In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or

Tuesday, November 1, 2022 15:11

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or remote code execution (RCE). X.509 is the standard defining the format of public key certificates, commonly used in protocols including TLS as well as digital signatures. Importantly, these vulnerabilities can affect both the client and server in contrast to most vulnerabilities that typically impact one or the other, broadening the potential attack surface.  

These vulnerabilities could be very impactful as OpenSSL is widely used, and the affected version is included in some major Linux distributions. However, the affected version was released relatively recently in September of 2021 so adoption may not be as widespread as older versions, such as 1.1.1 and 1.0.2, which are currently unaffected by this vulnerability.  

For more information about these vulnerabilities’ impact on Cisco products, please refer to Cisco’s Security Advisory here.  

Cisco Talos is closely monitoring for potential exploitation attempts in the wild as new details of the vulnerabilities are released. We strongly recommend users mitigate affected systems as soon as possible by upgrading to version 3.0.7.  

**Vulnerability details**

A buffer overflow can be triggered by sending an X.509 certificate with a specially crafted email address in the “id-on-SmtpUTF8Mailbox” field ( OID 1.3.6.1.5.5.7.8.9 )  resulting in a crash (Denial of Service - DoS) or potential remote code execution on a vulnerable client or server. Potential opportunities for exploitation can occur if a server requests authentication information after a malicious client connects, or if a client connects to a malicious server, which would then make the client vulnerable.

CVE-2022-3602 is assigned for a 4-byte buffer overflow (single unsigned int overwrite) resulting in a crash or remote code execution. However, CVE-2022-3786 refers to the variable length overflow variant in the X.509 email address field with the potential to result in crashes.

**Coverage & Mitigations**

  
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

For more information about this vulnerability’s impact on Cisco products, please refer to Cisco’s Security Advisory here.  

Cisco Talos is releasing Snort Rules: **60790, 300306-300307** to protect against exploitation of CVE-2022-3602.  

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Multios.Exploit.CVE\_2022\_3602-9976476-0

Threat Advisory: High Severity OpenSSL Vulnerabilities

New web targets for the discerning hacker

New web targets for the discerning hacker

Last month two Italian security researchers revealed they had netted more than $46,000 in bug bounties after discovering a misconfiguration vulnerability in Akamai – despite receiving nothing from Akamai itself.

The exploit, which leveraged HTTP smuggling and hop-by-hop header abuse techniques, instead achieved payouts from several of the company’s customers. These included $25,200 from PayPal and rewards from Airbnb, Hyatt Hotels, Valve, Zomato, and Goldman Sachs.

In other payout news, researcher Saajan Bhujel bagged a $10,000 bounty from GitHub after finding a way to spoof the platform’s login interface. Bypassing HTML filtering in the MathJax display engine allowed him to inject form elements and change the website’s CSS, potentially fooling users into entering credentials into a fake login page.

Apple, meanwhile, has invited researchers to apply for the Apple Security Research Device Program, with applications open until the end of November.

Successful applications will receive a Security Research Device (SRD) – a specially-fused iPhone that allows iOS security research to be carried out without having to bypass its security features. Shell access is available, and researchers can run any tools, choose their own entitlements, and customize the kernel.

Apple has also revamped its ‘Apple Security Research’ website, with researchers now able to track bug reports via real-time status updates. The program has paid out nearly $20 million in bounties since launching 2.5 years ago.

Meanwhile, the Swiss National Cyber Security Centre (NCSC) has launched a private bug bounty program that involves probing the federal government’s web applications, APIs, and critical infrastructure.

Amazon’s new hardware-focused program, managed by HackerOne, is offering rewards ranging up to $25,00 for bugs in Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware.

And finally, the US Department of Defense said it paid out a total of $75,000 in bounties for 648 bug reports submitted by 267 researchers during a hackathon that took place in July.

**The latest bug bounty programs for November 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Apple Security Research Device Program**

**Program provider:  
**Independent

**Program type:  
**Private

**Max reward:  
**$1 million

**Outline:  
**Apple will send selected security researchers a Security Research Device (SRD), a specially fused iPhone that allows shell access, kernel customization, and iOS security research without the need to bypass security features.

**Notes:  
**Applications can be submitted until November 30, 2022, with successful candidates receiving an SRD for 12-month renewable periods, and reports potentially eligible for rewards through the upgraded Apple Security Bounty.

Check out the Apple SRD bug bounty page for more details

**Amazon**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$25,000

**Outline:  
**Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware, make up the 36 assets in scope under the Amazon Vulnerability Research Program.

**Notes:  
**Rewards for bugs in services and apps range up to $20,000, while bounties for devices rise higher still to $25,000.

Check out the Amazon bug bounty page for more details

**Beanstalk**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$1.1 million

**Outline:  
**The bug bounty program for Beanstalk – a permissionless fiat stablecoin protocol built on Ethereum – centers on smart contracts and preventing the loss of user funds.

**Notes:  
**Beanstalk describes itself as forming “the monetary basis of an Ethereum-native, rent-free economy facilitated by the positive carry of its native fiat currency, a stablecoin called Bean”.

Check out the Beanstalk bug bounty page for more details

**BigCommerce**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**A NASDAQ-listed provider of Software-as-a-Service (SaaS) ecommerce services to retailers.

**Notes:  
**Valid targets include bigcommerce.net, bigcommerce.com, and related iOS and Android apps.

Check out the BigCommerce bug bounty page for more details

**Blend Labs**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Blend Labs is a provider of cloud-based software for financial services firms in the US.

**Notes:  
**Just one target is in scope – knox.beta.blendlabs.com – with blend.com not a viable target.

Check out the Blend Labs bug bounty page for more details

**Deribit**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**The Amsterdam-based cryptocurrency option exchange is offering between $2,500 and $6,000 for critical vulnerabilities.

**Notes:  
**Testing is only allowed within Deribit’s test environment.

Check out the Deribit bug bounty page for more details

**Jungle Smart Contract**

**Program provider:  
**HackenProof

**Program type:  
**Private

**Max reward:  
**$1 million

**Outline:  
**A peer-to-peer NFT marketplace for digital goods, art, collectibles, and other virtual assets backed by the blockchain.

**Notes:  
**Some 14 protocols are in scope.

Check out the Jungle Smart Contract bug bounty page for more details

**Lido on Polkadot and Kusama**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$2 million

**Outline:  
**Lido, a liquid staking solution for Ethereum, has launched bug bounty programs focused on DOT (Polkadot) and KSM (Kusama).

**Notes:  
**Smart contract bugs could command rewards of up to $2 million, while flaws in websites and applications max out at $40,000.

Check out the Lido on Polkadot and Kusama bug bounty pages for more details

**Private Internet Access (PIA)**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$1,250

**Outline:  
**PIA, which already had a vulnerability disclosure program, is now incentivizing researchers to probe its technologies with rewards ranging up to $1,250.

**Notes:  
**Priority bugs are those enabling remote code execution, unlicensed access to VPN servers, or third-party monitoring or leaking of user data.

Check out the PIA bug bounty page for more details

**Rec Room**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**A video game and video game creation platform available on Windows, Xbox, PlayStation, Oculus Quest, Apple devices, and Android.

**Notes:  
**Rec Room web application and API are in scope, but the free, cross-platform Rec Room game is the “primary target”.

Check out the Rec Room bug bounty page for more details

**Redox**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Redox technology facilitates the transferring of electronic healthcare records between organizations.

**Notes:  
**Critical bugs ordinarily fetch rewards of between $3,000-$4500, but submissions that “reflect an understanding of the platform and can describe the vulnerability and its impact and how to resolve it clearly and concisely” could net bounties of $5,000.

Check out the Redox bug bounty page for more details

**Stravito**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**The market research platform claims McDonalds, Electrolux, Comcast, and Carlsberg among its customers.

**Notes:  
**Said Stravito founder and CEO Thor Olof Philogène: “Partnering with Intigriti, the leaders in this space, allows us to add an additional layer of stress testing to ensure we continue delivering the most robust and secure platform in our space.”

Check out the Stravito bug bounty page for more details

**Swiss National Cybersecurity Centre**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**The Swiss National Cybersecurity Centre (NCSC) is seeking submissions for bugs in the federal government’s web applications, APIs, and critical infrastructure.

**Notes:  
**As previously reported by The Daily Swig, the program follows a pilot project conducted in 2021 where ethical hackers probed IT systems of the Swiss parliament and Federal Department of Foreign Affairs for security vulnerabilities.

Check out the Swiss NCSC bug bounty page for more details

**Other bug bounty and VDP news this month**

*   **HackerOne** is expanding numbers of its ‘Hacker Success Managers’ to assist bug hunters, and has launched a new attack surface management platform, HackerOne Assets
*   **Bugcrowd** is now a CVE numbering authority, and has also launched a program management platform to help customers coordinate pen test, bug bounty, VDP, and ASM assets
*   European platform **Intigriti** has launched Hybrid Pentesting, which purports to combine the ‘pay-for-impact’ bug bounty model with the dedicated resourcing strategy of penetration testing
*   **YesWeHack** has launched MyOpenVDP, a turnkey vulnerability disclosure program-hosting solution
*   **Open Bug Bounty** has surpassed the milestone of notching one million web security vulnerabilities (PDF) reported and patched eight years after the platform’s launch

Curated by Adam Bannister. Additional reporting by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for October 2022

Bug Bounty Radar // The latest bug bounty programs for November 2022

New offering goes beyond industry requirements to help maximize the value of SIEM investments.

**P****LANO, Texas, Nov. 1, 2022 /PRNewswire/ —** Critical Start, a leading provider of Managed Detection and Response (MDR) cybersecurity solutions, today announced the launch of its new managed service for Security Information & Event Management (SIEM). Available to new and existing customers, the new service is an add-on to Critical Start's existing MDR for SIEM offering and supports Microsoft Sentinel™ and Splunk Cloud®. It simplifies the architecture and deployment of SIEM solutions to help organizations derive the maximum value from their SIEM investments for risk management, compliance and threat detection use cases, and holistically improve their security posture.

According to Gartner, "Managed SIEM has a compelling adoption rate as SIEM technologies are becoming more accessible and more mid-security-maturity buyers are entering the market having accelerated their security needs and maturity by adopting cloud-based IT."1

"SIEM solutions provide important security benefits but are often complex in nature and challenging to deploy, tune, manage and maintain. As a result, security leaders may be prevented from deploying or enhancing SIEM technologies, greatly limiting the improvement of their cybersecurity maturity," said Chris Carlson, SVP Product at Critical Start. "Our new managed service works cohesively with customers' SIEM products to handle the heavy lifting associated with implementation and customization, including recommendations for log source tuning to lower SIEM ingestion costs while maintaining robust threat detection visibility."

In addition to delivering all the requirements and optional features outlined in the 2022 Gartner _Market Guide for Managed SIEM Services__,_ Critical Start Managed SIEM experts help identify and continuously analyze log sources to ensure they are of high fidelity and provide the following value-added services:

*   Configuration and Customization – includes custom development for customer-specific dashboards, reports, and log sources to support security, risk, compliance and audit use cases.
*   Quarterly Service Reviews – provides visibility into how the SIEM is performing to help customers control costs and increase security outcomes.
*   Ingest Cost Analysis for Microsoft Sentinel - analyzes billing vs. ingest for specific Microsoft data sources recommending the appropriate commitment tiers over the length of the contract to maximize log ingest cost savings. This service is unique to Critical Start.
*   Data Source Health Monitoring – offers log source performance, availability and capacity monitoring to identify potential issues with log ingestion.
*   Risk Reduction Reviews – analyzes adding log sources and detection content to deliver the most coverage under the industry-standard NIST CSF and MITRE ATT&CK® Matrix Frameworks.
*   Ease of Upgrade – Managed SIEM is a service add-on to Critical Start's industry-leading MDR for SIEM offering. Customers can add Managed SIEM when they purchase the MDR service or anytime during the MDR contract term.

For additional details on this new service offering, visit Critical Start's Managed SIEM page.

1Gartner, _Market Guide for Managed SIEM Services_, Al Price, John Collins, Andrew Davies, Mitchell Schneider, Angel Berrios, August 17, 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

**About Critical Start  
**Today's enterprise faces radical, ever-growing, and ever-sophisticated multi-vector cyber-attacks. Facing this situation is hard, but it doesn't have to be. Critical Start simplifies breach prevention by delivering the most effective managed detection and incident response services powered by the Zero Trust Analytics Platform™ (ZTAP™) with the industry's only Trusted Behavior Registry™ (TBR) and MOBILE**SOC**®. With 24x7x365 expert security analysts, and Cyber Research Unit (CRU), we monitor, investigate and remediate alerts swiftly and effectively, via contractual Service Level Agreements (SLAs) for Time to Detection (TTD) and Median Time to Resolution (MTTR), and 100% transparency into our service. For more information, visit criticalstart.com. Follow Critical Start on LinkedIn, Twitter, Facebook, Instagram.

Critical Start® Launches New Managed SIEM Service

Grant will be used to design reliable method of reducing cybersecurity gaps that lead to data breaches and develop a training course.

**DOBBS FERRY, N.Y., Oct. 31, 2022 /PRNewswire-PRWeb/ —** Mercy College has received a two-year $465,398 grant from the National Centers of Academic Excellence in Cybersecurity (NCAE-C), an arm of the National Security Agency (NSA). The grant will be used by College faculty and staff to design a reliable method of reducing cybersecurity gaps that lead to data breaches and to develop a training course at Mercy College for delivering the technology.

The grant stems from the NCAE-C's mission to create a collaborative cybersecurity educational program to engage experts in the field in solving the rising problem of data breaches. Mercy College has been tasked with addressing the human component in security breaches, especially those involving individuals, such as hackers or former employees, who break through security systems to access sensitive data.

Usman Rauf, Ph.D., assistant professor of cybersecurity, will serve as principal investigator (PI) on the grant. He will be assisted by co-PI, Zhixiong Chen, Ph.D., director of the Cyber Education Center at Mercy College, which has been designated by the NSA and the Department of Homeland Security as a Center of Academic Excellence on Cybersecurity Defense Education.

According to a recent data report from Verizon, up to two-thirds of breaches are not discovered until a year or more after the incident. "By then the damage is done, well before strategies for detection and deterrence are in place," said Rauf, whose 2021 paper on the subject was published in the journal Future Generation Computer Systems. "We propose to develop a system of detecting irregular or unexpected behavior that should be flagged as a threat." Once identified, an automated process will alert the system administrator and other authorities, enabling earlier intervention and minimizing the damage caused by the breach.

In a second phase, the team will design a novel master's level course, Cyber Threat Analytics, that will offer training in observation, analysis, and application. In the pilot program, Mercy College students will use state-of-the-art techniques and pipelines to learn how to detect and manage insider threats in a variety of scenarios. The team also expects to research and publish papers on multiple aspects of cyber threat analytics. "We are confident that the outcomes of this project will be of great benefit to industry and academia," Chen said.

"Mercy is proud to have been awarded a grant from the National Security Administration and for the opportunity to contribute to the advancement of the country's cybersecurity," said Mercy College President Tim Hall. "Through this grant, Mercy also looks forward to giving students the ability to learn in-demand industry skills that will benefit them upon graduation."

**About Mercy College**

  
Founded in 1950 by the Sisters of Mercy, Mercy College is an independent, coeducational college that offers more than 100 undergraduate and graduate degree and certificate programs within five schools: Business, Education, Health and Natural Sciences, Liberal Arts and Social and Behavioral Sciences. The vibrancy of the College culture is sustained by a diverse student body from around the region. The College offers campuses in Dobbs Ferry, the Bronx and Manhattan as well as online offerings.

Mercy College Awarded NSA Research Grant to Develop Cybersecurity Technology

** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when using the Common Desktop Environment (CDE), is vulnerable to a privilege escalation vulnerability. A low privileged user can escalate to root by crafting a malicious printer and double clicking on the the crafted printer's icon.

CVE-2022-43752: .:: Phrack Magazine ::.

A vulnerability classified as critical was found in Axiomatic Bento4 5e7bb34. Affected by this vulnerability is the function AP4_Mp4AudioDsiParser::ReadBits of the file Ap4Mp4AudioInfo.cpp of the component mp4hls. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212563.

Hi, there.

There is an heap overflow in ReadBits, Ap4Mp4AudioInfo.cpp:66, in the newest master branch 5e7bb34, which seems to be incomplete fix of issue #194.

Here is the reproducing command:

POC:  
mp42hls\_ReadBits\_Ap4Mp4AudioInfo66.zip  
(unzip first)

Here is the reproduce trace reported by ASAN:

    ==64087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000275 at pc 0x000000511365 bp 0x7fff4cecb370 sp 0x7fff4cecb368
     READ of size 1 at 0x602000000275 thread T0
         #0 0x511364 in AP4_Mp4AudioDsiParser::ReadBits(unsigned int)  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:66:56
         #1 0x511a50 in AP4_Mp4AudioDecoderConfig::ParseExtension(AP4_Mp4AudioDsiParser&)  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:159:20
         #2 0x513cdb in AP4_Mp4AudioDecoderConfig::Parse(unsigned char const*, unsigned int)  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:317:30
         #3 0x5a093c in AP4_Mpeg2TsAudioSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&)  /benchmark/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:442:44
         #4 0x50991a in WriteSamples(AP4_Mpeg2TsWriter*, PackedAudioWriter*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int, unsigned char)  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1274:40
         #5 0x50991a in main  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2188:14
         #6 0x7efd53469082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
         #7 0x41d8ed in _start ( /benchmark/Bento4/build-a/mp42hls+0x41d8ed)
     
     0x602000000275 is located 0 bytes to the right of 5-byte region [0x602000000270,0x602000000275)
     allocated by thread T0 here:
         #0 0x4f8017 in operator new[](unsigned long)  /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102:3
         #1 0x560ebf in AP4_DataBuffer::AP4_DataBuffer(void const*, unsigned int)  /benchmark/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:68:20
         #2 0x5a093c in AP4_Mpeg2TsAudioSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&)  /benchmark/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:442:44
         #3 0x50991a in WriteSamples(AP4_Mpeg2TsWriter*, PackedAudioWriter*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int, unsigned char)  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1274:40
         #4 0x50991a in main  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2188:14
         #5 0x7efd53469082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
     
     SUMMARY: AddressSanitizer: heap-buffer-overflow  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:66:56 in AP4_Mp4AudioDsiParser::ReadBits(unsigned int)
     Shadow bytes around the buggy address:
       0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
       0x0c047fff8010: fa fa 04 fa fa fa fd fd fa fa 00 05 fa fa 05 fa
       0x0c047fff8020: fa fa 06 fa fa fa 00 fa fa fa fd fd fa fa 04 fa
       0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 00
     =>0x0c047fff8040: fa fa 00 00 fa fa 05 fa fa fa 00 04 fa fa[05]fa
       0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     Shadow byte legend (one shadow byte represents 8 application bytes):
       Addressable:           00
       Partially addressable: 01 02 03 04 05 06 07 
       Heap left redzone:       fa
       Freed heap region:       fd
       Stack left redzone:      f1
       Stack mid redzone:       f2
       Stack right redzone:     f3
       Stack after return:      f5
       Stack use after scope:   f8
       Global redzone:          f9
       Global init order:       f6
       Poisoned by user:        f7
       Container overflow:      fc
       Array cookie:            ac
       Intra object redzone:    bb
       ASan internal:           fe
       Left alloca redzone:     ca
       Right alloca redzone:    cb
       Shadow gap:              cc
     ==64087==ABORTING

CVE-2022-3784: Heap overflow in mp4hls, ReadBits, Ap4Mp4AudioInfo.cpp:66 · Issue #806 · axiomatic-systems/Bento4

CTO recognized as cybersecurity influencer for his research and thought leadership.

**SAN FRANCISCO, Oct. 31, 2022 /PRNewswire/** — Normalyze, a data-first cloud security platform, today announced that Ravi Ithal, chief technology officer and co-founder, has been named to the Enterprise Security Tech Cyber Influencer Top 10 List. The Enterprise Security Tech Cyber Influencer Top 10 list recognizes the top cybersecurity influencers providing immense value to the industry with groundbreaking research, visionary thought leadership, and consistent leadership and culture-building accolades.

The rise of cloud computing has increased the complexity of the enterprise attack surface. A recent survey from IDC found that 98% of organizations queried reported at least one cloud data breach in the past 18 months. As a result, security teams don't know where their data resides or its value, leading to difficulty avoiding data breaches. Normalyze's secret sauce is its ability to gather all security stakeholders, from the CISO to the security engineer, to DevOps, in one user interface to discover data, classify it, and prioritize discovery of attack paths that can lead to sensitive information.

"I've been fortunate enough to be part of some industry- and category-defining cybersecurity companies for a couple of decades now and I can tell you that cybersecurity has never been more important for economic and national security as it is now. It's incredibly humbling to be recognized for the accomplishment that led to assembling the smart team at Normalyze," said Ithal. "Cloud data is adding so much complexity right now and I really believe in the work we're doing at Normalyze to share best practices and let people trust their data in the cloud again."

"We need leaders in the cybersecurity industry now more than ever," said Jack Campbell, Managing Editor, Enterprise Security Tech. "The industry is bogged down by the daily cat-and-mouse game with cyber criminals, so we need industry leaders that are forward-looking and have a vision for how we can move the industry forward and solve macro security problems instead of simply firefighting. We're honored to be able to recognize these leaders for the value that they are bringing to the market and their dedication to moving the cybersecurity industry forward."

For more information about the Enterprise Security Tech Cyber Influencer Top 10 List, please visit this page.

**About Enterprise Security Tech**

Enterprise Security Tech is a specialized cyber media company with a global presence. The Enterprise Security Tech blog is a cybersecurity blog written for CISOs, CIOs, and security-minded CEOs that brings together critical news, expert insights, and product information to help security leaders make informed business decisions. Enterprise Security Tech is also home to The Cyber Jack Podcast, which brings listeners the latest cybersecurity insights via security experts from around the industry. For more information about Enterprise Security Tech, visit our website.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze agentless and machine-learning scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans Ravi Ithal and Amer Deeba and has several customers, including Corelight, Netskope, and Orkes. The company is funded by Lightspeed Venture Partners and Battery Ventures. For more information, please visit normalyze.ai.

**SOURCE:** Normalyze

Normalyze Co-Founder and CTO, Ravi Ithal, Named to the Enterprise Security Tech Cyber Influencer Top 10 List

Categories: News
Tags: week in security

Tags:  weekly blog roundup

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 24 - 30) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 24 - 30)

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 21 to October 28

The next generation of cybersecurity pros will need to participate frequently in relevant training to expand their skills and stay engaged.

The shortage of cybersecurity professionals worldwide is a growing concern for organizations of all sizes, as threats mount and attack vectors become more difficult to defend against.

CyberSeek.org counts nearly 770,000 open jobs in cybersecurity, and the data is showing that employer demand for cybersecurity workers is growing 2.4 times faster than the overall rate across the US economy.

To adequately train the next generation of cybersecurity pros, organizations need to start thinking more collaboratively, using virtual technologies as learning tools, and turning to upskilling to offer opportunities to in-house talent.

**Teaching the Why Along With the How**

Some of the changes in training and education approaches are fundamental, argues Andrew Hay, COO at Lares Consulting, an information security consulting firm.

"We often teach people the 'how' but never the 'why' when it comes to cybersecurity training," he says. "For example, we'll show someone how to run a tool to detect a vulnerability, but we won't educate them on why the vulnerability surfaced in the first place."

He says if you don't show people how to prevent vulnerabilities from occurring, you're doomed to keep showing them how to detect them after the fact.

"We have an entire team dedicated to showing our customers how to detect, mitigate, and prevent attacks within their organization," he says. "Not only do we show effect, but we also show cause." Hay says by training people to prevent insecure configurations in the first place, you can help them reduce their attackable surface area.

He adds that cyber-range and capture-the-flag (CTF) events are fantastic learning environments to hone your skills and grow as a cybersecurity professional.

"You'll get to experience how others think about attacking a system, what tools and techniques they use, and their thought process," Hay says. "It's invaluable."

**Playing NICE**

Danielle Santos, manager of communications and operations for NIST'S National Initiative for Cybersecurity Education (NICE), says investing in cybersecurity training and education now is critical to meet this growing demand.

"We are coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals," she explains. By facilitating a mechanism whereby the educators, trainers, and employers can come together as a community, they are better positioned to have training that meets the workforce demand.

NICE is also responsible for maintaining the Workforce Framework for Cybersecurity, which describes tasks, knowledge, and skills that are needed to perform cybersecurity work. It provides a standard for training and certification providers to establish knowledge and skill requirements according to tasks in the workplace.

**Smashing Training Silos**

Mika Aalto, co-founder and CEO at Hoxhunt, a Helsinki-based provider of enterprise security awareness solutions, says that the motivation for training today is compliance-driven, not security-driven, which leads to training implementations that can't address human cybersecurity risk.

He argues that organizations should take a risk-based view of the actual attacks employees face and focus on building the right culture and driving the adoption of the correct habits.

"When it comes to the core sins, organizations are running punitive programs that fail to capture employees' hearts and minds," he says.

Making matters worse, training frequency is occasional, and curriculum is built with a one-size-fits-all mentality. "Today's technology allows us to automatically develop and deliver individual training experiences at scale, driving behavior change rather than raising awareness," he says.

From Aalto's perspective, another core sin is that the training often gets siloed. "Awareness professionals are blind to the attacks and metrics managed by security operations," he says. "They lack the cohesive processes and technology to share intelligence and augment detection and response capabilities."

He says that modern teams should work in harmony, with effective training platforms that enable employees to hunt attacks that have infiltrated the organization and integrate that data into operations to mitigate the threats in real time.

"Extending awareness into the center of the security stack is a game-changer in how training is conducted and leveraged," he adds.

**Innovations in Training**

Santos notes that over the past several years, simulated training has shown promise as a mechanism to learn new cybersecurity skills. Training offered through cyber ranges, for example, allows learners to experience simulated real-world scenarios and demonstrate applied knowledge and skills.

"Additionally, apprenticeships, while not new to the broader workforce, but relatively new as they apply to the cybersecurity workforce, is a proven approach to expanding cybersecurity talent," she says.

She highlights the US Departments of Commerce and Labor's recent partnership on a 120-day Cybersecurity Apprenticeship Sprint to promote the Registered Apprenticeship model as a way to develop and train a skilled and diverse cybersecurity workforce.

**Moving to New Training Models**

Kelly Albrink, Bishop Fox practice director for application security, points out that cybersecurity training has historically culminated in a multiple-choice test that relies on memorization.

"With the Internet at our fingertips, memorization is far less important than problem solving," she explains. "So, training should be more focused on hands-on exercises that directly map to what real cybersecurity work looks like."

She mentions her company's Bishop Fox Academy, an internal training program to help people gain both technical skills and soft skills. "Bishop Fox is one of the few companies with actual entry-level roles for junior consultants," Albrink says. "We have a formal mentor program that matches consultants based on their interests and specializations."

She says that in earlier iterations of the mentor program, the company received a lot of feedback from both mentors and mentees that they wanted more structure and guidance on how to get the most out of the program, which led to the creation of a worksheet to help guide initial conversations. It included both "getting to know you" questions to help pairs build an immediate connection, as well as guidance on goal setting.

"We also understand that not every mentor match is the best fit so, 2-3 times a year we give people the opportunity to get a new match or extend their current pairing," she adds. "I typically encourage people to have multiple mentors and receive mentoring on more than one topic."

**The Benefits of Upskilling**

"When you upskill existing cybersecurity, staff you can cut down the learning curve within your organization and often fill gaps faster," Ron Culler, vice president cyber learning officer at CompTIA, explains.

However, it's not just existing cybersecurity staff that should be the focus — he says organizations should be looking across their workforce and at all its IT staff. "Many of these individuals have strong foundational knowledge of the organization," he says. "They can be some of the best candidates to work in cybersecurity, simply because cybersecurity encompasses all aspects of an organization."

Santos agrees that upskilling is an effective approach to filling talent gaps more quickly in an organization. "It utilizes the existing workforce, many of whom have transferrable skills that can be applied to a cybersecurity," she says.

**Cybersecurity Touches All Aspects of an Organization**

CompTIA offers education, training, and certification options for individuals interested in working in cybersecurity and those already in the profession. Four certifications are specific to cybersecurity skills at different career levels — entry, mid, and advanced. Cybersecurity is also embedded in the company's other certifications in networking, data, cloud computing, and other disciplines.

Culler points out that traditional approaches have often focused on individuals with a heavy background in technology.

"While this is still needed, cybersecurity encompasses much more than just tech," he says. "Diverse experiences and skills are needed to fill gaps in cybersecurity roles throughout organizations."

As he puts it, cybersecurity is not a technology issue, but rather something that touches every aspect of an organization.

**Training the Next Generation of Hackers**

From Albrink's perspective, you can't buy enough senior talent to meet the demands of the market. The only viable solution is to train the next generation of hackers.

"In terms of best practices, newcomers often want to learn everything and get overwhelmed," she says. "If they pick two focuses, and those two things synergize well, they'll be much better set up for success."

She adds that learning in a vacuum, like simply reading a book or watching a video, doesn't lead to good results. "I always recommend that you pick a hands-on project to apply what you're trying to learn," she says. "For example, every webapp hacker should build and deploy their own app."

She says that gives you a much better perspective on how difficult it can be to put common defensive recommendations into practice and helps you to better understand the struggles that developers face.

**More Flexibility, More Investment**

Albrink says she's seen a trend of publicly available training moving to a more on-demand subscription-based model. "This gives learners the flexibility to fit their training schedule to their busy lives," she says. "So, instead of trying to knock out a red team lab in 30, 60, or 90 days, they get access for a year."

The downside is the training has become a lot more expensive and out of reach for most people paying for it themselves.

Santos explains the US Department of Commerce supports a workforce development model, to include training, that leans on an employer-driven regional approach. "An employer-driven approach aims to ensure that the supply of cybersecurity talent is job-ready," she says.

Culler agrees it's important to invest in cybersecurity training now because cybersecurity threats aren't going away or lessening. "We need a cyber aware and cyberskilled workforce for organizations to remain competitive and thrive in the current environment and into the future," he says.

From Aalto's perspective, the key word is "invest." He points out that around 90% of breaches contain a human element, almost always initiated by a phishing attack, and yet only 3% of security budgets go to awareness.

"That imbalance tilts the advantage towards the threat actors, whose attacks get more relentless and sophisticated by the day," he says.

In a risk landscape where cybersecurity is increasingly expensive and hard to get, and where regulations tighten all the time, it's up to organizations to take a risk-based approach to protect themselves where they're most vulnerable — their people.

"It works, if your training is done right," Aalto says.

Tag

#ios