Security Leftovers
-
EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cybersecurity
EFF welcomes the intention of the legislation, but the proposed law will penalize open source developers who receive any amount of monetary compensation for their work. It will also require manufacturers to report actively exploited, unpatched vulnerabilities to regulators. This requirement risks exposing the knowledge and exploitation of those vulnerabilities to a larger audience, furthering the harms this legislation is intended to mitigate.
Open source software serves as the backbone of the modern internet. Contributions from developers working on open source projects such as Linux and Apache, to name just two, are freely used and incorporated into products distributed to billions of people worldwide. This is only possible through revenue streams which reward developers for their work, including individual donations, foundation grants, and sponsorships. This ecosystem of development and funding is an integral part of the functioning and securing of today’s software-driven world.
The CRA imposes liabilities for commercial activity which brings vulnerable products to market. Though recital 10 of the proposed law exempts not-for-profit open source contributors from what is considered “commercial activity” and thus liability, the exemption defines commercial activity much too broadly. Any open source developer soliciting donations or charging for support services for their software is not exempted and thus liable for damages if their product inadvertently contains a vulnerability which is then incorporated into a product, even if they themselves did not produce that product. Typically, open source contributors and developers write software and make it available as an act of goodwill and gratitude to others who have done the same. This would pose a risk to such developers if they receive even a tip for their work. Smaller organizations which produce open source code to the public benefit may have their entire operation legally challenged simply for lacking funds to cover their risks. This will push developers and organizations to abandon these projects altogether, damaging open source as a whole.
-
Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
The data breach, which occurred between February 26 and March 7, impacted both current and former members of certain state Medicaid and Children’s Health Insurance Programs, the company says in the notification letter, a copy of which was submitted to the Maine Attorney General’s Office.
During the incident, an unauthorized party accessed multiple systems within MCNA’s network, infected them with malware, and stole personal information stored on them.
-
Worst cyberattack in Greece disrupts high school exams, causes political spat
It said the distributed denial of service, or DDoS, attacks aimed at overwhelming the platform occurred for a second consecutive day Tuesday. The attack involved computers from 114 countries, causing outages and delays in high school exams but failing to incapacitate the system, the ministry said.
-
Brute-Forcing a Fingerprint Reader
Depending on the model, the attack takes between 40 minutes and 14 hours.
-
Discord Admins Hacked by Malicious Bookmarks
A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious JavaScript code disguised as a Web browser bookmark.