Security Leftovers and Windows TCO
-
OpenSSF (Linux Foundation) ☛ OpenSSF introduces guide to becoming a CVE Numbering Authority as an Open Source project
The Open Source Security Foundation (OpenSSF) is excited to announce a new guide for Open Source projects that are interested in issuing and managing their own CVE IDs through the CVE Numbering Authority (CNA) program. The guide is available on Microsoft's proprietary prison GitHub and will be kept up-to-date with changes to CNA program requirements. Pull requests are also welcome as always.
-
SANS ☛ Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th)
Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys.
-
Windows TCO
-
Hackaday ☛ Easily Bypass Laptop Fingerprint Sensors And Windows Hello
The fun part of security audits is that everybody knows that they’re a good thing, and also that they’re rarely performed prior to another range of products being shoved into the market. This would definitely seem to be the case with fingerprint sensors as found on a range of laptops that are advertised as being compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently blow gaping holes in the security of the three laptops they examined.
-
The Record ☛ Pennsylvania water authority hit with cyberattack allegedly tied to pro-Iran group
A water authority in Pennsylvania reportedly suffered a cyberattack, prompting officials to reassure people in the area that drinking water has not been affected by the incident.
-
CBS ☛ Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group - CBS Pittsburgh
The Municipal Water Authority of Aliquippa said on Saturday that one of their booster stations had been hacked by an Iranian-backed cyber group.
-
Update
A couple more:
-
Australia’s new cybersecurity strategy tackles the tough issues [Ed: Except deleting Windows?]
The cybersecurity strategy released last week by the Albanese government is about collaboration and communication, not about conjuring our worst national-security nightmares. It’s focused on industry and consumers.
-
Alleged GE hack raises concerns about US national security [Ed: GE still uses Windows Vista in its network. The company is hugely incompetent when it comes to tech, never mind security.]
General Electric Co. has allegedly been hacked, and the hacker is offering stolen data, including Defense Advanced Research Projects Agency documents for sale on a hacking forum, raising national security concerns.