The Chinese government recently began saber-rattling about American cyberespionage. The catch? It’s all old news.

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from companies like pharmaceutical and video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown more brazen, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, China’s Foreign Ministry and the country’s cybersecurity firms have increasingly been calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the _Global Times_ reported on further National Computer Virus Emergency Response Center findings about HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activities.)

Ben Read, director of cyberespionage analysis at the US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. A Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cybertheft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues, including concerns about the telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, head of intelligence at the US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

The Mystery of China’s Sudden Warnings About US Hackers

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from pharmaceutical companies to video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown in aggression, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, there has been a marked uptick in China’s Foreign Ministry and the country’s cybersecurity firms calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the Global Times reported on further National Computer Virus Emergency Response Center findings around HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer a secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activity.)

Ben Read, director of cyberespionage analysis at US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. Although a Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cyber theft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues including concerns of telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, vice president of intelligence at US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.

@@ -24,6 +24,8 @@

import java.lang.reflect.Type;

import java.net.URL;

import java.nio.charset.StandardCharsets;

import java.nio.file.Path;

import java.nio.file.Paths;

import java.util.AbstractSet;

import java.util.Arrays;

import java.util.Collections;

@@ -896,14 +898,23 @@ private EnvironmentTemplate getFileSystemTemplate(String templateName)

: null;

}

  

private Template getClassloaderTemplate(String suffixPath, String templateName)

private Template getClassloaderTemplate(String prefixPath, String templateName)

{

return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), suffixPath, templateName);

return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), prefixPath, templateName);

}

  

private Template getClassloaderTemplate(ClassLoader classloader, String suffixPath, String templateName)

private Template getClassloaderTemplate(ClassLoader classloader, String prefixPath, String templateName)

{

String templatePath = suffixPath + templateName;

String templatePath = prefixPath + templateName;

  

// Prevent access to resources from other directories

Path normalizedResource = Paths.get(templatePath).normalize();

// Protect against directory attacks.

if (!normalizedResource.startsWith(prefixPath)) {

this.logger.warn("Direct access to skin file \[{}\] refused. Possible break-in attempt!", normalizedResource);

  

return null;

}

  

URL url = classloader.getResource(templatePath);

CVE-2022-29253: XWIKI-19349: Bad handling of classloader templates path resolution · xwiki/xwiki-platform@4917c8f

In libjpeg before 1.64, BitStream<false>::Get in bitstream.hpp has an assertion failure that may cause denial of service. This is related to out-of-bounds array access during arithmetically coded lossless scan or arithmetically coded sequential scan.

@@ -42,7 +42,7 @@

\* Definition of how to request a given rectangle for display,

\* for load or for checking for a necessary update.

\*

\* $Id: rectanglerequest.hpp,v 1.12 2017/11/28 13:08:07 thor Exp $

\* $Id: rectanglerequest.hpp,v 1.13 2022/05/23 05:56:51 thor Exp $

\*

\*/

  

@@ -105,19 +105,29 @@ struct RectangleRequest : public JObject, private Explicit {

RectangleRequest(const struct RectangleRequest &req)

: Explicit()

{

// Not nice, but this is really faster and simpler

memcpy(this,&req,sizeof(struct RectangleRequest));

// Not linked in any way if this is new.

rr\_pNext = NULL;

rr\_pNext = NULL;

rr\_Request = req.rr\_Request;

rr\_usFirstComponent = req.rr\_usFirstComponent;

rr\_usLastComponent = req.rr\_usLastComponent;

rr\_cPriority = req.rr\_cPriority;

rr\_bIncludeAlpha = req.rr\_bIncludeAlpha;

rr\_bUpsampling = req.rr\_bUpsampling;

rr\_bColorTrafo = req.rr\_bColorTrafo;

}

//

// Assignment operator.

RectangleRequest &operator\=(const struct RectangleRequest &req)

{

// Not nice, but this is really faster and simpler

memcpy(this,&req,sizeof(struct RectangleRequest));

// Not linked in any way if this is new.

rr\_pNext = NULL;

// Not linked in any way if this is new.

rr\_pNext = NULL;

rr\_Request = req.rr\_Request;

rr\_usFirstComponent = req.rr\_usFirstComponent;

rr\_usLastComponent = req.rr\_usLastComponent;

rr\_cPriority = req.rr\_cPriority;

rr\_bIncludeAlpha = req.rr\_bIncludeAlpha;

rr\_bUpsampling = req.rr\_bUpsampling;

rr\_bColorTrafo = req.rr\_bColorTrafo;

//

return \*this;

}

CVE-2022-31620: Added out-of-bounds checks for lossless symbol decoding and AC context · thorfdbg/libjpeg@ef4a29a

Gartner's security service edge fundamentally changes how companies should be delivering data protection in a cloud and mobile first world.

Do you live life on the edge? If you're a rock climber, skydiver, or striving to be a TikTok dance influencer, the answer might be yes. Putting yourself out there requires risk but can be rewarding. Why? When you are able to confidently look risk in the eye and say "I win," that dopamine hit makes you feel invincible! So, do you feel the same way about your data protection? Letting your data protection live on the edge might sound risky, but in reality it's a step in the right direction, and it dramatically transforms how you think and deliver data security.

Before we get too far into it, let's actually explore what the "edge" means. If you're familiar with Gartner's latest collection of letter-soup offerings for the security industry, you probably know where this is going. Secure access service edge (SASE) and its better half, security service edge (SSE), are frameworks that define how organizations should think about cloud security platforms. In short, organizations are being encouraged to double down on SSE, which unifies all security services into a zero-trust cloud platform. SSE follows the user over any connection, drives down risk with always-on protection, and ditches the cost and complexity of point products like SWG, DLP, VPN, CASB, firewalls, and sandboxes. It's the next big thing, but how does this change data protection?

Let's start with the traditional view of data protection, which has been driven by DLP and CASB vendors over the last several years. The discussion focuses on how users interact with data, how the data is handled (sometimes dangerously), and how the internal threat to your data should be controlled. It's the standard data-protection pitch you've probably heard multiple times. Well, here are the real questions: What about the _external_ threat? Which has the most potential to damage your organization: internal or external threats? I often talk to customers that know they are losing data due to accidental user error but have come to accept it as background noise. Those same customers, when a data breach happens, spring into action with the force of a thousand caffeinated SOC employees. See my point? Now, please don't get me wrong — the internal threat shouldn't be neglected, but it's clear that the best strategy should masterfully combine both external and internal data threat protection. This is why SSE is such a powerful concept — if delivered correctly.

Since SSE focuses on incorporating data protection into a larger zero-trust, cyber-threat story, we should understand what that means. Like any great architecture, it starts with a strong foundation. In the case of SSE, that foundation without a doubt is inline proxy inspection, which enables SSL inspection. Want to keep data from leaking to the Internet? Want full visibility to find and classify sensitive data? Want to stop data exfiltration during a breach? They all require full, scalable SSL inspection. Inline inspection sets up everything else, which is why it's so important to get that part right. But there's a big caveat here — your inline security cloud needs to prove that it can deliver when the going gets tough. If it can't perform or scale, everyone across the organization will immediately know there's a problem.

After that, stopping external and internal threats with SSE becomes easy. First, start with SWG to block risky destinations and content. This prevents external threats like phishing and ransomware from targeting your users and data. Add to that a helping of sandbox and AI/ML to quickly stop zero-days and advanced threats. Now, move to DLP, which is the core building block of great data protection. Define this to find and control your sensitive content and then send it hunting across your data in motion and at rest in your clouds (with CASB). Since you're already inline, and everything is unified, you only have one policy, which reduces complexity and alert noise. You get full control over user and cloud app activity, and can ensure data isn't accidentally or maliciously lost. Once you've tackled the basics, you can move on to other aspects of data protection, like browser isolation for BYOD or UEBA to quickly zero in on suspicious activity. Best of all, services can be easily added as you grow.

Hopefully, you're beginning to see that the right SSE platform can drastically change how you deliver data protection. It applies a more holistic approach to securing data, and equally focuses on external and internal threats, while drastically reducing cost, complexity, and overall risk. So as you look to evolve your data protection strategy, remember to live life on the edge! And maybe keep those TikTok videos to yourself.

**About the Author**

    

Steve Grossenbacher is Director of Product Marketing at Zscaler, where he currently focuses on data protection. Prior to Zscaler, Steve held marketing, competitive, sales engineering and support positions at McAfee and Xerox Engineering Systems. With more than 20 years of experience in the network and security industry, he has helped companies navigate the ever-changing world of IT and currently helps organizations securely transform their networks to a cloud-first architecture

Is Your Data Security Living on the Edge?

Open source software community initiative utilizes blockchain technology.

**Sunnyvale & San Diego, Calif., May 25, 2022** — (swampUP 2022) – JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog DevOps Platform, today introduced Project Pyrsia, an open-source software community initiative that utilizes blockchain technology to secure software packages (A.K.A Binaries) from vulnerabilities and malicious code. Available for sign-ups immediately, Project Pyrsia is an open-source-based, decentralized, secure build network and software package repository aimed at helping developers establish chain of provenance for their software components, creating greater confidence and trust.

“Open-source is everywhere, and while it has always been seen as a seed for innovation and modernization, the recent rise of software supply chain attacks has made every organization vulnerable,” said Shlomi Ben Haim, Co-Founder and CEO, JFrog. “Led by developers and for developers, JFrog is proud to work with the community on developing Project Pyrsia so everyone can continue to embrace open source with confidence, while protecting the software supply chain.”

Open-source software is a critical element of nearly every technology we use today – from our operating systems and browsers to the applications and services on which we depend to run our lives. Yet there’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked over 20 different open-source software supply chain attacks – two of which were zero-day threats. While open-source components are designed to make development more efficient, not knowing where your software comes from makes it hard-to-spot risks–seeding doubt and uncertainty about its safety.

Thus, JFrog and other open-source technology leaders, including Docker, DeployHub, Futureway, and Oracle – worked together to establish the Project Pyrsia network for validating the source and security of open-source software packages. With Pyrsia, developers can confidently use open-source software knowing their components have not been compromised, without needing to build, maintain, or operate complex processes for securely managing dependencies.

“At JFrog we believe open-source security will only be successful if we provide the community with the same tools and services that are available to enterprises,” said Stephen Chin, VP of Developer Relations, JFrog. “The combination of an open-source, customizable architecture, and a robust, active community makes Pyrsia the most transparent and trustworthy way to obtain secure software packages. We’re grateful for the help of our industry partners and the community for joining us in securing open source so it can remain a true fountain of innovation.”

Pyrsia aims to seamlessly integrate with the package management systems developers are already using today, so they can certify their software components without foregoing compatibility, security, or efficiency. Utilizing standards like Sigstore’s Cosign and Notary V2 allows developers to quickly access their containers leveraging the Pyrsia network. Using digital signatures, developers receive an immutable chain of evidence for their code, providing peace of mind from knowing the exact source of their packages.

To help guide developers on the process of using Pyrsia for validating software components, a select few entities will build and publish images that will be available for everyone’s use -otherwise known as ‘bootstrapping’ the project. Organizations interested in supporting Pyrsia can volunteer their resources to help establish the project’s first distributed network. From there, Project Pyrsia’s decentralized framework will help provide:

· An independent, secure build network for open-source software

· Trustworthiness of software packages

· Completeness of known open-source software dependencies

For more information on Project Pyrsia or to sign-up to be a contributor visit https://pyrsia.io/. You can also learn more about the project in this blog or chat directly with JFrog Community leaders and Project Pyrsia experts during swampUP 2022 taking place in San Diego, May 25 – 26. For more information and to register visit https://swampup.jfrog.com/.

**Supporting Quotes from Industry Partners**

_“The DeployHub team’s focus is firmly rooted in securing the supply chain, and there is no better place to start than fully auditing the build and package step. To that end, Pyrsia is the first open-source project to introduce improvements in this area via a ‘consensus build network.’ Disruption in this area is long overdue. DeployHub is proud to be part of this innovative team.” – Steve Taylor, CTO DeployHub, Inc._

_“At Docker we feel this is an exciting time for the community to work together on innovation around the supply chain and its core, critical components for build and packaging. We are excited to join and work together with the community on Project Pyrsia. There is a huge opportunity to build new kinds of infrastructure over the core container primitives that will foster innovation and better developer experiences.” – Justin Cormack, CTO, Docker_

_“Open-source project Pyrsia is developing a third-party attested, decentralized, distributed software package network that delivers secure, transparency and integrity for the open-source software package supply chain. Futurewei is committed to collaborating with open-source communities to accelerate the innovations for digital transformation via open-source, open standard, and open ecosystems. As open-source software becomes more pervasive, securing the open-source software supply chain becomes a critical issue. We are thrilled to be a founding member of Project Pyrsia and delighted to have the opportunity to collaborate with other members to accelerate Pyrsia for a secure and trusted open-source software supply chain ecosystem – bringing value to the open-source community.”– David Lai, Director, Cloud Infrastructure and Platform Architecture Open-Source Ecosystem Partnerships, Futurewei Technologies, Inc._

JFrog Launches Project Pyrsia to Help Prevent Software Supply Chain Attacks

Company will detail enhancements to Vulnerability Management, Detection and Response solution next month.

FOSTER CITY, Calif., May 25, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced it is holding the Qualys Security Conference (QSC) San Francisco in tandem with RSAC on June 7-8.

At the event, Qualys will unveil significant updates to the company's Vulnerability Management, Detection and Response (VMDR) solution. The new enhancements redefine how enterprises manage cybersecurity risk with an unprecedented capability to prioritize and remediate at scale.

Through keynotes, live demonstrations, customer presentations, training sessions and networking, the Qualys customer community will dive into the profound impact of the digital journey and converse on best practices and case studies on risk management and security automation.

The week will feature talks from Qualys experts, customer success stories and a feature keynote at the Cloud Security Alliance CxO Trust Summit:

**Qualys QSC San Francisco Featuring VMDR Live  
**QSC San Francisco will be held in person at the Palace Hotel in San Francisco. To view the full schedule and to register for the event, visit the website.

**Highlights include:**

*   **Sumedh Thakar, President and CEO:** Security Automation for the Digital Journey
*   **Nagi Prabhu, Chief Product Officer:** Bringing the Unified Power of the Qualys Cloud Platform to Address Today's Security Challenges
*   QSC customer presentations from **First American Financial** and others.
*   **VMDR LIVE:** Redefining Cybersecurity Risk Management with VMDR
    *   Introducing VMDR 2.0 with TruRisk
    *   Fireside chat with Brian Penn, **Aflac**
    *   Join VMDR Live virtually at www.qualys.com/vmdr-live.
*   **Qualys Cocktail Reception:** Come network with Qualys experts, customers and industry practitioners on Tuesday, June 7 at 6:00 pm PT at the Palace Hotel.
*   **Training Sessions:** On Wednesday, June 8, Qualys will lead two training courses, including an introduction to Qualys VMDR and How to Manage and Secure Your Container Assets.

**Qualys at RSAC  
**Attendees with RSAC credentials are welcome to join the following RSAC events to network with industry peers and learn more about Qualys:

*   **CxO Trust Summit at RSAC****: Jonathan Trull, CISO at Qualys:** Measuring the Maturity of Your Cloud Security Program. June 6, 8:30 am – 3 pm PT, RSAC – Moscone Center South, level 3
*   **DevOps Connect – DevSecOps @RSAC****:** Connect with the Qualys DevOps team to learn more about VMDR and our cloud-based IT, security and compliance solutions. June 7, 8:30 am – 4 pm PT, RSAC – Moscone Center South

**About Qualys**  
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit www.qualys.com.

Qualys to Unveil VMDR 2.0 at Qualys Security Conference in San Francisco

Corelight Investigator aids threat hunting and investigation through intelligent alert aggregation, built-in queries and scalable search

SAN FRANCISCO, May 25, 2022 /PRNewswire/ -- Corelight, the leader in open network detection and response (NDR), today announced Corelight Investigator, a SaaS-based solution that extends the power of open-source driven network evidence to SOC teams everywhere. Investigator delivers advanced capabilities for transforming network and cloud activity into evidence in a fast, intuitive platform that is easy to deploy and use.

Based on insights learned from savvy defenders in the Zeek open source community, Corelight Investigator provides not only advanced analytics and open access to the best network evidence, but the ability to do custom evidence enrichment unique to each environment. With Corelight Investigator, security teams can quickly accelerate threat hunting and investigations by mapping threat activity across the MITRE ATT&CK® framework and reduce alert volume with intelligent alert scoring.

"We believe that evidence is at the heart of cybersecurity for any organization," said Brian Dye, CEO of Corelight. "We have the privilege of working with defenders of critical infrastructure that can afford data lake architectures and in-house analytics teams to execute their evidence-driven cyber strategy. Corelight Investigator brings the design patterns of those elite defenders to the broader enterprise by combining advanced analytics and threat hunting capability with the power of Zeek, the industry de-facto standard for network evidence."

**Full network visibility with next-level analytics  
**Corelight Investigator brings complete visibility of the network, both on-premise and in the cloud, with evidence that spans months and years, not days and weeks. Customers can leverage machine learning, behavioral analysis, threat intelligence and signatures, mapped to the MITRE ATT&CK framework, to enable broad coverage of network-centric threats.

This evidence leads to specialized detections and enables the threat hunting necessary for advanced, persistent, and personalized attacks. In addition, it supports custom enrichment of network evidence - such as asset information, vulnerabilities, or per-asset context - and links threat hunting and incident response through custom alerts, queries, and dashboards.

"Unlike competitive 'closed' solutions, Corelight Investigator brings a new level of openness to the SaaS NDR market that enables customers to fully understand the logic behind machine learning based detections, and freely integrates these alerts with their existing tools for the broadest coverage," said Clint Sand, senior vice president of product for Corelight.

**Powered by open source and novel research  
**"Along with the advanced analytics that Corelight Labs provides, another advantage of Corelight Investigator is its ability to harness the analytical power of the open source Zeek and Suricata communities. That provides broad-based threat coverage including rapid zero-day response capabilities," said Vern Paxson, co-founder and chief scientist for Corelight. "The open-source nature of Zeek helps us illuminate _why_ a detection happened, as well as rich information about its surrounding context."

Corelight Investigator customers can access richly detailed, interlinked Zeek logs including access to DNS responses, file hashes, SSL as well as logs created by Corelight Labs - which continually creates new analytics for evolving threats and vulnerabilities using cross-customer visibility with the speed of SaaS – for both investigating those alerts and enabling threat hunting.

"As attacks continue to evolve and grow in sophistication, security teams need NDR solutions that provide not only timely and accurate detections, but the supporting context to respond quickly and effectively," said John Grady, senior analyst with ESG. "Corelight meets these requirements by bringing rich network evidence from its decades-long open source Zeek heritage, combined with novel analytics from an array of inferences, making it a powerful contender in the space."

**University of Missouri powers network visibility with Corelight Investigator  
**For many organizations, it is not possible to staff a full security or development team dedicated to parsing the expansive volumes of network traffic. This is true for the research and support services team at the University of Missouri that needed a solution that could provide full network visibility without the management overhead and other fine-tuning often required with competing solutions.

"We are a large university and we need to have full network visibility," said Aaron Scantlin, security analyst at University of Missouri. "It was simple to set up, which means the rest of my time is spent doing advanced analysis and other work."

In addition, Corelight Investigator quickly identifies threats on the network so the team can take immediate action as well as provides access to the raw data for additional investigation.

"Corelight Investigator ingests events so that we can query them in a snap," said Scantlin. "It improves our security posture by providing instant access to events we need to act on."

**Pricing and availability  
**Corelight Investigator joins the Corelight Sensor product portfolio and will be generally available in June. Corelight customers and prospects can contact sales directly for pricing information. More information Corelight Investigator can be found on the Corelight website.

**About Corelight  
**Corelight provides security teams with network evidence so they can protect the world's most critical organizations and companies. Corelight's global customers include Fortune 500 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, www.corelight.com.

Corelight Announces New SaaS Platform for Threat Hunting

### Impact
A DTLS Client could provide a Certificate that it doesn't posses the private key for and Pion DTLS wouldn't reject it. 

This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to v2.1.5

### Patches
Upgrade to Pion DTLS v2.1.5

### Workarounds
No workarounds available, upgrade to Pion DTLS v2.1.5

### References
Thank you to [Juho Nurminen](https://github.com/jupenur) and the Mattermost team for discovering and reporting this. 

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Pion DTLS](http://github.com/pion/dtls)
* Email us at [team@pion.ly](mailto:team@pion.ly)

**Client Certificates are accepted without CertificateVerify**

Moderate severity GitHub Reviewed Published May 25, 2022 in pion/dtls • Updated May 25, 2022

**Package**

gomod github.com/pion/dtls (Go )

**Affected versions**

< 2.1.5

**Patched versions**

2.1.5

**Description**

**Impact**

A DTLS Client could provide a Certificate that it doesn't posses the private key for and Pion DTLS wouldn't reject it.

This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to v2.1.5

**Patches**

Upgrade to Pion DTLS v2.1.5

**Workarounds**

No workarounds available, upgrade to Pion DTLS v2.1.5

**References**

Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Pion DTLS
*   Email us at team@pion.ly

**References**

*   GHSA-w45j-f832-hxvh
*   https://nvd.nist.gov/vuln/detail/CVE-2022-29222
*   pion/dtls@d2f7971
*   https://github.com/pion/dtls/releases/tag/v2.1.5

 Sean-Der published the maintainer security advisory

May 16, 2022

**Severity**

Moderate

5.9

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

**Weaknesses**

CWE-295

**CVE ID**

CVE-2022-29222

**GHSA ID**

GHSA-w45j-f832-hxvh

**Source code**

github.com/pion/dtls

Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator. Read more and discuss here.

GHSA-w45j-f832-hxvh: Client Certificates are accepted without CertificateVerify

Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials.

Tag

#ssl