Security Leftovers
-
Reproducible Builds: Supporter spotlight: Simon Butler on business adoption of Reproducible Builds
The Reproducible Builds project relies on several projects, supporters and sponsors for financial support, but they are also valued as ambassadors who spread the word about our project and the work that we do.
-
Microsoft says no plan to clarify issues around Azure breach
The three blog posts which the company issued about the breach — the last was on 14 July — have been criticised as being obfuscatory and not levelling with users.
The email account of US Commerce Secretary Gina Raimondo was among a slew of accounts breached at both the State and Commerce Departments by the attackers, who are claimed to be from China.
Critics of Microsoft's reaction to the intrusion include Democrat Senator Ron Wyden of Oregon, who last Friday asked the Federal Trade Commission, the Department of Justice and the Cybersecurity and Infrastructure Security Agency to hold Microsoft responsible for its "negligent cyber-security practices, which enabled a successful Chinese espionage campaign against the US Government".
-
New SEC Rules around Cybersecurity Incident Disclosures
The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules:
- Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk.
- Public companies must “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats” in their annual filings.
The rules go into effect this December.
In an email newsletter, Melissa Hathaway wrote:...
-
Summary of DNS over HTTPS requests against our honeypots (Tue, Aug 1st)
-
Iran-Run ISP ‘Cloudzy’ Caught Supporting Nation-State APTs, Cybercrime Hacking Groups
Researchers unmask an Iranian-run company providing command-and-control services to hacking groups, including state-sponsored APT actors.
-
Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack
A new power side-channel attack named Collide+Power can allow an attacker to obtain sensitive information and it works against nearly any modern CPU.
-
bcrypt at 25: A retrospective on password security
Guest Post: Examining the history of password security and how it's shaping the future.
-
Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks
Ivanti EPMM customers have been warned of CVE-2023-35081, a second zero-day vulnerability that has been exploited in targeted attacks.
-
Have you been compromised?
Imagine the scenario… A nation state recruits an asset / spy at age 18.
-
Update for QSB-090: Zenbleed (CVE-2023-20593, XSA-433)
We have updated Qubes Security Bulletin 090: Zenbleed (CVE-2023-20593, XSA-433). The text of this updated QSB (including a changelog) and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.
-
XSAs released on 2023-08-01
The Xen Project has released one or more Xen security advisories (XSAs).