Security Leftovers
-
LWN ☛ Security updates for Friday
Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow).
-
Electropages ☛ Bluetooth Vulnerability: Privacy Risks on Linux & macOS
Vulnerabilities in computer systems are found on a daily basis, and while most of these get minimal attention, some can hit the news. Recently, a new Bluetooth vulnerability has been discovered, which allows hackers to pair HID devices to Linux and macOS machines without any user interaction. What exactly is the new vulnerability, how does it pose a threat, and what can we learn from this?
-
US Dept Of State ☛ Reward for Information: ALPHV/Blackcat Ransomware as a Service
The U.S. Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold a key leadership position in the Transnational Organized Crime group behind the ALPHV/Blackcat ransomware variant. In addition, a reward offer of up to $5,000,000 is offered for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware activities.
-
‘I am deeply troubled’: Data breach impacts clients at Lanark County family services organization
Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) once again finds itself dealing with a privacy breach.
At least four people have been contacted by FCSLLG, informing them that they or a child in their care may have been impacted by a “data security incident.”
CTV News has obtained a copy of one such letter, which was sent out on Jan. 26.
“Personal information relating to [redacted] may have been available to the unauthorized third party: full name, case type, kinship service(s), dates of kinship service(s) and Child Protection Identification Number (CPIN),” reads a portion of the notice.
-
Data Breaches ☛ Update on INTEGRIS Health data breach: incident response criticized by patients
On January 26, INTEGRIS Health notified HHS that 2,385,646 patients were affected by this incident. That number is significantly less than what appeared on the dark web site that both this site and Bleeping Computer looked at, but the TA informed DataBreaches that records on that site were not just from INTEGRIS. Some also came from at least one other health system. According to the TA, they acquired about 2.3 million records from INTEGRIS patients with Social Security numbers and dates of birth. Other patient records did not have those data types.
-
Health NZ notifying around 12k people impacted by data breach
Health New Zealand Te Whatu Ora has begun the process of notifying around 12,000 individuals who were impacted by the alleged unauthorised data release by a former staff member.
Barry Young, 56, has denied accessing a computer system for dishonest purposes.
Health NZ chief executive Margie Apa said the first group being contacted is a large number of Covid-19 vaccinators who had their personal information made available in a downloadable file on a US-based blog.
“As soon as we found out about this, we asked for the information to be removed. It was later taken down.”
-
CBS ☛ Washington County pays $350,000 ransom after cyberattack
The Washington County Board of Commissioners formally voted on Thursday on handling the recent cyberattack.
Some have questioned the transparency of the process. The questions about transparency have been because of secret and emergency meetings. According to the solicitor, some of that was because of the deadlines set up by the cybercriminals.
Thursday’s 2-1 vote by the board of commissioners was to use up to $400,000 to address the almost $350,000 ransom payment and about $20,000 cost to pay a company to handle the payment. January’s cyberattack against the county shut down several county services.
-
The Register UK ☛ Quest Diagnostics pays $5M after mixing patient medical data with hazardous waste
Quest Diagnostics has agreed to pay almost $5 million to settle allegations it illegally dumped protected health information – and hazardous waste – at its facilities across California.
This sum won’t hurt at all for the corporation, one of the largest clinical medical lab networks in the US. In all, Quest is being charged slightly less than two days of its $994 million annual profit in 2023 – hardly a serious disincentive.
Under the settlement [PDF], Quest will pay $3,999,500 to ten California counties (Alameda, Los Angeles, Monterey, Orange, Sacramento, San Bernardino, San Joaquin, San Mateo, Ventura, and Yolo), plus give $300,000 to environmental projects and an additional $700,000 to foot attorneys’ fees and other costs. In exchange, it admits no guilt over the matter.