Security Leftovers

posted by Roy Schestowitz on Mar 09, 2024

• LWN ☛ Security updates for Thursday

  Security updates have been issued by Debian (chromium and yard), Fedora (cpp-jwt, golang-github-tdewolff-argp, golang-github-tdewolff-minify, golang-github-tdewolff-parse, and suricata), Mageia (wpa_supplicant), Oracle (curl, edk2, golang, haproxy, keylime, mysql, openssh, and rear), Red Hat (kernel and postgresql:12), SUSE (containerd, giflib, go1.21, gstreamer-plugins-bad, java-1_8_0-openjdk, python3, python311, python39, sudo, and vim), and Ubuntu (frr, linux, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-iot, linux-kvm, linux-raspi, and linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-starfive-6.5).

• OpenSSF (Linux Foundation) ☛ OpenSSF and CISA Join Forces to Secure Open Source Software [Ed: CISA is infested with Microsoft

  In today’s dynamic technological landscape, open source software (OSS) holds a crucial position. An average of 77%–90% of any given piece of modern software is OSS.

• Silicon Angle ☛ Google-backed GUAC cybersecurity tool becomes an OpenSSF project

  The developers of GUAC, a tool for finding vulnerabilities in enterprise software, today announced that they have donated the project to the OpenSSF consortium. GUAC was released in 2022 by Surveillance Giant Google LLC, cybersecurity startup Kusari Inc., Citibank NA and Purdue University.

• SANS ☛ MacOS Patches (and Safari, TVOS, VisionOS, WatchOS), (Fri, Mar 8th)

• Troy Hunt ☛ Welcoming the German Government to Have I Been Pwned

  Today, we're very happy to welcome Germany as the 35th country to use this service, courtesy of their CERTBund department.

• Security Week ☛ Fidelity Investments Life Insurance Company Notifying 28,000 People of Data Breach

  Fidelity says 28,000 individuals were impacted by data breach at third-party services provider Infosys McCamish System.

• Security Week ☛ FBI: Cybercrime Losses Exceeded $12.5 Billion in 2023

  FBI’s IC3 publishes its 2023 Internet Crime Report, which reveals a 10% increase in the number of cybercrime complaints compared to 2022.

• Security Week ☛ Cisco Patches High-Severity Vulnerabilities in VPN Product

  High-severity flaws in Cisco Secure Client could lead to code execution and unauthorized remote access VPN sessions.

• Federal News Network ☛ Researcher takes on ransomware and the products for stopping it [Ed: Windows TCO, not merely "ransomware"]

  Ransomware, one of the most troublesome forms of cyber attacks, is in the crosshairs of a leading cybersecurity research outfit.

• Security Week ☛ Cybercriminals Spoof US Government Organizations in BEC, Phishing Attacks

  Threat actor tracked as TA4903 spoofing US government entities in phishing and fraud campaigns.

• Security Week ☛ Nigerian BEC Scammer Pleads Guilty in US Court

  Henry Echefu admitted in a US courtroom to participating in a $200,000 business email compromise fraud scheme.

• Federal News Network ☛ Don’t forget the ‘I’ in the nation’s premier infrastructure protection agency

  When if comes to the Cybersecurity and Infrastructure Security Agency (CISA), people sometimes forget that "I" word.

• Security Week ☛ Critical TeamCity Vulnerability Exploitation Started Immediately After Disclosure

  Critical TeamCity authentication bypass vulnerability CVE-2024-27198 exploited in the wild after details were disclosed.

• Federal News Network ☛ Navigating the complexities of zero trust in the modern cybersecurity landscape

  The pivotal role of cloud observability is now at the forefront, serving as the key to unlocking the full potential of the zero trust extended framework.

• SANS ☛ Proprietary trap AWS Deployment Risks - Configuration and Credential File Targeting, (Thu, Mar 7th)

• Scoop News Group ☛ White House advisory group says market forces ‘insufficient’ to drive cybersecurity in critical infrastructure

  An industry-led group is calling for the federal government to develop economic incentives for small and medium-sized businesses, simplify cyber regulations and provide clear liability protections around information sharing.

• Silicon Angle ☛ PetSmart alerts customers to credential-stuffing attacks targeting user accounts

  U.S. pet store company PetSmart Inc. is warning customers that an unidentified threat actor is trying to log into user accounts via a credential-stuffing attack.

• OpenSSF (Linux Foundation) ☛ Graph for Understanding Artifact Composition (GUAC): Joins OpenSSF as Incubating Project

  The Graph for Understanding Artifact Composition (GUAC) maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project. GUAC is an open source supply chain security project that provides dependency management and actionable insights into the security of software supply chains. GUAC was created by Kusari, Google, Purdue University and Citi, and is supported by industry-leading financial services and technology companies, including Yahoo!, Microsoft, Red Hat, Guidewire, and ClearAlpha Technologies.

• APNIC ☛ SMTP smuggling — spoofing emails worldwide

  Guest Post: Introducing a novel technique for email spoofing.