Security Leftovers
-
Device OAuth Flow is Phishable
Device Authorization enables a second device to bestow access with a user's active consent. In short, the device can present a one-time passcode (OTP) to the user, and they can transcribe that into an authorization web page or app on their phone or computer. After authorizing the device, it then appears logged in and can perform its functions with the user's preferences.
One problem: transcribing device codes is phishable, and it trains users to think this is a safe activity. Device auth codes effectively bypass unphishable two-factor security.
-
LibreSSL 3.7.0 Released
A new development release of LibreSSL is out, and should be arriving on a mirror near you shortly.
-
Security updates for Tuesday [LWN.net]
Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim).
-
IL: Knox College president addresses ransomware incident as notorious group claims credit [iophk: Windows TCO]
Hive Ransomware Group, an FBI-identified criminal organization, has appeared to claim credit for ongoing “disruptions” to Knox College’s computer systems.
-
Knox College president addresses ransomware incident as notorious group claims credit [iophk: Windows TCO]
Hive Ransomware Group, an FBI-identified criminal organization, has claimed credit for ongoing "disruptions" to Knox College’s computer systems.
In an email sent to a number of Knox students on Wednesday, a group claiming to be Hive says it has encrypted “critical infrastructure and data,” compromised the college’s backup servers and mined sensitive personal information like medical records and social security numbers.