Security Leftovers (2013-04-18)
Security updates for Wednesday [LWN.net]
Security updates have been issued by Debian (exo and ntfs-3g), Fedora (collectd, golang-github-cli-gh, grub2, qemu, and xen), Red Hat (httpd:2.4, kernel, and postgresql), SUSE (drbd, fwupdate, neomutt, and trivy), and Ubuntu (apache2, openssl, openssl1.0, and qemu).
CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report
CISA is aware that Forescout researchers have released OT:ICEFALL, a report on 56 vulnerabilities caused by insecure-by-design practices in operational technology across multiple vendors. The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.
Useful web hosting tips that can help secure your site
Website security is about preparing for the worst if applied security mechanisms fail. After all, protecting your site from every threat in the book can be laborious. However, it does not mean website owners should not try. It simply refers to the two sides of the coin: preventing attacks or other interruptions, and mitigating successful ones.
Thus, it might be an excellent idea to review the security of your business website to ensure you don’t end up a victim of vicious attacks. Considering that, here are the top 7 definitive web hosting tips to help secure your site for the foreseeable future.
Free Training Course Teaches How to Secure a Software Supply Chain with Sigstore [Ed: OpenSSF (former Microsoft) telling you to deny people who want to run applications of their choice; they call that "security"]
Learn the Principles of DevSecOps in New, Free Training Course [Ed: This is what Zemlin et al are 'teaching']
At the most basic level, there is nothing separating DevSecOps from the DevOps model. However, security, and a culture designed to put security at the forefront, has often been an afterthought for many organizations. But in a modern world, as costs and concerns mount from increased security attacks, it must become more prominent. It is possible to provide continuous delivery in a secure fashion. In fact, CD enhances the security profile. Getting there takes a dedication to people, culture, process, and lastly technology, breaking down silos and unifying multi-disciplinary skill sets. Organizations can optimize and align their value streams towards continuous improvement across the entire organization.
Keeping PowerShell: Measures to Use and Embrace [Ed: Has CISA become a "damage control" or PR department of Microsoft?]
Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell. The CIS provides recommendations for proper configuration and monitoring of PowerShell, as opposed to removing or disabling it entirely due to its use by malicious actors after gaining access into victim networks. These recommendations will help defenders detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and defenders.
For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.
For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.
This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."
This is good news, because according to Aqua Security researchers, exploitation would have had a massive impact on "basically everyone." In effect, this is a near hit for the industry as miscreants could have exploited the hole to exfiltrate cloud credentials from private repos or potentially tamper with software projects.
Google Releases Security Updates for Chrome | CISA
Google has released Chrome version 103.0.5060.53 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.
