[Security News of the Week 1007] Multiple national information security standards will be implemented on October 1; GitLab releases emergency security patches to fix high-risk vulnerabilities

Quick facts

1. The following national information security standards will be implemented on October 1st.
2. GitLab releases emergency security patches to fix high-risk vulnerabilities
3. All mainstream graphics cards are affected! GPU.zip side-channel attack can leak sensitive data
4. MOVEit vulnerability led to large-scale leakage of student information from 900 colleges and universities in the United States
5. French space and defense supplier Exail was hacked and leaked a large amount of sensitive information
6. The British royal family website was paralyzed by a DDoS attack

Policy news of the week

The following national information security standards will be implemented on October 1

"Guidelines for Data Security in the Telecom Field of Information Security Technology"

Implementation date: 2023-10-01
Standard number: GB/T 42447-2023
Overview/Requirements: This document provides the security principles and general security measures for data processing activities in the telecommunications field, and states the corresponding security measures to be taken during data collection, storage, use and processing, transmission, provision, disclosure, destruction, and similar stages. It is suitable for guiding telecom data processors in their data security protection work, and also for guiding third-party organizations in carrying out telecom data security assessments.
"General Technical Requirements for Network Security Situation Awareness of Information Security Technology"

Implementation date: 2023-10-01
Standard number: GB/T 42453-2023
Overview/Requirements: This document gives the technical framework for network security situational awareness and specifies the general technical requirements for the core components in that framework. It is applicable to the planning, design, development, construction and evaluation of network security situational awareness products, systems or platforms.
"Basic Requirements for Competencies of Information Security Technology Network Security Practitioners"

Implementation date: 2023-10-01
Standard number: GB/T 42446-2023
Overview/Requirements: This document establishes the classification of network security practitioners and stipulates the knowledge and skill requirements for various types of practitioners. It is suitable for the use, training, evaluation and management of network security practitioners by various organizations.
"Information Security Technology Personal Information De-Identification Effect Evaluation Guide"
"Information Security Technology Public Domain Name Service System Security Requirements"
"Information Security Technology Network Security Service Cost Measurement Guide"
"Information Technology Security Technology Entity Identification Part 3: Using Digital Signature Technology Mechanism"
"Information Technology Security Technology Digital Signature with Appendix Part 1: Overview"
"Information Security Technology Information System Security Assurance Assessment Framework Part 1: Introduction and General Model"
"Information Security Technology Public Key Infrastructure PKI System Security Technology Requirements"
"Information Security Technology Public Key Infrastructure PKI System Security Evaluation Method"
"Information Security Technology IPSec VPN Security Access Basic Requirements and Implementation Guide"

Information source: Yue Mi Yue An https://mp.weixin.qq.com/s/6CsEvv9YHqXhJHEjbmtNpA

A quick look at industry news

GitLab releases emergency security patch to fix high-risk vulnerabilities

GitLab released an emergency security patch on Thursday to fix a serious vulnerability that allows attackers to run pipelines as other users.
The vulnerability, numbered CVE-2023-5009 (CVSS score: 9.6), affects all versions of GitLab Enterprise Edition (EE) from 13.12 to 16.2.7 and from 16.3 to 16.3.4. The vulnerability was discovered and reported by security researcher Johan Carlsson (aka joaxcar).
"It is possible for an attacker to run a pipeline as an arbitrary user via a scheduled security scanning policy," GitLab said in an advisory. "This is a bypass of CVE-2023-3932 (which GitLab fixed in early August 2023) and demonstrates additional impact."
By exploiting CVE-2023-5009, an attacker could access sensitive information or exploit the privileges of an impersonated user to modify source code or run arbitrary code on the system, causing serious consequences.
GitLab strongly recommends users to update their installed GitLab to the latest version as soon as possible to prevent potential risks.

Source: Go UpSec https://mp.weixin.qq.com/s/TqEpqeELVwldRHro-TpVow

All mainstream graphics cards are affected! GPU.zip side-channel attack can leak sensitive data

Recently, researchers from four American universities developed a new GPU side-channel attack targeting a weakness in mainstream graphics cards. When a user visits a malicious web page, the attack exploits GPU data compression to steal sensitive visual data from modern graphics cards.
Researchers have demonstrated the effectiveness of this "GPU.zip" attack by performing a cross-origin SVG filter pixel stealing attack on the Chrome browser and disclosed the vulnerability to affected graphics card manufacturers in March 2023 .
However, as of September 2023, none of the affected GPU vendors (AMD, Apple, ARM, Nvidia, Qualcomm) or Google (Chrome) has launched a vulnerability patch.
Researchers from the University of Texas at Austin, Carnegie Mellon University, the University of Washington, and the University of Illinois at Urbana-Champaign detailed the vulnerability in a paper to be presented at the 45th IEEE Symposium on Security and Privacy.

Source: GoUpSec https://mp.weixin.qq.com/s/5NfniSDI9QZJ9jj55uaVNA

MOVEit vulnerability led to large-scale leakage of student information from 900 colleges and universities in the United States

The NSC (National Student Clearinghouse), a non-profit education organization in the United States, recently disclosed that its MOVEit server was compromised and the personal information of students from nearly 900 colleges and universities was stolen.
NSC provides educational reporting, data exchange, verification and research services to approximately 3,600 North American colleges and universities and 22,000 high schools.
NSC has submitted a data breach notification letter to the California Attorney General's Office on behalf of the affected schools, disclosing that attackers gained access to NSC's MOVEit Managed File Transfer (MFT) server on May 30 and stole files containing a large amount of personal information.
According to the notification letter, the students' personally identifiable information (PII) in the stolen files included names, dates of birth, contact information, Social Security numbers, student ID numbers, and some school-related records such as enrollment records, degree records, and course-level data.
NSC also released a list of the educational organizations affected by the data breach.

Source: GoUpSec https://mp.weixin.qq.com/s/HiN2aY6ZqgbFvpelV-BYYA

French space and defense supplier Exail was hacked, leaking a large amount of sensitive information

The Cybernews research team discovered that French high-tech industrial group Exail exposed a publicly accessible environment (.env) file with database credentials.
Founded in 2022 following the merger of ECA Group and iXblue, Exail specializes in robotics, maritime, navigation, aerospace and photonics technologies, and its customers include the U.S. Coast Guard. Due to these characteristics, Exail is a particularly interesting target for attackers.
The research team discovered that a publicly accessible .env file hosted on the exail.com website had been exposed on the internet, allowing anyone to access it. Environment files hold the configuration a program reads at startup, which typically includes credentials such as database passwords; fully exposing such a file can therefore reveal critical data. With those credentials, an attacker can view, modify, or delete sensitive data and perform unauthorized operations, which opens up a range of attack options.
The research team also discovered that the version of Exail's web server and the specific operating system it ran on were also exposed. If an attacker knows the operating system and its version running on a web server, they can look for vulnerabilities specific to that operating system.
Web servers with known operating system-specific exposures can also become targets for automated scanning tools, malware, and botnets. Once an attacker understands the characteristics of an operating system, they can focus on finding and exploiting vulnerabilities related to that operating system, using techniques such as scanning, probing, or known vulnerabilities to gain access to a server or compromise its security.
Additionally, an attacker could exploit operating system-specific weaknesses to launch a denial-of-service (DoS) attack on an exposed web server, disrupting the server's operation.
After the Cybernews research team provided feedback to Exail, the other party has fixed the problem, but did not disclose more detailed information about the problem.
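A defender-side check for the exposure described above, added here as an example and not part of the original article or of any Exail tooling: it parses a .env file (KEY=VALUE lines, comments, quotes, an optional export prefix), flags keys whose names suggest credentials, and walks a web root for dotfiles that should never be reachable by a browser. The dotfile list and the key-name heuristic are assumptions, and the sample .env is constructed.

```python
import re
import tempfile
from pathlib import Path

# Dotfiles that must never be reachable from a web root (assumed list).
SENSITIVE_DOTFILES = {".env", ".git", ".htpasswd"}
# Key names whose values are almost always secrets (assumed heuristic).
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY|DSN)", re.I)

# Constructed sample .env; values are placeholders, not real credentials.
SAMPLE_ENV = """# constructed sample, not Exail's real file
APP_NAME="demo site"
export DB_HOST=localhost
DB_USER=app
DB_PASSWORD='s3cr3t-placeholder'
API_KEY=abc123 # inline comment
DEBUG=true
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines; skips comments and blanks, strips an optional
    'export ' prefix and one layer of matching quotes or a trailing comment."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def secret_keys(env):
    """Keys whose names look like credentials and whose values are non-empty."""
    return sorted(k for k, v in env.items() if v and SECRET_KEY_RE.search(k))


def audit_webroot(webroot):
    """List sensitive dotfiles under a web root; for each .env, its secret keys."""
    findings = []
    for path in sorted(Path(webroot).rglob(".*")):
        if path.name not in SENSITIVE_DOTFILES:
            continue
        keys = secret_keys(parse_dotenv(path.read_text())) if path.name == ".env" else []
        findings.append((str(path.relative_to(webroot)), keys))
    return findings


def demo():
    """Constructed web root with an exposed .env and a .git directory."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, ".env").write_text(SAMPLE_ENV)
        Path(root, ".git").mkdir()
        Path(root, "index.html").write_text("<h1>ok</h1>")
        return audit_webroot(root)
```

Run the audit against the directory your web server actually serves; any finding is a file to move out of the web root or block in the server configuration before deployment.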

Source: FreeBuf https://mp.weixin.qq.com/s/WyrHQr7Ni8x-LbQysmpX-g

British royal family website paralyzed due to DDoS attack

According to reports, the official website of the British royal family was taken offline by a distributed denial of service (DDoS) attack on Sunday (October 1). According to the Independent, the Royal.uk website was inaccessible for about 90 minutes starting at 10am local time. Although at the time of writing Cloudflare checks were in place to ensure that the IP addresses seeking access to the site were not automated bots, it soon became fully operational again.
The notorious Russian hacking group Killnet reportedly boasted on its Telegram channel that it was responsible for the attack, although this has not been confirmed. Oseloka Obiora, chief technology officer at security vendor RiverSafe, believes all organizations should ensure their security posture is fit for purpose.
DDoS attacks have become a favorite tool of Russian hacktivists as they look to punish Ukraine's allies and score geopolitical points. Last October, Killnet claimed to have launched severe DDoS attacks on the websites of more than a dozen airports in the United States.

Source: Internet chat plus https://mp.weixin.qq.com/s/3WUpLbvz5qjZqD9Q3aqq-g

Source: The content pushed by this Security Weekly is collected and compiled from the Internet and is shared for reference only; it does not imply agreement with its views or confirmation of the authenticity of its content. Some content was pushed without contacting the original author. If copyright is involved or you have any questions, please contact us and we will delete it as soon as possible. Thank you!

Origin blog.csdn.net/juminfo/article/details/133639614