Nov 20, 2024Ravie LakshmananLinux / VulnerabilityMultiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user interaction.The Qualys Threat Research Unit (TRU), which identified and reported the flaws early last month, said they are trivial to exploit, necessitating that users move quickly to apply the fixes. The vulnerabilities are believed to have existed since the introduction of interpreter support in needrestart 0.8, which was released on April 27, 2014."These needrestart exploits allow Local Privilege Escalation (LPE) which means that a local attacker is able to gain root privileges," Ubuntu said in an advisory, noting they have been addressed in version 3.8. "The vulnerabilities affect Debian, Ubuntu, and other Linux distributions."Needrestart is a utility that scans a system to determine the services that need to be restarted after applying shared library updates in a manner that avoids a complete system reboot.The five flaws are listed below -CVE-2024-48990 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variableCVE-2024-48991 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreterCVE-2024-48992 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variableCVE-2024-11003 (CVSS score: 7.8) and CVE-2024-10224 (CVSS score: 5.3) - Two vulnerabilities that allows a local attacker to execute arbitrary shell commands as root by taking advantage of an issue in the libmodule-scandeps-perl package (before version 1.36)Successful exploitation of the aforementioned shortcomings could allow a local attacker to set specially crafted environment variables for PYTHONPATH or RUBYLIB that could result in the execution of arbitrary code pointing to the threat actor's environment when needrestart is run."In CVE-2024-10224, [...] attacker-controlled input could cause the Module::ScanDeps Perl module to run arbitrary shell commands by open()ing a 'pesky pipe' (such as by passing 'commands|' as a filename) or by passing arbitrary strings to eval()," Ubuntu noted."On its own, this is not enough for local privilege escalation. However, in CVE-2024-11003 needrestart passes attacker-controlled input (filenames) to Module::ScanDeps and triggers CVE-2024-10224 with root privilege. The fix for CVE-2024-11003 removes needrestart's dependency on Module::ScanDeps."While it's highly advised to download the latest patches, Ubuntu said users can disable interpreter scanners in needrestart the configuration file as a temporary mitigation and ensure that the changes are reverted after the updates are applied."These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user," Saeed Abbasi, product manager of TRU at Qualys, said."An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 20, 2024Ravie LakshmananCyber Espionage / Telecom SecurityA new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection.Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers.The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration."Liminal Panda has used compromised telecom servers to initiate intrusions into further providers in other geographic regions," the company's Counter Adversary Operations team said in a Tuesday analysis."The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata, and text messages (SMS)."It's worth noting that some aspects of the intrusion activity were documented by the cybersecurity company back in October 2021, attributing it then to a different threat cluster dubbed LightBasin (aka UNC1945), which also has a track record of targeting telecom entities since at least 2016.CrowdStrike noted that its extensive review of the campaign revealed the presence of an entirely new threat actor, and that the misattribution three years ago was the result of multiple hacking crews conducting their malicious activities on what it said was a "highly contested compromised network."Some of the custom tools in its arsenal are SIGTRANslator, CordScan, and PingPong, which come with the following capabilities -SIGTRANslator, a Linux ELF binary designed to send and receive data using SIGTRAN protocolsCordScan, a network-scanning and packet-capture utility containing built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as the Serving GPRS Support Node (SGSN)PingPong, a backdoor that listens for incoming magic ICMP echo requests and sets up a TCP reverse shell connection to an IP address and port specified within the packetLiminal Panda attacks have been observed infiltrating external DNS (eDNS) servers using password spraying extremely weak and third-party-focused passwords, with the hacking crew using TinyShell in conjunction with a publicly available SGSN emulator called sgsnemu for C2 communications."TinyShell is an open-source Unix backdoor used by multiple adversaries," CrowdStrike said. "SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to tunnel traffic via this telecommunications network."The end goal of these attacks is to collect network telemetry and subscriber information or to breach other telecommunications entities by taking advantage of the industry's interoperation connection requirements."Liminal Panda's known intrusion activity has typically abused trust relationships between telecommunications providers and gaps in security policies, allowing the adversary to access core infrastructure from external hosts," the company said.The disclosure comes as U.S. telecom providers like AT&T, Verizon, T-Mobile, and Lumen Technologies have become the target of another China-nexus hacking group dubbed Salt Typhoon. If anything, these incidents serve to highlight how telecommunications and other critical infrastructure providers are vulnerable to compromise by state-sponsored attackers.French cybersecurity company Sekoia has characterized the Chinese offensive cyber ecosystem as a joint enterprise that includes government-backed units such as the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), civilian actors, and private entities to whom the work of vulnerability research and toolset development is outsourced."China-nexus APTs are likely to be a mix of private and state actors cooperating to conduct operations, rather than strictly being associated with single units," it said, pointing out the challenges in attribution."It ranges from the conduct of operations, the sale of stolen information or initial access to compromised devices to providing services and tools to launch attacks. The relationships between these military, institutional and civilian players are complementary and strengthened by the proximity of the individuals part of these different players and the CCP's policy."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Time zones: SBT (UTC +11), GMT (UTC +0), CET (UTC +1), EET (UTC +2), MSK (UTC +3)Were looking for a highly motivated Senior Product Marketing Manager to join the Toggl Work team, our newest product aimed at revolutionising People Operations. This is your chance to shape the future of a product designed to save our users time, money, and sanity.The ideal candidate will have experience crafting and executing user acquisition strategies in a SaaS environment, with a strong emphasis on customer onboarding, user engagement, experimentation, data-driven decision-making, and process creation. If youre someone who thrives in building from scratch and can take ownership of growth strategy while navigating the challenges of a new product launch, this could be the perfect role for you.The salary for this position is 60,000 annually.You can work from anywhere in Europe.About the TeamWe are a global team of 130+ awesome people working from over 40 countries around the globe. We hire globally, you work locallyin the heart of London, a beach outside of Ro de Janeiro, or a quiet village near Florence, the choice is yours. Every few months we travel to meet up somewhere in the world and spend some quality time together. We place a huge amount of trust in our people, and we measure the outcomes rather than the work itself. Our values fuel our results.The RoleToggl Work is our latest addition to the Toggl suite of products, focusing on expense management, invoicing, budgeting, reporting, and workforce operations.As our Senior Product Marketing Manager, youll play a critical role in defining and executing our Go-to-Market (GTM) strategies, focussed on acquisition, onboarding, engagement, and retention.You will play a pivotal role in identifying target audiences, crafting compelling messaging, and executing strategic initiatives that position Toggl Work as the go-to solution.This role will have you owning key KPIs, collaborating cross-functionally, and continuously optimizing the customer journey to ensure measurable success. Experience with people operations tools is a strong plus.Your main responsibilities will be:Drive Go-to-Market strategies, owning KPI for acquisition, and co-owning the KPIs of onboarding, retention, and engagement with the Product Manager.Identify, target, and onboard high-value audiences to maximize user growth and engagement.Develop and refine onboarding processes and customer journeys to ensure seamless experiences.Collaborate with cross-functional teams (Product, Marketing, Sales) to co-own user retention and engagement metrics.Conduct market research, competitive analysis, and experimentation to optimize growth strategies.About YouWed love to hear from you if:You are a self-starter with the ability to take ownership of complex projects and drive them to completion.You have experience in customer success or user acquisition roles, particularly in a SaaS environment.You have experience in the people operations software industry or familiarity with people operations tools, which is a huge plus.You have a proven track record of creating and implementing successful GTM strategies that emphasize customer acquisition and retention.You are data-driven and comfortable creating and analysing KPIs to inform decision-making.You thrive in an environment where you can build processes from scratch and iterate on them quickly.You are excited about the challenge of launching a new product and have a strong understanding of the SaaS landscape.You are a generalist who can adapt to the evolving needs of an early-stage startup and do whatever it takes to reach the goal.BenefitsFreedom to choose when and how much you work - we only measure results24 days of paid time off a year, plus your local holidaysIn-person meetups for team-building (expenses covered)4-6 weeks paid sabbatical (depending on the tenure)Laptop budget up to 2,500 and it renews every 3 years2,000 budget to set up your home office, and additional 300 every year after 3 years of tenure3000 per year for co-working space membership and/or internet service at home4,000 per year contribution to use for training, workshops, and conferences2,000 per year contribution for any equipment or services to improve and/or maintain your physical and mental healthSupport for buying tools you need for doing your best work (even eyeglasses if you need a new pair) Related Jobs See more All Other Remote jobs

Time zones: ART (UTC -3), UTC -4, UTC -3, UTC -2, GMT (UTC +0), MSK (UTC +3), CEST (UTC +2), BST (UTC +1), GST (UTC +4)We are looking for experienced Senior Backend Engineers who bring unique skills to our team and help us shape the future of the time tracking industry.The salary for this position is 80,000 annually.You can work from anywhere in the world as long as your main location is between UTC-4 and UTC+4.About the TeamWe are a global team of 100+ awesome people working from over 40 countries around the globe. We hire globally, you work locallyin the heart of London, a beach outside of So Paulo, or a quiet village near Florence, the choice is yours. Every few months we travel to meet up somewhere in the world and spend some quality time together. We place a huge amount of trust in our people, and we measure the outcomes rather than the work itself. Our values fuel our results.The RoleAs a Senior Backend Engineer, you will be taking ownership of one or more domains of our product and will work closely with other Backend and Frontend engineers using cutting-edge open source frameworks to develop highly-available RESTful services and back-end systems.The main technologies you will be working with are Go, PostgreSQL and Google Cloud Infrastructure.Our team meetings are scheduled between 11:00 and 16:00 UTC. Your availability and commitment to participate in these sessions are essential for effective collaboration and team alignment.Your main responsibilities will be:developing, scaling and maintaining some of our backend services including the API, reports and other infrastructure services that manage our product and logistics worldwideworking with multiple teams day to day to bring more value to Toggls users, covering customer-facing web and native applications and public APIsdesigning, breaking down, and completing projects of a medium to large scope with high-level productivitylooking for technical problems of existing system/product without guidance and offering solutionsleading projects with a small group of people, such as hosting weekly meetings, communicating with other partners and stakeholdersAbout youWe would love to hear from you if you strive to solve technical problems of high scope and complexity and have long-standing experience programming in Go.In particular, we are looking for:Strong backend engineering experience in GoSignificant professional experience with distributed systems, PostgreSQL, and Google Cloud InfrastructureExperience with software engineering best practices (e.g. unit testing, code reviews, design documentation)Experience with performance and optimisation problems, particularly at large scale, and a demonstrated ability to both diagnose and prevent these problemsAbility to work cross-teams and improve cross-functional relationships which will facilitate ongoing projectsEffective communication skills, ensuring regular consensus with peers and clear status updates.Strong collaboration skills across the company to define, design, build, and improve the product.Experience with data warehouse, analytics systems, Kubernetes at scale, and system architecture at scale.Eagerness to contribute to the engineering team's growth, including interviewing and mentoring junior engineers, and providing precise, actionable feedback to peers.Proficiency in the English language, both written and verbal, is required for success in a remote and largely asynchronous work environmentBenefitsFreedom to choose when and how much you work - we only measure results24 days of paid time off a year, plus your local holidaysIn-person meetups for team-building (expenses covered)4-6 weeks paid sabbatical (depending on the tenure)Laptop budget up to 2,500 and it renews every 3 years2,000 budget to set up your home office, and additional 300 every year after 3 years of tenure250 per month for co-working space membership and/or internet service at home4,000 per year contribution to use for training, workshops, and conferences2,000 per year contribution for any equipment or services to improve and/or maintain your physical and mental healthSupport for buying tools you need for doing your best work (even eyeglasses if you need a new pair)

Want to work at Apple?

Project GROT Procedural Flesh | Overview

Project GROT Procedural Flesh | 03 | Polishing Visuals

More than 1,000 units already built at site on outskirts of cityCambridge University is looking at building 6,000 homes on the outskirts of the city double the 3,000 it had originally planned.In 2013, the university received planning permission to build up to 3,000 homes in Eddington, with half designated as keyworker homes for university staff and the remainder sold on the open market.Around 1,100 of the 1,800 homes planned as part of the first phase of the development have now been built along with a primary school.The university is hoping to double the amount of homes at the site in Eddington under a fresh masterplan drawn up by Hawkins BrownAt the councils joint development control committee meeting last week, Matt Johnson, head of development at the university, said it was nearing the 10-year expiry date for the original consent of the reserved matters planning application.As a result, the university must renew its previous planning consent and submit a new application.Architect Hawkins Brown has drawn up an updated masterplan for additional density on the site with the university saying it has capacity for more homes during the first phase of construction.Johnson also said that the university wants to make best use of land that is being released from the green belt.Asked why the university was considering doubling its development target for the site, Johnson said it was driven by the citys housing shortage and increased demand from staff for key worker housing.Developers Hill Group, Durkan and Latimer have all built homes as part of the first phase of the development.

Source: Hufton+CrowSource: Hufton+CrowSource: Hufton+CrowSource: Hufton+Crow1/4show captionHassell has completed the final phase of the Adam Smith Business School for the University of Glasgow, delivering a 11,500m2 facility that integrates teaching, research, and professional services.The Adam Smith Business School is named after the renowned economist and university alumnus. The new building provides a hub for postgraduate research and teaching, supporting the universitys goal of fostering interdisciplinary collaboration.Located within the Gilmorehill campus, the six-storey building is part of a broader redevelopment of the universitys West End location, andis the fourth major project in the universitys 1 billion campus redevelopment.Designed with a masonry faade that is intended to harmonise with its historic surroundings, Hassell has sought to balance modern interiors with a civic architectural presence. Its layout includes a central atrium that connects three distinct zones dedicated to research, teaching, and collaborative activities.John OMara, principal at Hassell, said: Embracing Adam Smiths legacy, the new school fosters industry-academic collaborations and propels research and innovation, amplifying the universitys role as a leading global business hub.Source: Hufton+CrowThe building is positioned as a gateway to the university and features two main entrances: one facing the city and the other the central campus. Internally, the buildings design prioritises interaction and accessibility, with light-filled, flexible spaces aimed at promoting informal engagement.The schools central Hothouse space facilitates industry events and student-led initiatives such as workshops and entrepreneurial activities.Professor Eleanor Shaw, head of the Adam Smith Business School, described the facility as a beautiful, light open space that offers many opportunities for delivering excellent learning experiences for our students and collaborative, welcoming offices, meeting rooms, and spaces for our staff and external partners.Project DataStart: October 2017Completion: December 2023Location: GlasgowScale: 12,500m2 GFA, 11,500m2 GIAClient: University of GlasgowServices provided by Hassell: Architecture and interior design

The Architects JournalQueen Elizabeth memorial competition to launch in coming weeksA competition to design a memorial to Queen Elizabeth II in St Jamess Park, central London, is due to launch in the coming weeksThe post Queen Elizabeth memorial competition to launch in coming weeks appeared first on The Architects JournalMerlin Fulcher