15 Year Old Python Bug, LinkedIn Smart Link Phishing, USA Using Augury

15-year-old Python bug causing a problem

In 2007, a researcher submitted a path traversal bug in Python’s tarfile package, allowing an attacker to overwrite arbitrary files. Since then, the bug remains open with a documentation update warning submitted to warn developers of the risk. The bug does not appear to be exploited in the wild, but could impact the software supply chain. A security researcher at Trellix, Charles McFarland, rediscovered the bug. With help from GitHub, he determined that 588,840 unique repositories include an import tar file in their code, spanning a wide range of industries. McFarland estimates that around 60% of them contain the bug. Trellix has released a fix in a forked version of the impacted repository.

(computer beeping)

LinkedIn smart links used for phishing

LinkedIn provides smart links for Sales Navigator and Enterprise users, allowing them to group up to 15 documents into a single trackable link. These provide analytics on how they were viewed and shared. Cofense analysts observed malicious actor campaigns using them for phishing with Slovak users. These allegedly came from the country’s postal service. Using Smart Links allows these emails to pass through regular spam filters and provides useful analytics to see how users interact with the messages. Clicking on results in a phishing page that accepts “payment” and collects additional information about the victim. No word from LinkedIn if it has started investigating the practice.

(computer beeping)

US Army buys Augury network monitoring tool

According to documents seen by Motherboard, several branches of the US military have purchased access to the Augury monitoring tool developed by cybersecurity firm Team Cymru. U.S. Senator Ron Wyden also said a whistleblower contacted his office, alleging the Navy’s civilian law enforcement agency used the tool without a warrant. Augury claims to cover more than 90% of global internet traffic, allowing analysts to track a cyber actor’s activity and attribute attacks to petabytes of packet capture data. The Department of Defense Inspector General’s Office said it was investigating the whistleblower’s report.

(Motherboard)

Meta-tests allow people to make policies

In his Platformer newsletter, Casey Newton reports that Meta hired consulting firm Behavioral Insights Team to integrate Facebook users into its policy-making process, testing climate discourse. This involved finding 250 people broadly representative of Facebook’s user base. Over a two-week period, the group received virtual training. This included learning about climate issues and platform policies. Meta also provided access to Facebook experts and staff. Facebook offered a variety of possible solutions for problematic climate information, which the group voted on. It is unclear what specific policy recommendations the group made. BIT said participants reported high levels of satisfaction with the process and the results. Meta plans to conduct further experiments with this approach.

(Platformer)

Thanks to today’s episode sponsor, 6clicks

Your GRC solution is only as valuable as the reports it can generate. Deliver an exceptional analytics experience to all your GRC stakeholders with the 6clicks report suite. Unlock powerful insights and prove compliance using dashboards and charts, pixel-perfect reports, presentations and data stories via LiveDocs. For more information, visit 6clicks.com/cisoseries.

Google starts rolling out a search results opt-out tool

At Google I/O earlier this year, Google announced that it would introduce a tool for users to request deletions of search results relevant to them. As part of this, Google has started rolling out a new “Results About You” option in the Google Android app in the US and Europe. This provides a page that explains how users can request removal of search results that contain a phone number, home address, or other personally identifiable information. The tool also displays a dashboard to monitor requests being removed from search results once submitted.

(9to5Google)

Windows 11 update adds security features

Microsoft has started rolling out Windows 11 version 22H2, its first major update since the operating system was released in October. This includes a new Smart App Control feature, which uses artificial intelligence and a database of security signals to prevent script attacks. The update now enables Hypervisor Protected Code Integrity and Vulnerable Driver Blocklist by default on new Windows 11 devices. Microsoft Defender SmartScreen will now detect entering passwords into known compromised sites.

(InfoSafety Magazine)

TikTok stops political monetization

Ahead of the US midterm elections, TikTok disabled all advertising and monetization features for politicians and parties on its platform. Over the next few weeks, the platform will ban all campaign fundraising, including banning politicians from directing viewers to websites to donate. TikTok said it would use a combination of human review and automated systems to remove calls for political donations. Accounts of governments, politicians and parties will also need to seek verification. This doesn’t appear to be a temporary change before the election, but a permanent new policy for the platform.

(The edge)

The developer sells “I Don’t Care About Cookies”

Croatian developer Daniel Kladnik sold the popular browser extensions. “I Don’t Care About Cookies” has helped users avoid harassing cookie pop-ups by automatically accepting the minimum cookies necessary for the site to function. He sold it to the antivirus company Avast. This company seems to be about to be acquired by NortonLifeLock, a subsidiary of Broadcom. Kladnik has already released the extension’s code as open source, and Dutch developer Guus van der Meer has created a fork for those interested.

(El Reg)

Harry D. Gonzalez