Cybersecurity And Much More Newsletter Vol. 2 Num. 24

Greetings, friends.

Welcome to my newsletter. If you are not yet subscribed, please do. It may include books, articles, tech, tips, and cool stuff about cybersecurity.

Enjoy!

What’s Happening

Don't Forget About CISA's Must-Patch List

Last November, CISA added 10 new vulnerabilities to its “Known Exploited Vulnerabilities Catalog,” based on evidence of active exploitation. Malicious cyber actors often use these kinds of weaknesses to attack, and they pose a big risk to the federal enterprise.

U.S. Bans Chinese Telecom Vendors Over National Security Risks

The U.S. Federal Communications Commission (FCC) said in a formal statement that it will no longer approve electronic equipment made by Huawei, ZTE, Hytera, Hikvision, and Dahua because these companies pose an "unacceptable" threat to national security.

"The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here," FCC Chairwoman Jessica Rosenworcel said on November 25, 2022.

Millions of Android Users Are Still Exposed to Security Vulnerabilities in Arm's GPU

Five medium-level security holes in Arm's Mali GPU driver haven't been fixed on Android devices for months, even though the chipmaker has released fixes. Google Project Zero found the bugs and told Arm about them. Arm said that the problems would be fixed in July and August 2022.

"These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others)," Project Zero researcher Ian Beer said in a report. "Devices with a Mali GPU are currently vulnerable."

New Google Chrome Zero-Day Vulnerability

Google fixed yet another zero-day flaw in its Chrome web browser on Thursday by putting out software updates.

The high-risk flaw, which has been given the number CVE-2022-4135, is a heap buffer overflow in the GPU component. On November 22, 2022, the flaw was reported by Clement Lecigne of Google's Threat Analysis Group (TAG).

Atlassian Releases Patches for Critical Vulnerabilities

Atlassian, an Australian software company, has released security updates to fix two major bugs in Bitbucket Server, Data Center, and Crowd. The weakness has been described as command injection via environment variables in the software, which could let an attacker who has permission to change their username run code on the affected system. As a temporary mitigation, the company suggests that users turn off the "Public Signup" option (Administration > Authentication).

Facebook Fined $266M Over Privacy Breach

On Monday, Ireland's data privacy authority penalized Facebook $277 million, raising the total it has fined parent group Meta to over 1 billion euros.

The penalty was imposed as a result of an investigation that began in April 2021 into the discovery of a compiled dataset of Facebook personal data that had been made available online. Facebook was also ordered to take a range of corrective measures.

Is Elon Musk Adding Encrypted Messages to the $8 Twitter Blue?

Both security and privacy are needed to establish private communications, yet most of us settle for encryption alone because it is secure. A blogger named Jane Wong leaked a screenshot showing that Twitter might offer end-to-end encrypted messaging as part of its $8 subscription. This is a great feature that should be included by default rather than as a paid add-on, but will it provide privacy, or just encryption like WhatsApp?

Law Enforcement Agencies Extract Data from Your Car's Infotainment Systems

Modern infotainment systems provide law enforcement with valuable data. Many security experts have shown that the internet-connected infotainment systems in modern cars can be abused by attackers, and law enforcement and intelligence agencies worldwide are buying vulnerabilities in these car systems.

Security researcher Sam Curry warned about flaws in mobile apps that left Hyundai and Genesis cars made after 2012 open to remote attacks. These weaknesses allow attackers to unlock and start the vehicles. The researchers also used these holes to attack the SiriusXM platform that Toyota, Honda, FCA, Nissan, Acura, and Infiniti use in their "smart vehicles."

Security Bites

Tips - Security - Are You Still Struggling with OpenSSL Remediation?

The OpenSSL Project team announced two high-severity vulnerabilities (CVE-2022-3602, CVE-2022-3786) on October 25th, which affect all OpenSSL v3 versions up to 3.0.6.

Both vulnerabilities are stack-based overflows in the X.509 certificate verification code, specifically the name constraint checking portion. They are hard (almost impossible) to exploit in practice, because they require that the malicious certificate be signed by a Certificate Authority (CA). If that condition is met, CVE-2022-3602 and CVE-2022-3786 could be used to achieve remote code execution (RCE) or a denial of service (DoS).

These vulnerabilities are remediated in version 3.0.7, which was released on November 1st. The irony is that the OpenSSL 1.x versions were not affected.

Are you still struggling with OpenSSL remediation? Well, here are a few tips to help you:

Before we get into the tips, I want to remind you that "you can't fix what you can't see." Your overall security depends on how well you can see your assets, users, and technologies. If your vulnerability management relies on a broken asset management process, you cannot claim to have control over patching your systems and applications in a timely manner.

Ok, let’s get to the tips:

  • Discovery: Use your vulnerability management solution to scan your assets and workloads for OpenSSL versions.
  • Analysis: Identify the hosts and workloads that are actively using OpenSSL. You will be surprised by the number of hosts that have it installed but never or rarely use it. This step helps you categorize your assets by criticality so you can prioritize.
  • Remediate: Immediate patching is rarely possible in real life, and responsibility may differ based on the impacted assets: it could be Dev, Network, or even a third party, depending on the scenario. What we should all agree on is to follow the guidelines, in this case disabling client TLS authentication until you are able to patch the impacted libraries.
  • Detection and Response: Now that you are able to discover, analyze, and fix these vulnerabilities, it is also crucial to be aware of ongoing activity exploiting them or attempting to do so. This relies on your detection, monitoring, alerting, and response skills and tooling.
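As an added example (my own illustration, not code from the newsletter), here is a small Python triage script that parses `openssl version` banners collected from an inventory and sorts hosts into the Discovery, Analysis and Remediate buckets above. The hostnames, banners and `uses_tls` flags are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Affected range for CVE-2022-3602 / CVE-2022-3786: OpenSSL 3.0.0 through 3.0.6.
# Fixed in 3.0.7; the 1.x branches are not affected.
FIRST_AFFECTED = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an 'openssl version' banner, or None if not OpenSSL."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if the version falls inside the vulnerable 3.0.0-3.0.6 window."""
    return FIRST_AFFECTED <= version < FIXED


def triage(inventory: List[Tuple[str, str, bool]]) -> dict:
    """Group (host, banner, uses_tls) records into remediation buckets.

    Hosts that actually use TLS with a vulnerable build are patched first (Remediate);
    vulnerable builds that sit idle are queued (Analysis step); unparsable banners
    are flagged for manual review so nothing silently drops out of Discovery.
    """
    buckets = {"patch_now": [], "patch_later": [], "not_affected": [], "unknown": []}
    for host, banner, uses_tls in inventory:
        version = parse_version(banner)
        if version is None:
            buckets["unknown"].append(host)
        elif not is_affected(version):
            buckets["not_affected"].append(host)
        elif uses_tls:
            buckets["patch_now"].append(host)
        else:
            buckets["patch_later"].append(host)
    return buckets


# Constructed sample inventory: hostnames, banners and flags are made up for this example.
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 3.0.5 5 Jul 2022", True),
    ("build-02", "OpenSSL 3.0.2 15 Mar 2022", False),
    ("legacy-03", "OpenSSL 1.1.1q  5 Jul 2022", True),
    ("api-04", "OpenSSL 3.0.7 1 Nov 2022", True),
    ("appliance-05", "LibreSSL 3.6.1", True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```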

In the end, patching these vulnerabilities, like patching any vulnerability, will never eliminate the risk entirely. There will always be a gray area you are unaware of. Even with a good security posture, you should assume that you have been breached and conduct threat hunting.

My Favorites

Books I'm Currently Reading

Title: On War

Author: Gen. Carl von Clausewitz

Overview: Clausewitz had a lot of sayings, but the most well-known is "War is not just a political act; it is also a political instrument, a continuation of political relations, and the same thing done by other means." This is a definition of war that has become widely accepted.

Books I Recommend Reading

Title: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Author: Andy Greenberg

Overview: Sandworm is a scary, world-spanning detective story that looks at how this force threatens our national security and stability. As the Kremlin's role in manipulating other governments becomes clearer, Sandworm shows the truth not only about Russia's global digital offensive but also about a time when wars are no longer fought on the battlefield. It shows how the lines between digital and physical conflict, as well as between war and peace, have started to blur, which could shake the world.

Podcast - The Jordan B. Peterson Podcast #307 with Dr. John Delony

Dr. Jordan Peterson's fascinating talk will alter your mind. This podcast explores how morals, music, religion, and other factors impact people and culture. It will help you understand your creativity, skills, and personality.

Videos - A Tale of Two Studies: The Best and Worst of YubiKey Usability

Two-factor authentication (2FA) strengthens password-based security. U2F security keys, small hardware devices that require users to press a button to prove who they are, have become more popular recently. Researchers ran two user studies of the popular U2F security key YubiKey to find out how easy it is to use outside of an enterprise setting.

Quote of the Week

“There are only two ways to live your life. One is as though nothing is a miracle. The other is as though everything is a miracle.” ― Albert Einstein

If you're interested in starting a career in cybersecurity, watch this one, and don't forget to subscribe to my channel and leave a comment if there are any topics you're interested in seeing in my next video.

Check out my other stuff here.

Resources

ayoub boutabba

Student at Université Saad Dahlab de Blida | network | cyber security

1 yr

Security and book of security seifo

Seif H. Awesome! Thanks for sharing!
