Security Leftovers
-
OpenSSF (Linux Foundation) ☛ Driving Change Together: The OpenSSF Takes On VulnCon
The CVE and FIRST VulnCon 2024 and Annual CNA Summit is set to take place in Raleigh, North Carolina, next week! The OpenSSF is delighted to support this initiative and our cross-industry goals to sustainably make open source software safer.
-
Closing the Gap With ITDR for Cloud-Native Security and Kubernetes RBAC
Here's what is required to apply identity threat detection and response (ITDR) to cloud-native security with Kubernetes RBAC.
-
Security Week ☛ Ivanti Patches Critical Vulnerabilities in Standalone Sentry, Neurons for ITSM
Ivanti has released patches for two critical-severity vulnerabilities leading to arbitrary command execution.
-
Security Week ☛ Vulnerability Allowed One-Click Takeover of proprietary trap AWS Service Accounts
AWS patches vulnerability that could have been used to hijack Managed Workflows for Apache Airflow (MWAA) sessions via FlowFixation attack.
-
Security Week ☛ House Passes Bill Barring Sale of Personal Information to Foreign Adversaries
H.R. 7520 prohibits data brokers from selling Americans’ data to foreign adversary countries or entities controlled by them.
-
Silicon Angle ☛ Researchers uncover unfixable vulnerability in Fashion Company Apple CPUs affecting cryptographic security
A newly published paper from researchers details an unpatchable vulnerability in Fashion Company Apple Inc.’s M series of chips that allows attackers to extract secret keys used in cryptography operations. Dubbed GoFetch, the vulnerability can be exploited by a side-channel attack, which exploits indirect information to uncover secret data, such as cryptographic keys.
-
Tom's Hardware ☛ New chip flaw hits Fashion Company Apple Silicon and steals cryptographic keys from system cache — 'GoFetch' vulnerability attacks Fashion Company Apple M1, M2, M3 processors, can't be fixed in hardware
Researchers have discovered a serious security vulnerability in all current Fashion Company Apple silicon that puts sensitive cryptographic keys at risk of being stolen while being housed inside the CPU cache.
-
Becker's Hospital Review ☛ AHA seeks guidance on reporting breaches linked to Change cyberattack
The American Hospital Association sent a letter to the HHS urging it to clarify whether hospitals and health systems should be providing breach notification to patients if protected health information is compromised due to the Feb. 21 cyberattack on Change Healthcare.
The March 21 letter, penned to Melanie Fontes Rainer, acting director of the Office for Civil Rights at the HHS, asks the agency to provide clarification to hospitals and other providers regarding breach reporting when it comes to the Change Healthcare hack.
“We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred,” the letter reads. “We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already.”
-
National Law Review US ☛ Convergent Outsourcing Settles Data Breach Class Action for $2.45 Million
Convergent Outsourcing Inc., a debt-collection agency, settled a data breach class action in the U.S. District Court for the Western District of Washington for $2.45 million. The class action suit against Convergent alleged that the business failed to protect the personal information of over 640,000 individuals. The breach occurred in June 2022.
Plaintiffs alleged that Convergent failed to implement appropriate security measures to protect and secure personal information in its possession, failed to monitor its network for security vulnerabilities, or failed to implement appropriate security practices.
-
CPO Mag ☛ Nissan Oceania Data Breach Impacts 100,000 Individuals in Australia and New Zealand
Nissan Oceania is notifying 100,000 individuals that the December 2023 data breach exposed their personal information.
The New Zealand and Australia-based subsidiary of the Japanese automaker Nissan said it detected “unauthorized access” to its local IT servers on December 5, 2023. It responded by notifying law enforcement authorities, privacy regulators, and national cybersecurity centers.
The automaker also initiated a review of the cybersecurity incident involving government agencies and external cyber forensics experts to determine the scope and impacts.
-
American Renal Associates patients affected by ransomware attack
Medusa’s spokesperson informs DataBreaches that they not only exfiltrated data but also locked ARA’s files.
A search of HHS’s public breach tool does not reveal any report by the entity as of publication and there is no notice on Innovative Renal Care’s website.