of Secrets has released 800GB of data from Roskomnadzor, the Russian government censorship organization.
Specifically, Distributed Denial of Secrets says the data comes from the Roskomnadzor of the Republic of Bashkortostan. The Republic of Bashkortostan is in the west of the country.
[…]
The data is split into two main categories: a series of over 360,000 files totalling 526.9GB and which date up to as recently as March 5, and then two databases that are 290.6GB in size, according to Distributed Denial of Secrets' website.
USN-5324-1: libxml2 vulnerability
It was discovered that libxml2 incorrectly handled certain XML files. An attacker could use this issue to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code.
SCA Rules Come into Force Today for E-commerce Transactions
From today, UK shoppers will have to provide two independent forms of authentication at checkout when making an online purchase, such as a password plus a one-time code sent to their phone.
USN-5323-1: NBD vulnerabilities
It was discovered that NBD incorrectly handled name length fields. A remote attacker could use this issue to cause NBD to crash, resulting in a denial of service, or possibly execute arbitrary code.
Top 12 client-side security threats
Today's web applications are complex, often made up of a mix of existing software, open-source and third-party code, and custom JavaScript and HTML, all integrated via application programming interfaces (APIs).
While web applications are hosted and maintained on an organization's server, much of their logic actually runs in the end user's browser. The scripts that run there are referred to as 'client-side scripts.' These scripts create an incredibly dynamic environment that enables a high level of functionality, but they also carry tremendous risk: the combination of potentially flawed or vulnerable systems, servers, code, and applications creates the perfect scenario for threat actors to leverage in client-side attacks.
What are client-side attacks?
Client-side attacks occur when a user unintentionally downloads malicious or vulnerable content from a server, often by doing nothing more than simply clicking on a web page and filling out a form. That content could take the form of bad JavaScript code or unsafe third-party code that exists as part of the web application.
The term ‘client-side’ refers to end-user devices, like desktops, laptops, mobile phones, and tablets, which are considered ‘clients.’ Conversely, the systems that the devices are connected to are referred to as ‘servers.’ Client devices send requests to the server and the server responds to the request. Servers usually support multiple client devices at the same time, and client devices usually send requests to multiple different servers while operating on the internet.
Because these scripts run in the user's browser rather than on the organization's servers, server-side controls such as firewalls and web application firewalls have no visibility into what a script actually does once the page is rendered, and so won't protect the end user from malicious activity occurring on dynamic web pages accessed from the end user's own device.
What are the most common client-side security risks?
Unmitigated risks present in organizational systems can lead to potentially severe attacks on the client side—that is, an organization’s customers or end users. These types of attacks include e-skimming, Magecart-like threats, and formjacking.
The Open Web Application Security Project® (OWASP), in the client-side testing section of its Web Security Testing Guide, lists 12 client-side security risks that organizations need to ensure they've mitigated to prevent attacks:
Document Object Model (DOM)-based Cross-site Scripting—A form of cross-site scripting (XSS) in which the vulnerability lies in the page's own JavaScript rather than in server-side code: a script reads attacker-controlled input (for example, part of the URL) and writes it into the page through an unsafe sink such as innerHTML or document.write. If the injected code is executed by the victim's browser, it can perform actions such as stealing credit card information or sensitive credentials.
JavaScript Injection—This type of vulnerability is considered a subtype of XSS involving the injection of malicious JavaScript code executed by the end user's browser. JavaScript injections can be used to modify the content seen by the end user, to steal the user's session cookies, or to impersonate the user.
Hypertext Markup Language (HTML) Injection—Another type of cross-site scripting attack, an HTML injection involves injecting HTML code via vulnerable sections of the website. Usually, the purpose of the HTML injection is to change the website’s design or information displayed on the website.
Client-side URL Redirection or Open Redirection—In this type of attack, an application accepts untrusted input that contains a URL value (a 'return to' or 'next' parameter, for instance) and redirects the user to it without validating it against an allow-list, sending the user to another, likely malicious page controlled by the attacker while the link itself appears to point at the legitimate site.
Cascading Style Sheets (CSS) Injection—Attackers inject arbitrary CSS code into a website, which is then rendered in the end user’s browser. Depending on the type of CSS payload, the attack could lead to cross-site scripting, user interface (UI) modifications or the exfiltration of sensitive information, like credit card data.
Client-side Resource Manipulation—This type of vulnerability enables the threat actor to control the URL that links to other resources on the web page, thus enabling cross-site scripting attacks.
Cross-origin Resource Sharing (CORS)—CORS relaxes the browser's same-origin policy for specific origins. An over-permissive policy, such as one that reflects whatever Origin header arrives while also allowing credentials, lets an attacker's site make authenticated requests to the application in the victim's name and read the responses, a cross-origin attack that resembles cross-site request forgery (CSRF) but also exposes the returned data.
Cross-site Flashing—Because Flash applications were often embedded in browsers, flaws or vulnerabilities in a Flash application could enable cross-site scripting attacks. Flash reached end of life at the end of 2020 and modern browsers no longer run it, so this item mainly matters for legacy applications that still ship Flash content.
Clickjacking or UI Redress Attack—This type of attack involves a threat actor using multiple web page frame layers to trick a user into clicking a button or link on a different page from the one intended. Keystrokes can also be hijacked using this technique. By using stylesheets, iframes, and text boxes, a threat actor can trick the user into thinking they’re entering login credentials or bank account information into a legitimate website, when, in fact, they are actually typing into a frame controlled by the attacker.
WebSockets—The WebSocket handshake is an ordinary HTTP upgrade request, and browsers attach the user's cookies to it. If the server does not verify the Origin header of that request, a malicious page can open a socket in the victim's name (cross-site WebSocket hijacking, CSWSH), a WebSocket flavour of cross-site request forgery; unencrypted ws:// connections can additionally be sniffed in transit.
Web Messaging—Also called cross-document messaging (postMessage), web messaging lets documents from different origins communicate. If the receiving page does not check the sender's origin (event.origin) before acting on a message, or a sender posts sensitive data with a wildcard target origin, an attacker's frame can inject messages into the application or receive data that was intended for another site.
Local Storage—Sometimes called web storage or offline storage, local storage enables JavaScript sites and apps to store and access data without any expiration date, so data stored in the browser remains available even after the browser window is closed. Because any script running on the origin can read it, a single cross-site scripting flaw exposes everything stored there, and an attacker can likewise write data into storage that the application later trusts. Session tokens and other secrets don't belong in local storage.
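The following block is an added example, not code from the AT&T/Feroot article or from OWASP, and it shows hardened checks for four of the risks in the list above: open redirection, CORS, WebSockets and web messaging. The origins, allow-lists and function names are assumptions made for the example. The redirect check only accepts same-site relative paths or exact, allow-listed https origins; the same exact-origin comparison serves both a postMessage handler and a WebSocket server's check of the upgrade request's Origin header; and the CORS helper is shown in its weak, origin-reflecting form beside the hardened one.

```javascript
// Added example (not from the original page). Pure functions so they run
// offline in Node; allow-lists and origins are constructed for the example.

// 1) Client-side URL redirection / open redirect.
//    Accept a relative path on the current site, or an absolute https URL
//    whose origin is exactly allow-listed. Anything else gets the fallback.
function safeRedirectTarget(userValue, allowedOrigins, fallback = '/') {
  const value = String(userValue || '').trim();
  // A single leading slash is a same-site path; "//host" and "/\host" are
  // protocol-relative and would leave the site, so they are not accepted here.
  if (value.startsWith('/') && !value.startsWith('//') && !value.startsWith('/\\')) {
    return value;
  }
  let parsed;
  try {
    parsed = new URL(value); // throws on relative or malformed input
  } catch (e) {
    return fallback;
  }
  // Compare the full origin (scheme + host + port), never a host substring,
  // so "https://app.example.evil.example" and "javascript:" URLs are rejected.
  if (parsed.protocol === 'https:' && allowedOrigins.includes(parsed.origin)) {
    return parsed.href;
  }
  return fallback;
}

// 2) Exact-origin check shared by Web Messaging and WebSockets.
//    "null" is what browsers send for sandboxed or opaque origins; a missing
//    Origin header on a WebSocket upgrade is treated as untrusted as well.
function originAllowed(origin, allowedOrigins) {
  if (typeof origin !== 'string' || origin === '' || origin === 'null') return false;
  return allowedOrigins.includes(origin);
}

// Factory for a postMessage handler: in a page you would register the
// returned function with window.addEventListener('message', handler).
// Returns true when the message was accepted, false when it was dropped.
function makeMessageHandler(allowedOrigins, onTrusted) {
  return function handleMessage(event) {
    if (!originAllowed(event.origin, allowedOrigins)) return false;
    onTrusted(event.data);
    return true;
  };
}

// Same check applied to a WebSocket upgrade request's headers (server side).
function websocketUpgradeAllowed(headers, allowedOrigins) {
  return originAllowed(headers.origin, allowedOrigins);
}

// 3) CORS. Weak pattern: reflect any Origin and allow credentials, which lets
//    every site on the web read this API's authenticated responses.
function corsHeadersWeak(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: only an allow-listed origin is echoed back, 'Vary: Origin' keeps
// shared caches from serving one origin's response to another, and unknown
// origins receive no CORS headers at all (the browser then blocks the read).
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!originAllowed(requestOrigin, allowedOrigins)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Stand-alone demonstration with constructed inputs.
const OWN_ORIGINS = ['https://app.example'];
console.log(safeRedirectTarget('/account', OWN_ORIGINS));            // /account
console.log(safeRedirectTarget('//evil.example/', OWN_ORIGINS));     // /
console.log(corsHeaders('https://evil.example', OWN_ORIGINS));       // {}
console.log(websocketUpgradeAllowed({ origin: 'https://app.example' }, OWN_ORIGINS)); // true
```

The key design choice in all four helpers is the same: compare the complete origin string for equality against a short allow-list, rather than testing whether a host "contains" or "ends with" a trusted name, which is how most real-world bypasses of these checks work.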
How to protect from client-side risks and attacks
To identify potential risks and protect your customers from client-side attacks, organizations should monitor for suspicious script activity at all times. While testing can achieve this goal, the testing process can be time consuming and requires specific areas of expertise. The best way to expedite the monitoring process is to use security technology designed for just this activity. With AT&T Managed Vulnerability Program’s Client-side Security powered by Feroot, tools like Inspector help businesses automatically discover and report on web assets and data access. It also identifies client-side security vulnerabilities and provides specific threat remediation to ensure customers are protected.
Feroot’s PageGuard solution is based on the Zero Trust model and runs continuously in the background to automatically detect and block unauthorized, anomalous, or malicious scripts and code behaviors.
With these attacks increasing daily, organizations are urged to work with security experts to implement tools that continuously scan and protect from attackers. These services offered by AT&T’s Managed Vulnerability Program (MVP) and Feroot allow the MVP team to inspect and monitor customer web applications for malicious JavaScript code that could jeopardize customer and organization security.