Security Leftovers
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (trapperkeeper-webserver-jetty9-clojure), Mageia (libsndfile, packages, thunderbird, and x11-server), Oracle (.NET 6.0), SUSE (kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, redis, and squid), and Ubuntu (gsl).
-
Data Breaches ☛ Hackers give Jeffco Public Schools an extension on their deadline to respond; email parents about the breach
On November 2, DataBreaches reported that the same threat actors that had hacked and exfiltrated data from Clark County School District in Las Vegas had also hit Jeffco Public Schools in Colorado. In communications shared with DataBreaches, “SingularityMD”, as the hackers call themselves, gave the district until 5 pm today to pay them $15,000 in Monero cryptocurrency.
-
Data Breaches ☛ FBI: Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools
-
FMT ☛ Marina Bay Sands reveals data breach affecting 665,000 customers
A luxury resort operator in Singapore said today that the personal data of about 665,000 members of its shopping loyalty programme had been hacked.
The breach of Marina Bay Sands was the latest in a string of major cybersecurity incidents reported in the city-state.
-
LWN ☛ [oss-security] announcing sponsorship; distros list statistics for 2023
Hi,
After 15+ years of being a 100% volunteer effort, Openwall's maintenance of oss-security and (linux-)distros is finally sponsored by the OpenSSF, a project of the Linux Foundation. This sponsorship does not provide the Linux Foundation with the ability to set policies for community resources managed by Openwall. I am grateful for the support, which will help ensure continued operation of these resources on a new level while retaining independence.
As part of the sponsored effort, Openwall (currently me) took responsibility for the "statistics" contributing-back task:
"Keep track of per-report and per-issue handling and disclosure timelines (at least times of notification of (linux-)distros and of public disclosure on oss-security), at regular intervals produce and share statistics (most notably, the average embargo duration) as well as the input data (except on issues that are still under embargo) by posting to oss-security - primary: Openwall, backup: vacant"
At different times, this time-consuming task was handled by Gentoo and later by Amazon (thanks!) but was lately left unhandled. Due to the sponsorship, I've now retroactively produced statistics for 2023 so far:
https://oss-security.openwall.org/wiki/mailing-lists/distros/stats/2023
As expected, this uncovered a few mishandled issues, which I've recently pushed out to oss-security. That's why there are several reports (out of a total of 86) with embargo duration way in excess of the allowed maximum. This inflated the average duration accordingly, but the median stayed sane at 7 days. This is also why we need to, and now will, take care of the statistics task in real time, not only retroactively, so that any mishandling is identified and corrected promptly.
Also for the first time (something I haven't seen Gentoo and Amazon do) included are the source files I manually created based on review of the e-mail threads and external resources referenced from there. These files were processed with the also included (and permissively licensed) Perl script I wrote, so that others can reproduce the calculations or easily process the data differently.
Stay tuned for further updates.
Alexander
-
LWN ☛ Sponsorship for the Openwall lists
As part of this arrangement, Peslyak is now producing statistics on vulnerability handling; the first set for 2023 has been posted.