CVSS 9.9-Rated Samba Bug Requires Immediate Patching

A critical vulnerability in a popular open-source implementation of the SMB file-sharing protocol could allow attackers to execute code as root unless patched, experts have warned.

Samba is a popular free implementation of the SMB protocol, allowing Linux, Windows and Mac users to share files across a network.

However, a newly discovered critical vulnerability (CVE-2021-44142) in the software has been given a CVSS score of 9.9 out of a possible 10.0, putting it among the most severe bugs disclosed in recent years; Log4Shell scored only slightly higher, at the maximum 10.0.

“All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit,” Samba explained.

“The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”

Samba has released versions 4.13.17, 4.14.12 and 4.15.5 to fix the problem, and administrators are urged to upgrade to one of these releases or apply the corresponding patch as soon as possible. No in-the-wild exploitation had been reported at the time of writing, but that is likely to change.

As a workaround where patching cannot happen immediately, administrators can remove “fruit” from the list of modules on every “vfs objects” line in the Samba configuration file smb.conf. This disables the Apple-compatibility features that vfs_fruit provides to macOS clients (Time Machine support and Apple metadata handling), so it is a stopgap rather than a substitute for upgrading.
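
The two checks an administrator actually needs here, the version test against the fixed releases and an audit of which shares load vfs_fruit, as an added example that is not Samba project code. The fixed versions are the three named in the advisory; the smb.conf is constructed for the demonstration, and the `strip_fruit` function applies the advisory's workaround to it. One caveat built into the version test: distributions backport fixes without changing the upstream version string, so a "vulnerable" result from the version check alone is a prompt to read the package changelog, not proof of exposure.

```python
"""Exposure check for CVE-2021-44142. Added example, not Samba project code:
fixed versions are those named in the advisory; the smb.conf is constructed."""
import re
from typing import Dict, List, Tuple

# First fixed release on each maintained branch, per the advisory.
FIXED_BY_BRANCH = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Accepts raw 'smbd --version' output such as 'Version 4.13.16-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)

def is_vulnerable_version(text: str) -> bool:
    """True when the upstream version predates the fix. Distributions backport
    fixes without bumping this string, so True means 'check the package
    changelog', not proof of exposure."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Older branches were out of support and never fixed; newer ones were cut
    # after the fix landed.
    return branch < (4, 13)

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader: [section] headers, 'name = value', ';'/'#' comments.
    Samba ignores case and spaces in parameter names, so names are normalised."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            sections[current]["".join(name.lower().split())] = value.strip()
    return sections

def shares_using_fruit(conf_text: str) -> List[str]:
    """Shares whose effective 'vfs objects' includes fruit. A share without its
    own line inherits [global]'s, which is easy to miss when auditing by eye."""
    sections = parse_smb_conf(conf_text)
    global_vfs = sections.get("global", {}).get("vfsobjects", "")
    return [name for name, p in sections.items() if name != "global"
            and "fruit" in p.get("vfsobjects", global_vfs).lower().split()]

_VFS_LINE = re.compile(r"^(\s*vfs\s*objects\s*=\s*)(.*)$", re.IGNORECASE)

def strip_fruit(conf_text: str) -> str:
    """The advisory's workaround: drop 'fruit' from every 'vfs objects' line.
    fruit:* options are left in place and ignored once the module is unloaded.
    macOS clients lose the Apple metadata handling, so this is a stopgap."""
    out = []
    for line in conf_text.splitlines():
        m = _VFS_LINE.match(line)
        if m:
            kept = [mod for mod in m.group(2).split() if mod.lower() != "fruit"]
            line = m.group(1) + " ".join(kept)
        out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")

def assess(conf_text: str, version_text: str) -> Dict[str, object]:
    """Exposed only when both hold: unfixed code and a share that loads fruit."""
    vulnerable = is_vulnerable_version(version_text)
    shares = shares_using_fruit(conf_text)
    return {"version_vulnerable": vulnerable, "shares_using_fruit": shares,
            "at_risk": vulnerable and bool(shares)}

# Constructed sample. The guest share silently inherits fruit from [global].
SAMPLE_SMB_CONF = """\
[global]
    ; inherited by every share that does not set its own list
    vfs objects = catia fruit streams_xattr

[timemachine]
    path = /srv/timemachine
    vfs objects = catia fruit streams_xattr
    fruit:time machine = yes

[public]
    path = /srv/public
    guest ok = yes
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SMB_CONF, "Version 4.13.16-Ubuntu"))
    print(strip_fruit(SAMPLE_SMB_CONF), end="")
```

Run against a real host with `smbd --version` output and the contents of `/etc/samba/smb.conf` (or `testparm -s`, which also expands includes). The `[public]` share in the sample is the case the advisory warns about: guest access plus an inherited fruit module, with nothing on the share's own lines to show it.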

The new vulnerability comes at a busy time for administrators, many of whom spent time over the holidays hunting for instances of vulnerable Log4j hidden in Java dependencies across their organization.

Last year set another record for the number of CVEs published to the National Vulnerability Database (NVD), the fifth consecutive year the total has reached a new high.

Managing security in hybrid Windows 11 and Windows 10 environments

You’ve been given the task for 2022 of starting a pilot project to deploy and manage Windows 11. Any platform is only as secure as how well you can manage it. Microsoft has stated that managing Windows 11 will be just like managing Windows 10. However, some distinct nuances in management may make you reconsider the security management tools you’ll use for Windows 11, and possibly for Windows 10 as well.

Many firms use a traditional Active Directory infrastructure to manage a mixture of Windows machines, for example using Group Policy to configure security settings and to point clients at Windows Server Update Services (WSUS) or Windows Update for Business. As a recent Microsoft blog noted, you may need to decide which ADMX templates to deploy to your Group Policy central store. If your firm will stay on Windows 10 for the near future, stay with the Windows 10 ADMX templates rather than installing the Windows 11 templates. If you will primarily run Windows 11, even with some machines still on Windows 10, roll out the Windows 11 ADMX templates.
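
Before copying one template set over the central store, it helps to know exactly which files that copy would add, replace or leave alone. The comparison below is an added example, not code from Microsoft or from the article it cites. The paths are assumptions: on a domain-joined Windows host the local templates live in %SystemRoot%\PolicyDefinitions and the central store in \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions; the demo builds a constructed pair of trees in a temporary directory instead, with placeholder file contents.

```python
"""Reports what rolling a reference machine's ADMX/ADML template set into the
Group Policy central store would add, replace or leave untouched. Added
example; not Microsoft code. Real paths (assumptions): reference machine
%SystemRoot%\\PolicyDefinitions, central store
\\\\<domain>\\SYSVOL\\<domain>\\Policies\\PolicyDefinitions. The demo below
uses constructed trees in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

TEMPLATE_SUFFIXES = {".admx", ".adml"}


def inventory(root: Path) -> Dict[str, str]:
    """Map each template's path relative to root (lower-cased, '/' separated,
    so en-US/Foo.adml and en-us\\foo.adml compare equal) to its SHA-256."""
    result: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEMPLATE_SUFFIXES:
            rel = path.relative_to(root).as_posix().lower()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare_templates(reference: Path, central_store: Path) -> Dict[str, str]:
    """For every template in either tree, say what copying the reference set
    over the central store would do. 'differs' usually means the reference
    machine carries a newer template revision; 'only in central store' flags
    templates (often third-party) the copy would not touch."""
    ref, cen = inventory(reference), inventory(central_store)
    report: Dict[str, str] = {}
    for rel in sorted(set(ref) | set(cen)):
        if rel not in cen:
            report[rel] = "missing from central store"
        elif rel not in ref:
            report[rel] = "only in central store"
        elif ref[rel] != cen[rel]:
            report[rel] = "differs"
        else:
            report[rel] = "identical"
    return report


def _write(root: Path, rel: str, body: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body, encoding="utf-8")


def build_demo_trees(base: Path) -> None:
    """Constructed sample trees. Contents are placeholders, not real Microsoft
    templates; only their presence and hashes matter to the comparison."""
    ref, cen = base / "reference", base / "central_store"
    # Present in both with identical content.
    _write(ref, "inetres.admx", "<policyDefinitions revision='1.0'/>")
    _write(cen, "inetres.admx", "<policyDefinitions revision='1.0'/>")
    # Present in both; the reference machine carries a newer revision.
    _write(ref, "windowsupdate.admx", "<policyDefinitions revision='2.0'/>")
    _write(ref, "en-US/WindowsUpdate.adml", "<policyDefinitionResources revision='2.0'/>")
    _write(cen, "windowsupdate.admx", "<policyDefinitions revision='1.0'/>")
    _write(cen, "en-us/windowsupdate.adml", "<policyDefinitionResources revision='1.0'/>")
    # Only on the reference machine: a template the rollout would add.
    _write(ref, "newfeature.admx", "<policyDefinitions revision='1.0'/>")
    # Only in the central store: a third-party template the copy leaves alone.
    _write(cen, "vendor.admx", "<policyDefinitions revision='1.0'/>")
    # Not a template; must be ignored.
    _write(cen, "readme.txt", "notes")


def demo() -> Dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_trees(base)
        return compare_templates(base / "reference", base / "central_store")


if __name__ == "__main__":
    for template, state in demo().items():
        if state != "identical":
            print(f"{state:28} {template}")
```

Point `compare_templates` at the real reference machine and central store and review the "differs" and "missing" entries before copying; an ADMX whose matching language ADML is missing is the usual cause of Group Policy editor errors after a template rollout.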

5 steps to run a successful cybersecurity champions program

Cybersecurity champions programs nurture and encourage cybersecurity awareness within a business, combining education with peer-to-peer collaboration to embed a culture of security understanding, support, and positive behavior among a workforce. A typical program consists of individuals from different departments who act as security advocates for their function and help to shape an organization’s cybersecurity approach internally.

Growing in popularity across a wide range of industries, cybersecurity champions programs have proven beneficial enough that they have become integral components of some organizations’ cybersecurity awareness strategies.

An effective cybersecurity champions program needs several key elements if it is to achieve its goals rather than become a wasted investment. Here are the advantages of running such a program for CISOs, along with five steps for doing so, including advice from security leaders and experts with first-hand experience in this area.

Ninety Percent of Security Leaders Warn of Skills Shortage

Most IT security decision-makers are struggling to recruit workers to address a shortage of skilled professionals, despite business backing to do so, according to new research.

Global cybersecurity recruitment firm Stott and May teamed up with venture investor Forgepoint Capital to compile the Cyber Security in Focus study. It features responses from cybersecurity directors, security operations directors and VPs of product security in EMEA and North America.

Some 87% of respondents admitted they are suffering skills shortages, with over a third (35%) claiming positions were left unfilled after a 12-week period.

As a result, in-house skills (43%) were cited as the most significant barrier to strategy execution, above budget (35%), technology (13%) and board-level buy-in (9%).

The challenges around hiring have also led to a surge in salaries: 54% of hiring managers believe that these have increased more than 11% year on year in the sector.

The study also highlighted something of a contradiction. Security is gaining board-level buy-in. Some 80% of security leaders said their business perceives the function as a “strategic priority,” up from 54% last year. In addition, 100% agree that the business feels the function plays a role in improving the overall value proposition to customers.

However, over half (51%) of respondents argued that cybersecurity investment is still not keeping pace with digital transformation.

As investments in digital increase, sourcing the right engineering-centric CISOs will be the key to success, according to Forgepoint Capital managing director William Lin.

“A lot of digital transformation is inherently going to be driven by engineering, and finding a CISO that can empower developers with knowledge, tooling and experience will enable outcomes to be achieved faster and more securely,” he argued.

Heather Paunet, SVP at Untangle, argued that closing the cyber skills gap will require the industry to promote itself to would-be recruits better.

“There also needs to be organizational change that recognizes the severity and devastation cyber-attacks can cause and makes cybersecurity a priority. Companies need to ensure this investment isn’t just in technology, but also in their current workforce with continual training, advancement opportunities and recognition,” she added.

“In addition, IT education programs need to do the profession justice and emphasize the different roles and careers available in cybersecurity.”

According to the latest ISC2 survey, global skills shortages fell for the second consecutive year in 2021 to 2.7 million, including a shortfall of 377,000 in the US and 33,000 in the UK.

Scottish Agency Still Recovering from 2020 Ransomware Attack

A ransomware attack on a Scottish regulator in 2020 continues to significantly impact operations, with the true cost of the incident still unknown, an audit has found.

The double extortion attack hit the Scottish Environment Protection Agency (SEPA) on Christmas Eve 2020, forcing IT services offline.

According to a new report from Audit Scotland, the initial attack vector appears to have been a phishing email, although it’s still not 100% clear.

Despite following best-practice backup guidance, including keeping one copy offline, the “sophisticated nature of the attack” meant the online copies were quickly targeted and there was no way to access historical records quickly, the spending watchdog said.

As a result, the “majority” of SEPA’s data was encrypted, stolen or lost.

Despite claiming the agency had a “high” level of cyber-maturity, independent reviews since the attack have also made 44 recommendations for enhancing the agency’s cyber-readiness and resilience.

According to Audit Scotland, it will be particularly alarming to Scottish taxpayers that more than a year on from the attack, the agency is still reinstating some of its systems.

The auditor took the rare step of issuing a “disclaimer of opinion” on SEPA’s annual accounts for 2020/21, claiming it couldn’t access enough evidence to substantiate £42m of income from contracts.

The agency still doesn’t know the total financial impact of the cyber-attack, although it has already been forced to write off over £2m in bad debts because of records lost to the incident.

“Based on management forecasts during the year, the Scottish Government gave SEPA authority to overspend by £2.5m to cover the impact of Covid19 and the cyber-attack if required,” the report claimed.

“SEPA recognizes that the cyber-attack has increased the medium to longer-term financial pressures on the organization. Its financial strategy 2020-24 had already identified potential variability in future income and expenditure streams of up to £17.9m as a worst-case scenario.”

Read More

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution in the context of the browser. Depending on the privileges associated with the application, an attacker could then view, change or delete data. If the browser runs with fewer user rights on the system, exploitation would have less impact than if it ran with administrative rights.

Me on App Store Monopolies and Security

There are two bills working their way through Congress that would force companies like Apple to allow competitive app stores. Apple hates this, since it would break its monopoly, and it’s making a variety of security arguments to bolster its argument. I have written a rebuttal:

I would like to address some of the unfounded security concerns raised about these bills. It’s simply not true that this legislation puts user privacy and security at risk. In fact, it’s fairer to say that this legislation puts those companies’ extractive business-models at risk. Their claims about risks to privacy and security are both false and disingenuous, and motivated by their own self-interest and not the public interest. App store monopolies cannot protect users from every risk, and they frequently prevent the distribution of important tools that actually enhance security. Furthermore, the alleged risks of third-party app stores and “side-loading” apps pale in comparison to their benefits. These bills will encourage competition, prevent monopolist extortion, and guarantee users a new right to digital self-determination.

Matt Stoller has also written about this.

Cyber-Attack on Oil Firms

A cyber-attack has disrupted operations at two oil storage and logistics firms in Germany.

Oiltanking GmbH Group and Mabanaft Group said on Tuesday that they had launched an investigation into a cyber-incident that occurred on Saturday.

IT systems at both companies were affected, though the full extent of the attack is still being determined. In a statement to the Associated Press, the companies said they had hired external computer forensic specialists to discover the “full scope” of the incident.

No information has been shared yet by either company regarding the nature of the attack or its perpetrators. The companies said work is being undertaken to enable them “to restore operations to normal in all our terminals as soon as possible.”

Oiltanking GmbH Group says it is still operating its storage tank terminals for oil, gas and chemicals in all global markets. However, the attack has forced the separate entity Oiltanking Deutschland GmbH, part of Mabanaft, to operate its terminals in Germany “with limited capacity.”

The statement said that Mabanaft’s German arm had “declared force majeure for the majority of its inland supply activities in Germany.”

Speaking at a conference on Tuesday, the head of Germany’s IT security agency, Arne Schoenbohm, said that while the incident was severe, it was “not grave.” 

Schoenbohm said that 1.7% of the country’s total gas stations had been impacted by the incident, making it impossible for prices to be changed or for customers to pay for gas using a credit card. Cash payments were being accepted at some of the 233 affected facilities, most of which are in northern Germany. 

German news agency dpa reported that industry officials had said that the cyber-attack on the two companies did not pose a threat to the country’s overall fuel supplies. 

“The timing of this coincidentally aligns with Russia having threatened to shut off its pipelines into Europe as the crisis in Ukraine continues to be tense for all involved,” observed Lookout’s senior manager of security solutions, Hank Schless. 

He added: “This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber-activity, which attackers do as often as they can.”

California Passes FLASH Act

The California State Senate has passed legislation to ban the transmission of unsolicited sexually explicit images and videos without the recipient’s consent – a practice called ‘cyber flashing.’

Senate Bill 53, also known as the FLASH (Forbid Lewd Activity and Sexual Harassment) Act, was passed on Monday with bipartisan support.

Introduced in February 2020 by senators Connie Leyva and Lena Gonzalez, the legislation would establish legal protections for technology users who receive sexually explicit content they have not requested.

SB 53 would give victims of cyber flashing a private right of action against any person who knows or reasonably should know that a lewd image they sent was unsolicited. The bill would entitle the plaintiff to recover economic and non-economic damages or statutory damages between $1500 and $30,000, as well as punitive damages, reasonable attorney’s fees and costs and other available relief, including injunctive relief.

“I appreciate the Senate’s support of SB 53 as we are now one step closer to finally holding perpetrators of cyber flashing accountable for their abusive behavior and actions,” Senator Leyva said. 

“This form of technology-based sexual harassment is far more pervasive than many Californians realize, so it is important that we empower survivors that receive these unwanted images or videos.”

According to the Pew Research Center, 53% of young American women and 37% of young American men have been sent unsolicited explicit material online. Most women who received such content reported that it came through social media platforms, including Snapchat, Instagram, LinkedIn, Twitter and Facebook.

Cyber flashing also occurs via dating platforms, text messages, email and through the ‘AirDropping’ of content in public spaces.

The FLASH Act has the support of the dating app Bumble, whose CEO Whitney Wolfe Herd sees a need for stronger laws to protect internet users.

“An overwhelming majority of our time is spent online and there are simply not enough laws and deterrents in place to protect us, and women and children in particular,” said Wolfe Herd.

“It falls upon us in the technology and social media space to work hand in hand with local government and legislators to isolate the problems and develop solutions just like the FLASH Act being introduced by Senator Leyva.”
