Security Leftovers
-
APRA takes action against Medibank over October ransomware attack
“Since launching the 2020-2024 Cyber Security Strategy, APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures.
“Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management,” Smith said.
In response, Medibank said in a note sent to the ASX that it had sufficient capital to meet the increase.
It said after application of this requirement the company would remain well capitalised with unallocated capital remaining at 30 June 2022 levels: $148 million. Given this, the company said it would not reduce its target health insurance required capital ratio.
Medibank chief executive David Koczkar said: “Safeguarding customer data is a responsibility Medibank takes very seriously.
“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further. Our company remains strong and well capitalised.
“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and well-being support, identity protection and financial hardship measures.”
-
The Importance of Malware Triage, (Tue, Jun 27th)
When dealing with malware analysis, you like to get "fresh meat". Just for hunting purposes or when investigating incidents in your organization, it's essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don't need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don't have time to analyze all samples!
-
Security updates for Tuesday [LWN.net]
Security updates have been issued by Debian (c-ares and libx11), Fedora (chromium and kubernetes), Red Hat (python3 and python38:3.8, python38-devel:3.8), and SUSE (amazon-ssm-agent, kernel, kubernetes1.24, libvirt, nodejs16, openssl-1_1, and webkit2gtk3).
-
LetMeSpy, a phone tracking app spying on thousands, says it was hacked
A hacker has stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware.
The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”
-
American and Southwest Airlines pilot data breached in hack of third-party provider
Pilot data relating to American Airlines Group Inc. and Southwest Airlines Co. has been breached following the hack of a third-party provider of pilot applications and recruitment. The breach involved the compromise of a company called Pilot Credentials between April 30 and May 1, with the airlines informed on May 3.
-
Excel Data Forensics
This detailed article about academic plagiarism includes some interesting details on how to do data forensics on Excel files. The graphics are needed to follow the analysis, so see the description at the link.
(And, yes, an author of a paper on dishonesty is being accused of dishonesty. There's more evidence.)
-
Warning: JavaScript registry npm vulnerable to 'manifest confusion' abuse
"The issue at hand is that the version metadata (a.k.a. 'manifest data') is submitted independent from the attached tarball which houses the package's package.json," he explains. "These two pieces of information are never validated against one another and [this] calls into question which one should be the canonical source of truth for data such as dependencies, scripts, license, and more."
-
What if your Pods need to trust self-signed certificates?
Why? Because whilst the data may be encrypted using a TLS certificate, there is no verification - so you could be using a TLS certificate that is compromised or that was injected into the data path by an attacker.
So the usual answer for this on a Linux system is to download the trust bundle for the certificate, add it to a set folder, and run a command to install it.
-
Whose certificate is it anyway?
This is the third blog post on the topic of the centralization of the Internet. The first post discussed the diversity of authoritative name servers, and the second post discussed the diversity of MX records.
-
Two major energy corporations added to growing MOVEit victim list
Since the Russian-speaking CL0P began publicizing its victims, state and local governments appear to have been heavily affected by the campaign, as at least seven have been hit, including the nation’s largest public-employee pension fund, the California Public Employees’ Retirement System. Over the weekend, around 45,000 New York City public school students had their personal data stolen, including information such as Social Security numbers, StateScoop reported.