Feed aggregator
Apple Releases Security Updates for Multiple Products
Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following advisories and apply necessary updates:
2024 CWE Top 25 Most Dangerous Software Weaknesses
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services.
Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.
Addressing these weaknesses is integral to CISA’s Secure by Design and Secure by Demand initiatives, which advocate for building and procuring secure technology solutions:
- Secure by Design: Encourages software manufacturers to implement security best practices throughout the design and development phases. By proactively addressing common weaknesses found in the CWE Top 25, manufacturers can deliver inherently secure products that reduce risk to end users. Learn more about Secure by Design here.
- Secure by Demand: Provides guidelines for organizations to drive security improvements when procuring software. Leveraging the CWE Top 25, customers can establish security expectations and ensure that their software vendors are committed to mitigating high-risk weaknesses from the outset. Explore how you can integrate Secure by Demand principles here.
Recommendations for Stakeholders:
- For Developers and Product Teams: Review the 2024 CWE Top 25 to identify high-priority weaknesses and adopt Secure by Design practices in your development processes.
- For Security Teams: Incorporate the CWE Top 25 into your vulnerability management and application security testing practices to assess and mitigate the most critical weaknesses.
- For Procurement and Risk Managers: Use the CWE Top 25 as a benchmark when evaluating vendors, and apply Secure by Demand guidelines to ensure that your organization is investing in secure products.
By following CISA’s initiatives, organizations can reduce vulnerabilities and strengthen application and infrastructure security. Incorporating the 2024 CWE Top 25 into cybersecurity and procurement strategies will enhance overall resilience.
For further details, refer to the full 2024 CWE Top 25 list here.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2024-38812 VMware vCenter Server Heap-Based Buffer Overflow Vulnerability
- CVE-2024-38813 VMware vCenter Server Privilege Escalation Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
USDA Releases Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Agriculture (USDA) released Phishing-Resistant Multi-Factor Authentication (MFA) Success Story: USDA’s FIDO Implementation. This report details how USDA successfully implemented phishing-resistant authentication for its personnel in situations where USDA could not exclusively rely on personal identity verification (PIV) cards.
USDA turned to Fast IDentity Online (FIDO) capabilities, a set of authentication protocols that uses cryptographic keys on user devices, to offer a secure way to authenticate user identities without passwords. USDA’s adoption of FIDO highlights the importance of organizations moving away from password authentication and adopting more secure MFA technologies.
This report offers examples to help organizations strengthen their cybersecurity posture through use cases, recommended actions, and resources. USDA successfully implemented MFA by adopting a centralized model, making incremental improvements, and addressing specific use cases. Organizations facing challenges with phishing-resistant authentication are encouraged to review this report.
For more information about phishing-resistant MFA, visit Phishing-Resistant MFA is Key to Peace of Mind and Implementing Phishing-Resistant MFA.
Turn Your Doorbell Into Thanksgiving Greetings With Vivint Chimes
Mediacom Internet Review: Plans, Pricing, Speed and Availability Compared
I hated Dubai until I learned about it
Article URL: https://sive.rs/dxb
Comments URL: https://news.ycombinator.com/item?id=42193075
Points: 1
# Comments: 0
AT&T Turbo Indicator Showing Up in iPhone Status Bar for Subscribers
Article URL: https://www.macrumors.com/2024/11/20/att-turbo-iphone-carrier-label-ios-update/
Comments URL: https://news.ycombinator.com/item?id=42193058
Points: 1
# Comments: 0
AMD-powered El Capitan is now the fastest supercomputer
Async/Await Is Real and Can Hurt You
Article URL: https://trouble.mataroa.blog/blog/asyncawait-is-real-and-can-hurt-you/
Comments URL: https://news.ycombinator.com/item?id=42193034
Points: 2
# Comments: 0
Wonder-server for Maven and Gradle – com.gitee.whzzone
Article URL: https://mavenlibs.com/maven/pom/com.gitee.whzzone/wonder-server
Comments URL: https://news.ycombinator.com/item?id=42193020
Points: 1
# Comments: 0
Ghosts of Departed Proofs [pdf]
IKEA opening an exhibition about its famous blue bag
Article URL: https://www.ianvisits.co.uk/articles/ikea-opening-an-exhibition-about-its-famous-blue-bag-77185/
Comments URL: https://news.ycombinator.com/item?id=42193008
Points: 1
# Comments: 0
Best Internet Providers in Portland, Oregon
Why Living in Australia Is Impossible [video]
Article URL: https://www.youtube.com/watch?v=_TUVXfM1nqo
Comments URL: https://news.ycombinator.com/item?id=42192981
Points: 1
# Comments: 0
China Could Re-Dollarize the World
Article URL: https://indi.ca/how-china-starts-printing-usd/
Comments URL: https://news.ycombinator.com/item?id=42192979
Points: 1
# Comments: 0
Genesis: AI, Hope and the Human Spirit [video]
Article URL: https://www.youtube.com/watch?v=OT_S4g5G5N4
Comments URL: https://news.ycombinator.com/item?id=42192974
Points: 1
# Comments: 0
Google Spent 15 Years Concealing Its Internal Conversations
Article URL: https://www.nytimes.com/2024/11/20/technology/google-antitrust-employee-messages.html
Comments URL: https://news.ycombinator.com/item?id=42192972
Points: 2
# Comments: 0
WSL Upd Nov 2024 – RedHat distro and install straight to your other hard drives
Article URL: https://devblogs.microsoft.com/commandline/whats-new-in-the-windows-subsystem-for-linux-in-november-2024/
Comments URL: https://news.ycombinator.com/item?id=42192951
Points: 1
# Comments: 1