A list of the most dangerous software weaknesses is updated, a warning to Kubernetes administrators, and more.
Welcome to Cyber Security Today. It’s Wednesday, June 29th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The latest version of the top 25 most dangerous software weaknesses has been released. Formally known as the Common Weakness Enumeration, or CWE, Top 25, it’s a valuable guide for application developers, testers and project managers on the coding weaknesses being exploited by threat actors that they need to watch out for. The number one weakness, which hasn’t changed since last year, is an out-of-bounds write. That’s where software is allowed to write data past the end, or before the beginning, of the intended buffer. This can result in corruption of data, a crash, or unapproved code execution. Number two on the list — also unchanged since last year — is commonly known as cross-site scripting. That’s where malicious scripts can be injected into a website. Third on the list is SQL injection, a common web hacking tactic where malicious SQL statements are typed into an application’s input field and passed through to the database. There’s a link to the full list in the text version of this podcast at ITWorldCanada.com.
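As an added illustration of the SQL injection entry on that list (example code written for this text version, not from the CWE list or the podcast), here is the vulnerable string-built query beside the parameterized fix, using Python’s built-in sqlite3 and a constructed two-row users table:

```python
import sqlite3

# Constructed sample data for this example; not from the podcast.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """SQL injection (CWE-89) pattern: the input field's value is spliced
    into the SQL text, so it can change the statement's structure."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: a parameterized query. The driver binds the value separately
    from the statement, so the input is only ever treated as data."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    conn = build_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    # A normal name behaves the same either way; a value that closes the
    # quote and appends a condition dumps every row from the vulnerable path.
    for value in ("alice", "x' OR '1'='1"):
        vuln, safe = compare(value)
        print(f"{value!r}: vulnerable -> {len(vuln)} rows, parameterized -> {len(safe)} rows")
```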
Another source of valuable information for information security professionals is the Known Exploited Vulnerabilities Catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency. This is a list of the latest vulnerabilities that are being exploited by attackers. U.S. federal departments have to address these holes fast, but companies should pay attention to the list as well. It was recently updated to add eight more issues, including the Mitel VoIP phone problem I told you about on Monday.
Here’s more for developers: Many organizations that use Kubernetes to deploy containerized applications aren’t properly securing their clusters. That’s according to researchers at a company called Cyble, which said it recently found over 900,000 Kubernetes instances exposed on the internet. That suggests many clusters are misconfigured. What kind of damage could happen? The report notes hackers infiltrated the Kubernetes console of car maker Tesla because it wasn’t password protected. They could have found login usernames and passwords to Tesla’s Amazon Web Services environment. Among other things, IT and application administrators have to make sure any instances of Kubernetes in their environments are running the latest versions. They must also control employees’ access to the Kubernetes API and follow Kubernetes configuration best practices.
Big companies aren’t the only targets of hackers. According to a report this week from researchers at a security firm called Lumen, crooks are going after small businesses and individuals through their small office and home office routers. Targets of this ongoing campaign are in the U.S., Canada and Europe. The researchers think compromised devices include models made by Asus, Cisco Systems, DrayTek and Netgear. The report doesn’t say exactly how the devices were compromised, but the infection leads to the copying of internet traffic and then to the compromise of a Windows desktop or server. Small office and home users should remember to regularly reboot their routers to clear malware, and watch for security updates not only from their software creators but also from router manufacturers.
It’s important that management do a thorough cybersecurity review of every company being considered for a merger or acquisition. That’s the conclusion of an analyst at the SANS Institute for cybersecurity training after the release last week of penalties imposed by the U.S. Federal Trade Commission on the former and current owners of a company called CafePress. It was hacked in 2019. CafePress lets consumers customize things like T-shirts and mugs. The commission alleged CafePress didn’t scramble some customers’ Social Security numbers or password reset answers. As a result they were available to the hackers. It also allegedly failed to apply readily available protections against well-known cyber threats. And it allegedly failed to tell victims about the data breach, and only reset their passwords.
The current owner bought CafePress after the data breach. The commission’s order requires the current owner to bolster CafePress’s data security. The order also requires the current and former owners to pay US$500,000 to compensate victims. Some of their stolen data is being peddled on the dark web.
Finally, there’s a new version of the Firefox browser available for those of you who use it.
That’s it for this edition. Friday is Canada Day, our national holiday. However, there will still be a Friday morning news podcast and the Week in Review podcast in the afternoon.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.