More stories


    SimpliSafe vs. Ring: Comparing home security systems

    If you’re interested in protecting your home with a wireless security system, Ring and SimpliSafe are two options worth comparing. They’re both designed to be easy DIY projects when you’d like to install them on your own without hiring a professional.

    This review took several factors into account. We examined each company’s features, including the type of monitoring available, SimpliSafe and Ring home security reviews from customers, costs, fees and whether any time commitments are required, to help you decide which home security system works best for you.

    SimpliSafe vs. Ring overview

                             SimpliSafe           Ring
    Cost for the basic plan  $15 per month        $10 per month
    Monitoring               DIY or professional  DIY or professional
    Fees                     Late fee             Insufficient funds fee
    Terms                    No contract          No contract
    Standout features        60-day trial         30-day trial

    *Data as of 06/15/2020

    SimpliSafe

    Best for a customizable system. SimpliSafe has been revolutionizing home security since it was founded in 2006. It’s best known for its state-of-the-art systems that are easy to install and set up, as well as expanding integration with a wide variety of home automation features.

    Pros:
    • Self-monitored security available
    • 60-day free trial
    • No contracts

    Cons:
    • Monthly monitoring fee
    • Limited camera options
    • High upfront cost

    Ring

    Best for a DIY or pro monitoring system. Ring is Amazon’s low-cost wireless home security solution. There are no contract commitments or monthly monitoring required to monitor your home on your own. If monitoring is a feature you are interested in, there is a monthly monitoring service available for additional peace of mind.

    Pros:
    • Wide selection of cameras
    • Low cost
    • Self-monitoring available

    Cons:
    • Limited sensor styles
    • No-frills with limited features

    Monitoring

    When comparing SimpliSafe vs. Ring, both provide self-monitoring and professional service. If you choose professional monitoring, Ring’s entry-level monitoring plan is less expensive at $10 per month than SimpliSafe’s $15 per month. If you’d prefer to save on the monthly monitoring fee and keep an eye on your home yourself, both systems have security cameras that can send you notifications if triggered. Ring beats SimpliSafe when it comes to cameras, with a wider selection that makes it possible to monitor the interior and exterior of your home easily.

    Smart home capabilities

    When evaluating Ring and SimpliSafe, you’ll find that both integrate with Google Assistant and Amazon Alexa. You’d think Ring would have a range of smart home accessories since Amazon owns it, but there are no home automation accessories available at this time. SimpliSafe only provides home automation of door locks, so you can control your doors from the app or control pad.

    Compatibility

    You can expand the limited Ring system with a variety of compatible devices, such as:
    • GE and Leviton smart home dimmers, plugs and wall switches
    • Dome siren
    • EcoLink tilt sensors
    • First Alert’s smoke and carbon monoxide alarm

    As for SimpliSafe, the only device compatible with its alarm systems is the August Lock, which lets you lock and unlock your doors remotely.

    Which security system is right for me?

    If you…                         Then you should go with:  Here’s why:
    Have Google Home devices        Either                    Both systems are compatible with Google Assistant.
    Have Amazon home devices        Ring                      Amazon owns Ring.
    Want affordable equipment       Ring                      Ring’s packages, equipment and monthly monitoring costs are cheaper than SimpliSafe’s.
    Want professional installation  SimpliSafe                The company provides pro installation from a network of approved installers for $79.

    How to compare home security companies

    Installation

    Most wireless home security systems are designed to be simple to install. But some homeowners may need a more elaborate system or prefer to let a professional handle the setup. When deciding which system to buy, check whether professional installation is available, what it costs, and what alternatives exist, such as access to phone support.

    Compatibility

    Buying a home security system is an investment. To get the most out of one, choose a system that’s compatible with a variety of companies and devices. You may only need a basic system now but may move into a new home or larger apartment in the future. It would be beneficial to be able to expand its functionality with other accessories, such as environmental sensors, garage door openers or home automation.

    Price

    There is more to a security system’s cost than the upfront package price. Do your research, read the fine print and inquire about additional costs. Some of the most common to look for are late fees, activation charges, mandatory monthly monitoring, the professional monitoring price, and any early cancellation or moving penalties.

    The bottom line

    If you consider Ring or SimpliSafe as your home security solution, both systems are more similar than different. If you’re looking for an entry-level home security solution that’s no-frills and low cost but can expand in the future to include more home automation equipment, choose Ring. For a more professional equipment package that’s more like what you’d expect from a security company, SimpliSafe is the better choice.

    You can always try out SimpliSafe for 60 days for free, which is double Ring’s free trial length. If you’d like to outsource your home’s monitoring, Ring’s monthly monitoring service is less expensive at $10 instead of SimpliSafe’s $15 per month. You can’t go wrong with either — both provide a quality product at an affordable price.

    How do you prevent false alarms?

    Make sure you install sensors properly. Door and window sensor magnets should be less than two inches apart. And if you have pets in the home, choose pet-friendly sensors or hang your motion sensors higher in the room.

    Do I need professional monitoring?

    Professional monitoring is good to have if you travel often and would like the peace of mind of knowing a qualified professional is watching over your home. If the service detects anything unusual, they could send help quickly.

    Can I take my home security system when I move?

    Wireless home security systems are easy to install — and just as simple to take down and move. You can take yours with you and, in many cases, transfer the home monitoring service to your new address at no additional charge.

    How secure is my security system?

    Your home security system is only as secure as your habits. It’s important you and all household members are consistent about activating the security system each time you leave home. Take alarm triggers and alerts seriously to make sure your home is safe.

    Why is system compatibility important?

    Most home security systems come with a limited amount of equipment. Your needs over time may change. You may move and require more sensors or additional equipment. A system that’s compatible with other devices and companies can prolong its usefulness in the future.

    How are wireless home security systems powered?

    Your wireless security system’s devices use batteries. The equipment’s battery life varies, but most sensors and items’ batteries last three to five years. The keypad may have the shortest battery life in your system, but the batteries should last roughly one year.



    ADT vs. Protection 1: The key differences

    ADT is synonymous with home security. Drive through any neighborhood and you’ll probably spot more ADT signs — those telltale blue octagons — than those of any other home security provider. ADT claims the lion’s share of the home security market partly because of its longevity (over 100 years and counting), and partly because of its agile responses to new technologies and new competitors. Through recent mergers, ADT, Protection 1, and DIY home security provider LifeShield are all under the same roof, but not all respond to consumer expectations for flexibility and automation. LifeShield is the lo-fi outlier.

    Comparing ADT and Protection 1 is an apples-to-apples proposition. In a home security era marked by home automation, DIY installation, and self-monitoring via app, ADT and Protection 1 maintain a number of traditional features of home security. Both offer professionally installed and monitored systems with three-year contracts. If you’re looking for a traditional security system and feel comfortable committing for the long haul, both providers offer reliable protection and decent tech.

    ADT vs. Protection 1 overview

                              ADT                     Protection 1
    Basic monthly plan price  $37                     $35
    Installation              Professional; $99-$199  Professional; $99
    States serviced           45                      51
    Theft protection          ✓                       ✗
    Terms                     36 months               36 months

    Shopping experience

    Both ADT and Protection 1 conduct business over the phone, meaning you’ll need to talk to an agent to get detailed pricing information or device details. The upside of the 1-800 model is that you will receive a custom plan and a custom quote, based on the devices and level of service that you want, rather than having to choose from a few one-size-fits-most options. You can potentially save money going this route — not only because of the custom package, but also because agents have more flexibility to work with your budget. On the flip side, calling for a quote feels woefully out of date. If you’re a smart home technophile, not being able to compare prices and features online could feel like a bad omen of user unfriendliness ahead.

    Monitoring plans

    ADT operates its own monitoring stations while Protection 1 outsources monitoring to another company. Both offer professional monitoring exclusively — DIYers need not apply. With ADT, choose from three plans: Traditional, Control, and Video. With Protection 1, choose from four: Secure, Secure +, Smart Control, and Video. With Protection 1’s Secure+ plan, you can level up to a wireless system that supports two-way audio through security devices before jumping up to Smart Control’s remote capabilities. With ADT, you have to pay for all the home automation perks with their Control tier in order to get two-way audio.

    Remote control and home automation

    ADT and Protection 1 offer remote control of smart home security systems via app: ADT Pulse or Protection 1 eSecure, respectively. The latest versions of both apps boast more than decent app store ratings, but users note glitches: repeated demands for password changes, or more worrisome errors like reporting the front door is unlocked, and then not being able to lock it on command. As for the devices themselves, ADT has a smart home product lineup that could go head-to-head with any of the industry’s techie front-runners, with sleek video doorbells and smart thermostats. Protection 1, on the other hand, offers clunky, low-tech versions of most automation devices. The smart doorbell is just a doorbell; the thermostat has an outdated digital screen like an alarm clock. Still, both ADT and Protection 1 communicate on the Z-Wave network, so you don’t have to rely on in-house products to make use of their security monitoring.

    So which is right for me?

    If you…                                          Then you should go with:  Here’s why:
    Are willing to pay for reputation and assurance  ADT                       ADT backs up your confidence in their protection in two ways: first by offering an instantly recognizable sign that deters burglars, second by giving you a six-month warranty. Protection 1 is lesser known and makes no guarantees.
    Value customer experience                        Protection 1              Perhaps due to sheer size, ADT has a hard time keeping customers happy. Complaints of pushy salespeople and unclear contracts plague ADT more than its smaller sibling.
    Want to build a smart home                       ADT                       The companies are broadly similar, but not when it comes to smart home tech. Protection 1’s devices lag far behind the times; ADT gives industry disruptors like Ring and Vivint a run for their money.
    Want to save a few bucks on basic monitoring     Protection 1              The systems are similar enough that if you want a traditional home security system, but want to go with the cheaper option, Protection 1 is a good alternative to ADT. It could also be the cheaper option for professional installation.

    How to compare home security providers

    Smart home features

    Home security providers share a number of common features: a full range of security capabilities (protecting you from both intrusion and environmental hazards), smart home integration, and great customer experiences — from ordering your system to living with it. Turns out these last two features — smart home features and customer experience — are linked. J.D. Power ranks home security companies based on customer satisfaction every year. In the press release for 2018’s rankings, J.D. Power called out smart home features as the most important contributor to customer satisfaction.

    When deciding between home security systems, your wants and expectations for home automation should factor in. If you want a cohesive, one-brand system, both ADT and Protection 1 offer a range of branded home automation devices that can be integrated with their home security services. Interested in building a custom smart home from third-party devices? Both offer Z-Wave compatibility.

    DIY vs. professional

    While home security companies are jumping to offer everything their competitors offer, there’s a strong, lasting line in the sand between DIY and professional home security systems. DIY is the newest iteration on home security and allows you to save money by installing the devices you want, and potentially monitoring them yourself, too. Professional installation and monitoring are the name of the game at both ADT and Protection 1, for very similar rates.

    Contract terms

    Look up the Better Business Bureau profile of any home security company. Or, for that matter, any insurance company, warranty company, or telecom provider. Odds are, that profile is flooded with comments from irate customers who feel ill-used by the terms of their contract — they didn’t know what they were signing up for, for how much, or for how long. Before settling on a home security system, make sure you understand the price over time of your system, how long you are locked in to service, and what the fees would be to cancel service before the end of your term. Both ADT and Protection 1 require 3-year contracts, which is a great guarantee of price if you can make the commitment.

    ADT vs. Protection 1 FAQ

    What’s the difference between ADT monitoring and Protection 1 monitoring?

    Both ADT and Protection 1 offer only professional monitoring for their home security systems. This was once an industry norm, but industry disruptors like SimpliSafe have slashed prices by letting users monitor their own devices via app. The fact that ADT and Protection 1 adhere to the old, professional model is one of the most traditionalist aspects of the two security systems. They are largely the same in that they both monitor for environmental and intrusion alerts, dispatching help if they can’t reach you first. The biggest difference is that ADT has its own monitoring stations (six spread across North America) while Protection 1 outsources its monitoring to a third-party company. While professional monitoring makes for a steeper monthly fee, that could be offset by a break on your homeowners insurance premiums — many insurance companies offer a discount if you can furnish proof of a professionally monitored home security system.

    Do both ADT and Protection 1 offer smart home integration?

    Yes. While the two companies are among the most old-fashioned options on the market given the required professional monitoring and long contracts, they’ve kept pace with the shift from pure home security to home security with a side of smart home capabilities. The smart home devices sold by Protection 1 are much less sophisticated than those sold by ADT, which are in turn iterations of devices from industry innovators like Ring and Vivint. But both ADT and Protection 1 are Z-Wave-compatible systems that allow you to add on third-party devices and control the lot by app.

    Can I move with ADT and Protection 1 home security systems?

    Yes, but both ADT and Protection 1 require you to sign a new contract to go along with your new address. ADT suggests you leave your old equipment behind and purchase a completely new system. Protection 1 is currently offering a $150 credit to customers who take their system with them when they move. Keep in mind that both companies charge installation fees.


    Phishing attacks: One in three suspect emails reported by employees really are malicious

    Phishing emails can claim to be from the post office and ask the user to re-schedule a fake delivery, or from the bank requiring some sort of update or confirmation.  
    Image: picture alliance / Contributor / Getty Images
    All the time spent ticking boxes in cyber-security training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim “Think before you click”. IT security company F-Secure analyzed over 200,000 emails that were flagged by employees from organizations across the globe in the first half of 2021, and found that 33% of the reports could be classified as phishing.

    Phishing is a common technique used by cyber criminals to lure victims into doing what the hacker wants, whether that is providing personal information or downloading malware. It typically occurs via email, thanks to messages designed to look genuine, and which usually require the recipient to take some form of action. For example, phishing emails can claim to be from the post office and ask the user to re-schedule a fake delivery, or from the bank requiring some sort of update or confirmation; they sometimes look like they come from corporate departments. What they all have in common is that they try to convince the recipient to take action by clicking a link, providing some sensitive information or downloading an attachment, giving the hacker a way into carrying out an attack.

    While phishing can occur through various means, including social media and even the phone, email is the most common method, which accounted for over half of infection attempts in 2020.  Targeting corporate emails, therefore, is an easy way for criminals to use employees as a bridge to hack a company, which is why businesses spend countless time and money on educating their staff so that they don’t fall for the trick. According to F-Secure’s analysis, users submitted an average 2.14 emails each during the period of the research. On average, organizations with 1,000 seats report 116 emails per month.

    The most common reason users gave for reporting emails was a suspicious link, which was cited in almost 60% of the cases, closely followed by spotting incorrect or unexpected senders. Participants also mentioned suspicious attachments and suspected spam as reasons to flag.

    F-Secure’s analysis shows that some words and phrases are associated with a high risk of phishing. They include “Warning”, “Your funds has” or “Message is for a trusted”. This points to a common denominator in phishing emails: they are often made to play with the victim’s emotions, and designed so that clicking on a bad link is the most intuitive and easiest thing to do. Despite regular cyber-security training and reminders that they should be careful, therefore, there is always a risk that employees will be deceived. Researchers have previously found that the average response rate to phishing attacks among employees stands at around 20%, with higher click-rates found for phishing simulations that contain authority or urgency cues.

    But F-Secure’s new study seems to show that employees still have a good eye for a phishing email. “You often hear that people are security’s weak link. That’s very cynical and doesn’t consider the benefits of using a company’s workforce as a first line of defense,” said F-Secure director of consulting Riaan Naude. “Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results.”

    Naude, however, also pointed out that employee-led efforts in the field of cyber-security can create huge amounts of additional work for cyber-security teams that are already swamped. And the number of emails reported by employees is only increasing. Over the past 18 months, cyber-security teams have effectively had to adapt to the rise of remote working, which has hugely expanded the attack surface that hackers can target. As new working practices were deployed in a hurry, malicious hackers were able to exploit the reduced level of monitoring activity to target corporations even more aggressively. The UK’s National Cyber Security Centre (NCSC) removed about 1.4 million URLs responsible for 700,000 online scams last year – that is, more content in 12 months than was taken down in the previous three years combined.


    Dell rolls out a set of new data security tools to address latency and scale issues

    Dell has announced a set of new enterprise-level data protection solutions in a bid to beef up data security in the cloud as cyber attacks continue to grow.

    First, the company unveiled the Dell EMC PowerProtect Data Manager with Transparent Snapshots, which Dell Technologies APJ data protection solutions general manager Lucas Salter touted as a solution designed specifically to protect VMware virtual machines at scale, without disruption or latency issues.

    “Over the years, several approaches have attempted to overcome the issue of latency and business disruption during virtual machine backups, but all of them require compromises around latency, cost, scale, performance, and complexity,” he told media during a briefing. “Transparent Snapshots from Dell Technologies simplifies and automates virtual machine image level protection, and enables backups, without the need to pause the virtual machine during the backup process.”

    He claimed that Transparent Snapshots will deliver up to five times faster performance and reduced latency, plus up to 50% network bandwidth reduction, without requiring a backup proxy infrastructure.

    In addition, Dell has added PowerProtect appliances with Smart Scale to its enterprise security product portfolio to enable organisations to keep data secure while managing and projecting data capacity, and scaling the business. “Smart Scale will deliver the next generation of scale, mobility, and insights for PowerProtect appliances. Smart Scale will allow the configuration of multiple Dell EMC PowerProtect appliances as a single pool under a single namespace. It means you can pull up to 32 PowerProtect appliances to manage over 3 exabytes of logical capacity,” Salter said.

    “You’ll also be able to optimise your protection storage with non-disruptive data mobility to guide placement of workloads, perform migrations with automatic client reduction, and gain valuable insights to project capacity utilisation.”

    Dell also announced its Managed Services for Cyber Recovery solution to enable Dell to support businesses in recovery activities following a cyberattack. It builds on Dell’s existing portfolio of cyber recovery consulting, deployment and support services.


    Attacker releases credentials for 87,000 FortiGate SSL VPN devices

    Fortinet has warned that 87,000 sets of credentials for FortiGate SSL VPN devices have been published online. 

    The California-based cybersecurity firm said on Wednesday that it is aware of the disclosure, and after investigating the incident, has come to the conclusion that the credentials were obtained by exploiting CVE-2018-13379. CVE-2018-13379 is a known security flaw impacting the web portal of the FortiOS SSL VPN web tunnel software. The bug was patched and a fix was released in 2019, with two-factor authentication recommended as a mitigation. However, close to two years on, the vulnerability has now come back to the fore with the release of stolen credentials online.

    Fortinet says that the stolen information was “obtained from systems that remained unpatched” at the time an attacker performed a web scan for vulnerable devices. If passwords for FortiOS SSL VPN builds have not been changed since this scan, Fortinet says they remain vulnerable to compromise. Furthermore, as FortiOS SSL VPN is popular with enterprise users, this could become an avenue for network attacks.

    “Please note that a password reset following upgrade is critical to protecting against this vulnerability, in case credentials have already been compromised,” the company says.

    CVE-2018-13379 was reported by Meh Chang and Orange Tsai from DEVCORE. Described as a path traversal flaw, the bug permits unauthenticated attackers to download system files through specially crafted HTTP resource requests. The critical vulnerability was awarded a CVSS score of 9.8.

    FortiOS 6.0 (6.0.0 to 6.0.4), FortiOS 5.6 (5.6.3 to 5.6.7), and FortiOS 5.4 (5.4.6 to 5.4.12) are impacted by the bug and are vulnerable when the SSL VPN service has been enabled. As noted by AdvIntel, the dump was posted by the Groove ransomware group on their leak site. The threat actors said ‘everything checked as valid’ (Russian, translated), but this has not been verified.
    The company has previously warned customers that this vulnerability is being weaponized by hacking groups in the wild (1, 2). In June, the FBI issued an advisory (.PDF) stating that CVE-2018-13379 had been successfully used to infiltrate a webserver hosting a US municipal government domain.

    “Since these vulnerabilities were first discovered, Fortinet has taken exhaustive steps to notify and educate customers, urging them repeatedly to upgrade their affected systems to the latest patch release,” the company said in June. “It’s a scenario software and firmware developers know all too well. Fortinet and organizations like the NCSC, FBI, and CISA have issued 15 separate notifications and advisories to Fortinet customers over the past two years, warning them of the risks of failing to update affected systems and providing links to critical patches.”

    If users suspect they may have been involved in the breach due to a failure to refresh their credentials, the tech giant recommends that VPN services are temporarily disabled while organizations perform password resets. Fortinet is also urging customers to upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, which contain the necessary security fixes.


    91% of IT teams have felt 'forced' to trade security for business operations

    A new survey suggests that the majority of IT staff have felt pressured to ignore security concerns in favor of business operations.

    The coronavirus pandemic has caused enormous economic damage, and as the virus continues to sweep across the globe, many businesses have suffered. In order to keep operations ticking over — or to facilitate the changes needed in order to survive — employers turned to virtual meetings and remote working. While working from home may once have appeared to be just a temporary measure, remote and hybrid work is now firmly entrenched in some sectors — and there may be serious ramifications for cybersecurity.

    On Thursday, HP Wolf Security published a new study, the Security Rebellions & Rejections report, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers. In total, 91% of those surveyed said that they have felt “pressured” to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a “ticking time bomb” for corporate security incidents.

    IT teams, their workloads, and the need to compromise are not the only issues — it also appears there are general feelings of apathy and frustration when it comes to managing cybersecurity in a remote workplace. According to the survey, younger workers, in particular, are more likely to circumvent existing security controls in order to manage their workloads, with 48% of this group saying that security tools, such as website restrictions or VPN requirements, are a hindrance — and 31% have at least attempted to bypass them.

    Overall, 48% of office workers said that security measures waste time and 54% in the 18 – 24-year-old bracket were more concerned with meeting deadlines than potential security breaches. In addition, 39% of this group were unsure or unaware of their employer’s security policies. Other points of note include:

    • 37% of office workers believe security policies are often too restrictive
    • 80% of IT teams experienced backlash from home users because of security policies
    • 83% of IT teams said the blurred lines between home and work life made enforcement “impossible”
    “CISOs are dealing with increasing volume, velocity, and severity of attacks,” commented Joanna Burkey, HP CISO. “Their teams are having to work around the clock to keep the business safe while facilitating mass digital transformation with reduced visibility. Cybersecurity teams should no longer be burdened with the weight of securing the business solely on their shoulders; cybersecurity is an end-to-end discipline in which everyone needs to engage.”


    GitHub tackles severe vulnerabilities in Node.js packages

    GitHub has resolved numerous vulnerabilities in Node.js packages tar and @npmcli/arborist, with the worst allowing file overwrites and arbitrary code execution. 

    On Wednesday, GitHub said the company received reports from Robert Chen and Philip Papurt, between July 21 and August 13, of security flaws impacting the packages via one of GitHub’s bug bounty programs, which give researchers credit and financial rewards for responsibly disclosing vulnerabilities to the vendor. GitHub’s Chief Security Officer Mike Hanley says that these reports prompted GitHub to conduct its own review of tar and @npmcli/arborist, leading to the discovery of additional security issues.

    The tar Node.js package is used to mimic the tar archive system on Unix, whereas @npmcli/arborist has been developed to manage node_modules trees. Tar is a core npm dependency for npm package extraction, and @npmcli/arborist is a core dependency for the npm CLI. Node-tar has accounted for 22,390,735 weekly downloads, at the time of writing, whereas @npmcli/arborist has been downloaded 405,551 times over the past week.

    In total, seven vulnerabilities have been verified through the bug bounty reports and the GitHub security team’s findings:

    Tar:
    • CVE-2021-32803, high impact: Arbitrary File Creation/Overwrite via insufficient symlink protection. A malicious tar archive could create/overwrite arbitrary files with the privileges of the process using tar.
    • CVE-2021-32804, high impact: Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization. Malicious npm packages could create/overwrite files with the privileges of the user running the install, leading to code execution.
    • CVE-2021-37701, high impact: A path separator issue in file names could lead to malicious tar archives creating/overwriting arbitrary files with the privilege levels of the process running tar.
    • CVE-2021-37712, high impact: Unicode conversions and Windows 8.3 file name semantics could cause directory cache poisoning and symlink check bypasses, leading to arbitrary file creation and overwrite.
    • CVE-2021-37713, high impact: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization. Malicious npm packages could create and overwrite files outside of their installation root, with user privileges.

    @npmcli/arborist:
    • CVE-2021-39134, medium impact: An issue in how symbolic links within the node_modules tree are handled. Exploitation could result in malicious packages overwriting files outside of an installation root with user privileges.
    • CVE-2021-39135, medium impact: This vulnerability also impacts symbolic link handling, specifically when untrusted packages are installed on case-insensitive file systems.

    “CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install,” GitHub says. “Some of these issues may result in arbitrary code execution, even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts.”

    To make developers aware of these bugs, GitHub created 16.7 million Dependabot alerts and released 1.8 million notifications. GitHub has requested that project maintainers who use the npm CLI and download it directly upgrade to v6.14.15, v7.21.0, or newer. If Node.js is in use, the organization recommends an upgrade to the latest releases of Node 12, 14, or 16, all of which contain patches to resolve the security flaws. Tar users are now able to upgrade to versions 4.4.19, 5.0.11, and 6.1.10. The latest version of @npmcli/arborist available is 2.8.3.

    Chen and Papurt have been awarded a combined bounty of $14,500 for their reports.

  • in

    Microsoft: We've fixed Azure container flaw that could have leaked data

    Microsoft has revealed that it has fixed a bug in its Azure Container Instances (ACI) service that may have allowed a user to access other customers’ information in the ACI.    ACI lets customers run applications in containers on Azure using virtual machines that are managed by Microsoft rather than managing their own.   


    Researchers from Palo Alto Networks reported the security bug to Microsoft, which recently addressed the issue.

    Microsoft said in a blog post there was no indication any customer information was accessed due to the vulnerability, either in the cluster the researchers were using or in other clusters. “Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data,” it said.

    Nonetheless, it has told customers who received a notification from it via the Azure Portal to revoke any privileged credentials that were deployed to the platform before August 31, 2021.

    Ariel Zelivansky, a researcher at Palo Alto, told Reuters his team used a known vulnerability to escape Azure’s system for containers. Since it was not yet patched in Azure, this allowed them to gain full control of a cluster. Palo Alto reported the container escape to Microsoft in July.

    Even without vulnerabilities, containerized applications, which are often hosted on cloud infrastructure, can be difficult to shield from attackers. The NSA and CISA recently issued guidance for organizations to harden containerized applications because their underlying infrastructure can be incredibly complex.

    Microsoft noted that, among other things, admins should revoke privileged credentials on a regular basis.

    Microsoft disclosed a separate Azure vulnerability two weeks ago affecting customers running NoSQL databases on Azure, which provides the Cosmos DB managed NoSQL database service. A critical flaw, dubbed ChaosDB, allowed an attacker to read, modify or delete databases.