Week 18th Sep - 22nd Sep 2023 (Week 38)

:rocket: Welcome to this edition of ‘This Week in Cybersecurity’ where together, we delve into a subject that affects us all: cybersecurity and privacy in the digital age. :rocket:

This week we’ve curated a few interesting articles covering topics such as a never-before-seen Linux backdoor, to UK Parliament passing of the highly debated Online Safety Bill, to vulnerabilities in GitLab and the upgraded Signal end-to-end encryption protocol. So dive into these short summaries below and keep yourself updated with the latest cybersecurity developments. :newspaper:

1. Apple rushes to patch 3 new zero-day flaw: iOS, macOS, Safari and more vulnerable

Apple has released security patches for three actively exploited zero-day flaws affecting iOS, iPadOS, macOS, watchOS and Safari. The vulnerabilities include a certificate validation issue in the Security framework, a kernel flaw, and a WebKit flaw that could lead to the execution of arbitrary code. The company acknowledges the issue may have been actively exploited on versions of iOS prior to iOS 16.7. The security researchers who discovered and reported this vulnerability believe it may have been used in a targeted spyware attack against members of civil society. It’s imperative that you always update to the latest versions to mitigate against such attacks and to take security precautions.

Date: Sep 22, 2023
Source: The Hacker News
Author: THN
Tag: Vulnerability, Spyware

2. GitHub passkeys generally available for passwordless sign-ins

GitHub has introduced passkeys for all users, allowing for secure, passwordless login. Passkeys are linked to specific devices and provide protection against phishing attacks and unauthorised access attempts. Users can now utilise personal identification methods such as PINs or biometric authentication, including fingerprints and facial recognition. GitHub introduced passkey support in July as part of a public beta push for passwordless authentication. They also plan to offer two-factor authentication by the end of the year. What are your thoughts on passkeys? Leave a comment below.

Date: Sep 21, 2023
Source: Bleeping Computer
Author: Sergiu Gatlan
Tag: Password Security, New Releases

3. Signal takes a quantum leap with E2EE protocol upgrade

Signal, a messaging platform, has announced an upgrade to its end-to-end encryption (E2EE) protocol to protect users from encryption-breaking attacks by quantum computers. While Quantum computers do not currently pose a threat to public key cryptography, they could potentially be a risk in the future. The upgraded Signal protocol advanced quantum resistance uses Post Quantum Extended Diffie-Hellman (PQXDH) and combines two shared secrets from X25519 and CRYSTALS-Kyber to make it harder to compromise encryption. While this improved security, experts also believe that this transition to a new cryptographic architecture was required to solve the ‘harvest now, decrypt later’ (HNDL) problem. Signal users can enjoy this feature by updating to the latest version.

Date: Sep 21, 2023
Source: Helpnet Security
Author: Helga Labus
Tag: Encryption, Data Privacy

4. GitLab releases urgent security patches for critical vulnerabilities

GitLab has released security patches to address a critical flaw discovered by security researcher Johan Carlsson that allows an attacker to run pipelines as another user. The issue affects all versions of GitLab Enterprise Edition from 13.12 to 16.2.7 and from 16.3 to 16.3.4. Exploitation of the flaw could allow a threat actor to access sensitive information or gain elevated privileges to modify source code or execute arbitrary code on the system resulting in damaging consequences. The vulnerability has been fixed in GitLab versions 16.3.4 and 16.2.7. Users are advised to update their GitLab installation to the latest version to mitigate against such attacks.

Date: Sep 20, 2023
Source: The Hacker News
Author: THN
Tag: Vulnerability, Software Security

5. UK passes the Online Safety Bill - and no, it does not ban end-to-end encryption

The UK’s Online Safety Bill has passed through Parliament. The Bill aims to address harmful criminal activities online such as child abuse, terrorist propaganda, and fraud, by forcing tech companies to help in tackling them. The law doesn’t ban end-to-end encryption, but it does require messaging platforms to use “accredited technology” to identify certain content, but only if the regulator Ofcom deems it “necessary and proportionate.” However, this raises significant barriers to implementing such technology. The Bill also introduces security requirements for platforms, including age verification and content protection, with hefty fines for non-compliance.

Date: Sep 19, 2023
Source: The Record
Author: Alexander Martin
Tag: Data Protection, Encryption

6. Chinese hackers have unleashed a never-before-seen Linux backdoor

Researchers have discovered a new backdoor for Linux used by threat actors linked to the Chinese government. The backdoor, dubbed SprySOCKS, originated from the Windows backdoor named Trochilus, but was later adapted for Linux. SprySOCKS implements standard backdoor capabilities such as collecting system information, opening remote shells for compromised systems and more. Researchers have attributed the backdoor to a threat actor called Earth Lusca which targets organisations around the world, particularly Asian governments, for both espionage and financial activities. Trend Micro researchers have provided IP addresses and other evidence that people can use to check if they’ve been compromised.

Date: Sep 19, 2023
Source: Ars TECHNICA
Author: Dan Goodin
Tag: Cyber Risk/Cyber Threats, Spyware

7.Microsoft AI research division accidentally exposed 38TB of sensitive data

Microsoft’s AI research division has accidentally exposed 38TB of sensitive data via a public GitHub repository since July 2020. Cybersecurity researchers Wiz discovered that the leak occurred when the researcher shared files using Azure SAS tokens that were misconfigured, resulting in permissions being granted to the entire storage account, exposing sensitive data such as private keys, secrets, passwords, and over 30,000 internal Microsoft Teams messages. Experts found the GitHub repository, highlighting the security risks of SAS tokens and the lack of monitoring and governance within Azure. Microsoft has confirmed that no customer data was exposed and the reported issue has been addressed.

Date: Sep 18, 2023
Source: Security Affairs
Author: Pierluigi Paganini
Tag: Data breach, Tech


That’s it for ‘This Week in Cybersecurity’ news roundup. :heart: :newspaper_roll:

Hope these short summaries have kept you informed with the latest news. These incidents underscore the ongoing importance of staying vigilant in the digital realm and adopt proactive security measures to protect sensitive information and digital assets.

Join this initiative and share any articles you come across in the “In the News” category of passbolt community forum and connect with others.

Cast your vote for the most interesting articles you’d featured in the monthly cybersecurity video. :white_check_mark: :partying_face:

  • :one: Apple patch
  • :two: GitHub introduced passkeys
  • :three: Signal E2EE protocol upgrade
  • :four: GitLab vulnerabilities
  • :five: UK’s Online Safety Bill
  • :six: Linux backdoor
  • :seven: Microsoft’s team exposed data
0 voters