Security Leftovers
-
LWN ☛ Security updates for Friday
Security updates have been issued by Debian (phppgadmin and vlc), Fedora (attract-mode, chromium, and netconsd), Red Hat (.NET 7.0, c-ares, curl, ghostscript, insights-client, python, squid, and squid:4), SUSE (kernel and roundcubemail), and Ubuntu (libsndfile).
-
Yahoo News ☛ Linux Foundation, ISC2 and OpenSSF Collaborate to Target Secure Code Development
Linux Foundation Training & Certification, ISC2, and Open Source Security Foundation (OpenSSF) today announced a new collaboration to empower the open source cybersecurity community through secure software development, knowledge sharing, education, certification and much more. Together, the three organizations will lead the way to secure software development and lifecycle management for open source code.
-
Google ☛ First handset with MTE on the market
It's finally time for me to fulfill a long-standing promise. Since I first heard about ARM's Memory Tagging Extensions, I've said (to far too many people at this point to be able to back out…) that I'd immediately switch to the first available device that supported this feature. It's been a long wait (since late 2017) but with the release of the new Pixel 8 / Pixel 8 Pro handsets, there's finally a production handset that allows you to enable MTE!
-
LWN ☛ First handset with MTE on the market (Project Zero)
The Google Project Zero blog celebrates the launch of the Pixel 8 handset, the first to make use of Arm's Memory Tagging Extension (MTE). Linux has supported MTE since the 5.10 release in 2020, but that support has only now shown up (in experimental form) in an available handset.
[...]
Currently, MTE is only available on the Pixel as a developer option, intended for app developers to test their apps using MTE, but we can configure it to default to synchronous mode for all apps and native user mode binaries. This can be done on a stock image, without bootloader unlocking or rooting required - just a couple of debugger commands. We'll do that now, but first:
-
Data Breaches ☛ United States Recovers $2.4 Million Obtained In Business Email Compromise
United States Attorney Roger B. Handberg announces that the United States has civilly forfeited $2,462,000 in proceeds obtained from a wire fraud scheme that involved the takeover of a business email account. The forfeited funds are being returned to the fraud victim.
-
Data Breaches ☛ Update: Daixin leaks more data from Bluewater Health and other hospitals; databases yet to be leaked
As some will likely have already noticed, Daixin Team released the second part of the data leak from five hospitals in Ontario that have IT services provided by TransForm SSO. The first leak, containing many patient records, was previously reported by DataBreaches on November 1.
Skimming the second tranche, DataBreaches noted a lot of internal hospital files such as forms and administrative matters. There were some files with employee information, and in that regard, DataBreaches was pleased to observe that some files that likely had sensitive employee-related information like disciplinary matters were password-protected.
Update
A couple more:
-
Scientist Claims Quantum RSA-2048 Encryption Cracking Breakthrough
The most secure RSA encryption can now be cracked using a smartphone or PC, according to a new highly-contested scientific paper.
-
Fingerprint photo led investigators to therapy centre hacking suspect
Police said their first big break in the case was provided by the suspect's carelessness.