Uncategorized Archives - Page 62 of 159

How to spot malicious spam – Week in security with Tony Anscombe

As the risk of receiving a malware-laden email increases, take a moment to consider how to spot attacks involving malicious spam

The post How to spot malicious spam – Week in security with Tony Anscombe appeared first on WeLiveSecurity

June 17, 2022/by Advantage Computer Inc.

Uncategorized

How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security

Emotet malware is back with ferocious vigor, according to ESET telemetry in the first four months of 2022. Will it survive the ever-tightening controls on macro-enabled documents?

The post How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security appeared first on WeLiveSecurity

June 16, 2022/by Advantage Computer Inc.

Uncategorized

SBOM in Action: finding vulnerabilities with a Software Bill of Materials

Posted by Brandon Lum and Oliver Chang, Google Open Source Security Team

The past year has seen an industry-wide effort to embrace Software Bills of Materials (SBOMs)—a list of all the components, libraries, and modules that are required to build a piece of software. In the wake of the 2021 Executive Order on Cybersecurity, these ingredient labels for software became popular as a way to understand what’s in the software we all consume. The guiding idea is that it’s impossible to judge the risks of particular software without knowing all of its components—including those produced by others. This increased interest in SBOMs saw another boost after the National Institute of Standards and Technology (NIST) released its Secure Software Development Framework, which requires SBOM information to be available for software. But now that the industry is making progress on methods to generate and share SBOMs, what do we do with them?

Generating an SBOM is only one half of the story. Once an SBOM is available for a given piece of software, it needs to be mapped onto a list of known vulnerabilities to know which components could pose a threat. By connecting these two sources of information, consumers will know not just what’s in their software, but also its risks and whether they need to remediate any issues.

In this blog post, we demonstrate the process of taking an SBOM from a large and critical project—Kubernetes—and using an open source tool to identify the vulnerabilities it contains. Our example’s success shows that we don’t need to wait for SBOM generation to reach full maturity before we begin mapping SBOMs to common vulnerability databases. With just a few updates from SBOM creators to address current limitations in connecting the two sources of data, this process is poised to become easily within reach of the average software consumer.

OSV: Connecting SBOMs to vulnerabilities

The following example uses Kubernetes, a major project that makes its SBOM available using the Software Package Data Exchange (SPDX) format—an international open standard (ISO) for communicating SBOM information. The same idea should apply to any project that makes its SBOM available, and for projects that don’t, you can generate your own SBOM using the same bom tool Kubernetes created.

We have chosen to map the SBOM to the Open Source Vulnerabilities (OSV) database, which describes vulnerabilities in a format that was specifically designed to map to open source package versions or commit hashes. The OSV database excels here as it provides a standardized format and aggregates information across multiple ecosystems (e.g., Python, Golang, Rust) and databases (e.g., Github Advisory Database (GHSA), Global Security Database (GSD)).

To connect the SBOM to the database, we’ll use the SPDX spdx-to-osv tool. This open source tool takes in an SPDX SBOM document, queries the OSV database of vulnerabilities, and returns an enumeration of vulnerabilities present in the software’s declared components.
Example: Kubernetes’ SBOM

The first step is to download Kubernetes’ SBOM, which is publicly available and contains information on the project, dependencies, versions, and licenses. Anyone can download it with a simple curl command:

# Download the Kubernetes SPDX source document

$ curl -L https://sbom.k8s.io/v1.21.3/source > k8s-1.21.3-source.spdx

The next step is to use the SPDX spdx-to-osv tool to connect the Kubernetes’ SBOM to the OSV database:

# Run the spdx-to-osv tool, taking the information from the SPDX SBOM and mapping it to OSV vulnerabilities

$ java -jar ./target/spdx-to-osv-0.0.4-SNAPSHOT-jar-with-dependencies.jar -I k8s-1.21.3-source.spdx -O out-k8s.1.21.3.json

# Show the output OSV vulnerabilities of the spdx-to-osv tool

$ cat out-k8s.1.21.3.json

…

{

“id”: “GHSA-w73w-5m7g-f7qc”,

“published”: “2021-05-18T21:08:21Z”,

“modified”: “2021-06-28T21:32:34Z”,

“aliases”: [

“CVE-2020-26160”

“summary”: “Authorization bypass in github.com/dgrijalva/jwt-go”,

“details”: “jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m[\”aud\”] (which is allowed by the specification). Because the type assertion fails, \”\” is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to [golang-jwt](https://github.com/golang-jwt/jwt) at version 3.2.1″,

“affected”: [

{

“package”: {

“name”: “github.com/dgrijalva/jwt-go”,

“ecosystem”: “Go”,

“purl”: “pkg:golang/github.com/dgrijalva/jwt-go”

…

The output of the tool shows that v1.21.3 of Kubernetes contains the CVE-2020-26160 vulnerability. This information can be helpful to determine if any additional action is required to manage the risk of operating this software. For example, if an organization is using v1.21.3 of Kubernetes, measures can be taken to trigger company policy to update the deployment, which will protect the organization against attacks exploiting this vulnerability.

Suggestions for SBOM tooling improvements

To get the spdx-to-osv tool to work we had to make some minor changes to disambiguate the information provided in the SBOM:

In the current implementation of the bom tool, the version was included as part of the package name (gopkg.in/square/go-jose.v2@v2.2.2). We needed to trim the suffix to match the SPDX format, which has a different field for version number.

The SBOM created by the bom tool does not specify an ecosystem. Without an ecosystem, it’s impossible to reliably disambiguate which library or package is affected in an automated way. Vulnerability scanners could return false positives if one ecosystem was affected but not others. It would be more helpful if the SBOM differentiated between different library and package versions.

These are relatively minor hurdles, though, and we were able to successfully run the tool with only small manual adjustments. To make the process easier in the future, we have the following recommendation for improving SBOM generation tooling:

SBOM tooling creators should add a reference using an identification scheme such as Purl for all packages included in the software. This type of identification scheme both specifies the ecosystem and also makes package identification easier, since the scheme is more resilient to small deviations in package descriptors like the suffix example above. SPDX supports this via external references to Purl and other package identification schemas.

SBOM in the future

It’s clear that we’re getting very close to achieving the original goal of SBOMs: using them to help manage the risk of vulnerabilities in software. Our example queried the OSV database, but we will soon see the same success in mapping SBOM data to other vulnerability databases and even using them with new standards like VEX, which provides additional context around whether vulnerabilities in software have been mitigated.

Continuing on this path of widespread SBOM adoption and tooling refinement, we will hopefully soon be able to not only request and download SBOMs for every piece of software, but also use them to understand the vulnerabilities affecting any software we consume. This example is a peek into a possible future of what SBOMs can offer when we bridge the gap to connect them with vulnerability databases: a new normal of worrying less about the risks in the software we use.

A special thanks to Gary O’Neall of Source Auditor for creating the spdx-to-osv tool and contributing to this blog post.

June 14, 2022/by Advantage Computer Inc.

Uncategorized

Industroyer: A cyber‑weapon that brought down a power grid

Five years ago, ESET researchers released their analysis of the first ever malware that was designed specifically to attack power grids

The post Industroyer: A cyber‑weapon that brought down a power grid appeared first on WeLiveSecurity

June 13, 2022/by Advantage Computer Inc.

Uncategorized

3 takeaways from RSA Conference 2022 – Week in security with Tony Anscombe

Here are three themes that stood out at the world’s largest gathering of cybersecurity professionals

The post 3 takeaways from RSA Conference 2022 – Week in security with Tony Anscombe appeared first on WeLiveSecurity

June 10, 2022/by Advantage Computer Inc.

Uncategorized

RSA – APIs, your organization’s dedicated backdoors

API-based data transfer is so rapid, there’s but little time to stop very bad things happening quickly

The post RSA – APIs, your organization’s dedicated backdoors appeared first on WeLiveSecurity

June 10, 2022/by Advantage Computer Inc.

Uncategorized

RSA – Creepy real‑world edition

Digital fiddling somehow got mixed up in a real war

The post RSA – Creepy real‑world edition appeared first on WeLiveSecurity

June 9, 2022/by Advantage Computer Inc.

Uncategorized

RSA – Digital healthcare meets security, but does it really want to?

Technology is understandably viewed as a nuisance to be managed in pursuit of the health organizations’ primary mission

The post RSA – Digital healthcare meets security, but does it really want to? appeared first on WeLiveSecurity

June 8, 2022/by Advantage Computer Inc.

Uncategorized

RSA – Spot the real fake

How erring on the side of privacy might ultimately save you from chasing down a virtual rendition of you doing the bidding of a scammer

The post RSA – Spot the real fake appeared first on WeLiveSecurity

June 7, 2022/by Advantage Computer Inc.

Uncategorized

Cybersecurity awareness training: What is it and what works best?

Give employees the knowledge needed to spot the warning signs of a cyberattack and to understand when they may be putting sensitive data at risk

The post Cybersecurity awareness training: What is it and what works best? appeared first on WeLiveSecurity

June 7, 2022/by Advantage Computer Inc.

Testimonials

Zack is amazing! I have gone to him with computer issues for the past few years now and he always finds a way to fix things and at a reasonable price. This time I went to Advantage Computer Solutions to find a new laptop. I needed help because like most of us I had no… Read more “Amazing!”

Amanda Tolve

Cannot say enough good things about Zack Rahhal and his team. Professional, smart, sensitive to small biz budgets and a helluva good guy. Could not operate my small biz without them!

Karen Schloss

stars indeed. So reliable and helpful and kind and smart. We call Al and he is “on it” immediately and such a FABULOUS teacher, patient and terrific. So happy with Advantage Computer Solutions and Al and his AMAZINGLY WONDERFUL STAFF.

Nancy Alberga

I’ve been a customer of the staff at Advantage for many years now. They have never let me down! Whatever my need, however big or small my problem, they have been unfailingly helpful, friendly and professional. Services are performed promptly and effectively, and they are very fair with pricing, too. I am lucky to have… Read more “Whatever my need, unfailingly helpful”

Michael Lesher

I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens thousands of dollars they saved us over the years; they can be trusted to never scam anyone even though they would do so very easily. The turnaround time is also… Read more “Best Kept Secret”

Carlos Santos

I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after my appointment, and really resolved IT issues in my home office that had been plaguing me for years. I am so relieved to not have to think about this anymore!… Read more “Excellent Experience”

Sonya G

Simply The Best! Our company has been working with Advantage Computer Solutions for a few years, Zack and his Team are AWESOME! They are super reliable – whether it’s everyday maintenance or emergencies that may arise, The Advantage Team take care of us! Our team is grateful for their knowledgeable and professional services – a… Read more “Simply The Best!”

Kara Steible

Advanced Technology Search

The engineering team at Advantage Computers is the best in the business. They are nothing short of technical wizards.

Susannah Rubenstein

Al, Nasser and Zack have been keeping our operations going for over a decade, taking care of our regular upgrades and our emergency system problems. When we have an emergency, they make it their emergency. Its like having a cousin in the business.

lenny steinbach

Lucille Laundry - Monroe St Passaic NJ

In many cases, exceptional people do not receive recognition for their hard work and superior customer service. We do not want this to be one of those times. Zack Rahhal has been our hardware and technical consultant for our servers, Pc’s and other technical equipment since April 2004 and has provided valuable input and courteous service to… Read more “Exceptional People”

John Belly

Cambridge Paving Stones and Wall Systems, Inc

I became a customer about 6-7 months and I can say nothing but great things about this business. Zack takes care of me. I am an attorney and operate my own small firm. I have limited knowledge of computers. Zack is very patient in explaining things. He has offered practical and economical solutions to multiple… Read more “Highly Recommended”

Nick T.

West New York, NJ

THANK GOD for this local computer repair business who saved me hundreds, my hard drive was messed up, i called the company with warranty they said it would be $600, I went in they did a quick diagnostic, and based on his observations he gave me a step by step of the possible problems and… Read more “Life Savers”

Desirée A.

East Rutherford, NJ

I don’t have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen County and travel to Passaic County because of the trust I have in the competence and honesty of Advantage Computers. What a blessing to have such seasoned and caring professionals… Read more “I don’t have enough words to express my appreciation”

Amy Neustein

Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer companies had to keep coming back to fix things they “forgot” to do….) and are fairly priced. Zack is awesome, reliable, dependable, knowledgeable….everything you want in a computer solutions vendor.

Holly Kaplansky

Minuteman Press Newark

Knowledgeable, Reliable, Reasonable Working with Advantage Computers since 1997 for both personal and business tech support has been a rewarding and enjoyable experience. Rewarding, in that the staff is very knowledgeable, approaching needs and issues in a very straightforward, common sense manner, resulting in timely solutions and resolutions. Enjoyable, these guys are really friendly (not… Read more “Knowledgeable, Reliable, Reasonable”

Ben Rowner

MR Capital Group, Inc

Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for installation, set-up and for service. The response time is immediate and the staff is often able to provide help remotely. Very affordable and honest…. A++!!! Essex Surgical relies on Advantage… Read more “Excellent service!”

Trudy Holt

Essex Surgical

Advantage offers great advice and service I bought parts for my gaming pc online and they put it together in a day for a great price. They are very professional. I was very satisfied with their service. I am a newbie in terms of PC gaming so they gave me great advice on this new piece… Read more “Great Advice and Service”

Jose

Clifton NJ

Our company has been using the services of Advantage Computers since 2006. It was important to find a reliable company to provide us with the technical support both onsite and offsite. It was through a recommendation that we contacted Advantage to have them provide us with a quote to install a new server and update our… Read more “Great Service, Support and Sales”

John Mezzina

Synatech, Inc.

Our company has been working with Advantage since the 1990’s and have been a loyal client ever since. Advantage does not make it very difficult to be loyal as they offer services from the most intricate and personalized to the global scale. Our company has grown beyond its doors of a local office to National… Read more “Extremely Professional and Passionate”

Cherie Avinger

RCL Agencies, Inc. Clifton, NJ

Advantage Computer Solutions has handled all of our computer and IT needs for the past 2 years. The staff is always professional and the service is always prompt. When your computers are down or not working properly is affects all aspects of your business, it is wonderful to have such a reliable team on our… Read more “Handles all our Office IT”

Jennifer Raspanti

Optimum Orthopedics

Since 1996 the Housing Authority of the City of Passaic has been a client of Advantage Computer Solutions. Our Agency has utilized their outstanding services and expertise to solve our technologic problems and growth over the past eighteen years. We would like to personally thank them for proposing cost effective solutions while reducing labor-intense tasks… Read more “Passaic Housing Authority”

Michael S. O’Hara

Passaic Housing Authority

“When the computer I use to run my photography business started acting erratically and kept shutting down, I was in a panic. I depend on that computer to deliver final products to my clients. Fortunately, I brought my HP into Advantage for repair and in one day I had my computer back. Not only did… Read more “They made sure EVERYTHING was working”

Phil Cantor

Phil Cantor Photography

How to spot malicious spam – Week in security with Tony Anscombe

How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security

SBOM in Action: finding vulnerabilities with a Software Bill of Materials

Industroyer: A cyber‑weapon that brought down a power grid

3 takeaways from RSA Conference 2022 – Week in security with Tony Anscombe

RSA – APIs, your organization’s dedicated backdoors

RSA – Creepy real‑world edition

RSA – Digital healthcare meets security, but does it really want to?

RSA – Spot the real fake

Cybersecurity awareness training: What is it and what works best?

Easy Contact

Company

Services

Testimonials