September 24, 2019

Jira development and ticketing software hit by critical flaws

By John E Dunn

Admins looking after Atlassian’s Jira development and ticketing tools have a spot of patching work on their hands after the company released updates addressing two critical flaws.

Two product families are affected by the advisory:

  • Jira Service Desk Server and Jira Service Desk Data Center (CVE-2019-14994), and
  • Jira Server and Jira Data Center (CVE-2019-15001).

According to Atlassian’s alert, customers and employees should only be able to use Jira Service Desk to “raise requests and view issues,” such as IT tickets.

However, by exploiting the critical URL path traversal flaw tracked as CVE-2019-14994, an attacker with access to the portal could bypass these restrictions, viewing issues and making requests relating to Jira Service Desk projects, Jira Core projects, and Jira Software projects.

Although Atlassian has seen no evidence of exploitation, independent research by security company Tenable has found 25,000 portals that are vulnerable to this issue, belonging to organizations in healthcare, government, education and manufacturing in the United States, Canada, Europe and Australia.

The researcher who discovered the flaw, Sam Curry, tweeted on 18 September that he plans to reveal more details of the vulnerability along with a proof-of-concept exploit.

Read more at https://nakedsecurity.sophos.com/2019/09/24/jira-development-and-ticketing-software-hit-by-critical-flaws/

Instagram phish poses as copyright infringement warning – don’t click!

By Paul Ducklin

Last month, we wrote about an Instagram scam that presented you with what looked like a two-factor authentication (2FA) code.

This time, the crooks are tapping into a concern that many of us have – falling foul of copyright law.

Lots of us innocently post and repost photos, GIFs, video clips and screenshots that we find amusing, informative, scary, and so forth…

…but even if we’re only ever posting photos that we took ourselves, we may occasionally find ourselves asked either to demonstrate our entitlement to use them, or to risk getting shut out of our account.

No one wants to get locked out of their social media account, even temporarily, over an unresolved argument about an image.

As a result, the temptation to click the link on the email is high – especially if you know that the ‘dispute’ is bogus or easily resolved, perhaps because you think you can quickly prove that you took the photos yourself.

Of course, in this case, clicking through immediately puts you in harm’s way.

Read more at https://nakedsecurity.sophos.com/2019/09/24/instagram-phish-poses-as-copyright-infringement-warning-dont-click/

Investors accuse FedEx of lying, stock dumping after NotPetya attack

By Lisa Vaas

Shareholders are suing FedEx executives for allegedly dumping stock and lying about the extent of the damage caused by the NotPetya ransomware attack.

The complaint, filed last week in the US state of Delaware, accuses the shipping giant and its head honchos of giving “materially false and misleading statements” about the damage inflicted by the infection on FedEx’s European subsidiary TNT Express in June 2017.

At the time, we gave a detailed teardown of the malware, plus an analysis of its devastating worm-ransomware and disk-disabling behavior.

Besides FedEx/TNT Express, other large companies hobbled by NotPetya included British consumer products company Reckitt Benckiser, chocolate maker Mondelez, advertising group WPP, shipping giant Maersk, and Nuance Communications.

This isn’t the first NotPetya-spawned lawsuit. FedEx was hit with a similar lawsuit in July 2019, when shareholders accused the package giant of making “false and misleading” statements about minimal impacts on TNT; about recovery being on track; about the anticipated costs and timeframe it would take to integrate and restore the TNT network; and for allegedly failing to disclose important details of TNT’s deteriorating business, including slowed down overall package volume growth, an increased shift in product mix from higher-margin parcel services to lower-margin freight services, and more.

According to the lawsuit filed in July, as a result of the true extent of the damage becoming public, FedEx stock dropped over 12%.

Read more at https://nakedsecurity.sophos.com/2019/09/23/investors-accuse-fedex-of-lying-stock-dumping-after-notpetya-attack/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, and commercial and residential networks, whether wired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation