Meiner Meinung nach wird in der Open-Source Szene die IT-Sicherheit nicht versprochen, sondern meistens rasch umgesetzt und frei verteilt. Auch wenn das hier nun anders ist.
»Linux – root-Lücke wird aktiv missbraucht:
Die IT-Sicherheitsbehörde CISA warnt vor aktiven Angriffen auf eine Linux-Lücke. Angreifer verschaffen sich damit root-Rechte.«
After several years of warning after warning after advisory after advisory and calls to repeatedly update or remove andNOT USE CHROME by the Department of Homeland Security, it should be inconceivable that anyone does - but they do.
Sometimes these are patched with automatic updates before horrific and catastrophic results occur, sometimes not. To be frank, part of the problem stems from the fact that Chrome is the largest attack surface out there where browsers are concerned, but notwithstanding it being the fav target are also serious privacy concerns that aren't shared by other chromium based browsers.
To be fair, many exploits are indeed shared by other chromium based browsers, but not most, while some are related to other browser capabilities, like WebRTC, but it's still best to just ditch Chrome and never look back.
Here's more coverage on vulnerabilities issued less than a month ago. It took 3 seconds to bring this up, and no, not using Google, which didn't reveal this when I tried that search engine in a subsequent search, lolz. Why would they return SERPs that poo poo their own product?
There's truly only one way to ensure safety - unplug. But there's a lot of simple things you can do to exact a reasonable level of security, so why not observe some of those best practices? It's not like it will cramp your style.
Anyway, that's my two cents. h/t to @darnell for raising awareness of this latest brokewell. Make sure you take the time to visit the link he's provided for you too.
There are plenty of #Browsers that run on #Android (to name a few, alphabetized):
Brave Browser
Chromium
DuckDuckGo
Firefox
Kiwi
Vivaldi
IMO, No one should be running Chrome - Desktop or otherwise. It's a privacy nightmare even when there aren't CERT warnings circulating.
Fortinet has revealed vulnerabilities in its FortiOS, FortiProxy, FortiClient Linux, and FortiClient Mac products, including a critical one that could allow remote code execution. This critical flaw, identified as CVE-2023-45590, has a high severity score and could enable an attacker to execute arbitrary code by tricking a user into visiting a malicious website. Other high-severity issues affect FortiOS and FortiProxy, where credentials are not adequately protected. A specific flaw (CVE-2023-41677) might allow an attacker to steal the administrator cookie under certain conditions. Additionally, FortiClientMac has vulnerabilities due to a lack of configuration file validation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning about the potential for cyber threat actors to exploit these vulnerabilities.
Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023
Highly recommend you do so, or at least read the executive summary its 🔥
"The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul..."
For the three reporters who have written articles about this, and the one who provided invaluable guidance, my gratitude is endless. This post doesn't apply to you, nor "the feds", the cybersecurity experts, or #lawyers (including and especially @eff), who were extremely helpful. The rest, however, should take note.
I've willingly laid my neck on a chopping block, unprotected, for over six months.
My outreach has been exhaustive:
• Attempted to engage with over 150 journalists and #news organizations,
• Coordinated frequently with the Cybersecurity and Infrastructure Security Agency (#CISA or "the feds"),
• Consulted with numerous cybersecurity experts,
• Sought advice from multiple lawyers,
• Spoke with ten state and state court CISOs,
• Attempted to talk to several dozen state and county court clerks and judges,
• Sent emails to every Florida State Senator, State Representative, and Supreme Court justice, and to multiple governors,
• Discussed with the staff of multiple U.S. Senators and U.S. Representatives,
• Contacted twelve vendors and over 40 employees
I've offered to write articles -- for free.
I've had no fewer than eight background checks done on me.
I've been cyberstalked by the Arizona Supreme Court.
I've put my job and my family's livelihood at risk in more ways than one.
I've made a grand total of $0; in fact, I've invested several hundred.
When I'm able to sleep, it's with one eye open, always waiting for "that" knock on the door.
After my first #disclosure, I prepared for a week to deal with what I expected to be a #media circus. What I received was one preemptive email from a state court #CISO (who was not affected) and one kind person (who is not a #journalist) on the #fediverse.
I've spent over 900 hours discovering, documenting, reporting, and disclosing vulnerabilities, trying to get this fixed on a mass scale, and attempting to contact the above list. I see no signs of this slowing down any time soon. All of this for what is merely a #hobby.
I've done my part. It's time for reporters to step up. The real-world harm these vulnerabilities have caused — and continue to cause — cannot be overstated. The need for widespread awareness and action is urgent.
Think twice before leaving old employee accounts active!
#CISA reports a major cyber attack on a state government organization. Attackers used leaked credentials from a former employee's administrator account to breach the network.
⚠️ #CISA warns of hackers exploiting a security flaw (CVE-2020-3259) in #Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software in #Akira#ransomware attacks.
🔒 #CISA teams up with #OpenSSF to introduce a framework called "Principles for Package Repository Security," aimed at fortifying open-source software ecosystems against cyber threats.
Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CISA, on behalf of the collective group of industry and government partners that comprise the Joint Cyber Defense Collaborative (JCDC), released JCDC’s 2024 Priorities. Similar to the 2023 JCDC Planning Agenda, JCDC’s 2024 Priorities will help focus the collective group on developing high-impact and collaborative solutions to the most pressing cybersecurity challenges.
'As part of the #Protect2024 initiative, CISA developed a webpage to serve as a central point for consolidated critical resources, training lists and security service offerings to support the over 8,000 election jurisdictions for the 2024 election cycle. '
This is why we can't have nice things. Businesses should be pissed about this. But why bother when you can have tax breaks.
Some top #cybersecurity experts are retreating from a #CISA program that enlists outside professionals, citing growing conservative backlash and management gripes.
Politico: Five external computer security professionals involved in CISA's Joint Cyber Defense Collaborative (JCDC) told POLITICO they and many colleagues have stopped contributing or have significantly pared back their involvement. While many of their complaints stem from how the program is organized, the discontent also represents another indirect impact of Donald Trump’s 2020 election fraud claims, now threatening to hamper largely apolitical cybersecurity work: CISA’s efforts to combat disinformation ahead of the 2020 election has made it a favorite target of conservatives, who accuse it of trying to censor their views online.
🔗 https://www.politico.com/news/2024/02/06/far-right-washington-private-hackers-00139413
Hot off the press! CISA adds CVE-2023-4762 (8.8 high Google Chrome Type Confusion in V8 JavaScript Engine) to the Known Exploited Vulnerabilities Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Horizon3 analyzed critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors being abused.
🔗 https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/