Security Leftovers
-
Safeguarding Your Data – How to Harden Your Systems [Ed: 'Linux' Foundation as the voice of IBM, which does not pursue real security but corporate snake oil peddling; "open" means corporate these days; Free means... trial of some corporate something]
In our increasingly digitized world, data reigns supreme. Alongside traditional valuable information like customer records and bank details, data on interactions and activity has become more valuable to companies. As data has become critical, it is also more at risk from theft or attacks like ransomware. According to IBM, the average data breach cost worldwide is now more than US $4.4M.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (jetty9, node-browserify-sign, request-tracker4, and request-tracker5), Fedora (golang-github-altree-bigfloat, golang-github-seancfoley-bintree, golang-github-seancfoley-ipaddress, kitty, slurm, and thunderbird), Gentoo (ConnMan, libxslt, and Salt), Mageia (chromium-browser-stable), Red Hat (firefox, libguestfs-winsupport, and thunderbird), SUSE (clamav, gcc13, gstreamer-plugins-bad, icu73_2, java-17-openjdk, nodejs10, poppler, python-Werkzeug, redis, thunderbird, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (kernel, linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, linux-iot, linux-raspi, linux-raspi-5.4, and mysql-8.0).
-
The New Stack ☛ Bjarne Stroustrup’s Plan for Bringing Safety to C++
The 72-year-old creator of C++ gave a forward-looking keynote address last month at the programming language’s annual convention.
As the C++ community gathered for “CppCon” C++ conference in Aurora, Colorado, Bjarne Stroustrup promised his audience a talk that would first identify the specific kinds of safety measures needed in a programming language, and “Then I’m going to show you that we’ve been creeping up on that for a few decades.”
Stroustrup took some time to address critics who say the problem is C++ itself, and the solution is switching to another language. But he also went into more detail on a proposal that adds new safety tooling to address their specific criticisms — finally bringing a new solution to the world’s billions of lines of C++ code.
-
LWN ☛ Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)
The New Stack covers a conference talk by Bjarne Stroustrup on turning C++ into a safer language.
-
Government Technology ☛ Colorado GOP Wants Inquiry into Delayed Notification of Data Breach
Colorado House Republicans want to investigate why the state Department of Higher Education did not disclose a major data breach it discovered on June 14 until Aug. 4, beyond the legally required 30-day window.
-
Data Breaches ☛ Exclusive: Hackers claim they still have access to Clark County School District, and reveal more details about hack and stolen data
When reviews of data breaches in the education sector are written for 2023, they will almost certainly mention the 2022 attack on the Los Angeles Unified School District that wasn’t fully disclosed until 2023 and the Minneapolis Public Schools breach. Both of those incidents involved threat actors leaking sensitive information on students. But any 2023 review will likely also need to include the attack on Clark County School District (CCSD) in Nevada for all of the student and employee data that was stolen and leaked.
In previous coverage, DataBreaches reported that CCSD claimed they discovered the breach on October 5, but had not been giving parents the kinds of information understandably anxious parents were seeking about their children’s information. Even after some parents reported receiving direct contact from the hackers who included copies of their children’s education records, and even after the hackers leaked information on more than 200,000 students, the district has not come out and forthrightly addressed whether the leaked data are real (they appear to be real and parents who received their children’s files from the hackers confirmed the files they received were accurate).
-
The US and Its Allies Are Pledging Never to Pay Hacker Ransoms
Officials from nearly 50 countries will meet in Washington this week to plan the next phase of their war against digital extortion attacks
The Biden administration and dozens of foreign allies will pledge this week never to pay ransoms to hackers who lock up their national governments’ computer systems, hoping to discourage financially motivated cyber criminals from seeing those systems as attractive ransomware targets.
The joint promise will occur as part of the third annual meeting of the International Counter-Ransomware Initiative, which includes 48 countries, the European Union and Interpol, the global police agency. Members are convening Wednesday and Thursday in Washington to approve new activities meant to make ransomware less profitable and therefore less prevalent.
-
Data Breaches ☛ The U.S. And Its Allies Are Pledging Never To Pay Hacker Ransoms
And if this does work, does that just shift the threat actors over even more to softer targets like, say, healthcare and education entities?
-
Data Breaches ☛ OCR Releases Cybersecurity Video: How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks
In recognition of National Cybersecurity Awareness Month, OCR has produced a new video this October for organizations covered under the HIPAA Rules on how the HIPAA Security Rule can help regulated entities defend against cyber-attacks. The video is available in English and Spanish.
-
Bloomberg ☛ Hackers Accessed 632,000 Email Addresses at US Justice, Defense Departments [Ed: Windows TCO]
Russian-speaking hacking group obtained access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice as part of the sprawling MOVEit hack last summer, according to a report on the wide-ranging attack obtained through a Freedom of Information Act request.
The report, by the US Office of Personnel Management, provides new details about a cyberattack in which hackers exploited flaws in MOVEit, a popular file-transfer tool. Federal cybersecurity officers previously confirmed that government agencies were compromised by the attack but have provided little information on the scope of the attack, nor did they name the agencies affected.
Update
Four more:
-
Cyber workforce demand is outpacing supply, survey finds
A survey of almost 15,000 cybersecurity workers found that the industry is having difficulty finding enough talent to battle threats.
-
SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures
The SEC filed charges against SolarWinds and its CISO over misleading investors about its cybersecurity practices and known risks.
-
SEC Charges Against SolarWinds CISO Send Shockwaves Through Security Ranks
The legal actions may have a chilling effect on hiring CISOs, who are already in short supply, but may also expose just how budget-constrained most security executives are.
-
In Cyberattacks, Iran Shows Signs of Improved Hacking Capabilities
A monthslong hacking campaign targeted the governments of regional rivals, including Israel, and marked a turn, a new report says, as the attacks were used to collect intelligence, not just disrupt services.