Security Leftovers
-
Security Week ☛ CVE and NVD – A Weak and Fractured Source of Vulnerability Truth
MITRE is unable to compile a list of all new vulnerabilities, and NIST is unable to subsequently, and consequently, provide an enriched database of all vulnerabilities.
-
Security Week ☛ Number of Chinese Devices in US Networks Growing Despite Bans
An analysis by Forescout shows 300,000 Chinese devices in the US, up 40% compared to the previous year, despite bans.
-
Federal News Network ☛ Zero trust for weapons systems will be a ‘heavy lift’ for DoD
Securing weapons systems and other non-traditional systems will be a 'heavy lift' for the DoD as it rushes to hit the targeted zero trust level by 2027.
-
Security Week ☛ Google Patches Exploited Pixel Vulnerabilities
Google patches 28 vulnerabilities in Android and 25 bugs in Pixel devices, including two flaws exploited in the wild.
-
Linux Kernel Vulnerabilities Addressed in Ubuntu 18.04
Recently, several critical vulnerabilities were identified in the Linux kernel. These vulnerabilities could potentially allow attackers to crash systems, steal sensitive information, or even execute arbitrary code. The good news is that the patches have been released to address these issues. In this article, we will explore the fixed vulnerabilities in end-of-life Ubuntu versions (16.04 and 18.04) and offer an alternative solution for users who are not subscribed to Ubuntu Pro.
-
IT News AU ☛ Diabetes WA reveals data breach
Diabetes WA has disclosed a data breach affecting people who engaged with its telehealth service.
In a breach notice posted Tuesday, the organisation said a “third party” gained “access to the personal information of some … contacts.”
The personal information possibly exposed in the breach includes name, address, date of birth, email, phone number, marital status, Indigenous status, referring doctor, type of diabetes, and Medicare number.
-
Hacked hospitals sending 326K letters to patients in Windsor, elsewhere
Hundreds of thousands of patients, including many in Windsor-Essex, whose personal information was posted to the dark web following a cyberattack last fall will soon receive letters from impacted hospitals.
-
Florida Department of Juvenile Justice computer network hacked
Hackers broke into the computer network of the Florida Department of Juvenile Justice in Tallahassee, which runs the state’s juvenile detention centers and programs to steer troubled kids away from crime. It led to a continuing shutdown of the digital backbone the agency uses to manage cases statewide.
The department took offline some of its computer systems as early as March 29 due to what spokeswoman Amanda Slama described as an unspecified security concern, she confirmed in a statement Thursday afternoon, two days after a reporter’s initial inquiries about the matter.
-
Medium ☛ The Linux Security Journey — SUID (Saved User ID)
In this context SUID stands for “Saved User ID” (and it is different from the SUID bit — https://medium.com/@boutnaru/linux-security-suid-bit-d4f553e7d99e). It is used when we have a task (process/thread) executing with high privilege (such as root, but not limited to that) which needs to do something in an unprivileged manner. Due to the fact that we want to work according to the “least privilege” principle (https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP), we need to use the high privileges only when it is a must.
-
Beta News ☛ Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!
Hold on to your hats, folks, because Microsoft is at it again. In a move that’s sure to ruffle some feathers, the tech giant has announced* that starting October 2024, just one year before Windows 10 reaches its end of support, the company will charge a whopping $61 per device for the first year of Extended Security Updates (ESU). And get this – the price will double every consecutive year for a maximum of three years! If you’re late to the party and join in Year Two, you’ll have to cough up the cash for Year One as well since these updates are cumulative. Talk about a slap in the face!
-
LWN ☛ KDE6 release: D-Bus and Polkit Galore (SUSE security team blog)
The SUSE Security Team Blog is carrying a detailed article on SUSE's review of the KDE6 release.
Update
Windows TCO
-
Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023
Today, the U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) findings and recommendations following its independent review of the Summer 2023 Microsoft Exchange Online intrusion. The review detailed operational and strategic decisions that led to the intrusion and recommended specific practices for industry and government to implement to ensure an intrusion of this magnitude does not happen again. Secretary of Homeland Security Alejandro N. Mayorkas received the CSRB report from the Board and delivered it to President Biden. This is the third review completed by the CSRB since the Board was announced in February 2022.
-
Threat actors walked away from a $1.8 million offer because the victim talked to the media?! (1)
A recent listing on LockBit’s leak site about Crinetics Pharmaceuticals seemed unusual. It included a disclaimer: “Those responsible for the exfiltration of data belonging to this victim have no association, indirect or direct, with the Lockbit group.”
If those who exfiltrated the data had no association with LockBit, why was the listing on LockBit’s site?