Security Leftovers
-
Serious New IBM i Vulns Exposed by Silent Signal – More On the Way
Two new vulnerabilities in core components of the IBM i operating system were disclosed by IBM last week, including one that impacts Performance Tools and another in Facsimile Support for i. Both vulnerabilities were discovered by Silent Signal, the Hungarian firm that discovered the recent DDM vulnerability, and both are considered high-risk flaws that should be patched immediately.
-
Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios
The TETRA standard is used in radios worldwide. Security researchers have found multiple vulnerabilities in the underlying cryptography and its implementation, including issues that allow for the decryption of traffic.
-
Security updates for Monday [LWN.net]
Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk).
-
Zenbleed: an AMD Zen 2 speculative vulnerability
Tavis Ormandy reports on a vulnerability that he has found in "all Zen 2 class processors" from AMD. (Wayback Machine link as the original site is overloaded.) It can allow local attackers to recover data used in string operations; "If you remove the first word from the string 'hello world', what should the result be? This is the story of how we discovered that the answer could be your root password!" The report has lots of details, including an exploit; AMD has released a microcode update to address the problem.
-
Stable kernels to address Zenbleed released
Greg Kroah-Hartman has released six new stable kernels to address the Zenbleed vulnerability for AMD processors: 6.4.6, 6.1.41, 5.15.122, 5.10.187, 5.4.250, and 4.19.289.
-
Company Bought by Experian Needn’t Report Pre-Sale Data Breach
Court Ventures Inc. properly beat a suit alleging it failed to notify victims of a security breach that it became aware of only after its sale to Experian Data Corp., a California appellate court ruled.
Former owners of computerized data containing personal information aren’t required to provide notice of a breach under the California Consumer Records Act, Justice Thomas A. Delaney of the California Court of Appeals said Friday.
-
Law Firm Hack Affects Victims of an Earlier Breach Again
A global law firm is notifying nearly 153,000 individuals of a hacking incident that compromised several client files. The files contained sensitive personal information, and the incident affects vision care patients who had been victims of a breach three years ago.
Orrick, Herrington & Sutcliffe on July 20 reported the data breach to several state regulators, including the attorneys general of Maine and California, as well as a HIPAA breach to the U.S. Department of Health and Human Services.
-
Umbreon Unplugged: Unraveling the Sequel to Failures
On June 23, DataBreaches published the first of a series of interviews with Pepijn Van der Stap, aka “Umbreon.” Van der Stap, 21, was arrested in January and remains in detention, awaiting trial on charges that include hacking, data exfiltration, extortion, sale of stolen data, and money laundering.
-
More plastic surgery patients have their nude photos and information leaked
An unknown party or parties who created a leak site with nude photos and medical records of a well-known plastic surgeon’s patients have uploaded more of his patients’ photos and records.
In what was their third update to the leak site since June 5, those responsible wrote that they have changed their strategy. Before publishing any more of Dr. Gary Motykie’s patients’ data, the patients will reportedly be given a chance to pay $2500 to get their data deleted and not made public.
They also note that the price for closing the website and deleting all data is $800 000, which they claim is “4-5 months of Gary’s clinic work.” In an email to DataBreaches, they claim that they did not — and do not — lock targets’ systems. The price is for deleting data that they exfiltrated.
-
Pointed to a phishing campaign targeting the healthcare sector, Microsoft leaps into action to … not even investigate?!
Within minutes, we received an email receipt from Microsoft.
Less than 1 minute later, we received an email that the case had been closed because they couldn’t validate it so no action was taken.
Seriously, Microsoft? Did anyone actually READ the report I submitted, or did you just have some AI determination that what I filled in for time of incident or something could not be verified?
Are you seriously interested in stopping abuse, Microsoft? If so, why didn’t you provide a phone number to call or a way to reach back out to make sure that you looked at the report and took action or directed it to the proper recipient?
DataBreaches also sent an email to an FBI agent and someone at HHS who are both involved in cybercrime issues to alert them to the situation. Maybe they’ll have better luck with Microsoft getting the blob taken down and the blob owner confirmed and investigated.
If anyone has a contact at Microsoft, the case number was SIR15482152. MSFT can call me at the phone number provided or the one listed on this website if they need additional details beyond what I provided in the notes or narrative with the URL.
-
Ministries hit by cyber-attacks
The Norwegian Government Security and Service Organisation (DSS) has detected a cyber-attack on the ICT platform used by 12 ministries. The matter is currently being investigated by the police.
“We are taking this incident very seriously. The Norwegian Government Security and Service Organisation (DSS) is cooperating closely with the National Security Authority (NSM) and the police. They have implemented a number of measures in response to the attack, and we are following the situation very closely,” says Minister of Local Government and Regional Development Sigbjørn Gjelsvik.
The Minister of Local Government and Regional Development will brief the Storting’s Extended Foreign Affairs and Defence Committee (DUUFK) on the matter.