Gentoo Linux Security Advisory 202407-4 - A vulnerability has been discovered in Pixman, which can lead to a heap buffer overflow. Versions greater than or equal to 0.42.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Pixman: Heap Buffer Overflow  
     Date: July 01, 2024  
     Bugs: #879207  
       ID: 202407-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Pixman, which can lead to a heap  
buffer overflow.

Background  
==========

Pixman is a pixel manipulation library.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
x11-libs/pixman  < 0.42.2      >= 0.42.2

Description  
===========

A vulnerability has been discovered in Pixman. Please review the CVE  
identifiers referenced below for details.

Impact  
======

An out-of-bounds write (aka heap-based buffer overflow) in  
rasterize_edges_8 can occur due to an integer overflow in  
pixman_sample_floor_y.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Pixman users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-libs/pixman-0.42.2"

References  
==========

[ 1 ] CVE-2022-44638  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44638

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-04

Gentoo Linux Security Advisory 202407-3 - A vulnerability has been discovered in Liferea, which can lead to remote code execution. Versions greater than or equal to 1.12.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Liferea: Remote Code Execution  
     Date: July 01, 2024  
     Bugs: #901085  
       ID: 202407-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Liferea, which can lead to remote  
code execution.

Background  
==========

Liferea is a feed reader/news aggregator that brings together all of the  
content from your favorite subscriptions into a simple interface that  
makes it easy to organize and browse feeds. Its GUI is similar to a  
desktop mail/news client, with an embedded web browser.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-news/liferea  < 1.12.10     >= 1.12.10

Description  
===========

A vulnerability has been discovered in Liferea. Please review the CVE  
identifier referenced below for details.

Impact  
======

A vulnerability was found in liferea. Affected by this issue is the  
function update_job_run of the file src/update.c of the component Feed  
Enrichment. The manipulation of the argument source can lead to os  
command injection. The attack may be launched remotely.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Liferea users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-news/liferea-1.12.10"

References  
==========

[ 1 ] CVE-2023-1350  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1350

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-03

Gentoo Linux Security Advisory 202407-1 - A vulnerability has been discovered in Zsh, which can lead to execution of arbitrary code. Versions greater than or equal to 5.8.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Zsh: Prompt Expansion Vulnerability  
     Date: July 01, 2024  
     Bugs: #833252  
       ID: 202407-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Zsh, which can lead to execution  
of arbitrary code.

Background  
==========

A shell designed for interactive use, although it is also a powerful  
scripting language.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
app-shells/zsh  < 5.8.1       >= 5.8.1

Description  
===========

Multiple vulnerabilities have been discovered in Zsh. Please review the  
CVE identifiers referenced below for details.

Impact  
======

A vulnerability in prompt expansion could be exploited through e.g.  
VCS_Info to execute arbitrary shell commands without a user's knowledge.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Zsh users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.8.1"

References  
==========

[ 1 ] CVE-2021-45444  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45444

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-01

This week on the Lock and Code podcast, we speak with Sarah Lamdan about library privacy and the fight to stop big data surveillance.

_This week on the Lock and Code podcast_…

More than 20 years ago, a law that the United States would eventually use to justify the warrantless collection of Americans’ phone call records actually started out as a warning sign against an entirely different target: Libraries.

Not two months after terrorists attacked the United States on September 11, 2001, Congress responded with the passage of The USA Patriot Act. Originally championed as a tool to fight terrorism, The Patriot Act, as introduced, allowed the FBI to request “any tangible things” from businesses, organizations, and people during investigations into alleged terrorist activity. Those “tangible things,” the law said, included “books, records, papers, documents, and other items.”

Or, to put it a different way: things you’d find in a library and records of the things you’d check out from a library. The concern around this language was so strong that this section of the USA Patriot Act got a new moniker amongst the public: “The library provision.”

The Patriot Act passed, and years later, the public was told that, all along, the US government wasn’t interested in library records.

But those government assurances are old.

What remains true is that libraries and librarians want to maintain the privacy of your records. And what also remains true is that the government looks anywhere it can for information to aid investigations into national security, terrorism, human trafficking, illegal immigration, and more.

What’s changed, however, is that companies that libraries have relied on for published materials and collections—Thomson Reuters, Reed Elsevier, Lexis Nexis—have reimagined themselves as big data companies. And they’ve lined up to provide newly collected data to the government, particularly to agencies like Immigrations and Customers Enforcement, or ICE.

There are many layers to this data web, and libraries are seemingly stuck in the middle.

Today, on the Lock and Code podcast with host Davd Ruiz, we speak with Sarah Lamdan, deputy director Office of Intellectual Freedom at the American Library Association, about library privacy in the digital age, whether police are legitimately interested in what the public is reading, and how a small number of major publishing companies suddenly started aiding the work of government surveillance:

> “Because to me, these companies were information providers. These companies were library vendors. They’re companies that we work with because they published science journals and they published court reporters. I did not know them as surveillance companies.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Busted for book club? Why cops want to see what you&#8217;re reading, with Sarah Lamdan (Lock and Code S05E14) 

Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware.
The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24

Supply Chain Attack / Threat Intelligence

Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware.

The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24 within 12 hours of responsible disclosure.

"The installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads," the company said, adding the malicious versions had a larger file size than their legitimate counterparts.

Specifically, the malware is equipped to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also sets up persistence using a scheduled task to execute the main payload every three hours.

It's currently not clear how the official domain "conceptworld\[.\]com" was breached to stage the counterfeit installers. However, once installed, the user is prompted to proceed with the installation process associated with the actual software, while it's also designed to drop and execute a binary "dllCrt32.exe" that's responsible for running a batch script "dllCrt.bat."

Besides establishing persistence on the machine, it's configured to execute another file ("dllBus32.exe"), which, in turn, establishes connections with a command-and-control (C2) server and incorporates functionality to steal sensitive data as well as retrieve and run more payloads.

This includes gathering credentials and other information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets (e.g., Atomic, Coinomi, Electrum, Exodus, and Guarda). It's also capable of harvesting files matching a specific set of extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and grabbing clipboard contents.

"The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer," Rapid7 said.

Users who have downloaded an installer for Notezilla, RecentX, or Copywhiz in June 2024 are recommended to examine their systems for signs of compromise and take appropriate action – such as re-imaging the affected ones – to undo the nefarious modifications.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Indian Software Firm's Products Hacked to Spread Data-Stealing Malware

At the heart of every application are secrets. Credentials that allow human-to-machine and machine-to-machine communication. Machine identities outnumber human identities by a factor of 45-to-1 and represent the majority of secrets we need to worry about. According to CyberArk's recent research, 93% of organizations had two or more identity-related breaches in the past year. It is clear that we

At the heart of every application are secrets. Credentials that allow human-to-machine and machine-to-machine communication. Machine identities outnumber human identities by a factor of 45-to-1 and represent the majority of secrets we need to worry about. According to CyberArk's recent research, 93% of organizations had two or more identity-related breaches in the past year. It is clear that we need to address this growing issue. Additionally, it is clear that many organizations are OK with using plaintext credentials for these identities in private repos, thinking they will stay private. However, poor hygiene in private code leads to public leaks, as we see in the news too often. Given the scope of the problem, what can we do?

What we really need is a change in our processes, especially around the creation, storage, and working with machine identities. Fortunately, there is a clear path forward, combining existing secrets management solutions and secret detection and remediation tools, all while meeting the developers where they are.

**Making an end-to-end secrets security game plan**

When we think of remediating the machine identity problem, also known as secrets sprawl, we can lay out the problem in a couple sentences.

"_We have an unknown number of valid long-lived plaintext secrets spread throughout our code, configurations, CI pipelines, project management systems, and other sources, which we can not account for, and without a coherent rotation strategy. Meanwhile, developers continue to work with secrets in plaintext since it is a reliable, although problematic, way to get the application to work._"

Thinking through this working definition, we can make a multi-step plan to address each concern.

1.  Secrets Detection - Search through code and systems involved in the software development lifecycle to identify existing plaintext credentials, gathering as much information as possible about each.
2.  Secrets Management - Accounting for all known secrets through a centralized vault platform.
3.  Developer Workflows - Adjust processes and tools to make it easier to properly create, store, and call secrets securely.
4.  Secrets Scanning - Continuously monitoring for any new secrets that get added in plain text.
5.  Automatic Rotation - Regular replacement of valid secrets shortens their potential exploitation by malicious actors.

You can take this journey one step at a time, treating this as a phased rollout. Before you know it, you will be much closer to eliminating secrets sprawl and securing all your machine identities.

**Finding your secrets**

The first problem every team encounters when trying to get a handle on secret sprawl is determining what secrets they even have. A manual search effort to track down unknown secrets would quickly overwhelm any team, but fortunately, there are secrets scanning tools, such as GitGuardian's, that can automate this process and give insight into critical details. From a stable platform, you should provide a communication path to work with the developers for remediation.

**Implementing a centralized secrets vault**

Central to any good secrets management strategy is managing how secrets are stored and utilized. Enterprise vaults transparently allow you to account for all known secrets, encrypting them at rest and in transit. A good vault solution, including Conjure from Cyberark and Hashicorp Vault Enterprise. If all of your infrastructure is from the same provider, such as AWS or GCP, those are very good options as well.

**Securing the developer workflow**

Secrets management has historically been left in the hands of developers to figure out, leading to a wide variety of solutions like \`.env\` files and, unfortunately, hardcoding secrets into the codebase. Leveraging a centralized vault solution gives developers a consistent way to safely invoke the credentials from their applications throughout all environments. If you can offer a standardized approach that is just as easy to implement as what they are currently doing, you will find many developers will jump at the chance to guarantee their deployments are not blocked due to this security concern.

You will also want to consider shifting left. Command-line tools, such as ggshield, allow developers to add automatic Git hooks to scan for plaintext credentials before any commit is made. Stopping a secret from ever reaching a commit means no incident to deal with later and fixing the problem at the least expensive point in the software development life cycle.

**Secret scanning at every shared interaction**

You also need a way to account for the reality that sometimes accidents happen. Ongoing monitoring is needed to watch for any new issues that come from existing devs making a mistake or when new teams or subcontractors are hired who simply don't know your processes yet. Just as when first doing secrets detection, using a platform that gathers the information into a coherent incident will help you respond rapidly to these new issues. GitGuardian, for example, integrates at the code repository level to catch new plaintext credentials in seconds, automatically at every push or comment.

**Short-lived credentials should be the goal of automatic rotation**

If an attacker finds a valid secret, that makes their job a lot simpler, as they can just unlock any doors they encounter. If that same attacker finds an invalid secret, they can't do much with it. With a centralized vault in place, you can put auto-rotation plans in place. Most modern platforms and services have a way to generate new credentials through an API call and a way to invalidate existing secrets. With a little scripting, following one of the many guides put out by platforms such as AWS or CyberArk, it is possible to automate the safe replacement of any credential on a regular, even daily, schedule.

**End-to-end secrets security requires a plan**

The best time to address the issues surrounding end-to-end secrets security is right now. If you do not already have a game plan in place, today is the best time to start having those conversations. Start by asking questions like" "what secrets do we even have?" or "Do you have a vault in place?" Ultimately, we must empower developers with workflows and guardrails that let them focus on their development flow.

Keeping vigilant that new secrets are discovered and dealt with immediately is an ongoing process. it will take effort, including raising awareness and adopting the right processes and technologies, but any company can get a better handle on machine identities and secrets, end to end, across the organization.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

End-to-End Secrets Security: Making a Plan to Secure Your Machine Identities

While Kaspersky and TikTok make very different kinds of software, the US has targeted both over national security concerns. But the looming bans have larger implications for internet freedom.

On July 20, the United States Commerce Department will ban new sales of popular antivirus software made by Moscow-based Kaspersky Labs. The move comes just two months after US president Joe Biden signed a law that will effectively ban the social media app TikTok in the US if its Chinese parent company doesn't sell it off. The US government banned federal use of Kaspersky antivirus software in 2017, but as the US-Russia relationship has further deteriorated and the Kremlin has exerted more stringent control over the Russian tech sector, US officials have remained concerned about the potential for the Russian government to weaponize Kaspersky software.

In its campaigns to ban these pieces of foreign software as a matter of national security, though, the US government is setting a precedent that undermines tenets of a free and open internet in which users can access any information and software they choose.

“The risks to US national security addressed in this Final Determination stem not from whether Kaspersky's products are effective at identifying viruses and other malware, but whether they can be used strategically to cause harm to the United States,” the Department of Commerce wrote last week. Commerce Secretary Gina Raimondo told reporters on Tuesday that this is the first time the US Commerce Department has banned the sale of a cybersecurity product.

Kaspersky, naturally, countered that it believes the Commerce Department “made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.” The company added that “Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies.”

TikTok, meanwhile, has sued the US government, claiming that the potential ban of its app violates the First Amendment. The lawsuit points out that US lawmakers are forcing TikTok's China-based parent company, ByteDance, to sell TikTok to a company headquartered in the US based on “the _hypothetical_ possibility that TikTok could be misused in the future, without citing specific evidence.”

Unlike TikTok, a social media app that is built as a forum for discourse and can be downloaded for free, Kaspersky's antivirus product is paid software that is granted deep system access to monitor customers' devices and networks. Where TikTok's software is contained by the mobile operating systems it runs in, scanners like Kaspersky are given free rein by design, adding to cybersecurity concerns.

“The apps are fundamentally different,” says Patrick Wardle, a longtime Mac security researcher. “If a person of interest had Kaspersky antivirus and TikTok on their device, Kaspersky is probably the bigger problem, because it can give its developer unfettered access to the device. A mobile app like TikTok runs in an app sandbox and really can’t do much beyond you granting it access to specific data like your contacts.”

For that reason, Riana Pfefferkorn, a policy researcher at Stanford University, argues that the US government needs to share more specific and compelling information with the general public about why they should not do business with Kaspersky, rather than paternalistically banning the app. Similarly, throughout multiple administrations and terms, the White House and Congress have never released evidence or even made specific allegations about the threat TikTok may pose to US national security.

“After the TikTok law passed, it just feels like it’s open season on any tech company the government doesn’t like—so long as it’s not a domestic firm—and like the government has excused itself from giving the public the ample and damning evidence we should expect it to provide if it is to justify such drastic decisions,” Pfefferkorn tells WIRED.

Unlike a social media platform such as TikTok, where a US adversary like China might exert control to disseminate misinformation or influence public perception of key issues over time, antivirus software like Kaspersky could be directly exploited to steal data or even take control of targeted devices. And Kaspersky has been the target of multiple sophisticated hacking campaigns over the years, indicating that foreign intelligence agencies may be keen to determine what information the company has access to. But the slippery slope created by software bans is not inconsequential.

“The federal government rightfully has leeway to decide what software not to allow on its own networks on the basis of security and privacy concerns,” Pfefferkorn says. “But when it comes to the general public, the better approach is to set basic privacy and cybersecurity requirements for _all_ software, not just foreign-owned apps. That’s particularly true so long as data brokers remain free to sell Americans’ data to foreign governments.”

As the constant threat of software supply-chain attacks shows, strong security defenses and privacy guarantees are ultimately more durable and broadly protective than specific bans anyway. Meanwhile, Reuters reported on Tuesday that the Biden administration and the Commerce Department are investigating the access that China Mobile, China Telecom, and China Unicom have to US data through their cloud and internet routing services. The TikTok and Kaspersky crackdowns may be a glimpse of the US's growing digital isolationism.

The Problem the US TikTok Crackdown and Kaspersky Ban Have in Common

A list of topics we covered in the week of June 24 to June 30 of 2024

June 28, 2024 - The Arkansas Attorney General filed a lawsuit against webshop Temu for allegedly being dangerous malware which is after personal data.

June 27, 2024 - Researchers have found an online repository leaking sensitive data, including driving licenses and other identity documents.

June 27, 2024 - A competitor of the infamous Atomic Stealer targeting Mac users, has just launched a new campaign to lure in more victims.

June 26, 2024 - LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

June 26, 2024 - Malwarebytes Premium blocked 100% of malware during the most recent testing by the AV Lab Cybersecurity Foundation.

 A week in security (June 24 &#8211; June 30) 

Google has announced that it's going to start blocking websites that use certificates from Entrust starting around November 1, 2024, in its Chrome browser, citing compliance failures and the certificate authority's inability to address security issues in a timely manner.
"Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust

Cybersecurity / Website Security

Google has announced that it's going to start blocking websites that use certificates from Entrust starting around November 1, 2024, in its Chrome browser, citing compliance failures and the certificate authority's inability to address security issues in a timely manner.

"Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted \[certificate authority\] owner," Google's Chrome security team said.

To that end, the tech giant said it intends to no longer trust TLS server authentication certificates from Entrust starting with Chrome browser versions 127 and higher by default. However, it said that these settings can be overridden by Chrome users and enterprise customers should they wish to do so.

Google further noted that certificate authorities play a privileged and trusted role in ensuring encrypted connections between browsers and websites, and that Entrust's lack of progress when it comes to publicly disclosed incident reports and unrealized improvement commitments poses risks to the internet ecosystem.

The blocking action is expected to cover Windows, macOS, ChromeOS, Android, and Linux versions of the browser. The notable exception is Chrome for iOS and iPadOS, due to Apple's policies that don't permit the Chrome Root Store from being used.

As a result, users navigating to a website that serves a certificate issued by Entrust or AffirmTrust will be greeted by an interstitial message that warns them that their connection is not secure and isn't private.

Affected website operators are urged to move to a publicly-trusted certificate authority owner to minimize disruption by October 31, 2024. According to Entrust's website, its solutions are used by Microsoft, Mastercard, VISA, and VMware, among others.

"While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome's blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store," Google said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google to Block Entrust Certificates in Chrome Starting November 2024

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks**

By Nate Nelson, Contributing Writer, Dark Reading

Wireless service providers prioritize uptime and lag time, occasionally at the cost of security, allowing attackers to take advantage, steal data, and worse.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you (over 5G). From there, spying, phishing, and plenty more are all on the table.

The Penn State researchers have reported all the vulnerabilities they discovered to the respective 5G mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, "If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?"

Read more: Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks

Related: Black Hat USA 2024 Sessions Agenda

**Dark Reading Confidential: Meet the Ransomware Negotiators**

Episode 2: Incident response experts-turned-ransomware negotiators Ed Dubrovsky, COO and managing partner of CYPFER, and Joe Tarraf, chief delivery officer of Surefire Cyber, explain how they interact with cyber threat actors who hold victim organizations' systems and data for ransom. Among their fascinating stories: how they negotiated with cybercriminals to restore operations in a hospital NICU where lives were at stake, and how they helped a church, where the attackers themselves "got a little religion."

Listen now: Meet the Ransomware Negotiators

Visit the podcast archive, available here.

**DR Global: China-Linked Cyber-Espionage Teams Target Asian Telecoms**

By Robert Lemos, Contributing Writer, Dark Reading

In the latest breaches, threat groups compromised telecommunications firms in at least two Asian nations, installing backdoors and possibly eavesdropping or pre-positioning for a future attack.

Tools from a trio of China-linked groups — Fireant, Neeedleminer, and Firefly — were used to compromise telecommunications companies in at least two Asian nations, according to an analysis published by technology giant Broadcom's Symantec cybersecurity division. The groups — also known as Mustang Panda, Nomad Panda, and Naikon, respectively — previously have been associated with widespread attacks against a variety of countries in the Asia-Pacific region.

Attackers see telecommunications companies as a strong launchpad from which to compromise other systems, eavesdrop on communications, or cybercrime

"There's the potential for eavesdropping and surveillance but also, because telecoms is critical infrastructure, you could create significant disruption in your target country," says Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team. "We think that there is a distinct possibility that the motive for these attacks was similar to what the US government has been repeatedly warning about."

Read more: China-Linked Cyber-Espionage Teams Target Asian Telecoms

Related: Japan, Philippines & US Forge Cyber Threat Intel-Sharing Alliance

**Key Takeaways From the British Library Cyberattack**

Commentary by Steve Durbin, CEO, Information Security Forum

Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

In October 2023, the British Library underwent a crippling cyberattack that cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year.

The British Library ransomware attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow best practices to help protect themselves from sophisticated and destructive cyberattacks.

The institution issued a report outlining details of the attack and sharing valuable lessons, which include:

1.  Assess your technical debt;
    
2.  Maintain a holistic view of cyber-risk;
    
3.  Practice good information governance;
    
4.  And, adopt a defense-in-depth approach.
    

Read more on the lessons learned: Key Takeaways From the British Library Cyberattack

Related: Enhancing Incident Response Playbooks With Machine Learning

**The NYSE's $10M Wake-up Call**

Commentary by Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

The settlement between the SEC and the owner of the New York Stock Exchange is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks as well as the importance of regulatory oversight.

In 2018, a severe cyberattack on a subsidiary of Intercontinental Exchange Inc. (ICE), the owner of the New York Stock Exchange (NYSE), exposed highly sensitive information. The SEC's subsequent investigation revealed that ICE failed to implement adequate cybersecurity measures, compromising its systems.

As a result, ICE was required to pay a $10 million settlement. This incident is a stark reminder of the critical need for robust cybersecurity practices, particularly for entities handling such vital financial data.

The primary accountability lies with ICE, which neglected to enforce stringent cybersecurity protocols. The SEC's findings indicate that ICE's subsidiary had multiple vulnerabilities that must be addressed adequately. This lack of preparedness is a significant breach of fiduciary duty to protect sensitive financial information.

However, the $10 million fine, while significant, raises questions about whether it is enough to deter future negligence by major financial institutions.

Read more: The NYSE's $10M Wake-up Call

Related:  Don't Forget to Report a Breach: A Cautionary Tale

**CISA Releases Guidance on Network Access, VPNs**

By DR Techology Staff

CISA outlines how modern cybersecurity relies on network visibility to defend against threats and scams.

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and similar entities in New Zealand, has issued guidance on modern approaches to network access security.

With the growing number of breaches and data incidents, organizations need to be thinking about, and planning to adopt, modern firewall and network access management technologies to gain visibility over the network.

CISA lays out three specific approaches its guidance: zero trust, secure service edge (SSE), and secure access service edge (SASE).

Read more: CISA Releases Guidance on Network Access, VPNs

Related: Attackers Target Check Point VPNs to Access Corporate Networks

Tag

#mac