Security Leftovers (UPDATED)
-
Security updates for Wednesday [LWN.net]
Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).
-
TOTP authentication with free software
One-time passwords (OTPs) are increasingly used as a defense against phishing and other password-stealing attacks, usually as a part of a two-factor authentication process. Perhaps the most commonly used technique is sending a numeric code to a phone via SMS, but SMS OTPs have security problems of their own. An alternative is to use time-based one-time passwords (TOTPs). The normal TOTP situation is to have all of the data locked into a proprietary phone app, but it need not be that way.
The TOTP approach is simple enough; it starts with a secret shared between the client and server sides. The algorithm used to generate an OTP starts by looking at the current time, usually quantized to a 30-second interval. That time is combined with the secret, hashed, and used to generate a six-digit code that is used as the password. Both the client and server sides will generate a code at authentication time; if the client can provide the same code that the server calculates, then authentication succeeds. The code can only be used once and, in any case, is only valid for a short period.
-
Nunn announces bipartisan plan to prevent school cyberattacks
Third District Congressman Zach Nunn is supporting federal legislation aimed at preventing school cyberattacks like the one that canceled classes for Des Moines students for two days earlier this year.
The measure would make federal officials available to advise school districts on ways to improve network security and respond to hacking attempts. Nunn described it as a 911 call center for school cyberattacks. The bill would also create a voluntary registry to gather information about attacks happening nationwide.
-
Jackson school gives update on November cyberattack
The November ransomware attack forced Jackson and Hillsdale schools to shut down for days.
At the time, details were limited, but now officials say the ones behind the attacks were international, adding it was a Jackson technician that first discovered something wasn’t right. […]
With the investigation now complete, officials believe the international group known as the ‘Hive’ found a window into the network and looked for personal information to sell on the dark web.
-
NIST to Finalize Special Publication (SP) 800-66 Revision 2 and Collaborate on Resources for Small, Regulated Entities
-
How to fix You can’t access this shared folder because your organization’s security policies block unauthenticated guest access error on Windows 11 [Ed: Microsoft Windows is a joke of a system]
-
Sen. Warner: AI firms should put security at the center of their work
The top Democrat on the Senate Intelligence Committee wants answers to questions ranging from supply chain security to privacy.
-
Microsoft removes LSA Protection from Windows settings to fix bug [Ed: Microsoft itself is a bug and Windows is bugging its users for Microsoft]
Microsoft has fixed a known issue triggering Windows Security warnings that Local Security Authority (LSA) Protection is off by removing the feature's UI from settings.
-
Event Wrap: PITA Working Group Meeting on Cybersecurity and Protection Initiatives
Adli Wahid shares ways the Internet community can collaborate on cybersecurity at the PITA Working Group Meeting on Cybersecurity and Protection Initiatives, held online on 6 April 2023.
UPDATE
Some more stories: