Manufacturers need to document a medical device's intended use and operational environment, as well as plan for misuse, such as a cyberattack.

Due to the increasing concerns about medical devices' cybersecurity risks, European Union regulators put forward a new set of market entry requirements for medical devices and in vitro diagnostic medical devices to reduce the risk of patient harm as a result of a cyber incident, as well as protect national health systems.

EU regulators are raising the bar on cybersecurity requirements with the European Union Medical Device Regulation (MDR) and the European Union In Vitro Diagnostic Regulation (IVDR), which went into effect May 26, 2021. The regulations are intended to "establish a robust, transparent, predictable and sustainable regulatory framework ... which ensures a high level of safety and health whilst supporting innovation."

Organizations have until May 26, 2024, or when their current market certification expires, to make the necessary changes to their quality management systems and technical documentation to comply with the new requirements. Despite the number of assessment processes and standards and guidance documents that have been provided, medical device manufacturers, providers, and certification services may not be ready in time.

More than 90% of currently valid AIMDD/MDD certificates will expire by 2024, so a significant number of existing devices need to be reapproved, in addition to new devices entering the market. It is estimated that 85% of products currently on the market today still require new certification under MDR.IVDR. Considering that the process takes 13 to 18 months, companies need to start the process now in order to meet the 2024 deadline.

**Setting Instructions for Use**

In general, cybersecurity processes are not that different from general device performance and safety processes. The goal is to assure (through verification and validation) and demonstrate (through documentation) device performance, risk reduction and control, and minimization of foreseeable risks and undesirable side effects through risk management. Combination products or interconnected devices/systems also require management of the risks that result from interaction between software and the IT environment.

The Medical Device Coordination Group's MDCG-16 Guidance on Cybersecurity for medical devices explains how to interpret and fulfill cybersecurity requirements under MDR and IVDR. Manufacturers are expected to take into account the principles of the secure development life cycle, security risk management, and verification and validation. Further, they should provide minimum IT requirements and expectations for cybersecurity processes, such as installation and maintenance in their device's instructions for use. "Instructions for use" is a highly structured required section of the certification application manufacturers must file.

Cybersecurity measures must reduce any risks associated with the operation of medical devices, including cybersecurity-induced safety risks, to provide a high level of protection for health and safety. The International Electrotechnical Commission (IEC) spells out high-level security features, best practices, and security levels in IEC/TIR 60601-4-5. Another IEC technical report, IEC 80001-2-2, enumerates specific design and architecture security capabilities, such as automatic logoff, audit controls, data backup and disaster recovery, malware detection/protection, and system and OS hardening.

To meet ISO guidelines (ISO 14971), the Association for the Advancement of Medical Instrumentation advises striking a balance between safety and security. Careful analysis is required to prevent security measures from compromising safety and safety measures from becoming a security risk. Security needs to be right-sized and should be neither too weak nor too restrictive.

**Sharing Responsibility for Cybersecurity**

Cybersecurity is a responsibility shared between the device manufacturer and the deploying organization (typically the customer/operator). Thus, specific roles that provide important cybersecurity functions — such as integrator, operator, healthcare and medical professionals, and patients and consumers — require careful training and documentation.

The "instructions for use" section of a manufacturer's certification application should provide cybersecurity processes including security configuration options, product installation, initial configuration guidelines (e.g., change of default password), instructions for deploying security updates, procedures for using the medical device in failsafe mode (e.g., enter/exit failsafe mode, performance restrictions in fail-safe mode, and data recovery function when resuming normal operation), and action plans for the user in case of an alert message.

That section should also provide user requirements for training and enumerate required skills, including IT skills required for the installation, configuration, and operation of the medical device. In addition, it should specify requirements for the operating environment (hardware, network characteristics, security controls, etc.) that cover assumptions on the environment of use, risks for device operation outside the intended operating environment, minimum platform requirements for the connected medical device, recommended IT security controls, and backup and restore features for both data and configuration settings.

Specific security information may be shared through documentation other than the instructions for use, such as instructions for administrators or security operation manuals. Such information may include a list of IT security controls included in the medical device, provisions to ensure integrity/validation of software updates and security patches, technical properties of hardware components, the software bill of materials, user roles and associated access privileges/permissions on the device, logging function, guidelines on security recommendations, requirements for integrating the medical device into a health information system, and a list of the network data streams (protocol types, origin/destination of data streams, addressing scheme, etc.).

If the operating environment is not exclusively local but involves external hosting providers, the documentation must clearly state what, where (in consideration of data-residency laws), and how data is stored, as well as any security controls to safeguard the data in the cloud environment (e.g., encryption). The instructions for use section of the documentation needs to provide specific configuration requirements for the operating environment, such as firewall rules (ports, interfaces, protocols, addressing schemes, etc.).

Security controls implemented during premarket activities may be inadequate to maintain an acceptable benefit-risk level during the operational life of the device. Therefore, regulations require the manufacturer to establish a post-market cybersecurity surveillance program to monitor operation of the device in the intended environment; to share and disseminate cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors; to perform vulnerability remediation; and to plan for incident response.

The manufacturer is further responsible for investigating and reporting serious incidents and fielding safety corrective actions. Specifically, incidents that have cybersecurity-related root causes are subject to trend reporting, including any statistically significant increase in the frequency or severity of incidents.

**Planning for All Scenarios**

Today's medical devices are highly integrated and operate in a complex network of devices and systems, many of which may not be under control of the device operator. Therefore, manufacturers should carefully document the device's intended use and intended operational environment, as well as plan for reasonably foreseeable misuse, such as a cyberattack.

Cybersecurity pre- and post-market risk management requirements and supporting activities are not necessarily different from traditional safety programs. However, they do add an additional level of complexity as:

*   The range of risks to consider is more complex (safety, privacy, operations, business). 
*   They require a specific set of activities that need to be conducted along the device development life cycle via a Secure Product Development Framework (SPDF).

Global regulators, including MDR/IVDR, are starting to enforce a higher level of security for medical devices and specifically requiring demonstrable security as part of the larger device life cycle. Devices should meet, based on device type and use case, a security baseline, and manufacturers need to maintain that baseline over the entire lifetime of the device.

How Europe Is Using Regulations to Harden Medical Devices Against Attack

Vulnerability could have been used to bypass cloud isolation protection

Vulnerability could have been used to bypass cloud isolation protection

Oracle has patched a critical vulnerability in its cloud infrastructure that could have allowed attackers to steal data or tamper with client files.

On September 20, Wiz security researcher Elad Gabay publicly disclosed the security flaw, found in June following an examination of Oracle Cloud Infrastructure (OCI).

Dubbed #AttachMe, the “major” bug centers on one problem: a lack of permissions protection when attaching volumes to OCI.

**Attack path**

An attack would begin with the use of a target’s unique identifier, their cloud environment ID (OCID), which could be found via publicly available information or a low-privilege account.

A threat actor would then initiate an instance in an attacker-controlled tenant – located in the same availability domain (AD) as the target volume – before attaching the victim’s volume to the instance.

Read more of the latest cloud security news

OCI, by design, supports the attachment of a single volume to multiple instances simultaneously.

The lack of authorization checks would ensure the attacker had read/write privileges over the target volume, whether or not they had sufficient permissions.

As a result, it may have been possible for attackers to leverage this avenue to steal or modify information, search for cleartext secrets, or move laterally across the volume.

**Worst-case scenario**

In the worst-case scenario, attackers could potentially hijack an environment by manipulating binaries to achieve code execution.

“Before it was patched, #AttachMe could have allowed attackers to access and modify any other users’ OCI storage volumes without authorization, thereby violating cloud isolation,” Gabay said.

Wiz added that the vulnerability could have impacted all OCI customers or could have been used to target the infrastructure of individual client services.

The Wiz security team disclosed its findings to Oracle on June 9, three days after discovery.

Oracle acknowledged the security report on June 10, and it was on the same day that the vulnerability was confirmed and fixed. No OCI customer action is required.

Catch up with the latest cybersecurity vulnerability news

Speaking to The Daily Swig, Wiz researcher Sagi Tzadik said that the real-world ramifications of the vulnerability, if not patched so rapidly by oracle, could have been quite severe.

“This could lead to severe sensitive data leakage for potentially all OCI customers and in some scenarios could even be exploited to gain remote code execution on their environment, providing an initial entry point for further movement in the victim’s cloud environment,” he commented.

“While OCIDs are generally private, they are not treated as secrets. It is relatively feasible to obtain these IDs from a quick GitHub or Google search.”

Oracle declined to comment, but thanked Gabay in the firm’s July 2022 Critical Patch Update notes.

“Insufficient validation of user permissions is a common bug class among cloud service providers,” Wiz added.

“The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage. We also recommend performing service-specific penetration tests and participating in bug bounty programs, as these have proven effective with these types of issues.”

DON’T MISS Tarfile path traversal bug from 2007 still present in 350k open source repos

#AttachMe Oracle cloud bug exposed volumes to data theft, hijack 

An integer overflow in WhatsApp could result in remote code execution in an established video call.

**WhatsApp Security Advisories****2022 Updates**

**_February Update_**

**CVE-2021-24043**

A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.

**_January Update_**

**CVE-2021-24042**

The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.

CVE-2022-36934: WhatsApp-turvallisuustiedotteet

Churches are using invasive phone-monitoring tech to discourage “sinful” behavior. Some software is seeing more than congregants realize.

Gracepoint is the kind of evangelical Southern Baptist church that’s compelled to publicly enumerate all of the ways it’s not a cult. “We’ll admit that we’re a bit crazy about the Great Commission and sharing the Gospel,” reads an FAQ page titled, “Is Gracepoint a Cult?” So when Grant Hao-Wei Lin came out to a Gracepoint church leader during their weekly one-on-one session, he was surprised to learn that he wasn’t going to be kicked out. According to his church leader, Hao-Wei Lin says, God still loved him in spite of his “struggle with same-sex attraction.”

But Gracepoint did not leave the matter in God’s hands alone. At their next one-on-one the following week, Hao-Wei Lin says the church leader asked him to install an app called Covenant Eyes on his phone. The app is explicitly marketed as anti-pornography software, but according to Hao-Wei Lin, his church leader told him it would help “control all of his urges.”

Covenant Eyes is part of a multimillion-dollar ecosystem of so-called accountability apps that are marketed to both churches and parents as tools to police online activity. For a monthly fee, some of these apps monitor everything their users see and do on their devices, even taking screenshots (at least one per minute, in the case of Covenant Eyes) and eavesdropping on web traffic, WIRED found. The apps then report a feed of all of the users’ online activity directly to a chaperone—an “accountability partner,” in the apps’ parlance. When WIRED presented its findings to Google, however, the company determined that two of the top accountability apps—Covenant Eyes and Accountable2You—violate its policies.

The omnipotence of Covenant Eyes soon weighed heavily on Hao-Wei Lin, who has since left Gracepoint. Within a month of installing the app, he started receiving accusatory emails from his church leader referencing things he had viewed online. “Anything you need to tell me?” reads one email Hao-Wei Lin shared with WIRED. Attached was a report from Covenant Eyes that detailed every single piece of digital content Hao-Wei Lin had consumed the prior week. It was a trail of digital minutiae accumulated from nights spent aimlessly browsing the internet, things Hao-Wei Lin could barely remember having seen—and would have forgotten about had a member of his Church not confronted him. The church leader zeroed in on a single piece of content that Covenant Eyes had flagged as “Mature”: Hao-Wei Lin had searched “#Gay” on a website called Statigr.am, and the app had flagged it.

Gracepoint, which focuses on colleges, claims to “serve students” on more than 70 campuses across the United States. According to emails between a Covenant Eyes representative and a former Gracepoint church leader that WIRED reviewed, the company said that in 2012 as many as 450 Gracepoint Church members were signed up to be monitored through Covenant Eyes.

“I wouldn’t quite call it spyware,” says a former member of Gracepoint who was asked to use Covenant Eyes and spoke on the condition of anonymity, due to privacy concerns. “It’s more like ‘shameware,’ and it’s just another way the church controls you.”

Similar to surveillance software like Bark or NetNanny, which is used to monitor children at home and school, “shameware” apps are lesser-known tools that are used to keep track of behaviors parents or religious organizations deem unhealthy or immoral. Fortify, for instance, was developed by the founder of an anti-pornography nonprofit called Fight the New Drug and tracks how often an individual masturbates in order to help them overcome “sexual compulsivity.” The app has been downloaded over 100,000 times and has thousands of reviews on the Google Play store.

The current iteration of the Covenant Eyes app was developed by Michael Holm, a former NSA mathematician who now serves as a data scientist for the company. The system is allegedly capable of distinguishing between pornographic and non-pornographic images. The software captures everything visible on a device’s screen, analyzing the images locally before slightly blurring them and sending them to a server to be saved. “Image-based pornography detection was a huge conceptual change for Covenant Eyes,” Holm told _The Christian Post_, an evangelical Christian news outlet, in 2019. “While I didn’t yet know it, God had put me in that place at that time for a purpose higher than myself, just as I and others had desired and prayed for.”

Covenant Eyes spokesperson Dan Armstrong says the company is “concerned” about “people being monitored without proper consent.” He adds that “accountability relationships are better off between people who already know each other and want the best for one another, such as close personal friends and family members,” and that the company discourages using its app in relationships with a power imbalance.

Among the top accountability apps—including Accountable2You and EverAccountable—Covenant Eyes appears to be the largest player. The company organizes conferences that are attended by thousands of people and dedicated to educating attendees about the dangers of pornography while pitching the company’s product as an urgent solution to what it characterizes as a growing moral crisis. According to the app analytics firm AppFigures, in the past year more than 50,000 people have downloaded Covenant Eyes. Rocketreach estimates that the company has an annual revenue of $26 million.

Ed Kang, pastor of Gracepoint Church in Berkeley, California, and a major figure in the organization, says in an email that volunteer staff members are required to install Covenant Eyes or Accountable2You “as part of their staff agreement.” But he disputes that church leaders were instructed to monitor congregants’ phone activity. “Usually it’s whoever they \[congregants\] designate, and we actually discourage leaders from being the accountability partners as that seems a bit too heavy,” he writes. (All five former Gracepoint congregants who spoke to WIRED said a church leader was their accountability partner.) Kang adds that the number of Gracepoint congregants who use Covenant Eyes or Accountable2You “may be significantly higher than 450 nowadays” and that Accountable2You “has better pricing.”

What’s common across Covenant Eyes, Accountable2You, and EverAccountable is their zero-tolerance approach to pornography. All three suggest in their marketing materials that not only is watching porn a moral failure, but any amount of porn consumption is bad for your health. Their solution: Promote purity through what they call “radical accountability,” a concept wherein a community comes together to confront a person who is living in sin. At its most basic level, the idea is pretty straightforward: Why would anyone watch porn if they are going to have to talk to their parents or pastor about it?

While these apps claim to have helped many people overcome pornography addictions, experts who study sexual health are skeptical that the apps have a lasting positive effect. “I’ve never seen anyone who’s been on one of these apps feel better about themselves in the long term,” says Nicole Praus, a scientist at the University of California, Los Angeles, who studies the effects of pornography on the brain and the spread of disinformation on sexual health. “These people just end up feeling like there’s something wrong with them when the reality is that there likely isn’t.”

But Covenant Eyes and Accountable2You do much more than just police pornography. When WIRED downloaded, decompiled, and tested Covenant Eyes and Accountable2You, we found that both apps are built to collect, monitor, and report all sorts of innocent behavior. The applications exploited Android’s accessibility permissions to monitor almost everything someone does on their phone. While the accessibility functionalities are meant to help developers build out features that assist people with disabilities, these apps take advantage of such permissions to either capture screenshots of everything actively being viewed on the device or detect the name of apps as they’re being used and record every website visited in the device’s browser.

In Hao-Wei Lin’s case, that included his Amazon purchases, articles he read, and even which friends’ accounts he looked at on Instagram. The trouble is, according to Hao-Wei Lin, providing his church leader with a ledger of everything he did online meant his pastor could always find something to ask him about, and the way Covenant Eyes flagged content didn’t help. For example, in Covenant Eyes reports that Hao-Wei Lin shared with WIRED, his online psychiatry textbook was rated “Highly Mature,” the most severe category of content reserved for “anonymizers, nudity, erotica, and pornography.” The same was true of anything Hao-Wei Lin felt was “remotely gay,” like his Statigr.am searches.

After WIRED contacted Google about Covenant Eyes and Accountable2You, both apps were suspended from the Google Play store. “Google Play permits the use of the Accessibility API for a wide range of applications,” spokesperson Danielle Cohen says in an email. “However, only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools.”

Covenant Eyes and Accountable2You both remain available on iOS. While WIRED did not test the apps on Apple devices, neither app appears to utilize iOS’ accessibility permissions. Apple has not yet responded to a request for comment.

In our tests of Accountable2You prior to its suspension, we found that the software similarly flagged content with keywords like “gay” or “lesbian” in the URL. For instance, when we set up a test account and navigated to the US Centers for Disease Control’s website for LGBTQ youth resources, the phone we designated as our accountability partner was immediately texted and emailed a “questionable activity report” indicating that our test phone had visited a “Highly Questionable” website.

“It’s really not about pornography,” says Brit, a former user of Accountable2You who asked to only be identified by her first name, due to privacy concerns. “It’s about making you conform to what your pastor wants.” Brit says she was asked to install the app by her parents after she was caught looking at pornography and that her mother and her pastor were both her designated accountability partners. “I remember I had to sit down and have a conversation with him \[her pastor\] after I Wikipedia’d an article about atheism,” she says. “I was a kid, but that doesn’t mean I don’t have some kind of right to read what I want to read.”

While accountability apps are largely marketed to parents and families, some also advertise their services to churches. Accountable2You, for example, advertises group rates for churches or small groups and has set up several landing pages for specific churches where members can sign up. Covenant Eyes, meanwhile, employs a director of Church and Ministry Outreach to help onboard religious organizations.

Accountable2You did not respond to WIRED’s requests for comment.

Eva Galperin is director of cybersecurity at the Electronic Frontier Foundation, a digital rights nonprofit, and cofounder of the Coalition Against Stalkerware. Galperin says consent to such surveillance is a major concern. “One of the key elements of consent is that a person can feel comfortable saying no,” she says. “You could argue that any app installed in a church setting is done in a coercive manner.” While WIRED did not speak to anyone who was unaware that the app was on their phone, which is often the case with spyware, Hao-Wei Lin says he didn’t feel like he was in a position where he could say no to his church leader when he was asked to install Covenant Eyes. Gracepoint had secured him a $400-a-month apartment in Berkeley, where he was attending college. Without the church’s support, he might have had nowhere to live.

But this is not the experience of everyone we spoke to. James Nagy is a former Gracepoint church member who, as a one-time congregation leader, was on both sides of Covenant Eyes reports. Nagy, who is gay, was taught from a young age that homosexuality was a sin. So when Gracepoint offered him a software solution that claimed to be able to help what he then considered to be a moral dilemma, he jumped at the opportunity. He says that while he believed many people at Gracepoint were pressured to install the app, in his case, the pressure came from himself. “Gracepoint didn’t try to change me,” Nagy says. “I tried to change me.” Nagy is now an elder at the Presbyterian Church (USA) and until 2021 was a facilitator with the Reformation Project, a nonprofit whose mission is to advance LGBTQ inclusion in the church.

In the quest to curb behavior churches deem immoral, these accountability apps will collect and store extremely sensitive personal information from their users, including from those under the age of 18. Fortify, which describes itself as an addiction recovery app, asks its users to log information about when they last masturbated, where they were when it happened, and what device they used. While Fortify’s privacy policy states that the company doesn’t sell or otherwise share this data with third parties, its policy does allow it to share data with trusted third parties to perform statistical analysis, though it does not mention who these trusted third parties are. In a phone call, Clay Olsen, the CEO of Fortify parent company Impact Suite, clarified that these trusted third parties include companies like Mixpanel, an analytics service company that tracks user interactions with web and mobile applications.

While WIRED found several churches recommending Fortify to their congregations, Olsen says neither Fortify nor Impact Suite count religious institutions as customers.

When WIRED tested the Fortify software, we found that the app also utilizes other technology to track users. For instance, because it includes Facebook’s Pixel, data related to Fortify’s masturbation-tracking form is sent to Facebook. While the data does not appear to include the contents of the tracking form, it does have metadata about the form itself, including when it was filled out. Facebook appears to store that data and, when possible, associates it with a user’s account. After setting up a test account with Facebook, logging in, and then interacting with Fortify, we were able to see interactions with Fortify in a copy of the test account’s data obtained through Facebook’s privacy center.

Fortify’s inclusion of Facebook’s Pixel isn’t just a privacy issue, it’s a security problem. While testing the app, we also noticed that the password to our account was sent in plaintext to Facebook in the URL of the tracking requests. Facebook claims to have filtering mechanisms to prevent its systems from storing this type of personal information, but Fortify’s apparent oversight is still concerning to experts like Galperin. “That’s a huge vulnerability,” she says. “It’s the sort of behavior that makes me feel like they don’t have security experts reviewing the app or its policies.”

Facebook spokesperson Emil Vazquez says companies that share sensitive user data with the Meta-owned social media platform are violating its policies. “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies,” Vazquez says. “Our system is designed to filter out potentially sensitive data it is able to detect.” Facebook did not say whether its filters detected the plaintext passwords sent by Fortify.

After being notified of the password issue, Olsen said Fortify would stop transmitting users’ unencrypted passwords to Facebook. As we went to press, the issue had not yet been addressed.

Hao-Wei Lin has since moved on from Gracepoint but is still processing the trauma he feels the church has caused him. I met him earlier this month at his thesis exhibition at Parsons School of Design in New York City, where he is about to get his Master of Fine Arts in photography. He tells me that it was only after he went back to school that he felt he was in a safe enough space to start processing what he went through at Gracepoint.

Hao-Wei Lin’s photography was somber, but not without humor. One was of a 3D rendering of a room where he says he and other members of Gracepoint would meet after their Sunday service. A solitary figure is hunched over praying, his head resting in the seat of his plastic chair. As I look at the photo, Hao-Wei Lin tells me he wants the viewer to feel like they are a surveillance camera perched in the top corner of the room. The name of his work: “Covenant Eyes.”

The Ungodly Surveillance of Anti-Porn ‘Shameware’ Apps

Red Hat Security Advisory 2022-6536-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.5.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.5 bug fix and security update  
Advisory ID:       RHSA-2022:6536-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6536  
Issue date:        2022-09-20  
CVE Names:         CVE-2015-20107 CVE-2021-3121 CVE-2022-0391  
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166  
                   CVE-2022-28199 CVE-2022-30629 CVE-2022-34903  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.5 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.5. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2022:6535

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index  
validation (CVE-2021-3121)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-x86_64

The image digest is  
sha256:fe4d499ac9fc7d12fcfccf3d6ae8a916c31e282d18adbebb0456c0fd6aef02c9

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-s390x

The image digest is  
sha256:c816b9487177b51db60875c794679b6df41c74d522ca00376cb9f86f9b44b577

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-ppc64le

The image digest is  
sha256:528174504037b4b9d8fda04bdad3f4acf7f68eeadb3a8fe2539f7a8a9bdff76a

(For aarch64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-aarch64

The image digest is  
sha256:04d3f194379cdd1c0e8015fd51038967c5fdb2eff52c6c60645b3a9381ed5f04

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation  
2024946 - Ingress Canary does not respect router sharding on default IngressController  
2104825 - Installer creates unnecessary master_ingress_cluster_policy_controller security group rule  
2108214 - Route status isn't always getting cleared with routeSelector updates  
2108595 - etcd Dashboard should be removed on guest cluster of hypershift  
2109193 - Power VS machine Processor is always defaulted to 0.5  
2109887 - [UI] MultiClusterHub details after it's creation starts flickers, disappears and appears back (happened twice)  
2110528 - Route status isn't always getting cleared with routeSelector updates  
2111345 - should use the same value for AlertRelabelConfig with oc explain  
2117424 - Backport:  https://github.com/openshift/kubernetes/pull/1295

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1007 - CVE-2021-3121 telemeter-container: [1924548] telemeter-container: gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation [openshift-4]  
OCPBUGS-1070 - Update ODC owners  
OCPBUGS-1104 - package-server-manager does not migrate packageserver CSV from v0.17.0 to v0.18.3 on OCP 4.8 -> 4.9 upgrade  
OCPBUGS-1145 - Bug 2085336 - [IPI-Azure] Fail to create the worker node which HyperVGenerations is V2 or V1 and vmNetworkingType is Accelerated  
OCPBUGS-1233 - [IPI] nodelink controller is not able to reconcile and match nodes and machines with logical interfaces defined by nmstate at baremetalhost creation  
OCPBUGS-1261 - Backport: https://github.com/openshift/kubernetes/pull/1295  
OCPBUGS-393 - Setting disableNetworkDiagnostics: true does not persist when network-operator pod gets re-created  
OCPBUGS-455 - [vsphere] update install-config description for diskType  
OCPBUGS-524 - Plugin page error boundary message is not cleared after leaving page  
OCPBUGS-668 - Prefer local dns does not work expectedly on OCPv4.11  
OCPBUGS-744 - [4.11] Spoke BMH stuck ?provisioning? after changing a BIOS attribute via the converged workflow  
OCPBUGS-746 - [4.11] Supermicro server FirmwareSchema CR does not contain allowable_values, attribute_type and read_only flag  
OCPBUGS-747 - [4.11] Disconnected IPI OCP cluster install on baremetal fails when hostname of master nodes does not include the text "master

6. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2021-3121  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-28199  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypf3NzjgjWX9erEAQi2+g//e7w8ENLVf90+9hEvNCJQkUk4fj1Tcuh/  
8h5rggfxHSIUdloqrvB3g3rxEflxDVeGR1VEOQz+WDW+rHFfk1WzRUIdYHBxPw+K  
S+SlOQybNr50P6Dtgb7FZNfvC6XU0wemC5qDFJgw4kIFf0irZZin+EGGMeMN/S6w  
CNRLb28zcOesG6FH1CnKkeUMeJHBj4+ZXFQXCXkLZBUswmYzwe9gTCdnvCtjrCbw  
OBWe3ATZdChrhRkgiymfQSvrVqgIvYAcfPRlLiUhS09dqXtyBXLJ6ug5v1jERYCx  
jFV4L3jf1mCkSRFLRNSry0o7YdmdKT6s1Rn/C7UjLD++i2iNM1bORKBAOPwcCdPL  
j+wykhTP2v3EXhxMerk5iLqu5wbmlEEBVwIjNan/qAP06zAs25Lwy4x6wOqVudnC  
zrGYp1zmmA6fS2q7XiUIb9QnBfTpPBY/QQcPwovRWoXsv7Hb9yMEQDP1RcZRcsER  
dNn825lo4j8U+12qySctvguQ8TTJoRKxUIO0V4D7r33jf468Z5qB6cvFpjYWCtlN  
Kp2btFYdoDzRkkplhlWUnwqEdjs/1a1yh2BJuaWZTl9kxOG1/39U1+zaGbPzFk4T  
28KK31vWz+x5R+kO433MV6hRzBLLVC5PgfcwPSSmJBhRSDNJoHLMpIxGE97h+xLR  
fzfZ+WswY5c=Qqzx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6536-01

By Owais Sultan
In this article, we’ll be exploring the landscape of DeFi, demonstrating how the recent DeFiChain developments are set to innovate the industry as a whole and drive the usability of DeFi.
This is a post from HackRead.com Read the original post: How DeFiChain gives DeFi a major boost with innovative decentralized assets

Decentralized finance (DeFi) is an industry that provides a range of benefits to investors. From permissionless access to the complete transparency of blockchain, these systems allow users a new way to trade, buy, sell, and exchange.

With a total value of $40 billion (as of Feb 2021) locked in different protocols, the popularity of DeFi has become incredibly visible over recent months.

Processing from a small financial system into a global movement, DeFi has now reached every corner of our world. However, there are some apparent limitations of DeFi. As it’s a decentralized system, it cannot interact with centralized assets, meaning that stock options, commodities, and indices were off the table.

DeFiChain, a blockchain system, is set to change that, with its introduction of decentralized assets bridging the gap. In this article, we’ll be exploring the landscape of DeFi, demonstrating how the recent DeFiChain developments are set to innovate the industry as a whole and drive the usability of DeFi.

**How has the DeFi Landscape changed?**

Decentralized finance began with the creation of Bitcoin, with the creator intending it to be a digital currency that could be used without having to rely on centralized intermediaries. What started with a rejection of centralized banking and governance has grown into an incredibly rich and comprehensive ecosystem.

Currently, there are over 18,000 cryptocurrencies alongside Bitcoin as of July 2022. The second-largest cryptocurrency is Ethereum, which has a total market cap of over $140 billion, accounting for 15.3% of the total crypto market cap. One of the main reasons that Ethereum has grown to be so popular is the ease of creating decentralized applications on this system.

Ethereum has a fantastic level of documentation, comprehensive unit test frameworks, debuggers, critical developer tools, and a range of tutorials and other learning materials. Quite simply, it has absolutely everything that a developer would need when creating a decentralized application.

The dApp industry has steadily grown over recent years, spanning across financial, healthcare, education, and even property inventions. The versatility of the system, and the benefits of bringing blockchain to different industries, have made the creation of dApps a useful way of expanding the utility of this ecosystem.

DeFi has become all-encompassing, spanning across different industries and weaving its way onto the world’s stage. Yet, while decentralized finance does have a range of benefits, there are also areas in which it falls short. One of these main roadblocks is the fact that, as a decentralized system, it currently has no way of allowing investors to trade stocks on its platforms.

This is due to the fact that stocks are a centralized unit, making them incompatible with DeFi. While this was an issue that seemed insurmountable, the arrival of decentralized assets on the DeFiChain blockchain is set to change the industry forever. 

Let’s take a look at how DeFiChain is combating this issue for DeFi. 

**How DeFiChain’s Decentralized Assets boost the utility of DeFi**

While investors in DeFi can put money into their favorite cryptocurrencies and dApps, they have always fallen short at accessing actual stocks. However, with DeFiChain’s development of decentralized assets, this is all set to change.

A decentralized asset, also known as dAsset or dToken, is a token on the DeFiChain blockchain that gives you price exposure (not ownership) to real-world stocks. For the stocks, TSLA, APPL, FB, there exist dTSLA, dAPPL, dFB, each of which attempts to mirror the price of the real stock. Anyone can mint new dTokens by depositing BTC, DFI, USDT, USDC, or DUSD as collateral in the DeFiChain Vault.

These creations essentially mean that users of DeFiChain can buy a decentralized asset that aims to reflect the real asset, providing them with a method of trading stocks on a decentralized system. They seamlessly allow investors to diversify their portfolios without leaving the DeFi ecosystem.

Any user on the platform is able to mint tokens, with interest rates being based on the amount of collateral provided. These dAssets are then tradable on decentralized exchanges, meaning that users are able to trade their dTokens just like they would with real stocks. People who couldn’t buy US stocks due to geographical restrictions or other limitations can get price exposure to their favorite assets from anywhere in the world.

Just like that, DeFiChain bridges the impossible gap between centralized and decentralized systems without compromising their DeFi platform with centralism. With DeFiChain, what was once thought impossible has become a working reality. 

**Moving towards passive income**

One central aspect that is rarely achieved within centralized systems is passive income. While there are some elements to stock trading that could be considered passive income streams, like dividend payments, they are typically only around 5%, which is far less than one would need to see any substantial returns.

DeFi has a solution for this, found within any proof-of-stake system. Typically, users can put their proof-of-stake cryptocurrencies into a liquidity pool. These liquidity pools allow the proof-of-stake coins to validate transactions more quickly, allowing for scalability and rapid transaction processing.

The development of POS cryptocurrencies has solved the central problem that was impacting Ethereum, which has notoriously high ‘gas fees’ for completing transactions. As this network can only process around 30 transactions per second, with a potential demand seeking upwards of 100,000 transactions per second, there is a massive queue for processing on this blockchain.

To push transactions to the front of the queue and make sure that they are safely recorded into the next block, Ethereum asks users to pay a gas fee. This has made development within dApplications costly, as users that want instant transactions will always have to pay a fee. POS cryptocurrencies allow users to process many more transactions per second.

For example, Solana can produce 50,000 transactions each second, meaning there is never really a queue to process your transaction, there is almost no gas fee. This is achieved by creating large liquidity pools, with these pools filled with users’ cryptocurrency being used to validate transactions quickly.

In return for putting their POS crypto into these liquidity pools, users are given a reward in terms of passive income. Over time, you’ll be rewarded with interest in the cryptocurrency that you’ve put in. Whole industries have arisen from this ‘staking’ model, with people seeking to maximize their yields in a practice that’s known as yield farming.

People who stake crypto can expect to get anywhere from 10% – 100% annualized returns on their investment, making this an incredible opportunity for DeFi users. 

**How DeFiChain Takes This Further**

DeFiChain builds upon typical staking protocols and offers even further utility for its investors. While a traditional investor, after buying a stock, will only make money once they sell it at a profit, DeFiChain is changing the game. Once a user buys one of their dToken assets, they’re able to then put that into a liquidity mining pool.

Not only do they gain a profit from their dToken going up in value, but they are also able to get a passive income from putting their dAssets into these liquidity pools. This dual income strategy takes what’s phenomenal about yields within DeFi systems and brings it to dAssets.

With this integration, DeFiChain essentially innovates the field of DeFi, providing a whole new way to make money when taking on decentralized ecosystems. 

**Final Thoughts**

With the introduction of dAssets, DeFiChain has created a new investment pathway for DeFi that radically shifts what is possible within these ecosystems. What’s more, considering that these dTokens can then be entered into liquidity mining pools for additional rewards, this system also creates a new way of earning passive income.

The benefits of DeFiChain for investors are impressive, creating new systems and then pushing that system as far as possible for user benefit. With future plans to bring the actual stock price and the dAsset price closer than ever, through their DeFiChain Improvement Proposal (DFIP), this system will be incredibly advantageous to users.

While still only a young blockchain, with innovative features, exciting updates, and future foresight, DeFiChain is shaping up to be an industry-changing blockchain ecosystem.

1.  The Benefits Of Blockchain In The Travel Industry
2.  This AI Can Generate Unique and Free Bored Ape NFTs
3.  If Bitcoiners Want Bitcoin To Make It Big, They Need DeFi
4.  If the Ethereum Merge Fails, L2s Will Be More Vital Than Ever
5.  Naoris Protocol Will Use Blockchain To Plug Web3 Security Gaps

How DeFiChain gives DeFi a major boost with innovative decentralized assets

At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.

While NSO Group's Pegasus spyware is perhaps the highest-profile surveillance weapon used by repressive governments against civil society, a recently discovered, powerful mobile reconnaissance malware dubbed Hermit has come to light, being touted by an Italian developer as a "lawful intercept" tool.

At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will lay out Hermit's surveillance capabilities, against the backdrop of the growing nation-state market and use of these shadowy applications.

So far, Lookout has observed the Hermit spyware being used by the government of Kazakhstan after the violent suppression of protests with the help of Russian armed forces; being applied by Italian law enforcement; and being deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.

**Hermit: Hiding Out 1 Tier Below Pegasus**

The researchers will kick off their Oct. 5 session, entitled "A Hermit Out of Its Shell," with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.

"There's a varied market for these; NSO Group is certainly placed at the top of the field, and everybody recognizes the name, because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing anything," Hebeisen tells Dark Reading. "But then there is a tier of these weapons just below that, which are distributed as apps, and they are very effective even though they require a little bit of social engineering to get onto a target's device. That's where Hermit plays."

In terms of its capabilities, he adds that Hermit packs an info-vacuuming punch. In addition to "standard" spyware fare like tracking users' locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data housed in any of the apps that users have installed, including encrypted messaging apps.

"This is a very sophisticated surveillance tool," Hebeisen says. "It takes over the operating system completely and can spy on literally everything. Given how deeply ingrained into our lives phones are these days and especially our all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know about somebody."

He adds that under the hood, the malware is designed to be agile and flexible.

"Hermit is built in a very enterprise way in that it's modular," Hebeisen explains. "So we suspect that that might actually be part of the business model, where they can sell different tiers of this surveillance kit by including or excluding certain modules."

From a broader perspective, Hermit showcases an uncomfortable reality when it comes to next-gen mobile malware: "Despite mobile operating systems being much more modern than many of the desktop systems and having many more security controls already in place, it's still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets," Hebeisen says.

**Nation-State Spyware: A Growing Threat**

It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru, and Russia's Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. That however is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders, and others.

Nonetheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the blossoming so-called "lawful intercept" market, indicating ongoing demand. When one is struck down, "there are plenty of other companies standing in the wings just waiting to take over," he says.

The demand makes sense from the geopolitical perspective as nations move away from kinetic conflict.

"As opposed to physical arms, for which you have to deal with all kinds of export controls if you want to sell those to regimes that are known for human rights violations, it seems much easier to get around that when you're dealing with surveillance tools, which are essentially just a different set of weapons in the fight," Hebeisen explains.

Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

A 15-year-old flaw in the Python open source programming language has remained unpatched in many places, making its way into hundreds of thousands of both open source and closed source projects worldwide. This is inadvertently creating a broadly vulnerable software supply chain that most affected organizations are unaware of, researchers warned.

That's according to the Trellix Advanced Research Center, whose analysts found that a path traversal-related vulnerability, tracked as CVE-2007-4559, presently remains unpatched in more than 350,000 unique open source repositories, leaving software applications vulnerable to exploit.

In a blog post published Sept. 21, principal engineer and director of vulnerability research Douglas McKee said that the code base in question is present in software that spans a vast number of industries — primarily software development, artificial intelligence/machine learning, and code development, but also including sectors as diverse as security, IT management, and media. 

The Python tarfile module also exists in a default module in any project using Python, and is currently found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as applications used for machine learning, automation, and Docker containerization, researchers said.

While the bug allows attackers to escape the directory that a file is supposed to be extracted to, actors can also exploit the flaw to execute malicious code, researchers said.

"Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," McKee said.

**New Problem, Old Vulnerability**

After finding that Python's tarfile module wasn't properly checking for path traversal vulnerabilities in an enterprise device recently, Trellix researchers thought they had stumbled across a new zero-day Python vulnerability, McKee wrote in the post. However, they soon realized that the flaw was one that had already been discovered.

Further digging and later cooperation from GitHub revealed that there are about 2.87 million open source files that contain Python’s tarfile module in about 588,000 unique repositories. Results of Trellix analysis found that about 61% of those instances are vulnerable, which led researchers to a current estimate of 350,000 vulnerable Python repositories.

**In Open Source, There's No One to Blame**

There are a number of reasons that the flaw has been able to spread throughout software unchecked for so long; however, it would be unfair to put specific blame on the Python project, various maintainers of the project, or any developers using the platform, McKee noted.

"Let's start by being explicitly clear — there is no one party, organization, or person to blame for the current state of CVE-2007-4559, but here we are anyway," he wrote.

Because open source projects like Python are run and maintained by a nebulous group of volunteers and not one federated organization — and in this case, a nonprofit foundation, to boot — it's harder to track and fix even known issues in a timely manner, McKee observed.

Further, "it is not uncommon for libraries or software development kits … to consider the responsibility for securely leveraging their APIs as part of the developer's responsibility," he said.

Indeed, Python has put a warning in its documentation of the tarfile function about the risks of using it, explicitly telling developers never to "extract archives from untrusted sources without prior inspection" due to the directory traversal issue.

While a warning is "a positive step" toward spreading awareness of the issue, it clearly hasn't prevented the vulnerability from being perpetuated, since it's still up to developers leveraging the code base to ensure that the software they build is secure, McKee observed.

He added that exacerbating the problem is the fact that most of the Python tutorials for developers on how to use the platform's modules — including Python's own documentation and popular sites like tutorialspoint, geeksforgeeks, and askpython.com — aren't clear on how to avoid insecure use of the tarfile module, he noted.

This discrepancy has allowed the vulnerability to be programmed into the supply chain, a trend that will likely continue for years to come unless there's broader awareness of the problem, McKee noted.

**'Incredibly Easy' to Exploit the Flaw**

On the technical front, CVE-2007-4559 is a path traversal attack in Python's tarfile module that allows an attacker to overwrite arbitrary files, by adding the ".." sequence to filenames in a TAR archive. 

The actual flaw arises from two or three lines of code using unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall(), noted Trellix vulnerability researcher Charles McFarland in a separate blog post on the problem published Wednesday.

"Failure to write any safety code to sanitize the members' files before calling or tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," he wrote.

For an attacker to take advantage of this vulnerability they need to add ".." with the separator for the operating system ("/" or "\\") into the file name to escape the directory the file is supposed to be extracted to, Schulz detailed. Python's tarfile module lets developers do exactly that, he noted.

Trellix vulnerability research intern Kasimir Schulz — whose research on a separate issue is actually responsible for bringing the extensive Python tarfile bug to light — described in detail in a third separate Trellix blog post he wrote published Wednesday how "incredibly easy" it is to exploit CVE-2007-4559.

Tarfiles in Python contain a collection of multiple different files and metadata that's later used to unarchive the tarfile itself, Schulz explained in his post. The metadata contained within a TAR archive includes but is not limited to information such as the file name, the size and checksum of the file, and information about the owner of the file when the file was archived.

"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the TAR archive," Schulz wrote. This enables attackers to create their exploits with as little as six lines of code, he said.

Schulz goes on in his post to explain in detail how he used the flaw and a custom-built script called Creosote — which searches through directories scanning for and then analyzing Python files — to execute malicious code within Spyder IDE, a free and open source scientific environment written for Python that can be run on Windows and macOS.

**Spotlight on the Supply Chain**

The tarfile issue once again highlights the software supply chain as an attack surface, one that has risen in prominence in recent years due to the broad impact attackers can have by targeting flawed code that's present across multiple platforms and thus enterprise environments. This can serve to expansively widen the impact of malicious campaigns without extra work on the part of threat actors.

There have been numerous examples already of what can happen across the supply chain in these types of attacks, with the now-infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year with multiple attacks across various organizations. The latter saga unfolded in early December 2021 with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool that spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Lately, attackers have begun to see the benefit of going directly after open source code repositories to plant their own malicious code that can be exploited later for supply chain attacks. In fact, the Python project has found itself directly in the crosshairs.

In late August, attackers targeted users of the Python Package Index (PyPI) with their first-ever phishing attack aimed at stealing users' credentials so threat actors could load compromised packages to the repository. Earlier that month, PyPI already had removed 10 malicious code packages from the registry after a security vendor warned that threat actors were embedding malicious code into the package installation script.

15-Year-Old Python Flaw Slithers into Software Worldwide

Categories: Personal
Tags: school

Tags:  back to school

Tags:  social media

Tags:  twitter

Tags:  facebook

Tags:  instagram

Tags:  tik-tok

Tags:  sharing

Tags:  safety

Tags:  kids

Tags:  adults

Tags:  parents

Tags:  children

Tags:  teens

Tags:  teen

Tags:  teenagers

We have some suggestions for helping your kids keep themselves safe on social media as they head back into school.



(Read more...)




The post 5 things to teach your kids about social media appeared first on Malwarebytes Labs.

With children now back at school, it’s time to think about social media, and their use of it.

Are they already firing out tweets, chatting in Discord channels, or even just looking to set up a Tik-Tok account? Now is the time to consider giving your kids some security and privacy tips for all their social media needs.

**1\. Get to grips with default settings**

Most sites are in the business of making your data their business. EULAs and privacy policies are frequently terribly confusing for grown ups. Expecting a child to make sense of 1,000 very legal words is unfeasible. Social networks are absolutely in the business of providing services for free, and then using analytics to drive advertising on their sites.

Often, privacy settings are defaulted in a way which makes it easier for marketing/advertising/data-gulping to take place. Some examples:

*   Allow third party/relevant advertising tailored to your interests
    
*   GPS location set to on (usually ties into the targeted advertising point above)
    
*   Find your friends (in other words, import your address book and make connections between email addresses and social media profiles)
    

These are things which may sound helpful, and no doubt are to some, but everybody using an app does not need any or all of these enabled by default. With this in mind, here’s what to tell your kid about default settings:

_Look out for anything mentioning offers, location, advertising, relevant content, and finding friends. All of these options and settings help the site you’re using to operate, but they're not necessarily going be helpful for you too. Before you start posting, ensure options like location in particular are disabled unless you have a very good reason for needing it._

**2\. It’s all about location**

We touched on this briefly above, but this is a key component of your “Please watch out for these things” conversation. Trolling. Doxxing (grabbing personal details in a way which identifies an individual and then publishing them online). Swatting (sending fake emergency calls to law enforcement which results in armed officers crashing through your door). All of these things are very bad, and you don’t want your child getting tangled up in any of it.

Sadly, location services on social networks can cause problems in this area. Sometimes location is kept private for the user only. Other times, the location is in full view. It may be somewhat generic and say a major city like London, or it may drill down to a street.

Even without tech related issues or troublesome settings, the real-world can also give details away. Thanks to open-source tools, reverse image searches, and crowd-sourcing data, it’s never been easier to give the locational game away:

*   A letter in a photograph with your address on it
*   Unique identifiers (views outside a window, for example)
*   Regional dialects or other specific references in the background of video footage

Almost anything can provide somebody with the clue to get an idea of where your child may be living. Here’s what to tell your child:

_Pay close attention to the world around you if you’re a fan of streaming, Tik-Tok, or selfies. Keep your home, identifiable locations, and anything with your name and address on it out of shot. Even grown ups make these mistakes, so it’s very easy to accidentally do it yourself. Oh, and if you’re going on holiday you may wish to reference it only once you’ve returned home. Tales of empty houses being broadcast to the world at large on social media may not end well._

**3\. The value of anonymity**

Back in the olden days, most of us were online using a pseudonym. It wasn’t massively common to have your real name or other potentially unique identifiers following you around from site to site. In fact, for the first few years of my security career, writers and journalists referred to me as my online handle because they didn’t actually know my name.

This is a far cry from what we currently have, with real names everywhere, verified profiles, authentication, and the common refrain that only people with something to hide don’t use their real name.

The reality is, people don’t use their real name online for all sorts of valid reasons. There might be domestic abuse or harassment issues. They may live somewhere where free speech or being critical of their government is frowned upon.

However, it’s important to note that you don’t have to be in one of the above awful scenarios to insist on anonymity of one form or another. Indeed, going down the anonymous route from the get-go may help ward off potentially unpleasant situations at a future date anyway.

Most sites will allow you to use whatever visible username you like. A few insist on real names, but it’s unlikely your kids are currently hanging out on Facebook. While you’re usually asked to put a real name alongside your online handle, it’s not mandatory and there’s a good chance nobody will ever check what you put there. Nor are the platforms likely to suddenly lock an account and demand additional verification of some kind at a later date. Here’s what you should tell your children about this issue:

_There’s nothing wrong with being anonymous on social media, and unless the site explicitly asks for a real name and additional information you shouldn’t feel pressured into handing it over. Keeping yourself anonymous also helps to ward off some of the issues related to location oversharing. Pick the level of generic anonymity that you’re comfortable with._

**4\. Watch out for the fakers**

Social media is rife with scams, and scammers will happily target anyone in front of them. In fact, some will actively target children specifically because of their likely inexperience in spotting a fake-out. Kids are also unlikely to use additional security measures like two-factor authentication. This means less work for the attacker. Fortunately you can help with this.

Any platform you can think of has scams particularly suited to it. Instagram is awash with Bitcoin scams and bogus competitions. Twitter has lots of phishing, NFT scams, bogus video game downloads, and get rich quick schemes. Facebook sees a fair amount of fake PlayStation sales and more generic Messenger scams. Compromised verified accounts, which add legitimacy to fraud, are common across all platforms.

What you should tell your kids:

_Every site has its own groups of scammers, each with their own preferred method of attack. Spend a few minutes reading the site’s security pages to ensure you keep your account safe from harm. If an offer or deal sounds too good to be true, it probably is. Very few social media giveaways are genuine._

_If you receive direct messages from strangers, or you’ve been notified that you violated a website policy and need to re-verify your identity, come and tell us and we’ll take a look for you. Never, ever grant someone access to your account…even if they claim to be employees for the site. This is never going to be a genuine request from a member of staff and you may lose your account._

**5\. Be honest and respect privacy**

Many times, young children and teens don’t want the hassle of locking everything down and micromanaging passwords or security settings. They may already have email addresses and various social media accounts. Are those email addresses locked down? Using two-factor authentication? Do your kids know their way around the various security settings across all of their logins? How about password managers?

In these cases, parents often offer to help. Where younger children are concerned, I know some parents who use one of their pre-locked down email addresses to tie social media accounts to. Most of the time, you don’t really need to do much with whatever address you link to Twitter or Tik-Tok or anywhere else, you just need it to tie your username to. As a result, hooking the accounts to a secure email managed by parents can be a quick and easy win for everybody.

Of course, there are privacy issues here to consider. The older the child, the more likely they may be to send other social media users direct messages. Parents should be open about this; some platforms send a digest of all private messages to the connected email account. You can turn this feature on and off in Twitter, for example, but every site is different. You should see how your child feels about this. Some may not care, but others most definitely will. What to tell them:

_I’m happy to micromanage the security practices behind the scenes. The trade-off is that some, or all, of what you do may be sent back to me through the email used to register the account. We can check how the site in question works in relation to this, and set it in a way you’d be comfortable with. Remember that sites often change existing features or add new ones, and we may have to adjust as we go._

**Closing out the Summer**

It’s not easy getting kids ready to go back to school. It’s even trickier to ensure they keep themselves safe from harm online. We hope the advice above will be helpful to you in getting one of those two gargantuan tasks off the table. Stay safe out there!

5 things to teach your kids about social media

A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Tag

#ios