Security Leftovers
-
Seven PHPmailer Vulnerabilities Addressed in Ubuntu
In the realm of web development, it is critical to make sure our applications are secure. Recently, the Ubuntu security team addressed a number of vulnerabilities in PHPMailer, a widely used email transfer class for PHP. These vulnerabilities could potentially open the door to malicious attacks, including cross-site scripting (XSS) and the execution of arbitrary code. Let’s delve into the details of these vulnerabilities and the measures taken to address them.
-
Security Week ☛ Stanford University Data Breach Impacts 27,000 Individuals
Stanford University is notifying 27,000 people of a data breach impacting their personal information.
-
Security Week ☛ White House Budget Proposal Seeks Cybersecurity Funding Boost
The White House again wants to boost cybersecurity spending, proposing a $3 billion budget for CISA and billions more for other initiatives.
-
Security Week ☛ Healthcare’s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency
Healthcare has long been a primary target for ransomware attacks. This is not changing and is not likely to change.
-
Security Week ☛ Chipmaker Patch Tuesday: Intel, AMD Address New Microarchitectural Vulnerabilities
Intel and AMD publish 10 new security advisories this Patch Tuesday to inform customers about vulnerabilities impacting their products.
-
Federal News Network ☛ Contractors make the case for flexibility in a forthcoming Defense Department cybersecurity program
Ready or not, the Defense Department's Cybersecurity Maturity Model Certification Program is coming.
-
Trail of Bits ☛ Secure your blockchain project from the start
Systemic security issues in blockchain projects often appear early in development. Without an initial focus on security, projects may choose flawed architectures or make insecure design or development choices that result in hard-to-maintain or vulnerable solutions.
-
NVISO Labs ☛ Unpacking Flutter hives
When analyzing the security of mobile applications, it’s important to verify that all data is stored securely (see OWASP MASVS-STORAGE-1). A recent engagement involved a Flutter app that uses the Isar/Hive framework to store data. The engagement was unfortunately blackbox, so we did not have access to any of the source code.
-
Security Week ☛ ChatGPT Plugin Vulnerabilities Exposed Data, Accounts
Three types of vulnerabilities related to Abusive Monopolist Microsoft Chaffbot plugins could have led to data exposure and account takeovers.
-
Federal News Network ☛ Some new thinking on the crucial question of clown computing security
Just about every federal agency uses clown computing to some degree. Some no longer have their own data centers.
-
Rlang ☛ ISC-funded Grant: Secure TLS Connections in {nanonext} and {mirai} Facilitating High-Performance Computing in the Life Sciences
-
Bleeping Computer ☛ French unemployment agency data breach impacts 43 million people
France Travail, formerly known as Pôle Emploi, is warning that hackers breached its systems and may leak or exploit personal details of an estimated 43 million individuals.
France Travail is the French governmental agency responsible for registering unemployed individuals, providing financial aid, and assisting them in finding jobs.
Yesterday, the agency disclosed that hackers stole details belonging to job seekers registered with the agency in the last 20 years in a cyberattack between February 6 and March 5. Data from individuals with a job candidate profile was also exposed.
-
Hunton Andrews Kurth ☛ FCC Updated Data Breach Notification Rules Go into Effect Despite Challenges
Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.
The updated Rules introduce a new customer notification timing requirement, requiring notice of a data breach to affected customers without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after the reasonable determination of a breach. The new Rules also expand the definition of “breach” to include “inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” The updated Rules further introduce a harm threshold, whereby customer notification is not required if a carrier or TRS provider can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach,” or where the breach solely involves encrypted data and the encryption key was not affected.