Security Leftovers
-
Linuxiac ☛ OpenSSH Announces Plan to Phase Out DSA Keys
OpenSSH will disable DSA keys by default starting June 2024, with a complete removal slated for 2025.
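Before the default flips, a practitioner wants to know which DSA keys are still in play. The following POSIX shell script is an added example (not from the Linuxiac article or the OpenSSH project) that lists and counts `ssh-dss` entries in authorized_keys and known_hosts style files; the file format assumptions and the sample data in the comments are mine.

```shell
#!/bin/sh
# Added example: find legacy DSA ("ssh-dss") keys in OpenSSH key files so they
# can be replaced before the default change makes them unusable.
#
# Assumptions (mine, not the article's):
#  - one key per line, in the standard authorized_keys / known_hosts layout;
#  - an authorized_keys line may carry options before the key type, e.g.
#      command="/usr/bin/backup",no-pty ssh-dss AAAAB3... legacy@host
#  - a known_hosts line starts with a host field (or @marker host), e.g.
#      example.com ssh-dss AAAAB3...
# Fields are scanned left to right, so options and host fields are skipped.

# Print every line of FILE whose key type is ssh-dss, as "FILE:LINENO: line".
list_dsa_keys() {
    file="$1"
    awk -v f="$file" '
        /^[[:space:]]*#/ { next }   # comment line
        NF == 0          { next }   # blank line
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss") { print f ":" NR ": " $0; break }
                # Once a non-DSA key type is seen, the rest of the line is the
                # key blob and comment; stop scanning this line.
                if ($i ~ /^ssh-rsa$/ || $i ~ /^ssh-ed25519$/ ||
                    $i ~ /^ecdsa-sha2-/ || $i ~ /^sk-/) break
            }
        }' "$file"
}

# Number of ssh-dss keys in FILE (prints 0 when there are none).
count_dsa_keys() {
    list_dsa_keys "$1" | wc -l | tr -d ' '
}

# Return non-zero (and report on stderr) when FILE still contains DSA keys;
# suitable as an audit or CI gate.
check_file() {
    n=$(count_dsa_keys "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n DSA key(s) will stop working once OpenSSH disables ssh-dss" >&2
        list_dsa_keys "$1" >&2
        return 1
    fi
    return 0
}

# Usage: scan the current user's files (paths are the OpenSSH defaults).
# for f in "$HOME/.ssh/authorized_keys" "$HOME/.ssh/known_hosts"; do
#     [ -f "$f" ] && check_file "$f"
# done
```

`ssh-keygen -l -f <file>` gives the same answer interactively (it prints the type of every key in a multi-key file), but the awk scan is easier to drop into an inventory script and reports line numbers.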
-
Security Week ☛ In Other News: WEF’s Unsurprising Cybersecurity Findings, KyberSlash Cryptography Flaw
Noteworthy stories that might have slipped under the radar: the WEF releases a cybersecurity report with unsurprising findings, and the KyberSlash timing vulnerabilities in Kyber implementations.
-
Security Week ☛ Laptop Maker Framework Says Customer Data Stolen in Third-Party Breach
Device maker Framework is notifying users that their personal information was stolen in a data breach at its external accounting partner.
-
Security Week ☛ New Class of CI/CD Attacks Could Have Led to PyTorch Supply Chain Compromise
Researchers detail a CI/CD attack that could have compromised PyTorch releases via self-hosted runners for Microsoft's proprietary GitHub Actions.
-
Security Week ☛ Apple Patches Keystroke Injection Vulnerability in Magic Keyboard
Apple’s latest Magic Keyboard firmware addresses a recently disclosed Bluetooth keyboard injection vulnerability.
-
Security Week ☛ Malware Used in Ivanti Zero-Day Attacks Shows Hackers Preparing for Patch Rollout
Ivanti zero-day vulnerabilities dubbed ConnectAround could impact thousands of systems, and Chinese cyberspies are preparing for the patch release.
-
Bruce Schneier ☛ On IoT Devices and Software Liability
New law journal article:
Smart Device Manufacturer Liability and Redress for Third-Party Cyberattack Victims
Abstract: Smart devices are used to facilitate cyberattacks against both their users and third parties. While users are generally able to seek redress following a cyberattack via data protection legislation, there is no equivalent pathway available to third-party victims who suffer harm at the hands of a cyberattacker. Given how these cyberattacks are usually conducted by exploiting a publicly known and yet un-remediated bug in the smart device’s code, this lacuna is unreasonable. This paper scrutinises recent judgments from both the Supreme Court of the United Kingdom and the Supreme Court of the Republic of Ireland to ascertain whether these rulings pave the way for third-party victims to pursue negligence claims against the manufacturers of smart devices. From this analysis, a narrow pathway, which outlines how given a limited set of circumstances, a duty of care can be established between the third-party victim and the manufacturer of the smart device is proposed...
-
Citizen Lab ☛ Mobile security vulnerabilities threaten millions in Latin America: ICFP and Citizen Lab fellow Beau Kujath finds security vulnerabilities in mobile applications in the Latin America region.
In a new study, Citizen Lab sheds light on the massive security threats facing Latin Americans. Citizen Lab and Open Technology Fund (OTF) fellow Beau Kujath, in collaboration with SocialTIC, finds that mobile applications in Latin America put millions of users at security and privacy risk.