Blog entry by Les Bell
by Les Bell - Sunday, 28 August 2022, 4:52 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Atlassian Bitbucket RCE Vulnerability

Atlassian's developers must be feeling somewhat punch-drunk by now, after so many disclosures. Now security researcher 'The Grand Pew' has disclosed, via Bugcrowd's bug bounty program, a command injection vulnerability affecting all versions between 7.0.0 and 8.3.0 of the company's git-based source code repository server, Bitbucket.

Users are advised to upgrade promptly; failing that, they should turn off public repositories. The vulnerability affects multiple API endpoints in Bitbucket.

Haworth, Jessica, Critical command injection vulnerability discovered in Bitbucket Server and Data Center, The Daily Swig, 26 August 2022. Available online at https://portswigger.net/daily-swig/critical-command-injection-vulnerability-discovered-in-bitbucket-server-and-data-center.

Clouds Gather Over LastPass

The popular password safe application, LastPass, has suffered yet another breach, this time affecting its source code. As in previous breaches, the company can claim - justifiably - that no user data has been compromised, as all its customers' passwords are encrypted under each customer's master password.

However, in this case, the attackers were able to compromise a developer account to gain access to "portions of source code and some proprietary LastPass technical information". This makes the breach a good test of Kerckhoffs's second principle - "security of an encryption system must depend upon the secrecy of a key and not upon secrecy of the system" - because whoever got that source code and technical info is going to be poring over it in search of some kind of implementation weakness or other exploitable vulnerability. LastPass customer data is probably OK, but I'm glad to be using a different product.

Seals, Tara, LastPass Suffers Data Breach, Source Code Stolen, Dark Reading, 27 August 2022. Available online at https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen.

Log4J Still a Problem

The Iranian threat actor Static Kitten (a.k.a. MuddyWater, Cobalt Ulster, Mercury and others) is targeting Israeli organizations running unpatched versions of Log4j. It might seem incredible that the long-known Log4Shell exploit would still be exploitable, but the fact that Log4j is embedded in so many systems, and that most enterprises do not have a configuration management system capable of reporting whether they have Log4j installed, and if so, where, indicates that this vulnerability is likely to be a thorn in our sides for some time to come.

Lakshmanan, Ravie, Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations, The Hacker News, 27 August 2022. Available online at https://thehackernews.com/2022/08/iranian-hackers-exploiting-unpatched.html.
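The inventory gap described above - not knowing whether, and where, Log4j is installed - is something a defender can close with a simple filesystem scan. The following script is an added example, not code from the original post: it walks a directory tree, opens every JAR/WAR/EAR archive (including JARs nested inside WARs, where log4j-core usually hides), identifies log4j-core by its package path, reads the version from the manifest, and flags any copy older than a fixed version the operator supplies. The sample file tree it builds and the "2.17.1" threshold are constructed assumptions for illustration; take the actual fixed version from the Apache Log4j advisory for your situation.

```python
# Added example (not the post's own code): inventory where Log4j 2 lives on a host
# by inspecting JAR files, including JARs nested in WAR/EAR archives, and flag any
# copy older than a fixed version supplied by the operator from the Apache advisory.
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"


@dataclass
class Finding:
    location: str   # filesystem path; "!/" separates nested archive members
    version: str    # from MANIFEST.MF, or "unknown" if the manifest lacks it


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; pre-releases sort lower."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?", v)
    if not m:
        return (0, 0, 0, 0, "")          # unparseable: sorts oldest, so it gets flagged
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    pre = m.group(2)
    return nums[:3] + ((0, pre) if pre else (1, ""))


def is_older_than(version, fixed):
    return parse_version(version) < parse_version(fixed)


def _manifest_version(zf):
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    text = text.replace("\r\n", "\n").replace("\n ", "")   # unfold continuation lines
    for line in text.split("\n"):
        key, _, value = line.partition(":")
        if key in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return "unknown"


def _scan_zip(zf, location, findings):
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        findings.append(Finding(location, _manifest_version(zf)))
    for member in names:                       # recurse into nested archives
        if member.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(member)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _scan_zip(inner, location + "!/" + member, findings)


def scan_tree(root):
    """Return a Finding for every log4j-core copy under root, nested or not."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_zip(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree(root):
    """Constructed sample data: a loose log4j-core, one buried in a WAR, and a decoy."""
    def make_jar(version, with_core):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
            if with_core:
                zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        return buf.getvalue()
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_jar("2.14.1", True))
    with open(os.path.join(root, "lib", "commons-io-2.11.0.jar"), "wb") as f:
        f.write(make_jar("2.11.0", False))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_jar("2.17.1", True))


def report(root, fixed_version):
    """Map each location to (version, True if older than fixed_version)."""
    return {f.location.replace(root, "<root>").replace(os.sep, "/"):
            (f.version, is_older_than(f.version, fixed_version))
            for f in scan_tree(root)}


def demo(fixed_version="2.17.1"):   # "2.17.1" is an assumed threshold for illustration
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return report(root, fixed_version)


if __name__ == "__main__":
    for loc, (ver, old) in sorted(demo().items()):
        print("%-55s %-8s %s" % (loc, ver, "NEEDS ATTENTION" if old else "ok"))
```

Point `scan_tree()` at application directories (e.g. under a servlet container's deployment root) rather than at the sample tree to use it for real; a manifest without a version, or a version string the parser cannot read, is deliberately reported as needing attention rather than silently passed.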

Return-to-Work and Catch COVID?

While many managers, and some corporations, are struggling with how to manage employees working from home, the idea of a full return to work is deeply unattractive to many. Case in point: Google, which in April demanded employees return to the office for at least three days a week.

The result? Increased outbreaks of COVID-19 - currently, Google's LA offices are recording the most infections of any employer in that city, with 145 cases at their Venice office and 135 in the Playa Vista campus. Employees, fed up with the number of exposure notifications they are receiving, point out that the company has been recording record growth while they worked from home.

Complicating things further, unvaccinated employees are asking the company to drop its vaccination mandate for on-prem workers. Vaccinated staffers who would rather work from home anyway are doubtless really impressed with this.

Elias, Jennifer, Google employees frustrated after office Covid outbreaks, some call to modify vaccine policy, CNBC, 26 August 2022. Available online at https://www.cnbc.com/2022/08/26/google-employees-frustrated-after-office-covid-outbreaks.html.

Disinformation Bad - Meta-Disinformation Worse

An opinion piece by a RAND Corporation information scientist points out that the capabilities of artificial intelligence and the immersive nature of virtual reality will combine to make disinformation campaigns much more influential and effective. Rand Waltzman describes a scenario in which an audience watches a political candidate giving a speech - but unknown to them, each viewer sees a subtly different version of the candidate - one which has been modified to make his facial features slightly more similar to the viewer's, a technique which has been shown experimentally to make voters rate the candidate more favourably.

The author also points out that virtual environments are seductive because of two features - presence and embodiment. Presence means that the clues that a computer is mediating communication are no longer present - communication feels very direct - while embodiment is the sensation that the virtual body is the actual body. This makes emotional manipulation of the participant very much more powerful than traditional media and social media - and we should have learned by now just how dangerous those can be.

Waltzman, Rand, Facebook MisInformation is Bad Enough. The Metaverse Will Be Worse, The RAND Blog, 22 August 2022. Available online at https://www.rand.org/blog/2022/08/facebook-misinformation-is-bad-enough-the-metaverse.html.


The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Monday, 29 August 2022, 9:01 AM ]