Security Leftovers
-
Terramaster NAS’s eye-opening CVE
This is hauntingly similar to how I got into a photocopier/print server in my high school library in the mid-2000s. I couldn't believe the password was delivered to the endpoint for local comparison. It also delightfully dropped every non-alphanumeric character, and translated every letter into lowercase before evaluation, just to remove some more entropy.
(I disclosed the issues, because I'm a square!)
-
Digging into Google’s point of view on confidential computing [Ed: Well, "confidential computing" is a scam designed to lure companies and governments into being spied on, based on false beliefs about "clown computing"]
Confidential computing is a technology that aims to enhance data privacy and security by providing encrypted computation on sensitive data and isolating data from apps and other host resources in a fenced off enclave during processing.
-
Reddit confirms the [breach], says no harm to users
Reddit has acknowledged a recent cyberattack that resulted in the theft of sensitive company information. The company referred to the breach in a security alert as a "sophisticated and highly-targeted phishing attack". Reddit stated that it does not believe the breach impacted its users. A spokesperson from Reddit said that the company is "actively investigating and closely monitoring the situation."
-
Hackers interrupt Iran president's TV speech on anniversary of revolution
The Islamic Republic marked the 44th anniversary of the Iranian revolution on Saturday with state-organized rallies, as anti-government hackers briefly interrupted a televised speech by President Ebrahim Raisi.
-
And two more class action settlements….
In August 2021, DataBreaches noted reports that Electromed had been hacked, and the incident affected employees and customers. Electromed later reported the incident to HHS as impacting 47,200 patients. According to subsequent disclosures, this was a ransomware incident that Electromed had discovered in June. In September 2021, a potential class action lawsuit was filed against the Minnesota firm.
Top Class Actions reports that Electromed settled the lawsuit for $825,000 without admitting wrongdoing or liability. The case is Lutz, et al. v. Electromed Inc., Case No. 0:21-cv-02198-KMM-DTS, in the U.S. District Court for the District of Minnesota.
-
Cop and telecoms staffer charged in data breach case
A police sergeant who was suspended from the RCIPS last year and a former employee of a local telecommunications company have both been summoned to appear in court next week in relation to a data breach investigated by the Office of the Ombudsman (OMB), the RCIPS has confirmed. The former telecoms worker is alleged to have unlawfully shared a customer’s phone number with the sergeant, who is accused of using it for personal reasons. The officer has been charged with misconduct in public office and unlawfully obtaining personal data. The telecom worker faces one count of unlawfully disclosing personal data.
-
Technion University hacked and locked; previously unknown attackers demand 80 BTC
A spokesperson for the institution confirmed the attack to Ynet, who reports that despite the cyber attack, exams at the Technion are taking place today as usual. However, the students were asked to disconnect their personal computers from the network and reduce email traffic until further notice. In an email to DataBreaches, however, Dasa reports that all exams have since been canceled for the 13th and 14th.