Security Leftovers and Windows TCO
-
TuxCare’s Year-End Survey: Win a Prize by Sharing Your Expertise [Ed: Why so negative? “The Changing Landscape of Enterprise Linux and Open Source.”]
Calling all professional Linux users, open-source software enthusiasts, and anyone who knows what’s happening in Enterprise Linux! TuxCare invites you to participate in our year-in-review industry survey, “The Changing Landscape of Enterprise Linux and Open Source.”
This is more than just a survey. It’s an opportunity for you to contribute to a significant research asset that will impact organizations worldwide while winning some amazing prizes.
-
LWN ☛ Security updates for Thursday
Security updates have been issued by Debian (tzdata), Fedora (gmailctl), Oracle (kernel), Red Hat (linux-firmware, postgresql:12, postgresql:13, and squid:4), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, frr, libtorrent-rasterbar, qbittorrent, openssl-3, openvswitch, openvswitch3, and suse-build-key), and Ubuntu (bluez, curl, linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-gcp, open-vm-tools, postgresql-12, postgresql-14, postgresql-15, and python-cryptography).
-
LWN ☛ Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack [Ed: Microsoft Garrett was wrong, as usual]
This ars technica article describes how secure-boot firmware on a huge range of systems can be subverted with a malicious image file.
-
Confidentiality
-
LWN ☛ A schism in the OpenPGP world
That obviously leads to the question of interoperability; if there are two different standards, how do email clients (and other software) work with both? Kai Engert, who works on email encryption for Thunderbird, posted some questions about that on the openpgp-email mailing list. He noted the kinds of problems that might surface to users because of different key, encrypted-email, and signature formats and algorithms: [...]
-
-
Windows TCO
-
The Register UK ☛ Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets
We're told the attacks - which are usable against servers running the default configuration of Microsoft Dynamic Host Configuration Protocol (DHCP) servers - don't require any credentials.
-
The Verge ☛ Linux is getting its own Blue Screen of Death
Much like how the Blue Screen of Death originated in Windows, Linux’s version will be used as an emergency tool to log errors. If a Linux system fails to boot, it will generate a full-screen message that displays a QR code to get more information on what’s causing the boot issue. This was reportedly added as part of an Outreachy project, a group that provides internships for people to work on open-source tools.
The systemd-bsod feature is still experimental, and a GitHub changelog notes that it’s still subject to change, but systemd is a core part of most Linux distributions including Ubuntu, Fedora, Debian, and Red Hat. So it’s likely that we’ll see this BSOD feature appear in many Linux distributions throughout 2024.
-
Tom's Hardware ☛ Linux gets its own Blue Screen of Death, and it seems more helpful than the one on Windows
Version 255 of systemd, a system and service manager for Linux, was released a few hours ago debuting the "systemd-bsod" component. Phoronix reports that the stable systemd 255 release has made it just in time for H1 2024 Linux distribution releases. Those on rolling-release Linux distributions will see these BSODs sooner, assuming they encounter an error.
-
Bloomberg ☛ The Untold Story of a Massive Hack at HHS in Covid’s Early Days
On March 15, 2020, just days after the US declared a national emergency because of the Covid-19 pandemic, the computer network for the US Department of Health and Human Services briefly vanished from the internet. In public remarks the following day, HHS Secretary Alex Azar attributed the 10-minute outage to a cyberattack but downplayed its severity, telling reporters that “there was no data breach or no degradation in terms of our ability to function and serve our important mission here.”
With an historic crisis sweeping the country, the episode seemed unremarkable and immediately receded from public view. But the department knew at the time that the attack represented a serious and unusual cyberthreat, according to two officials involved in the response: former Chief Information Officer Jose Arrieta and former Chief Information Security Officer Janet Vogel.
-
US Dept Of Health and Human Services ☛ HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. HIPAA is the federal law that protects the privacy and security of health information.
-
USDOJ ☛ Founder and Majority Owner of Cryptocurrency Exchange Pleads Guilty to Unlicensed Money Transmitting
Bitzlato Ltd. Processed More Than $700M Worth of Illicit Funds and Was Primary Counterparty of Notorious Drug Bazaar Hydra Market; Advertised Lax Identification Procedures
The founder and majority owner of Bitzlato Ltd. (Bitzlato), a cryptocurrency exchange that served as a primary conduit for dark market purchasers and sellers, as well as a safe haven for illicit transactions by ransomware criminals, pleaded guilty today to operating a money transmitting business that transmitted illicit funds.
-
Hackers hit Erris water in stance over Israel [Ed: The issue here is Windows, not Iran or Israel]
Cybercriminals caused upheaval for 180 homeowners on a private group water scheme in the Erris area last week as their equipment was targeted in a politically motivated cyber-attack.
Residents on the Binghamstown/Drum scheme were without their water supply on Thursday and Friday after the extraordinary incident as crews worked to repair the Eurotronics Israeli-made water pumping system.
The hackers stated the equipment was targeted due to the fact it originated in Israel.
-
Records reveal new information about Sweetwater Union High School District data breach
New records reveal how widespread a data breach was at the Sweetwater Union High School District.
Information given to ABC 10News through a request from the California Public Records Act shows more than 22,000 people were affected by the breach, and the district paid a ransom to the alleged hackers.
-