Security and Proprietary Software
-
Microsoft messes up security upgrade for Japan, China, Korea
-
This industry in India was ‘most targeted’ by hackers in 2022 [iophk: Windows TCO]
Check Point Research (CPR) says that these cyberattacks were driven by smaller, more agile hackers and ransomware gangs. The cybercriminals focused on exploiting collaboration tools used in work-from-home environments and targeted education institutions that shifted to online learning post-Covid-19.
-
Global cyberattacks up by 38%, healthcare most targeted in India: Report
The report said that hackers like to target hospitals because they perceive them as short on cyber security resources with smaller hospitals particularly vulnerable, as they are underfunded and understaffed to handle a sophisticated cyberattack.
-
[Old] Chinese [Crackers] Exploit Citrix Vulnerabilities
U.S. federal authorities and Citrix both are urging users to patch the flaw, tracked as CVE-2022-27518.
“These vulnerabilities are known to be actively exploited by a Chinese state-sponsored advanced persistent threat,” says the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in an alert issued Friday.
-
Attack of the Chatbots: Screenwriters’ Friend or Foe?
Is ChatGPT a sign that automation is coming to film and TV writing? As far-fetched as it sounds, the arrival in November 2022 of a free prototype of the AI-powered chatbot — which has jolted observers with the sophisticated, fluid writing it can produce when prompted, even in the form of poems, essays and, yes, short scripts — has set off alarm bells about the disruption that the chatbot could wreak on the work of entertainment scribes. Still, top film and TV writers are skeptical that the technology in its current state imperils their livelihoods in any way, even as they remain cautious about the potential for future advancements.
-
Most Cacti Installations Unpatched Against Exploited Vulnerability | SecurityWeek.Com [Ed: It is already patched. So the issue here is not Cacti itself. Focus-shifting.]
The vast majority of internet-exposed Cacti installations are vulnerable to a critical-severity command injection vulnerability already exploited in attacks.
-
Farewell to an Era: Linux Kernel 4.9 Ends Its 6-Year Support Cycle - LinuxWizardry
The Linux 4.9 kernel series has finally reached its end of life with the release of the 4.9.337 update, which was announced earlier this morning by renowned kernel developer Greg Kroah-Hartman. This marks the end of a six-year journey for Linux kernel 4.9, which was first released on December 11th, 2016.
The 4.9 kernel series brought with it a plethora of new features and improvements such as support for shared extents and copy-on-write support on the XFS file system, a hardware latency tracer to detect firmware-induced latencies, support for the Greybus bus from Project Ara, a more efficient BPF profiler, a new optional BBR TCP congestion control algorithm, virtually mapped kernel stacks, and more.
Due to its long-term support (LTS) status, Linux kernel 4.9 was widely used on mass-production devices by big companies that produce hardware powered by a Linux-based operating system. However, with the release of newer kernels that include all the features of Linux kernel 4.9 and more, it is time for users to upgrade their systems.
-
Urgent: Patch Ubuntu Linux Vulnerabilities with Latest Kernel Security Updates - LinuxWizardry
It is imperative that all Ubuntu Linux users take note of the recent kernel security updates that have been made available for all supported releases of the operating system. These updates are aimed at addressing an even greater number of vulnerabilities and security issues to ensure that your machines are as secure as possible.
The new kernel security updates come just a week after the previous batch, which was a significant release that addressed over 20 vulnerabilities. These updates are available for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, as well as Ubuntu 16.04 ESM and Ubuntu 14.04 ESM systems.
Among the main vulnerabilities addressed in these kernel updates are two Bluetooth flaws, specifically CVE-2022-42896 and CVE-2022-45934. The first vulnerability, discovered by Tamás Koczka, includes multiple use-after-free vulnerabilities in the Bluetooth L2CAP handshake implementation. The second vulnerability, an integer overflow vulnerability, was discovered in the Bluetooth subsystem. These vulnerabilities affect all supported Ubuntu releases and could potentially allow a physically proximate attacker to cause a denial of service (system crash) or even execute arbitrary code.
-
Shopify encourages employees to say no to meetings
The successful switch to full-time remote work as a result of the pandemic would not have been possible without virtual meeting technology.
Technology like Webex, Zoom and Microsoft Teams enabled distributed teams to stay connected and collaborate with each other.
But meeting tech is far from a silver bullet – over-meeting and back-to-back video calls have become a major issue. It has caused so-called ‘Zoom fatigue’ and distracted employees from focused, productive work.
-
Microsoft to offer unlimited time off for US staff
Microsoft is to allow US staff to take unlimited time off in a policy change that is supposed to give them more flexibility but, unsurprisingly, will also have a cost benefit to Redmond.
"How, when, and where we do our jobs has dramatically changed," wrote Kathleen Hogan, chief people officer at Microsoft in a memo to staff, reported first by The Verge. "And as we've transformed, modernizing our vacation policy to a more flexible model was a natural next step."
Starting next week, the Windows giant is saying goodbye to its four-weeks-a-year policy for US-based salaried employees. Workers will be given 10 days of corporate holidays, alongside unlimited leave. They will also be allowed leave for sickness, mental health issues, bereavement and jury services.
New Microsoft employees will not need to wait to accrue holidays.
Anyone with unused holiday entitlement will receive a one-time payment for this in April, Microsoft confirmed. Contractors paid by the hour will not be subject to this policy.
The move isn't unique: it brings Microsoft in line with LinkedIn, which it purchased for $26.6 billion in 2016, and a raft of other big businesses including Oracle, Salesforce, Goldman Sachs, and Netflix.