Security Leftovers
-
Git 2.40.1 & Other Updates Address Three High-Impact Security Vulnerabilities
Git 2.40.1 has been released to address three newly disclosed security vulnerabilities, which the National Vulnerability Database (NVD) has classified as "high-severity" because of their high confidentiality, integrity and availability impact, their low attack complexity, and the fact that no privileges are required to exploit them. Because of these security fixes, updates for the prior stable Git series are also available: v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, and v2.30.9.
-
Password converted to 64-byte hash
I posted yesterday about fscrypt v2:
https://bkhome.org/news/202304/preliminary-support-for-fscrypt-v2.html
There is a security concern, as the password the user types in at bootup is used to create the encrypted folders. Quoting from here:
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html
Master keys must be real cryptographic keys, i.e. indistinguishable from random bytestrings of the same length. This implies that users must not directly use a password as a master key, zero-pad a shorter key, or repeat a shorter key. Security cannot be guaranteed if userspace makes any such error, as the cryptographic proofs and analysis would no longer apply.
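The rule quoted above is what the "64-byte hash" in the headline is about: the bytes handed to the kernel must be the output of a key derivation function, not the password itself. The following is an added example (not code from the bkhome post, the fscrypt tool, or the kernel) showing the wrong form the docs warn against next to a salted derivation, plus a cheap sanity check for the listed mistakes. The choice of scrypt from the Python standard library, the cost parameters, and the 16-byte salt size are assumptions; the kernel documentation only requires a proper KDF with a salt.

```python
import hashlib
import os

KEY_SIZE = 64      # FSCRYPT_MAX_KEY_SIZE: the largest raw master key fscrypt v2 accepts
SALT_SIZE = 16     # assumed salt length; the salt is stored beside the metadata, not secret

# scrypt cost parameters (assumed for the example; raise N on a real system)
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def naive_master_key(password: str) -> bytes:
    """The mistake the kernel documentation warns against: the typed password,
    truncated or zero-padded to 64 bytes, used directly as the master key."""
    return password.encode("utf-8")[:KEY_SIZE].ljust(KEY_SIZE, b"\x00")


def new_salt() -> bytes:
    """Fresh random salt; persist it alongside the encrypted directory's metadata."""
    return os.urandom(SALT_SIZE)


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 64-byte key with scrypt, a memory-hard KDF.
    The output is pseudorandom, so it meets the 'real cryptographic key' rule."""
    if len(salt) < SALT_SIZE:
        raise ValueError("salt too short")
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        maxmem=64 * 1024 * 1024,
        dklen=KEY_SIZE,
    )


def master_key_problems(key: bytes) -> list:
    """Cheap checks for the specific errors the fscrypt docs list.
    Passing does not prove the key is random; failing proves it is not."""
    problems = []
    if len(key) != KEY_SIZE:
        problems.append("wrong length")
        return problems
    if key.endswith(b"\x00" * 8):
        problems.append("zero-padded")
    for n in (1, 2, 4, 8, 16, 32):          # a shorter key repeated to fill 64 bytes
        if key == key[:n] * (KEY_SIZE // n):
            problems.append("repeated shorter key")
            break
    if all(32 <= b < 127 for b in key):      # a 64-byte random key is never all printable
        problems.append("printable text, probably the password itself")
    return problems


if __name__ == "__main__":
    salt = new_salt()
    print("naive:  ", master_key_problems(naive_master_key("hunter2")))
    print("derived:", master_key_problems(derive_master_key("hunter2", salt)))
```

The 64 bytes returned by `derive_master_key` are what a userspace tool would install with the v2 `FS_IOC_ADD_ENCRYPTION_KEY` ioctl; the salt must be kept so the same key can be re-derived at the next boot, and a different salt per user or per protector keeps identical passwords from yielding identical keys.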
-
Two ransomware groups list Albany ENT & Allergy Services on their leak sites
BianLian often uses the asterisk system before they actually name the victim and leak data.
-
Stronger cybersecurity, reducing cyber incidents, greater EU ‘strategic autonomy’? Three interesting features of the proposed EU Cyber Solidarity Act
On April 18, 2023, the European Commission published its proposal for an EU Cyber Solidarity Act (“CSA”). It aims to strengthen incident detection, situational awareness, and response capabilities, and to ensure that entities providing services critical for day-to-day life can access expert support to manage their cyber risk and respond to incidents. Specifically, the CSA aims to promote information sharing about cyber incidents and vulnerabilities, to help improve the cyber resilience of critical entities, and to create an EU-wide resource for incident management.
The CSA adds another layer to the increasingly crowded landscape of EU cybersecurity laws. The proposed law would interact with the revised Network and Information Security Directive ("NIS2") and with certifications issued under the Cybersecurity Act. Private companies in specific sectors will also have to consider potential overlap with the forthcoming Cyber Resilience Act and the financial services-focused Digital Operational Resilience Act.
-
WRDSB retirees say they felt left in the dark after data compromised in cyberattack
In the wake of a cyberattack at the Waterloo Region District School Board (WRDSB) this past summer, some of the people impacted are raising questions about how it was handled.
The data accessed by hackers included details about employees dating back to 1970.
But some of those former employees say getting information about what happened, along with their risks, was difficult.
-
Emmanuel College working to recover from attack that claims faculty and student data stolen
Emmanuel College in Boston appears to have become a victim of Avos Locker. The college was added to the threat actor’s leak site yesterday, with a note saying,
-
United HealthCare reports data breach that may have revealed customers' personal information
United HealthCare made customers aware of a data breach on Friday, which temporarily allowed access to personal information for those enrolled in the company's healthcare plans.
According to a statement, "suspicious activity" was noticed on the UHC mobile application "that may have led to the disclosure of member information."
The company says that the breach happened between February 19 and February 25, and it was determined on April 10 that some member information was impacted.
They believe that information including members' first and last names, health insurance member identification numbers, dates of birth, addresses, dates of service, provider names, claim information and group name and number may have been available.
-
Some 'sensitive information' potentially compromised: Diocese of Las Vegas reports cybersecurity breach
The Diocese of Las Vegas on Friday announced a cybersecurity breach that potentially compromised "sensitive information of its volunteers, parishioners, donors and other stakeholders," a news release states.
A spokesperson noted there was "no indication that personal information has been misused," but said the Diocese would notify those who may have been impacted.
-
Amnesty International Australia Suffered a Data Breach in December, but Says Everything is Now Fine
On late Friday, Amnesty International Australia sent an email to supporters informing them their data may be at risk due to “anomalous activity” detected in its IT environment.
While the email went out very late in the day/week, it also went out a very long time after the activity was found. The email, sighted by Gizmodo Australia, says the activity was detected late last year.