Security Leftovers
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).
-
Chris Lamb: Increasing the Integrity of Software Supply Chains awarded IEEE ‘Best Paper’ award
Although it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors with severe security consequences if their supply chains are compromised.
In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem and then provide insight into the challenges of making real-world software build in a "reproducible" manner — that is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian GNU/Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA).
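The property the abstract describes, bit-for-bit identical output from the same source, usually fails in practice for mundane reasons: the build's wall-clock time, the order in which the filesystem lists files, and the uid/gid of the builder all leak into the artifact. The script below is an added illustration of that point and of the normalisation that fixes it; it is not code from the paper or from the Reproducible Builds project. The file contents and the two "build environments" are constructed, and SOURCE_DATE_EPOCH is used here only as a pinned integer rather than read from the environment as the real convention does.

```python
"""Packaging demo: same inputs, different environments, compare bytes."""
import hashlib
import io
import tarfile

# Constructed sample build output (not from any real project).
BUILD_OUTPUT = {
    "share/README": b"demo\n",
    "bin/app": b"#!/bin/sh\necho hello\n",
}

# Two constructed "build environments". They differ only in things a build
# should not depend on: the clock, directory listing order, and the builder's uid.
ENV_A = {"now": 1_700_000_000, "listing": ["share/README", "bin/app"], "uid": 1000}
ENV_B = {"now": 1_700_003_600, "listing": ["bin/app", "share/README"], "uid": 1001}

# Pinned timestamp standing in for the SOURCE_DATE_EPOCH environment variable.
SOURCE_DATE_EPOCH = 1_600_000_000


def pack_naive(files, env):
    """Pack the way many ad-hoc build scripts do: current time, directory
    order, builder's uid/gid. The environment leaks into the archive bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in env["listing"]:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = env["now"]
            info.uid = info.gid = env["uid"]
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def pack_reproducible(files, env):
    """Same content, but every environment-derived field is normalised.
    `env` is accepted for a matching signature and deliberately ignored."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):          # stable order, not directory order
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH  # clamp timestamps to a pinned value
            info.uid = info.gid = 0         # drop the builder's identity
            info.mode = 0o644               # do not inherit the builder's umask
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def explain_difference(a, b):
    """Tiny diffoscope-style report: walk both archives and name the header
    fields that differ, so the cause of non-reproducibility is actionable."""
    with tarfile.open(fileobj=io.BytesIO(a)) as ta, tarfile.open(fileobj=io.BytesIO(b)) as tb:
        ma, mb = list(ta), list(tb)
    reasons = []
    names_a, names_b = [m.name for m in ma], [m.name for m in mb]
    if names_a != names_b:
        reasons.append(f"member order: {names_a} vs {names_b}")
    for x, y in zip(sorted(ma, key=lambda m: m.name), sorted(mb, key=lambda m: m.name)):
        for field in ("mtime", "uid", "gid", "mode", "uname", "gname"):
            if getattr(x, field) != getattr(y, field):
                reasons.append(f"{x.name}: {field} {getattr(x, field)} vs {getattr(y, field)}")
    return reasons


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_reproducible(pack, files=BUILD_OUTPUT):
    """Build twice in the two environments; the artifact is reproducible
    only if the bytes (and hence the hashes) are identical."""
    a, b = pack(files, ENV_A), pack(files, ENV_B)
    return a == b, sha256(a), sha256(b), explain_difference(a, b)


if __name__ == "__main__":
    for pack in (pack_naive, pack_reproducible):
        same, ha, hb, reasons = check_reproducible(pack)
        print(f"{pack.__name__}: identical={same}\n  {ha}\n  {hb}")
        for r in reasons:
            print("  -", r)
```

Comparing hashes across two independent builders is the whole verification step; the report from `explain_difference` is what turns "hashes differ" into a fix (pin mtime, sort inputs, zero ownership), which is the same loop the Debian effort runs with diffoscope at much larger scale.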
-
LinuxSecurity ☛ Linux Mint and Ubuntu's Security Features: Prioritizing System Safety
Linux Mint and Ubuntu are two popular GNU/Linux distributions that have gained a reputation for prioritizing system safety. It is crucial for GNU/Linux administrators, infosec professionals, and internet security enthusiasts to understand the security measures implemented by these distributions. Let's examine the security features and enhancements available to Ubuntu and GNU/Linux Mint users to help you determine if one of these distros could be a good fit for your priorities and requirements.
-
Scoop News Group ☛ North Korean government hackers target individuals of interest, infosec professionals
The hacking unit is tasked with gathering strategic intelligence.
-
Security Week ☛ Owner of Cybercrime Website BreachForums Sentenced to Supervised Release
Conor Brian Fitzpatrick, the owner of the cybercrime website BreachForums, was sentenced to time served and supervised release.
-
Security Week ☛ LoanDepot Breach: 16.6 Million People Impacted
Lending giant LoanDepot (NYSE: LDI) said that roughly 16.6 million individuals were impacted as a result of a ransomware attack.
-
Security Week ☛ Hackers Targeting Critical Atlassian Confluence Vulnerability Days After Disclosure
The Atlassian Confluence vulnerability CVE-2023-22527 is being exploited in the wild just days after it was disclosed.
-
Federal News Network ☛ Zero trust, top key exploited vulnerabilities part of 5th annual cyber cup challenge
The 5th annual President’s Cup Cyber Competition is accepting teams and individual competitors in the annual “capture the flag” competition that also includes industrial control systems for the first time.
-
Security Week ☛ Apple Ships iOS 17.3, Warns of WebKit Zero-Day Exploitation
Apple pushes out fresh versions of its iOS and macOS platforms to fix WebKit vulnerabilities being exploited as zero-day in the wild.
-
404 Media ☛ Feds Charge Alleged ‘TLO’ Underground Data Broker
Authorities charged a man from Baltimore on Monday with allegedly running a so-called TLO data service, a tool that makes it incredibly easy for hackers and other criminals to dox nearly anyone in America quickly and for cheap. Chouby Charleron allegedly sold the personal identifying information (PII), including Social Security numbers, of more than 5,000 victims, according to recently unsealed court records.
The news shows the continued use of TLO data services in the digital underground, a practice that I first revealed in August. The tools, which are often automated, take their name from the powerful TLOxp data service owned by credit bureau TransUnion which debt collectors, law enforcement, and other sectors are able to access. Although these services don’t always necessarily source their data from TLOxp itself, in this case Charleron’s co-conspirators allegedly used the obtained data to carry out credit card fraud. I’ve also found these services advertised to groups of violent criminals that hack, rob, and steal from one another and outside victims. Targets have included YouTubers, high profile celebrities, politicians, and seemingly ordinary people.
-
NBC ☛ Bucks Co. emergency dispatch system down for days due to cyberattack
Law enforcement officials in Bucks County are working to restore services to its computer-aided dispatch system, or CAD system, after a cyberattack on Sunday crippled the service.
However, county officials said 9-1-1 services remain operational and first responders are relying on phone and radio communication as the county investigates the incident.
In an alert sent out by the Bucks County Department of Emergency Communications on Monday night, officials said the CAD system has been down since Sunday afternoon and it currently remains out of service.
-
COVID Test Data Breach: 1.3 Million Patient Records Exposed Online
The publicly exposed database contained an estimated 1.3 million records that included 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files. The exposed certificates and other documents were all marked with the name and logo of Coronalab.eu. Although the website appears to be offline, Coronalab is owned by Microbe & Lab, an ISO-certified laboratory based in Amsterdam, Netherlands. According to the NL Times, “CoronaLab is one of the two largest commercial test providers in the Netherlands”. I sent multiple responsible disclosure notices and did not receive any reply and several phone calls also yielded no results. The database remained open for nearly 3 weeks before I contacted the cloud hosting provider and it was finally secured from public access. In most cases the organization replies or closes public access immediately after receiving a responsible disclosure notice. Another research-based online publication, Cybernews, claimed to have found a similar leak around the same time of my discovery. I cannot confirm if it’s related or not.
-
Covington & Burling LLP ☛ Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment
In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.
First, the Dutch SA decided that the company was required to perform a DPIA because the processing met two of the nine conditions set out in the EDPB Guidelines on DPIAs. In particular, the processing was large scale (1.5 million customers) and involved personal data that was sensitive or of a “very personal nature” (name, date of birth, place of birth, e-mail address, telephone number, gender, Netherlands government ID Number, number of the ID document and photo).