Security Leftovers
-
GitHub patches bug that could allow access to another user’s repo
If a malicious actor created an account using the previous account name of another user, they were able to link the old repository URL to their account, gaining access to code and other content in the process.
In addition, and compounding the problem, the default redirect was disabled, so if an attack was successful then all existing traffic was immediately routed to the attacker's malicious GitHub repository.
-
CLDAP Reflectors on the Rise Despite Best Practice [iophk: Windows TCO]
One of the most common UDP services in these multi-vector attacks is the Connectionless Lightweight Directory Access Protocol (CLDAP). With a high Bandwidth Amplification Factor (BAF) of 56 to 70x and common deployment onto systems provisioned with healthy bandwidth, CLDAP reflectors reliably add traffic volume to the DDoS recipe. Hopefully, the internet community can eventually clean up these exposed services. In the meantime, we can analyze and report on the span of open CLDAP reflectors on the internet today, as well as some of our findings related to the strategy and tactics behind their use in DDoS attacks.
-
iTWire - Vic polls reason for licence issue as Optus kicks can down the road
The state of Victoria will go to the polls on 26 November. Given that, it is easy to understand why the state's transport authority, VicRoads, has jumped ahead of the pack in saying it will issue new licences to those whose documents were compromised in the disastrous Singtel Optus data breach.
This argument is bolstered by the fact that Optus, in a manner that even Ebenezer Scrooge would struggle to emulate, has made no statement about when and how it will pay for credentials which have been compromised due to the company's errors.
A VicRoads statement says the state government will seek reimbursement from Optus. Good luck with that!
The degree of care that Optus has shown towards victims of this breach can be gauged by the fact that its last statement about the disaster was on 17 October. Two weeks on, the company is keeping its head low, in the hope that it can kick the can down the road in the best Google style.
-
iTWire - VicRoads says issuing new licences for Optus data breach victims
Victorian transport authority VicRoads says it will issue new driving licences to 342,000 people in the state who were affected by the massive data breach at telco Singtel Optus.
However, it does not appear that Optus has yet given a formal guarantee to pay for these licences. The company has also not paid a single cent towards replacement of passports that were compromised in the attack.
VicRoads said in a statement "The Victorian Government will continue to seek reimbursement of costs from Optus for the replacement of more than one million licences of Victorians impacted by the largest data breach in Australian history."
The statement said 942,000 Victorian licence holders had their details compromised due to the breach.
-
OpenSSL Warns of New Critical Security Vulnerability - Cyber Kendra
On October 25, the OpenSSL Project Team announced the forthcoming release of OpenSSL version 3.0.7. The team hasn't shared many details but does mention that the update comes on November 1 and will include a patch for a new critical CVE.
This is one of the important and critical updates, as the OpenSSL Project announced a “critical” vulnerability in versions 3.0 and above of the vastly popular cryptographic library for encrypting communications on the Internet.
-
Chrome issues urgent zero-day fix - update now! - Naked Security
Google pushed out a bunch of security fixes for the Chrome and Chromium browser code earlier this week…
…only to receive a vulnerability report from researchers at cybersecurity company Avast on the very same day.