Weekly in Security 202303

2023-01-16 to 2023-01-23

2 min read - 379 words

Introduction

Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2023-01-16 to 2023-01-23.

Vulnerabilities

Source Code Audit on Git

The Git project released new versions after a source code audit by X41 uncovered multiple vulnerabilities. Two critical-severity issues were identified that may result in arbitrary code execution. Note that Git is also bundled by many IDEs and desktop clients, so those need updating separately from the system package.

CVE-2023-22809 - Sudoedit

Synacktiv discovered a sudoers policy bypass in sudoedit (CVE-2023-22809). A user who is authorized to edit a single file via sudoedit can edit arbitrary files as the configured RunAs user, because sudoedit took the editor and its arguments from the user-controlled SUDO_EDITOR, VISUAL and EDITOR environment variables and also opened extra file arguments appended there. The fix is in sudo 1.9.12p2.
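The first thing a practitioner wants after such an advisory is a quick fleet-wide triage. The script below is an added example (not from the original post, the Synacktiv advisory or the sudo project): it parses the version string that `sudo --version` prints and flags versions in the affected range. The range (1.8.0 through 1.9.12p1 affected, 1.9.12p2 fixed) is taken from the public advisories and is an assumption of this script; the sample output is constructed, not captured from a real host, and the function names are mine.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2023-22809 by sudo version string.
# Assumption (from the sudo/Synacktiv advisories): sudo 1.8.0 through
# 1.9.12p1 are affected and 1.9.12p2 is the first fixed release.
# Distributions often backport fixes without bumping the version, so a
# "vulnerable" verdict here means "check the vendor advisory", not "exploitable".

AFFECTED_FROM="1.8.0"
FIXED_IN="1.9.12p2"

# Turn "1.9.12p1" into one integer so versions can be compared with -lt/-ge:
# major*1000000 + minor*10000 + patch*100 + plevel.
# Prints nothing and returns 1 for anything that is not a plain sudo version.
sudo_version_key() {
    v="$1"
    case "$v" in
        ''|*[!0-9.p]*|p*|*p|*p*p*) return 1 ;;
    esac
    base="${v%%p*}"                       # "1.9.12"
    plevel=0
    case "$v" in *p*) plevel="${v##*p}" ;; esac
    major="${base%%.*}"
    if [ "$major" = "$base" ]; then       # no dot at all: not a version
        return 1
    fi
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    if [ "$patch" = "$rest" ]; then       # "1.9" has no patch component
        patch=0
    fi
    printf '%d\n' $(( $major * 1000000 + $minor * 10000 + $patch * 100 + $plevel ))
}

# Extract the version from the text that `sudo --version` prints;
# its first line looks like "Sudo version 1.9.12p1".
sudo_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*$/\1/p' \
        | head -n 1
}

# Print "vulnerable", "not-vulnerable" or "unknown" for a version string.
# Returns 0 only for "vulnerable" so it can be used directly in an if.
sudo_cve_2023_22809_status() {
    key=$(sudo_version_key "$1") || { echo unknown; return 1; }
    lo=$(sudo_version_key "$AFFECTED_FROM")
    hi=$(sudo_version_key "$FIXED_IN")
    if [ "$key" -ge "$lo" ] && [ "$key" -lt "$hi" ]; then
        echo vulnerable
        return 0
    fi
    echo not-vulnerable
    return 1
}

# Constructed sample of `sudo --version` output (not captured from a real host).
SAMPLE_SUDO_VERSION_OUTPUT='Sudo version 1.9.12p1
Sudoers policy plugin version 1.9.12p1
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.12p1'

sample_version=$(sudo_version_from_output "$SAMPLE_SUDO_VERSION_OUTPUT")
echo "sample: sudo $sample_version is $(sudo_cve_2023_22809_status "$sample_version")"

# Live check on this host, if sudo is installed.
if command -v sudo >/dev/null 2>&1; then
    live_version=$(sudo_version_from_output "$(sudo --version 2>/dev/null)")
    echo "this host: sudo ${live_version:-?} is $(sudo_cve_2023_22809_status "$live_version")"
fi
```

Treat the verdict as a first pass only: Debian, RHEL and others ship the fix as a patch on top of an older version number, and a host running a backported 1.9.5p2 will be reported as vulnerable here although it is fixed. Conversely, an unaffected version string says nothing about a sudoers policy that grants far more than sudoedit on a single file.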

Interesting Reads

DensePose From WiFi

Using only WiFi signals, researchers estimated the dense pose of multiple subjects with the help of an AI model. The output was comparable to a conventional image-based approach. The study appears to have been conducted in a lab environment, with the subjects positioned between multiple specifically placed antennas.

Combining this research with the ToF localization approach proposed by Wi-Peep might provide even more insights.

VALL-E

With just a three-second sample of a voice, the transformer-based TTS model VALL-E can synthesize speech in that voice. This allows impersonating a specific speaker with only a minimal recording.

LastPass breach follow-up

A follow-up on the LastPass breach disclosed at the end of December. Wladimir Palant provides a good analysis of the official press release. Overall, LastPass does not appear to have followed best-practice recommendations; in particular, older accounts may still be protected by very low PBKDF2 iteration counts, which makes the stolen vaults easier to crack offline. Switching to another provider and rotating all passwords is therefore advisable.

The near crash of Air Transat flight 236 in 2001

This article gives a great summary of Air Transat flight 236, which glided 121 kilometers before an emergency landing on an Azorean island. The chain of events leading up to the total fuel loss included incompatible components, missing QA and framing bias. In aviation, such post-mortem analyses are shared and benefit the whole industry as well as passengers. For software and information technology, the same transparency and plain technical analysis would presumably be of great benefit as well.

The Verica Open Incident Database (VOID) could be an early example.

Updated Best Practices for Mapping to MITRE ATT&CK

CISA updated the Best Practices for MITRE ATT&CK Mapping.

Tools

KeyDecoder

The KeyDecoder app lets you use your smartphone or tablet to decode mechanical keys in seconds, i.e. to read off the bitting needed to cut a copy. It is also a reminder that a clear photo of a key is enough to duplicate it.