logrotate-3.20.1-1.fc36

FEDORA-2022-87c0f05204

Packages in this update:

logrotate-3.20.1-1.fc36

Update description:

fix potential DoS from unprivileged users via the state file (CVE-2022-1348)

Manipulating Machine-Learning Systems through the Order of the Training Data

Yet another adversarial ML attack:

Most deep neural networks are trained by stochastic gradient descent. Now “stochastic” is a fancy Greek word for “random”; it means that the training data are fed into the model in random order.

So what happens if the bad guys can cause the order to be not random? You guessed it—all bets are off. Suppose for example a company or a country wanted to have a credit-scoring system that’s secretly sexist, but still be able to pretend that its training was actually fair. Well, they could assemble a set of financial data that was representative of the whole population, but start the model’s training on ten rich men and ten poor women drawn from that set – then let initialisation bias do the rest of the work.

Does this generalise? Indeed it does. Previously, people had assumed that in order to poison a model or introduce backdoors, you needed to add adversarial samples to the training data. Our latest paper shows that’s not necessary at all. If an adversary can manipulate the order in which batches of training data are presented to the model, they can undermine both its integrity (by poisoning it) and its availability (by causing training to be less effective, or take longer). This is quite general across models that use stochastic gradient descent.

Research paper.

CVE-2021-32997

The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access.

CVE-2021-32989

When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.

CVE-2021-32966

Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials.

Multiple Vulnerabilities in Firefox Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla Firefox Products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.
Mozilla Firefox for Android is the Android-based Firefox browser on Android devices.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Chaos ransomware explained: A rapidly evolving threat

The Chaos ransomware builder started out last year as a buggy and unconvincing impersonation of the notorious Ryuk ransomware kit. It has since gone through active development and rapid improvements that have convinced different attacker groups to adopt it. The latest version, dubbed Yashma, was first observed in the wild in mid-May and contains several enhancements.

One successful ransomware operation known as Onyx hit U.S.-based emergency services, medical facilities and organizations from several other industries over the past year. It uses a variation of the Chaos ransomware, according to security researchers.

“What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability,” researchers from BlackBerry said in a new report. “As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims.”

New Mend service auto-detects and fixes code, app security issues

Open-source application security company Mend, formerly WhiteSource, has announced the launch of an automated remediation service for addressing code security issues. According to the firm, the new service is designed to reduce the software attack surface and application security burden, enabling developers to write secure code more easily.

Mend has also integrated Mend Supply Chain Defender, a solution that detects and blocks malicious open-source software, into its JFrog Artifactory plugin within the Mend Application Security Platform. The news comes amid increasing market investment into securing key aspects of code and app production to address related risks and challenges.
