I am back as the editor this week after a long break. Last week, the world witnessed a horrific terror attack by Hamas on Israel. As a human being who values peace, I condem this horrific violence and stand with the nation of Israel and it's people. May there be peace on earth!
As a regular listerner of DarkNet diaries, I was surprised to see the latest episode bear the name of my homeland Punjab. I have always liked the storytelling aspect of this podcast by Jack Ryhsider and really enjoyed the introduction of this episode. The introduction is unrelated to the main story of the episode and listening to it trasnported me back to my childhood. The main story covers scammers, who are of Punjabi origin, and use social engineering to scams other innocent people of Punjabi origin all over the world. It is sad and also a reminder that Socail Engineering remains, and is likely to forever remain, a huge security and privacy challenge.
Patch Tuesday Highlights:
Top 10 Security Misconfigurations by NSA and CISA:
Microsoft introduced "Patch Tuesday" 20 years ago. Over the years, more companies have adopted this practice. Microsoft October release at a glance:
cURL released version 8.4.0 on October 11th, 2023, to address a heap corruption issue in the SOCKS5 handler in both the CLI application and the
libcurl C library. The vulnerability, CVE-2023-38545, affects libcurl versions from 7.69.0 to 8.3.0. The issue arises when cURL is given a hostname longer than 255 bytes during a SOCKS5 request, leading to memory corruption.
libcurlusing a SOCKS5 proxy configuration.
F5's Response: F5 issued a Security Advisory with detailed reponse that can be seen on my.f5.com.
libcurlshould be audited to determine how they include it as a dependency.
The most immediate and impactful action to take is to update curl and libcurl via system package managers. This will significantly reduce the exposed attack surface. If resources allow, conduct a dependency audit to identify which libraries use
libcurl and their linking methods.
Earlier this year, Google introduced support for passkeys, a more secure and simpler method for signing into online accounts. passkeys allows users to unlock their device using a fingerprint, face scan, or pin to use passkeys. For Cybersecurity Awareness month Google is offering passkey as default passwordless option across personal Google accounts. There are a few other companies that are already supporting passkey. Having switched to a passkey option on Google, Github and Amazon I highly recommend that you make this the default option. Ideally, you should use a hardware key, like Yubikey, as the passkey instead of the device itself. If you are using Safari on Mac, MacOS will try to force you to enable icloud Keychains in order to use passkey. As someone not fond of storing my credentials on a cloud I was a bit annoyed. The good news is that you can use Chrome instead of Safari and the icloud keychain prompt disappears.
The NSA and CISA have released a joint cybersecurity advisory to highlight the most common cybersecurity misconfigurations observed in large organizations. These misconfigurations are often exploited by malicious actors using various tactics, techniques, and procedures (TTPs). The advisory lists the top 10 misconfigurations, emphasizing the systemic weaknesses in many organizations and the need for software manufacturers to adopt secure-by-design principles.
Top 10 Common Network Misconfigurations:
The advisory underscores the importance of addressing these common misconfigurations to enhance cybersecurity resilience. It also stresses the role of software manufacturers in ensuring that security measures are integral to their development practices.