Security Leftovers

posted by Roy Schestowitz on Nov 21, 2023

• Security updates for Monday

  Security updates have been issued by Debian (freerdp2, lwip, netty, and wireshark), Fedora (dotnet6.0, dotnet7.0, golang, gst-devtools, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, podman-tui, prometheus-podman-exporter, python-gstreamer1, syncthing, and tigervnc), Mageia (chromium-browser-stable, haproxy, and tigervnc), Oracle (curl, ghostscript, microcode_ctl, nghttp2, open-vm-tools, samba, and squid), SUSE (gcc13, postgresql14, and yt-dlp), and Ubuntu (iniparser).

• CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations

  New CISA guidance details cyber threats and risks to healthcare and public health organizations and recommends mitigations.

• Morgan Stanley Fined $6.5 Million for Exposing Customer Information

  Morgan Stanley agrees to pay $6.5 million for exposing personal information through negligent data-security practices.

• Johnson Controls Patches Critical Vulnerability in Industrial Refrigeration Products

  Johnson Controls has patched a critical vulnerability that can be exploited to take complete control of Frick industrial refrigeration products. 

• Illuminate Education Defeats Data Breach Lawsuit for Second Time

  Illuminate Education Inc. defeated for the second time a proposed class action alleging it failed to protect the personal information of more than 3 million elementary and high school students, which was exposed in a December 2021 data breach.

  The plaintiffs failed to show that they had suffered concrete harm from the breach or were at immediate risk of future harm, a threshold requirement for standing to sue, Judge James V. Selna of the US District Court for the Central District of California said.

• A cyberattack on a U.K. accounting firm wound up leaking U.S. patient data. Now what?

  Conducting a google search for some individuals’ names +Mississippi, DataBreaches found listings in WhitePages that matched the names and cities in Mississippi. Attempting to validate a sample of SSNs in one of the files that did not contain date of birth returned results that they were all valid SSNs, although the state in which the SSNs were issued often did not match the patient being in Mississippi (but of course, people may have moved over their lifespan and many of these patients were elderly). Based on the sampling results, then, these appeared to be real patients’ data.

• Logs missing in 42% cyberattacks; small business most vulnerable: Report

  Telemetry logs, which hold collection, transmission, and measurement of data, were found missing in 42 per cent of analysed cyberattacks, according to Sophos’ Active Adversary Report. Titled ‘The Active Adversary Report for Security Practitioners’, the report delves into incident response (IR) cases scrutinised by global cybersecurity firm Sophos. The report provides insights based on 232 Sophos IR cases across 25 sectors from January 2022 till June 30, 2023.

  Delving into cases of attacks, the report also found that in 82 per cent of these instances, cybercriminals deliberately disabled or eradicated telemetry to conceal their actions. The targeted organisations spanned 34 countries across six continents, with 83 per cent of cases originating from organisations with fewer than 1,000 employees.