Security Leftovers
-
iTWire - Optus breach: Labor pledge to update laws covering security
Federal Attorney-General Mark Dreyfus says the laws governing security have not kept pace with technology, adding that the government would work to update legislation to make it fit for purpose.
He told Channel 7's Sunrise program on Thursday: "We need everybody who has Australians' data to take care of it.
"We need to make sure that when there is a hack or data breach, that they immediately notify people that have been affected and notify financial institutions and banks and government so that we can take action and that banks and financial institutions can take action to keep people safe from the effects of the hack.
"So the laws haven't kept pace. The prime minister talked about this yesterday in the Parliament. We're going to make sure that our laws are brought up to date and work to protect Australians."
Optus revealed on 22 September it had suffered a massive data breach. The data that has been stolen includes Medicare details, drivers' licence data and also passport data. The government is insisting that the telco pay for replacement of these forms of ID where it is needed.
Regarding the Medicare data, the company said in a statement on Wednesday: "Of the 9.8 million customer records exposed, we have identified 14,900 valid Medicare ID numbers that have not expired.
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (chromium, lighttpd, and webkit2gtk), Fedora (firefox, gajim, libofx, and python-nbxmpp), Gentoo (bluez, chromium, expat, firefox, go, graphicsmagick, kitty, php, poppler, redis, thunderbird, and zutty), Oracle (firefox and thunderbird), Red Hat (kernel), Slackware (xorg), SUSE (expat, libostree, lighttpd, python3-lxml, rust1.62, slurm, slurm_18_08, and vsftpd), and Ubuntu (libxi, linux-gcp, postgresql-9.5, and sqlite3).
-
Geneva Declaration: international community unites to end spyware abuse - Access Now
It’s time to make a collective commitment to human rights, and stop the dangerous, unchecked, and proliferating use of spyware technology. Access Now, the Government of Catalonia, the private sector, and civil society from across the globe are demanding concerted global change to this uncontrolled industry through the Geneva Declaration on Targeted Surveillance and Human Rights.
“Digital technologies have the power to advance human rights. Surveillance technology does the opposite — it robs people and communities of privacy, agency, and freedom,” said Laura O’Brien, Senior UN Advocacy Officer at Access Now. “We must put an end to the deployment of these treacherous tools, and demand the immediate moratorium on the export, sale, transfer, servicing of, and use of digital surveillance tech. Collectively, we must uphold the Geneva Declaration on Targeted Surveillance and Human Rights.”
Members of the international community are calling for an end to the proliferation of surveillance technologies used to target individuals and communities engaging in protected activities, such as exercising their right to protest. They are also pressuring governments, in coordination with civil society and the private sector, to implement a moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies, until rigorous human rights safeguards are put in place to regulate such practices.
-
Statement on the fatal flaws found in a defunct CIA covert communications system - The Citizen Lab
In 2018, Jenna McLaughlin and Zach Dorfman of Yahoo News reported that a system used by the CIA to covertly communicate with its assets around the world had been compromised by Iran and China around 2011. The compromise reportedly led to the death of “more than two dozen sources” in China in 2011 and 2012, and also reportedly led Iran to execute some CIA assets and imprison others.
Because the network was used by CIA assets around the world, the compromise also reportedly enabled Iran and China to track espionage activities outside of their borders, related to other countries.
While relevant oversight bodies reportedly performed an investigation into the as-yet-unreported compromise in 2013, Yahoo News reported that those responsible for the intelligence failures were never held accountable: “One of the central concerns among those familiar with the scope of the breakdown is the institutions responsible for it were never held accountable.”
-
New malware backdoors VMware ESXi servers to hijack virtual machines
A modified trust level alone is not enough for an ESXi system to accept the VIBs by default, so the attacker also used the '--force' flag to install the malicious VIBs.
-
Differences in App Security/Privacy Based on Country - Schneier on Security
Depending on where you are when you download your Android apps, it might collect more or less data about you.
-
The same app can pose a bigger security and privacy threat depending on the country where you download it, study finds
Google and Apple have removed hundreds of apps from their app stores at the request of governments around the world, creating regional disparities in access to mobile apps at a time when many economies are becoming increasingly dependent on them.
The mobile phone giants have removed over 200 Chinese apps, including widely downloaded apps like TikTok, at the Indian government’s request in recent years. Similarly, the companies removed LinkedIn, an essential app for professional networking, from Russian app stores at the Russian government’s request.
-
Rust is eating into our systems, and it's a good thing • The Register
C++ first appeared in commercial form in 1985, the year the Nintendo Entertainment System hit the US. A generation of systems programmers have gone from hip young codeslingers to senior management, and they can say truthfully that the fundamental underpinning of IT has been successfully built in the older way. Everything Rust can do, the current C++ can do too; it's even insulting to suggest that programmers need the extra help.
-
CISA Publishes User Guide to Prepare for Nov. 1 Move to TLP 2.0
Managed by the Forum of Incident Response and Security Teams (FIRST), TLP is a system of markings that communicates information sharing permissions. According to FIRST, the purpose of TLP is "to facilitate greater sharing of potentially sensitive information and more effective collaboration." Note: Unlike formal classification systems, TLP is not legally binding.
-
CISA Releases Six Industrial Control Systems Advisories | CISA
CISA has released six (6) Industrial Control Systems (ICS) advisories on September 29, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
-
New Chaos Malware Targets Windows and Linux Devices | Decipher
A threat actor possibly based in China is deploying a new multiplatform piece of malware named Chaos that is infecting SOHO routers, brute-forcing SSH passwords, using known vulnerabilities to propagate, and launching DDoS attacks against a variety of targets.
-
Chaos Malware Targets Home Routers with DDoS Attacks
Additionally, he notes, the recent shift to remote work has made home routers and other devices outside corporate networks particularly attractive targets for attackers.