Security Leftovers
-
CISA Calls Urgent Attention to UEFI Attack Surfaces - SecurityWeek
The US government's cybersecurity agency describes UEFI as a "critical attack surface" that requires urgent security attention.
[...]
“UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky.
Noting that UEFI code represents a compilation of several components (security and platform initializers, drivers, bootloaders, power management interface, etc.), the agency warned that security defects expose computer systems to stealthy attacks that maintain persistence.
-
A Call to Action: Bolster UEFI Cybersecurity Now
Attackers have a clear value proposition for targeting UEFI software. UEFI is a compilation of several components (security and platform initializers, drivers, bootloaders, power management interface, etc.) so what attackers achieve depends on which phase and what element of UEFI they are able to subvert. But every attack involves some kind of persistence.
-
[Old] New vulnerabilities mean it’s time to review server BMC interfaces
BMCs are specialized microcontrollers that have their own firmware and operating system, dedicated memory, power, and network ports. They are used for out-of-band management of servers when their primary operating systems are shut down. BMCs are essentially smaller computers that run inside servers and allow administrators to perform maintenance tasks remotely like reinstalling operating systems, restarting servers when they are no longer responsive, deploying firmware updates, and so on. This is also sometimes referred to as lights out management.
Security researchers have warned about security issues in BMC implementations and the Intelligent Platform Management Interface (IPMI) specification they used for at least a decade. Vulnerabilities included hardcoded credentials and users, misconfigurations, weak or absent encryption, as well as code bugs like buffer overflows. Even though these management interfaces should operate on isolated network segments, hundreds of thousands have been found exposed to the internet over the years.
-
How Malicious Android Apps Slip Into Disguise
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim).
-
Parents, students are baffled by letters confirming Crown Point school network breach months ago
Megan Hickey reports that there is finally a notification letter, of sorts, to parents about a network breach in November. In April, Indiana media had been reporting that the parents and community still had not been told what had happened.
-
Proposed Second Amendment to NYDFS Cybersecurity Regulations: Comments Due August 14
Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated proposed second amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (proposed second amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed changes from NYDFS. Comments are due by 5:00 p.m. ET on August 14.
-
ECHN hospitals slowly recovering, other facilities closed due to suspected cyberattack
A cyberattack is suspected to have caused a systemwide IT problem that is forcing the Eastern Connecticut Health Network (ECHN) to divert patients from its hospital emergency rooms, according to ECHN.
[...]
The issue is affecting the ERs at both Manchester Memorial Hospital and Rockville General Hospital.
-
Husband and Wife Plead Guilty to Money Laundering Conspiracy Involving the Hack and Theft of Billions in Cryptocurrency
There’s an update to the case involving the arrest of a married couple charged with laundering $4.5 billion in cryptocurrency stolen from Bitfinex in 2016.
Ilya Lichtenstein, 35, and Heather Morgan, 33, from New York City pleaded guilty today to money laundering conspiracies arising from the hack and theft of approximately 120,000 bitcoin from Bitfinex, a global cryptocurrency exchange.