Cyber Bakery Chronicles

Your Weekly Cybersecurity Update (04 October 2024)

  • Rackspace Internal Monitoring Web Servers Hit By Zero Day
  • CISA Boss Calls for More Secure Software Development
  • NIST Proposes Sweeping Changes to Password Policies: Mandatory Resets and Character Rules Out
  • Critical Vulnerability Found in Nvidia Container Toolkit
  • Remote Code Execution Flaw Found in CUPS Printing System (Limited Impact)
  • Privacy Group Claims Mozilla’s “Privacy-Preserving” Feature Tracks Users

Rackspace Internal Monitoring Web Servers Hit By Zero Day

Rackspace discovered on September 24, 2024, that a bug in a third-party utility had given criminals access to its internal monitoring web servers. Customer performance monitoring was not affected, but customers could not reach their monitoring dashboard. Rackspace isolated the affected equipment, worked with ScienceLogic to develop and apply a patch, and rotated internal device agent credentials as a precaution. ScienceLogic identified the vulnerable component and pushed a fix to its clients, but declined to name the exploited bundled software in order to limit risk to other customers. Rackspace emphasized that its monitoring services kept running even though the web interface was taken offline.

CISA Boss Calls for More Secure Software Development

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), has urged software developers to prioritize security in their products. In a keynote address at the mWISE conference, Easterly criticized the industry for producing buggy and insecure code that enables cybercriminals to exploit vulnerabilities and attack victims.

Easterly argued that technology vendors are responsible for creating the conditions that allow for cyberattacks. She called for an end to the “glamorization” of crime gangs with fancy names, suggesting instead that they be referred to as “Scrawny Nuisance” or “Evil Ferret.” Easterly also criticized the term “software vulnerabilities,” saying it diffuses responsibility and that they should be called “product defects.”

The CISA director emphasized the need for more secure products, stating that the current focus on cybersecurity is misguided. She argued that the industry needs to address the underlying software quality issues that contribute to the global cybercrime problem. Easterly compared the situation to buying a car or boarding an airplane without knowing its safety record, saying that we do this every day with the software that underpins our critical infrastructure.

To address the issue, Easterly called for organizations to use their purchasing power to pressure software vendors to prioritize security. She suggested that buyers ask suppliers if they have signed CISA’s Secure by Design pledge, which commits vendors to seven secure-software goals. Easterly also highlighted the importance of using CISA’s Secure Demand Guide, which provides guidance for organizations buying software and questions they should ask manufacturers to better understand their security practices.

By demanding more secure software, Easterly believes that organizations can help create a safer digital environment and reduce the risk of cyberattacks.

NIST Proposes Sweeping Changes to Password Policies: Mandatory Resets and Character Rules Out

The National Institute of Standards and Technology (NIST) has proposed a significant overhaul of password policies in its updated Digital Identity Guidelines (SP 800-63-4). These proposed changes aim to simplify password creation and management while strengthening overall security.

One of the most significant changes is the elimination of mandatory password resets. Previously, users were forced to change passwords at regular intervals, often leading to weaker and more easily guessed choices. NIST now acknowledges that strong, randomly generated passwords don’t require frequent resets. In fact, forcing frequent changes can backfire, as users may resort to simpler variations of the same password.

Another proposed change involves scrapping the requirement for specific character combinations (uppercase, lowercase, numbers, special characters). While once considered an improvement, NIST now argues that such rules offer minimal security benefits for long and random passwords. Instead, the updated guidelines call for a minimum password length of eight characters, with a recommendation of 15 characters. Additionally, systems should allow passwords up to 64 characters and accept all printable ASCII characters, including spaces.
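The following is an added illustration, not code from NIST or from this newsletter, of what the simplified rules look like when enforced at account creation. It uses the thresholds given above (minimum 8 characters, 15 recommended, at least 64 allowed, every printable ASCII character including space accepted, no composition rules) and contrasts them with a legacy three-of-four-character-class policy. The blocklist comparison is an assumption drawn from the guideline itself rather than from the summary above, and the sample blocklist and sample passwords are constructed for the demonstration.

```python
"""Password acceptance checks: the updated NIST-style rules beside the
legacy composition policy they retire.  Added example, not NIST's or the
newsletter's code; thresholds are the ones stated in the text."""
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8          # hard floor
RECOMMENDED_LENGTH = 15  # advisory, not blocking
MAX_LENGTH = 64          # systems must accept at least this much

# Printable ASCII is 0x20..0x7E: letters, digits, punctuation and the space.
PRINTABLE_ASCII = frozenset(chr(c) for c in range(0x20, 0x7F))

# Constructed sample blocklist.  A real deployment loads a large list of
# breached and commonly chosen passwords; this is an assumption beyond the
# summary above, taken from the guideline's own blocklist requirement.
SAMPLE_BLOCKLIST = frozenset({"password", "passw0rd!", "qwerty123", "letmein"})


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)  # blocking problems
    advice: list = field(default_factory=list)   # non-blocking hints


def check_updated_policy(password: str, blocklist=SAMPLE_BLOCKLIST) -> Verdict:
    """Length, character set and blocklist only: no composition rules and
    no expiry, so nothing here depends on how old the password is."""
    v = Verdict(accepted=True)
    n = len(password)
    if n < MIN_LENGTH:
        v.reasons.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        v.reasons.append(f"longer than {MAX_LENGTH} characters")
    disallowed = sorted({ch for ch in password if ch not in PRINTABLE_ASCII})
    if disallowed:
        v.reasons.append(f"characters outside printable ASCII: {disallowed!r}")
    if password.lower() in blocklist:
        v.reasons.append("appears on the blocklist")
    if not v.reasons and n < RECOMMENDED_LENGTH:
        v.advice.append(f"accepted, but {RECOMMENDED_LENGTH}+ characters is recommended")
    v.accepted = not v.reasons
    return v


def check_legacy_policy(password: str) -> Verdict:
    """The composition-rule policy the guidelines drop: at least three of
    lower, upper, digit and symbol, on top of the minimum length."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    v = Verdict(accepted=True)
    if len(password) < MIN_LENGTH:
        v.reasons.append(f"shorter than {MIN_LENGTH} characters")
    if sum(classes) < 3:
        v.reasons.append("needs three of: lowercase, uppercase, digit, symbol")
    v.accepted = not v.reasons
    return v


def compare(passwords):
    """Map each password to (legacy_accepted, updated_accepted)."""
    return {p: (check_legacy_policy(p).accepted, check_updated_policy(p).accepted)
            for p in passwords}


if __name__ == "__main__":
    # Constructed samples chosen to show where the two policies disagree.
    samples = ["Passw0rd!", "correct horse battery staple", "Tr0ub4dor&3",
               "short1!", "p\u00e4ss word 123", "x" * 70]
    for pw, (old, new) in compare(samples).items():
        print(f"{pw[:32]:<34} legacy={old!s:<5} updated={new}")
```

Note how "Passw0rd!" satisfies every legacy composition rule yet is rejected under the updated policy because it is a well-known choice, while a long all-lowercase passphrase with spaces fails the legacy rules and passes the new ones; that inversion is the point of the change.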

Security questions, a once-common verification method, are also on the chopping block. NIST proposes their removal entirely due to their inherent weaknesses.

These proposed changes represent a major shift in password policy recommendations. While not universally binding, the NIST guidelines carry significant weight and are likely to influence password policies across various industries.

The updated guidelines offer a more practical and user-friendly approach to password security, focusing on encouraging strong, unique passwords and eliminating counterproductive practices. This could lead to a significant improvement in overall cybersecurity posture for organizations and individuals alike.

Critical Vulnerability Found in Nvidia Container Toolkit

A severe security flaw has been discovered in Nvidia’s Container Toolkit, a widely used tool for running AI applications in containerized environments. The vulnerability, designated CVE-2024-0132, could allow attackers to escape containers and gain full control of the host system.

Wiz researchers identified a time-of-check to time-of-use (TOCTOU) vulnerability that could be exploited to execute code, steal data, or tamper with systems. The flaw affects Nvidia Container Toolkit version 1.16.1 when used with default settings, leaving cloud environments vulnerable to attack.

Nvidia has acknowledged the severity of the issue, assigning it a CVSS score of 9/10. The vulnerability poses a significant threat to over 35% of cloud environments using Nvidia GPUs, according to Wiz.

This vulnerability is particularly concerning in orchestrated environments where GPUs are shared among multiple workloads. Malicious actors could introduce a compromised container, break free of it, and leverage the host system’s secrets to infiltrate other services. Cloud service providers and organizations using third-party container images or AI models are especially vulnerable.

Nvidia has released patches to address the vulnerability. Organizations using Nvidia Container Toolkit are advised to update to the latest version as soon as possible.

Remote Code Execution Flaw Found in CUPS Printing System (Limited Impact)

A series of vulnerabilities has been discovered in CUPS (Common Unix Printing System), the open-source printing software, that could allow attackers to execute code remotely on vulnerable systems.

These vulnerabilities, however, require specific conditions to be exploited and are unlikely to have a widespread impact.

Here’s a breakdown of the situation:

  • The vulnerabilities: Four vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) can be chained together to achieve remote code execution (RCE).
  • Exploitation requirements: For the vulnerabilities to be exploited, several things need to happen:
    • The cups-browsed daemon, which is not enabled by default, must be running on the targeted system.
    • An attacker must trick a user on the system into printing to a malicious printer that appears on their network.
  • Mitigation: Disabling the cups-browsed service significantly reduces the risk. Red Hat has shared specific commands to stop and disable the service.
  • Severity: Due to the limited exploitability, Red Hat has rated the vulnerabilities as having an “Important” severity impact, not critical.

Security experts advise users and administrators to check if the cups-browsed service is running and disable it if not needed. While patches are still under development, this mitigation measure significantly reduces the risk of exploitation.
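As an added illustration of that check (not the commands Red Hat published), the script below asks systemd whether cups-browsed is running or set to start at boot, reports the exposure, and stops and disables the unit only when invoked with --disable. It assumes a systemd host where the daemon ships as the unit cups-browsed.service and that the script runs with enough privilege to query and change that unit; the decision logic is kept separate from the systemctl calls so it can be exercised with constructed answers.

```python
"""Audit and, on request, apply the cups-browsed mitigation on a systemd
host.  Added example, not Red Hat's published commands.  Assumes the unit
name 'cups-browsed.service'."""
import subprocess
import sys

UNIT = "cups-browsed.service"


def systemctl_answer(*args: str) -> str:
    """Run `systemctl <args>` and return its first line of output.

    `is-active` and `is-enabled` exit non-zero for 'inactive' / 'disabled';
    that is an answer, not an error, so the exit status is ignored here.
    """
    proc = subprocess.run(["systemctl", *args], capture_output=True,
                          text=True, check=False)
    out = proc.stdout.strip() or proc.stderr.strip()
    return out.splitlines()[0] if out else ""


def assess(active: str, enabled: str) -> dict:
    """Turn the answers of `systemctl is-active` and `systemctl is-enabled`
    into a verdict.  Free of side effects so it can be tested offline."""
    if "not-found" in enabled or "No such file" in enabled:
        state = "not-installed"
    elif active == "active":
        state = "running"
    elif enabled.startswith("enabled"):
        state = "stopped-but-enabled"   # would come back at next boot
    else:
        state = "disabled"              # covers disabled, masked, static
    exposed = state in ("running", "stopped-but-enabled")
    action = f"systemctl disable --now {UNIT}" if exposed else "none"
    return {"unit": UNIT, "state": state, "exposed": exposed, "action": action}


def audit(apply_fix: bool = False) -> dict:
    """Query the live host; stop and disable the unit only when asked."""
    verdict = assess(systemctl_answer("is-active", UNIT),
                     systemctl_answer("is-enabled", UNIT))
    if apply_fix and verdict["exposed"]:
        subprocess.run(["systemctl", "disable", "--now", UNIT], check=True)
        verdict["applied"] = True
    return verdict


if __name__ == "__main__":
    result = audit(apply_fix="--disable" in sys.argv[1:])
    print(result)
    # Non-zero exit when the daemon is still exposed, for use in fleet checks.
    sys.exit(1 if result["exposed"] and not result.get("applied") else 0)
```

Run it without arguments from a configuration-management or inventory job to get a per-host exposure flag; rerun with --disable on hosts where no one needs automatic discovery of network printers.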

It’s important to note that CUPS is a widely used printing system on Linux and Unix-like operating systems. However, the specific configuration required for this exploit to work makes widespread impact unlikely.

Privacy Group Claims Mozilla’s “Privacy-Preserving” Feature Tracks Users

European digital rights group NOYB has filed a complaint against Mozilla with the Austrian data protection authority. The complaint alleges that a new feature in Firefox called Privacy-Preserving Attribution (PPA) actually tracks user browsing behavior despite its name.

PPA, developed in collaboration with Meta (formerly Facebook), was introduced in Firefox version 128 and automatically enabled. NOYB argues that this feature, while potentially less invasive than traditional cookie tracking, violates user privacy by giving Mozilla control over user tracking data.

The complaint highlights that Mozilla did not obtain user consent before enabling PPA. According to NOYB, the feature collects user ad interaction data and shares it with advertisers in a bundled format.

While Mozilla claims PPA protects user privacy by not sharing individual browsing data, NOYB argues that any browser-based tracking interferes with user rights under the EU’s General Data Protection Regulation (GDPR).

“Mozilla essentially turned Firefox into an ad measurement tool,” said Felix Mikolasch, a data protection lawyer at NOYB. “While their intentions might be good, PPA is unlikely to replace existing tracking methods and simply adds another layer of user tracking.”

Mozilla maintains that PPA is a privacy-focused alternative to traditional tracking methods. They emphasize that the feature doesn’t share browsing data with third parties and only provides advertisers with aggregated data on ad effectiveness.

Users can opt out of PPA by disabling the “Allow websites to perform privacy-preserving ad measurement” option in Firefox settings.

In response to the complaint, Mozilla acknowledged a lack of transparency surrounding PPA: “We should have done more to engage with external voices.”

While the initial code was included in Firefox 128, Mozilla claims PPA hasn’t been activated and no user data has been collected. They maintain that PPA is a limited test currently running only on the Mozilla Developer Network website.

The outcome of the complaint and the future of PPA remain to be seen. However, this incident highlights the ongoing tension between user privacy and online advertising practices.
