Tag Archive for: Disclosure

Vehere Takes the Lead With Tracking Its First-ever Zero-day Vulnerability and Subsequent Responsible Disclosure


SAN FRANCISCO, May 30, 2023–(BUSINESS WIRE)–Vehere’s research wing, Dawn Treader, has announced its recent discovery of a zero-day vulnerability, marking a significant achievement for the cyber network intelligence organization. This is the first time Vehere has made such a discovery, showcasing the efficiency and capability of the research team. The identification of this vulnerability is a major milestone for the organization, and demonstrates their commitment to staying at the forefront of the ever-evolving cybersecurity landscape.

The vulnerability, identified through fuzzing, was a heap buffer overflow in MagickCore/quantum-import.c and affects ImageMagick versions 7.1.1-6. It allows attackers to use a crafted file to trigger an out-of-bounds read, resulting in an application crash and denial of service. The vulnerability was responsibly disclosed to ImageMagick, which promptly released a patch addressing the issue by ensuring proper memory allocation. Red Hat has released an advisory to warn users about this vulnerability, assigning it a CVSS score of 5.5 and the CVE ID CVE-2023-2157.

Read Dawn Treader’s exclusive blog post and discover further details about this zero-day vulnerability:
https://vehere.com/threat-severity-high/breaking-down-the-imagemagick-cve-2023-2157-vulnerability-dawn-treaders-findings/

Speaking on this impactful discovery, Vehere’s co-founder Praveen Jaiswal said, “Vehere’s successful identification and ethical disclosure of the vulnerability highlight our commitment to proactively identify and address potential threats. We are extremely proud that we are one of the few Indian companies to identify a zero-day vulnerability, and it serves as a testament to the expertise and dedication of our research team, Dawn Treader.”

Vehere is a revolutionary cybersecurity company that is boldly merging the realms of national security and enterprise security through a single, powerful platform. With a strong global presence and unparalleled expertise in cyber network intelligence, Vehere is radically changing the way organizations and governments protect themselves from cyber threats. Established in 2006, Vehere is a global corporation with offices in San…

The LastPass disclosure of leaked password vaults is being torn apart by security experts


Last week, just before Christmas, LastPass dropped a bombshell announcement: as the result of a breach in August, which led to another breach in November, hackers had gotten their hands on users’ password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.

LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray the August incident where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.

He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the…

Rethinking Responsible Disclosure for Cryptocurrency Security


The Biden administration has pointed, with alarm, to the national security implications of both cybersecurity and cryptocurrency. It’s just a matter of time before the government begins worrying about their intersection: cryptocurrency security. All of the United States’ international adversaries are in the business of exploiting bad cybersecurity, and many of them monetize their exploits using cryptocurrency. There’s nothing more natural for North Korean state hackers, Russian organized crime, or partially privatized cyberspies in China and Iran than to steal cryptocurrency to finance their national security operations. They’ll find an open door, because, as bad as overall cybersecurity is, the security of cryptocurrency is worse.

You only have to follow cryptocurrency news casually to be struck by the size and frequency of cryptocurrency security failures. That’s not your imagination, or press bias. Cryptocurrency really does have worse security than other digital technologies, and there’s a good chance it always will.

Here’s why: In other parts of the digital economy, companies quickly patch security flaws, many of which have been found and responsibly disclosed by outside researchers. But as I’ll explain below, the “disclose-and-patch” cycle doesn’t work for cryptocurrency systems. There are ways to make disclose-and-patch work better for cryptocurrencies, but they will require compromises, institutional innovation, and maybe even new laws. That’s a tall order, but until it happens, cryptocurrency security will never match even the low security standard set by other digital technologies.

How Responsible Disclosure Works

Software security flaws like these are ubiquitous in digital products. Like writers who can’t see their own typos, most coders have trouble seeing how their software can be misused. The security flaws in their work are usually found by others, often years later. Indeed, security researchers are still finding serious holes in Windows today—30 years after it became the world’s dominant operating system.

Companies like Microsoft have improved their products’ security by making peace with those researchers. There was a time when…

Concerns emerge over proposed SEC cyber incident disclosure changes


Gary Gensler, chair of the U.S. Securities and Exchange Commission, testifies during a Senate Banking, Housing, and Urban Affairs Committee hearing on Sept. 14, 2021, in Washington. (Photo by Bill Clark-Pool/Getty Images)

Facing increased breaches on its systems and among its members, the Securities and Exchange Commission (SEC) is considering how it will better handle cyber threats.

The SEC proposed new amendments in March to govern how investment firms and public companies under its purview should improve upon their IT security management and incident reporting.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler in a March release.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks,” Gensler said. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

SEC gets tough on identity programs and incident reporting

In July, the SEC slammed JP Morgan Chase & Co, UBS and online stock-trader TradeStation with having deficient customer identity programs, each having violated the Identity Theft Red Flags Rule, or Regulation S-ID between January 2017 and October 2019. Regulation S-ID seeks to protect investors from the risk of identity theft. All three financial institutions agreed to cease and desist from future violations, to be censured, and to pay fines of $1.2 million, $925,000, and $425,000, respectively.

Among other commitments, the SEC’s proposed amendments would require that financial institutions offer current reporting about “material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.”

In March, the SEC stated that its “proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information…
