Improper Handling of Length Parameter Inconsistency in GitHub repository francoisjacquet/rosariosis prior to 10.0.

CVE-2022-2714: huntr – Security Bounties for any GitHub repository

SecDevOps is, just like DevOps, a transformational change that organizations undergo at some point during their lifetime. Just like many other big changes, SecDevOps is commonly adopted after a reality check of some kind: a big damaging cybersecurity incident, for example.
A major security breach or, say, consistent problems in achieving development goals signals to organizations that the

SecDevOps is, just like DevOps, a transformational change that organizations undergo at some point during their lifetime. Just like many other big changes, SecDevOps is commonly adopted after a reality check of some kind: a big damaging cybersecurity incident, for example.

A major security breach or, say, consistent problems in achieving development goals signals to organizations that the existing development framework doesn't work and that something new is needed. But what exactly is SecDevOps, why should you embrace it – and how can you do it more easily in practice?

**The fundamentals of SecDevOps**

By itself, SecDevOps is not just one single improvement. You may see it as a new tool, or set of tools, or perhaps a different mindset. Some might see SecDevOps as a culture. In reality, it's all of those factors wrapped into a new approach to development that's intended to put security first.

SecDevOps rely on highly reproducible scenarios, touching on topics such as system provisioning and deployment, code management, and building pipelines. However, most importantly, SecDevOps addresses cybersecurity posture. Everyone in the organization must reflect a security-first approach where, at every level, security issues are foreseen, identified, and corrected. In essence, putting the Sec in front of DevOps means shifting security to the front of the development framework. Security is not an afterthought; it is the first thing that teams think about when developing an application, and security policies are defined right at the start of the project.

**Theory, yes… but you need tools to execute**

Giving security such a prime position in the development workflow matters because of the usual cybersecurity factors. Building security into the DevOps workflow contributes to improved vulnerability management, including better patch management through live patching, both of which are critical aspects of overall cybersecurity posture.

A great idea, viewpoint, or approach will only get you so far, however. You also need tools that can help you implement these ideas in practice. Which tools you need depends on your unique development requirements – but there are a few common needs.

Consistent patch management is one of those common needs, and to help organizations better adjust their processes and indeed to help them get started with SecDevOps, TuxCare's ePortal offering has a script-friendly API endpoint that helps organizations include TuxCare's KernelCare live patching into their workloads more easily.

The API simplifies the integration of KernelCare live patching deployment and configuration at an earlier development stage. In providing this tool, we illustrate how automation in the SecDevOps paradigm not only simplifies operations but also ensures the availability of key tools as soon as systems are provisioned – while also making it easy to remove the tools as systems are decommissioned - enabling a reproducible, security-first mindset to permeate a system's lifetime from deployment to teardown..

**Pick the right tools to attain SecDevOps now**

SecDevOps translates into a more secure environment over the entire lifecycle of a system – but every organization needs practical tools that help make SecDevOps a reality. While SecDevOps as a concept can drive the development practices that underpin security in your organization, implementation success often lies in the tools used.

TuxCare's range of tools provides an easy-to-follow recipe with examples for Chef, Ansible, and Puppet. Whichever DevOps tools your organization uses, it can make use of the TuxCare ePortal API. And if you're using something else entirely, our code samples will still guide you in the right direction.

At the end of the day, it doesn't matter what toolset you use. It's critical that your organization embraces SecDevOps – and deploys a comprehensive toolset that automatically ingrains SecDevOps principles into everyday development practices.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Integrating Live Patching in SecDevOps Workflows

OS Command Injection vulnerability in Hitachi RAID Manager Storage Replication Adapter allows remote authenticated users to execute arbitrary OS commands. This issue affects: Hitachi RAID Manager Storage Replication Adapter 02.01.04 versions prior to 02.03.02 on Windows; 02.05.00 versions prior to 02.05.01 on Windows and Docker.



**Security information for Hitachi Disk Array Systems**

*   Vulnerability description
*   Affected products
*   Permanent action
*   Interim action
*   References
*   Revision history

September 6, 2022  
Hitachi, Ltd. IT Platform Products Management Division

Hitachi Disk Array Systems have the following vulnerability.

**Security Information ID**

Hitachi-sec-2022-307

**Affected products**

The following table shows the affected products.

Product Name

Hitachi RAID Manager SRA

Software Version

*   Hitachi RAID Manager SRA: 02.01.04 \*
*   Hitachi RAID Manager SRA: 02.02.00 \*
*   Hitachi RAID Manager SRA: 02.03.01
*   Hitachi RAID Manager SRA: 02.05.00 \*\*

\* Product end of support.  
\*\* Both SRA for Docker and Windows are affected.

*   page top

**Permanent action**

1.  Please perform <Procedure for deleting log files> action described in **"Interim action"**.
2.  Please apply the countermeasure version. The countermeasure version is as follows.
    *   Hitachi RAID Manager SRA 02.03.02
    *   Hitachi RAID Manager SRA 02.05.01

*   page top

**Interim action**

Workaround for vulnerability i):  

\- Do not use characters other than the usable characters described below for the following information registered in the "Add Array Manager" window of SRM.

<Registered information>  
✔ IP address or host name of the RAID Manager server  
✔ Username for connecting to the RAID Manager server using SSH  
✔ Password for connecting to the RAID Manager server using SSH  

<Usable characters>  
   One-byte alphanumeric characters and the following symbols  
   Hyphen (-), comma (,), period (.), colon (:), at mark (@), underscore (\_), slash (/)

\- The password might be already recorded in the SRM log files. Delete the log files by using the following procedure.  
    Notes:

*   This procedure deletes the log file.
*   If other problems occur on the SRM server, resolve them, and then perform the procedure.
*   Do not perform any operation, such as registration or recovery, on SRM during the procedure.

<Procedure for deleting log files (for Docker RMSRA)>

1.  Restart the SRM server.
2.  Enable an SSH access to the SRM server. For the procedure, see the following web page:  
    https://docs.vmware.com/en/Site-Recovery-Manager/8.5/com.vmware.srm.install\_config.doc/GUID-DAB15876-4376-4D4B-A90A-1C54524685AE.html
3.  Log in to the SRM server using SSH. (Use the admin user and the password you have set at the time of deployment.)
4.  Run the su command to become a root user.
5.  Run the following command to move to the log directory:  
      cd /var/log/vmware/srm
6.  Run the following command to check if the password is recorded in the archived log file:  
      gunzip -c vmware-dr-<file generation number>.log.gz | grep " sh:" | wc -l
7.  If the output result of Step 6 is 1 or greater, the password might be recorded. Delete the log file by running the following command:  
      rm vmware-dr-<file generation number>.log.gz

<Procedure for deleting log files (for Windows RMSRA)>

1.  Restart the SRM server.
2.  Access the SRM server as a user with administrator privileges by using a remote desktop connection.
3.  Open the explorer and move to the following directory:  
      <SRM installation drive>:  
      \\ProgramData\\VMware\\VMware vCenter Site Recovery Manager\\Logs
4.  Copy the .gz archive log file to another directory.  
      Name of the file to be copied:  
      vmware-dr-<file generation number>.log.gz
5.  Prepare a tool that decompresses the .gz archive log file that you copied in Step 4 and decompress the log file.
6.  Run the following command at the command prompt and check if the password is recorded in the decompressed log file:  
      find "operable program or batch file." vmware-dr-<file generation number>.log
7.  If an applicable part is output as a result of the command in Step 6, the password might be recorded. Delete the archived log file stored in the log directory.  
      Log directory name:  
      <SRM installation drive>:  
      \\ProgramData\\VMware\\VMware vCenter Site Recovery Manager\\Logs  
       File name:  
      vmware-dr-<file generation number>.log.gz

<Procedure for deleting log (for both Docker/Windows RMSRA)>  
    If a log transfer setting and the like is configured on the SRM server, run the same check for transferred logs and delete logs as necessary.

Workaround for vulnerability ii):  
    Closely manage access rights to SRM.

*   page top

*   page top

**Revision history**

*   September 6, 2022: This security information page is published.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.
*   VMware, VMware Site Recovery Manager, and VMware SRM are trademarks or registered trademarks of VMware, Inc. in the United States and other countries.
*   Docker is a trademark or a registered trademark of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.
*   Microsoft, Windows are trademarks of the Microsoft group of companies.

CVE-2022-34883: Vulnerability Information: Hitachi Storage Solutions: Hitachi

OS Command Injection vulnerability in Hitachi RAID Manager Storage Replication Adapter allows remote authenticated users to execute arbitrary OS commands. This issue affects: Hitachi RAID Manager Storage Replication Adapter 02.01.04 versions prior to 02.03.02 on Windows; 02.05.00 versions prior to 02.05.01 on Windows and Docker.

*   Vulnerability description
*   Affected products
*   Permanent action
*   Interim action
*   References
*   Revision history

September 6, 2022  
Hitachi, Ltd. IT Platform Products Management Division

Hitachi Disk Array Systems have the following vulnerability.

**Security Information ID**

Hitachi-sec-2022-307

**Affected products**

The following table shows the affected products.

Product Name

Hitachi RAID Manager SRA

Software Version

*   Hitachi RAID Manager SRA: 02.01.04 \*
*   Hitachi RAID Manager SRA: 02.02.00 \*
*   Hitachi RAID Manager SRA: 02.03.01
*   Hitachi RAID Manager SRA: 02.05.00 \*\*

\* Product end of support.  
\*\* Both SRA for Docker and Windows are affected.

*   page top

**Permanent action**

1.  Please perform <Procedure for deleting log files> action described in **"Interim action"**.
2.  Please apply the countermeasure version. The countermeasure version is as follows.

*   Hitachi RAID Manager SRA 02.03.02
*   Hitachi RAID Manager SRA 02.05.01

*   page top

**Interim action**

Workaround for vulnerability i):  

\- Do not use characters other than the usable characters described below for the following information registered in the “Add Array Manager” window of SRM.

<Registered information>  
✔ IP address or host name of the RAID Manager server  
✔ Username for connecting to the RAID Manager server using SSH  
✔ Password for connecting to the RAID Manager server using SSH  

<Usable characters>  
   One-byte alphanumeric characters and the following symbols  
   Hyphen (–), comma (,), period (.), colon (:), at mark (@), underscore (\_), slash (/)

\- The password might be already recorded in the SRM log files. Delete the log files by using the following procedure.  
    Notes:

*   This procedure deletes the log file.
*   If other problems occur on the SRM server, resolve them, and then perform the procedure.
*   Do not perform any operation, such as registration or recovery, on SRM during the procedure.

<Procedure for deleting log files (for Docker RMSRA)>

1.  Restart the SRM server.
2.  Enable an SSH access to the SRM server. For the procedure, see the following web page:  
    https://docs.vmware.com/en/Site-Recovery-Manager/8.5/com.vmware.srm.install\_config.doc/GUID-DAB15876-4376-4D4B-A90A-1C54524685AE.html
3.  Log in to the SRM server using SSH. (Use the admin user and the password you have set at the time of deployment.)
4.  Run the su command to become a root user.
5.  Run the following command to move to the log directory:  
      cd /var/log/vmware/srm
6.  Run the following command to check if the password is recorded in the archived log file:  
      gunzip -c vmware-dr-.log.gz | grep " sh:" | wc -l
7.  If the output result of Step 6 is 1 or greater, the password might be recorded. Delete the log file by running the following command:  
      rm vmware-dr-.log.gz

<Procedure for deleting log files (for Windows RMSRA)>

1.  Restart the SRM server.
2.  Access the SRM server as a user with administrator privileges by using a remote desktop connection.
3.  Open the explorer and move to the following directory:  
      <SRM installation drive>:  
      \\ProgramData\\VMware\\VMware vCenter Site Recovery Manager\\Logs
4.  Copy the .gz archive log file to another directory.  
      Name of the file to be copied:  
      vmware-dr-.log.gz
5.  Prepare a tool that decompresses the .gz archive log file that you copied in Step 4 and decompress the log file.
6.  Run the following command at the command prompt and check if the password is recorded in the decompressed log file:  
      find "operable program or batch file." vmware-dr-.log
7.  If an applicable part is output as a result of the command in Step 6, the password might be recorded. Delete the archived log file stored in the log directory.  
      Log directory name:  
      <SRM installation drive>:  
      \\ProgramData\\VMware\\VMware vCenter Site Recovery Manager\\Logs  
       File name:  
      vmware-dr-.log.gz

<Procedure for deleting log (for both Docker/Windows RMSRA)>  
    If a log transfer setting and the like is configured on the SRM server, run the same check for transferred logs and delete logs as necessary.

Workaround for vulnerability ii):  
    Closely manage access rights to SRM.

*   page top

*   page top

**Revision history**

*   September 6, 2022: This security information page is published.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.
*   VMware, VMware Site Recovery Manager, and VMware SRM are trademarks or registered trademarks of VMware, Inc. in the United States and other countries.
*   Docker is a trademark or a registered trademark of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.
*   Microsoft, Windows are trademarks of the Microsoft group of companies.

*   page top

CVE-2022-34883: Security information for Hitachi Disk Array Systems(September 6, 2022):Vulnerability Information:Storage Solutions:Hitachi

Not all security teams are born equal. Each organization has a different objective.
In cybersecurity, adopting a proactive approach is not just a buzzword. It actually is what makes the difference between staying behind attackers and getting ahead of them. And the solutions to do that do exist!
Most attacks succeed by taking advantage of common failures in their target's systems. Whether new or

Not all security teams are born equal. Each organization has a different objective.

In cybersecurity, adopting a proactive approach is not just a buzzword. It actually is what makes the difference between staying behind attackers and getting ahead of them. And the solutions to do that do exist!

Most attacks succeed by taking advantage of common failures in their target's systems. Whether new or not, known, unknown, or even unknown, attacks leverage security gaps such as

unpatched or uncharted vulnerabilities, misconfigurations, out-of-date systems, expired certificates, human errors, etc.

As attackers rely on a range of automated offensive testing tools to scan their targets' attack surfaces and propagate inside their network, a purely reactive defensive stance based on detection and response is increasingly likely to be overwhelmed by an attack.

The logical tactical move is to emulate attackers' TTPs and behaviors beforehand by integrating attack simulation tools to continuously validate the impermeability of the attack surface as a whole, the efficacy of security controls, as well as access management and segmentation policies, etc.

As cyber attackers typically move on to the next target when they meet a challenge, organizations that have already implemented proactive tools and processes benefit twice. Run-of-the-mill cyber attackers are frustrated and deterred, and attackers targeting them specifically have to work much harder to find a way in without detection and progress unimpeded within the network.

These organizations' mature, forward-looking cyber security thinking puts them ahead of the curve in terms of impregnability.

Practically, there are different angles from which to look at and integrate attack simulation tools that can vary depending on your objectives, such as, for example.

► **Boosting prevention capabilities**

Using a Breach and Attack Simulation (BAS) solution continuously validates your security controls efficacy, provides actionable remediation guidance for uncovered security gaps, and optimizes the remediation prioritization efforts in line with the attack success likelihood uncovered through attack simulations.

When available in a BAS solution package, integrated immediate threat intelligence further elevates resilience against emerging threats by automatically verifying your system's ability to thwart such new threats and providing preventative recommendations to plug any uncovered security gap that could be leveraged by those new threats.

**► Strengthening Detection and Response**

Running automated recon attacks shores up your attack surface management procedure by uncovering all exposed assets, including long-forgotten or clandestinely added shadow IT, while integrating continuous outside-in attack simulation capabilities with your SIEM/SOAR tool stack shines a bright light on its limits and flaws. By granularly comparing the progression of simulated attacks launched with the proportion of those detected and stopped, it gives a clear, comprehensive picture of the detection and response array's actual efficacy.

With a detailed map of security gaps and capability redundancies, rationalizing the tool stack by implementing recommended tool configuration fixes and eliminating redundant tools positively impacts detection and response and, as a bonus, prevents environmental drift.

Once integrated, these capabilities can also be used to run in-house Incident Response exercises with minimal preparation required and at zero extra cost.

**► Customizing risk management**

Incorporating security validation into organizational risk management and GRC procedures and providing continuous security assurance accordingly might require a certain level of customizing the available off-the-shelf attack scenarios validating the security controls and outside-in attack campaigns.

A Purple Teaming Framework with template attacks and modulable widgets to facilitate ad hoc attack mapping saves red teams hours of grunt work which maximizes the use of in-house red teams and accelerates scaling up their operations without requiring additional resources.

When starting from zero in-house adversarial capabilities, the recommended progression to integrate security validation solutions is to:

**1 — Add security control validation capabilities**

Tightening security controls configuration is a crucial element of preventing an attacker who gained an initial foothold in your system from propagating through your network. It also provides some protection against zero-day attacks and some vulnerabilities that take advantage of misconfigurations or leverage security gaps found in vendors' default configurations.

**2 — Integrate with SIEM/SOAR and verify SOC procedures' efficacy**

As mentioned in the "Strengthening Detection and Response" section above, integrating security validation solutions with your SIEM/SOAR array streamlines its efficacy and improves security. The data produced can also be used to optimize the people and process aspects of the SOC by ensuring that the team's time is focused on the tasks with the highest impact instead of investing their best energy in protecting low-value assets.

**3 — Prioritize remediation**

Operationalizing the remediation guidance included in the data collected in steps 1 and 2 should be correlated with the attack likelihood and impact factors associated with each uncovered security gap. Integrating the results of the simulated attacks in the vulnerability prioritization process is key to streamlining the process and maximizing the positive impact of each mitigation performed

**4 — Verify the enforcement of segmentation policies and hygiene**

Running end-to-end attack scenarios maps the attack route and identifies where segmentation gaps allow attackers to propagate through your network and achieve their goals.

**5 — Evaluate the overall breach feasibility**

Running recon and end-to-end outside-in attack campaigns to validate how a cyber attacker can progress through your environment from gaining access all the way to exfiltrating the crown jewels.

Typically, forward-thinking organizations already try to control their fate by adopting a proactive approach towards cyber security where they leverage breach and attack simulation and attack surface management to identify gaps in advance. Usually, they would begin the journey with the goal of prevention – making sure they finetune all security controls and maximize their effectiveness against known and immediate threats. The next step would be running SOC and incident response exercises to make sure nothing goes undetected, moving onwards to vulnerability patching prioritization.

Most mature enterprises with plenty of resources are also interested in automating, customizing, and scaling up their red team activities.

The bottom line is that when you are looking at incorporating a continuous threat exposure management program, you are likely to find many different point solutions but eventually, regardless of the particular objective of each team, like in real-life, it is best to find a partner that with whom you can scale up.

_**Note** — This article is written and contributed by Ben Zilberman, Product Marketing Director at Cymulate._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

What Is Your Security Team Profile? Prevention, Detection, or Risk Management

Categories: News
The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (August 29 - September 4) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (August 29 - September 4)

Plus: An unsecured database exposed face recognition data in China, ‘Cuba’ ransomware knocks out Montenegro, and more.

As summer winds down, researchers warned this week about systemic vulnerabilities in mobile app infrastructure, as well as a new iOS security flaw and one in TikTok. And new findings about ways to exploit Microsoft’s Power Automate tool in Windows 11 show how it can be used to distribute malware, from ransomware to keyloggers and beyond.

The anti-Putin media network February Morning, which runs on the communication app Telegram, has taken on a crucial role in the underground resistance to the Kremlin. Meanwhile, the “California Age-Appropriate Design Code” passed the California legislature this week with major potential implications for the online privacy of kids and everyone.

Plus, if you’re ready to take a more radical step to protect your privacy on mobile, and feel like a badass while doing it, we’ve got a guide to setting up and using burner phones.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

The data broker Fog Data Science has been selling access to what it claims are billions of location data points from over 250 million smartphones to local, state, and federal law enforcement agencies around the US. The data comes from tech companies and cell phone towers and is collected in the Fog Reveal tool from thousands of iOS and Android apps. Crucially, access to the service is cheap, often costing local police departments less than $10,000 per year, and investigations by the Associated Press and Electronic Frontier Foundation found that law enforcement sometimes pulls location data without a warrant. The EFF conducted its investigation through more than 100 public records requests filed over several months. “Troublingly, those records show that Fog and some law enforcement did not believe Fog’s surveillance implicated people’s Fourth Amendment rights and required authorities to get a warrant,” the EFF wrote.

An unprotected database containing information on millions of faces and license plates was exposed and publicly accessible in the cloud for months until it was finally protected in mid-August. TechCrunch linked the data to Xinai Electronics, a tech company based in Hangzhou in eastern China. The company develops authentication systems for accessing spaces like parking garages, construction sites, schools, offices, or vehicles. It also touts additional services related to payroll, employee attendance and performance tracking, and license plate recognition. The company has a massive network of cameras deployed across China that record face and license plate data. Security researcher Anurag Sen alerted TechCrunch to the unprotected database, which also exposed names, ages, and resident ID numbers in face data. The exposure comes just months after an enormous database from the Shanghai police leaked online. 

Montenegro authorities said on Wednesday that a gang called “Cuba” targeted its government networks with a ransomware attack last week. The gang also claimed responsibility for the attack on a dark-web site. Montenegro’s National Security Agency (ANB) said the group is linked to Russia. The attackers reportedly deployed a malware strain dubbed “Zerodate” and infected 150 computers in 10 Montenegrin government agencies. It is unclear whether the attackers exfiltrated data as part of the hack. The United States Federal Bureau of Investigation is sending investigators to Montenegro to aid in analyzing the attack.

On Monday, the US Federal Trade Commission announced it is suing the data broker Kochava for selling geolocation data harvested from apps on “hundreds of millions of mobile devices.” The data could be used, the FTC said, to track people’s movements and reveal information about where they go, including showing visits to sensitive locations. “Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities,” the agency wrote. “The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.” The lawsuit aims to stop Kochava from selling sensitive location data, and the agency is requesting that the company delete what it already has.

In August, the prolific ransomware gang Cl0p hacked South Staff Water, a water supply company in the UK. The gang said it even had access to SSW’s industrial control network, which handles things like water flow. The hackers published screenshots allegedly showing their access to water supply control panels. Experts told Motherboard that it appears the hackers really could have meddled with the water supply, underscoring the risks when critical infrastructure networks aren’t adequately siloed from regular business networks. “Yes, there was access, but we made only screenshots,” Cl0p told Motherboard. “We do not harm people and treat critical infrastructure with respect. … We didn’t really go into it because we didn’t want to harm anyone.” SSW said in a statement, “This incident has not affected our ability to supply safe water.”

Police Across US Bypass Warrants With Mass Location-Tracking Tool

Our digital future depends on the choices we make today. We need to invest in cybersecurity technologies and skills so that humanity can control its future.

As we observe the evolution of the war in Ukraine, particularly the use of cyberwarfare, we are presented with many questions about the long-term evolution of the cybersecurity landscape. Likewise, we've seen the pandemic bring about the rapid acceleration of digitalization — its place in our lives is no longer in question. But before plunging headfirst into this technological race, should we not ask ourselves where this evolution might be taking us of in terms of cybersecurity?

Based on the trends we're seeing develop in 2022, we have several diverging roads ahead of us. For a moment, let's take a look at four possible scenarios that could emerge over the next 20 years. The one in which we end up will be the result of choices we make right now about how to regulate and implement cybersecurity measures and countermeasures; perhaps this will inspire us to do things differently.

**1\. Peace in the Digital Space, for the Common Good**

In 2040, due to technological breakthroughs caused by intense research and a worldwide awareness of the importance of preserving this now vital new space, the digital space is declared a "common good of humanity" by the United Nation's General Assembly. It is therefore protected by international conventions that prohibit its militarization, respect privacy, and enforce a high level of security to eliminate criminal action. A special agency based on the model of the WHO or the UNHCR is created to protect it.

**2\. A Balance of Power in Digital Space**

In 2040, through global investment and regulation, the digital space has become a vital area with a high level of security. Only the most powerful states are able to confront each other in this digital space — and at great expense. They do so with restraint because their societies and economies, as well as global trade, would suffer from a deterioration of digital security (just as today, aerial combat is rare, due to the high price of modern fighter planes and the high utilization of airspace by citizen travelers). Cybercrime would have disappeared because of the cost and the expertise it requires. The digital space would be globally inaccessible to non-state players. A Digital Security Council would be created, with the great digital powers as its only permanent members.

**3\. Digital Insecurity on a Controlled Scale**

Digital insecurity is present in 2040 as it is today, but it remains on a small scale and does not call into question the model we know. States adopt positions, establish regulations, and implement policy incentives to strengthen the level of security. They do so while continuously conducting offensive actions to preserve their interests, even if it means destabilizing what they are building. Cybercrime persists by exploiting vulnerabilities and reusing offensive techniques and tools developed by states, but its impact is sustainable, both politically and economically, thanks to cyber insurance. Unfortunately, as in the material space, the weakest — i.e., vulnerable users, small businesses, and fragile states — are the first victims.

**4\. The Global Digital Space Collapses, Regional Alternatives Rise**

A few years after a wave of global-scale attacks which in some cases generated major human and economic consequences, the unfettered expansion of the digital space has resulted in total collapse by 2040. The global model has become untenable, due to uncontrolled data localization, technological monopolies dictating conditions, toothless international law, and ineffective national rights. It is therefore deeply questioned by states and citizens. New spaces, based on a national or regional approach, have been built. Beyond the legal aspects, they rely on differentiated technologies to avoid systemic effects. Quality and safety are regulated, potentially at the expense of price and innovation, and interfaces are controlled. By losing its universal specificity, the digital space has aligned itself with the physical space, for better or for worse.

**What's Likely?**

The first scenario, resolutely optimistic and therefore unlikely, is nevertheless plausible and would allow everyone to take advantage of the benefits of digital technology. Many precedents currently exist to safeguard areas such as Antarctica or the deep seabed, and these have continued to be respected, so why not the digital space? More broadly, a high level of confidence in the digital space allows technological acceleration to address the major challenges of our time, particularly around healthcare and energy.

The beginnings of the fourth scenario are already perceptible with the balkanization of China and Russia. In that scenario, insecurity both of state and of cybercriminal origin has not disappeared — it has increased further in the most fragile regions, which we are seeing today with cyberattacks on Ukraine, Taiwan, and other rivals.

Obviously, the future is unwritten, and the most likely scenario will be a combination of the four. One certainty remains: the need to invest in cybersecurity technologies and skills so that humanity can control its future. If we can create a world where cybersecurity is global and digital systems are impervious to attack, we can establish a safe place for international commerce, communications, and community to flourish.

4 Scenarios for the Digital World of 2040

New web targets for the discerning hacker

New web targets for the discerning hacker

The otherwise typically low-key month of August also brings infosec’s most renowned conference: Black Hat USA, which this year brought a word of warning for bug bounty hunters.

Dylan Ayrey, CEO of Truffle Security, cited a number of cases in which poor research and shoddy data governance has led to the leak of users’ personally identifiable information. In some cases, the data is still available long after the corresponding ticket has been closed, he warned.

“These privacy leaks in bug bounties are really common, and for every example that we can share publicly there are 100 examples that can’t be shared publicly,” said Ayrey.

In another, alleged example of suboptimal bug bounty practices CrowdStrike came under fire recently over its vulnerability disclosure process.

Pascal Zenker, a partner of Swiss security analyst service Modzero AG, claimed the Texas-based cybersecurity firm’s bug bounty program, run through HackerOne, is “NDA-ridden”, while the disclosure process “turned unprofessional in the end”.

CrowdStrike, however, defended its actions and countered that Modzero had not responded to attempts to “continue the dialogue” until six weeks had elapsed.

Among the most notable new bug bounty programs this month is Google’s latest VRP, this time focused on its open source projects, such as Golang, Angular, and Fuchsia.

Announced on August 30, the Open Source Software Vulnerability Rewards Program (OSS VRP) is designed to stem the rising tide of attacks against the software supply chain.

There were several notable payouts on existing Google VRPs, most notably when Alesandro Ortiz netted $20,000 from the tech giant – giving $4,000 to a collaborator – for unearthing a bug in the Chromium project. This allowed attackers to bypass site isolation protection through iFrames and popup windows to steal private information, read and modify cookies, and gain access to microphone and camera feeds, among other exploits.

Meanwhile, researcher ‘NDevT’ discovered two XSS vulnerabilities in Google Cloud, DevSite, and Google Play that could lead to account hijacks. They won $3,000 and $5,000 in bug bounties for their pains.

And there was a $5,000 payout for a third Google issue, with Adi Cohen discovering an XSS in AMP for Email that involved tricking Gmail’s dynamic email feature into a rendering context that the browser would not use to render a given piece of code.

Finally, in non-Google payout news, there were $4,000 and $5,000 rewards respectively for serious GitHub Pages and Reddit issues, while a Yahoo hackathon paid out $218,121 for 218 bug submissions related to its text search engine tool Vespa.

**The latest bug bounty programs for September 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Abraxas VOTING**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**$10,000

**Outline:  
**VOTING will be used to manage ballots and aggregate tallied votes in Swiss elections.

**Notes:  
**The maximum reward is around 10,000 Swiss francs, which equates to roughly the same amount in US dollars.

Apply to hack on the program via Bug Bounty Switzerland

**Airlock**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**Undisclosed

**Outline:  
**Airlock’s Secure Access Hub, a web application firewall (WAF), protects more than 30,000 web applications worldwide.

**Notes:  
**“This program is built in the style of a CTF competition,” said the company.

Apply to hack on the program via Bug Bounty Switzerland

**Cornershop by Uber**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Uber’s on-demand grocery delivery service is offering $2,500 for critical vulnerabilities and $1,000 for high severity flaws.

**Notes:  
**Seven assets in scope: the .cornershopapp.com website, iOS and Android apps, source code, two domains containing internal assets, and QA environment.

Check out the Cornershop bug bounty page for more details

**Ethereum – Enhanced**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$1m

**Outline:  
**Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period – ending September 8 – when related to the network’s transition to proof-of-stake.

**Notes:  
**The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

Check out our earlier coverage for more details

**Google OSS VRP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$31,337

**Outline:  
**Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) focuses on the public repositories of Google-owned GitHub organizations such as GoogleAPIs and GoogleCloudPlatform, as well as their third-party dependencies.

**Notes:  
**Ranging from $100 to $31,337, rewards will typically be higher for particularly sensitive projects – such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia – and vulnerabilities that can lead to supply chain compromise.

Check out the Google OSS VRP bug bounty page for more details

**Pogo**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**Pogo is a mobile app that offers users a way to leverage their personal data online in order to access earn credits and discounts for shopping, finances, and more.

**Notes:  
**In scope are the platform’s production Android and iOS apps and API endpoint used by the mobile apps.

Check out the Pogo bug bounty page for more details

**Proton**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**$30,000

**Outline:  
**If you are accepted onto the program, privacy-preserving email service Proton “will give you early and exclusive access to not published versions of the applications and their source code”.

**Notes:  
**Swiss platform also promises attractive bounties, “a constructive dialogue, fair rules and a legal safe harbor”.

Apply to hack on the program via Bug Bounty Switzerland

**Secure Open Source Rewards**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$10,000

**Outline:  
**Developers and security researchers have been invited to suggest ways to “harden critical open source projects” by the Linux Foundation, with Google’s open source security team providing initial sponsorship.

**Notes:  
**Rewards range from $505 for minor improvements up to $10,000 or more for “complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities”.

Check out our earlier coverage for more details

**Starbucks – Enhanced**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Bug reports that include a unique Nuclei Template to validate the finding will now earn researchers a $250 bonus.

**Notes:  
**Launched in 2016, the Starbucks program has 36 assets in scope, approaching 1,500 resolved reports, and average payouts of $250-$500 at the time of writing.

Check out the Starbucks bug bounty page for more details

**Trendyol**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Trendyol Group, Turkey’s largest ecommerce platform, has launched an ongoing bug bounty program after what it said was a successful, time-limited HackerOne Challenge.

**Notes:  
**Critical bugs will command rewards ranging between $2,000-$3,000, while high severity issues will net bug hunters between $750-$1,250.

Check out the Trendyol bug bounty page for more details

**Other bug bounty and VDP news this month**

*   Switzerland’s National Cyber Security Centre has announced the launch, later this year, of a new bug bounty program for the Swiss federal government following a 2021 pilot
*   Staying in Switzerland, federal postal service Swiss Post offered rewards up to 30,000 francs ($30,530) during a four-week bug bounty program that concludes today (September 2)
*   New or improved bug bounty or penetration testing tools showcased at Black Hat USA 2022 included pen test management platform AttackForge, open source recon framework ReNgine, and pen testing tools AWSGoat and AzureGoat

Curated by Adam Bannister. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for August 2022

Bug Bounty Radar // The latest bug bounty programs for September 2022

Thousands of corporate mobile apps developed by businesses for use by their customers contain hardcoded AWS tokens that can be easily extracted and used to access the full run of corporate data stored in cloud buckets.

Thousands of customer-facing Android and iOS mobile apps — including banking apps — have been found to contain hardcoded Amazon Web Services (AWS) credentials that would allow cyberattackers to steal sensitive information from corporate clouds.

Symantec researchers uncovered 1,859 business apps that use hardcoded AWS credentials, specifically access tokens. Of these, three-quarters (77%) contain valid AWS access tokens for logging into private AWS cloud services; and close to half (47%) contain valid AWS access tokens that also crack open millions of private files housed in Amazon Simple Storage Service (Amazon S3) buckets.

That means that a malicious-minded user of the app could easily extract the tokens and be off to the data-theft races, tapping into the cloud resources of the businesses that created the applications.

**Thanks, Mobile Software Supply Chain**

This unfortunate state of affairs is thanks to a mobile code supply chain issue, Symantec researchers said — vulnerable components that allow developers to embed hardcoded access tokens.

"We discovered that over half (53%) of the apps were using the same AWS access tokens found in other apps," they said in an analysis on Sept. 1. "Interestingly, these apps were often from different app developers and companies. \[Eventually\] the AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps."

The firm found that these shared, hardcoded AWS tokens are used by in-house app developers for a variety of reasons, including downloading or uploading large media files, recordings, or images from the company cloud; accessing configuration files for the app; collecting and storing user-device information; or accessing individual cloud services that require authentication, such as translation services. However, the tokens' reach into the cloud is often far greater than the developer may realize.

"The problem is, often the same AWS access token exposes all files and buckets in the Amazon S3 cloud, often corporate files, infrastructure files and components, database backups, etc.," according to the analysis. "Not to mention cloud services beyond Amazon S3 that are accessible using the same AWS access token."

As an example, one of the apps uncovered by the analysis was created by a B2B company that offers an intranet and communication platform. It also provides a mobile software-development kit (SDK) for customers to use to access the platform.

"Unfortunately, the SDK also contained the B2B company's cloud infrastructure keys, exposing all of its customers' private data on the B2B company's platform," Symantec researchers noted, adding that they notified all organizations using vulnerable apps of the issue. "Their customers' corporate data, financial records, and employees' private data was exposed. All the files the company used on its intranet for over 15,000 medium-to-large-sized companies were also exposed."

The same situation held true for a collection of mobile banking apps on iOS that rely on the AI Digital Identity SDK for authentication. The SDK embeds AWS tokens that could be used to access private authentication data and keys belonging to every banking and financial app using it, as well as 300,000 banking users' biometric digital fingerprints used for authentication, and other personal data (names, dates of birth, and more).

"Apps with hardcoded AWS access tokens are vulnerable, active, and present a serious risk," Symantec researchers concluded. "\[And\] this is not an uncommon occurrence."

****Avoiding Cloud Compromise via Mobile Apps****

Organizations can take steps to ensure that the apps they build for their customers don't unwittingly offer a path to cyberespionage, according to Scott Gerlach, co-founder and CSO at StackHawk.

"Adding DevSecOps tools, like secret scanning, to continuous integration/continuous development pipelines (CI/CD) can help ferret out these types of secrets when building software," he noted in a statement. "And it's critical that you understand how to manage and securely provision AWS and other API keys/tokens to prevent unwarranted access."

From a design perspective, developers can also replace hardcoded credentials with API calls to a repository or software as-a-service (SaaS) vault, or to use temporary tokens, according to Tony Goulding, cybersecurity evangelist at Delinea.

"\[That way\] they can pull a credential or key down in real-time that doesn't persist on the device, in the app, or a local config file," he said in a statement. "An alternative approach is to use the AWS STS service to provision temporary tokens to grant access to AWS resources. They're similar to their long-term brethren except they have a short lifespan that's configurable — as little as 15 minutes. Once they expire, AWS won't recognize them as valid, preventing an illicit API request using that token."

Tag

#ios