Security Leftovers

posted by Roy Schestowitz on Apr 06, 2024

• LWN ☛ Security updates for Friday

  Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).

• The Open Source Community is Building Cybersecurity Processes for CRA Compliance

  In an effort to meet the real challenges of cybersecurity in the open source ecosystem, and to demonstrate full cooperation with, and to support the implementation of, the European Union’s Cyber Resilience Act (CRA), Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are announcing an initiative to establish common specifications for secure software development based on open source best practices.

  This collaborative effort will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process and a new working group. As Europe’s largest open source foundation, which also supports a robust open specification process, the Eclipse Foundation is a natural home for this effort. Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well. The starting point for this highly technical standardisation effort will be today’s existing security policies and procedures of the respective open source foundations, and similar documents describing best practices. The governance of the working group will follow the Eclipse Foundation’s usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence.

• LWN ☛ Eclipse Foundation announces collaboration for CRA compliance

  The Eclipse Foundation, the organization behind the Eclipse IDE and many other software projects, announced a collaboration between several different open-source-software foundations to create a specification describing secure software development best practices. This work is motivated by the European Union's Cyber Resilience Act (CRA).

• Latvia ☛ One fine, two warnings issued over Baltic International Bank breaches

  The Supervision Committee of Latvijas Banka (LB), the country's financial regulator, said April 5 it had decided to impose a fine of 31,731 euros on Viktors Bolbats, former Chair of the Board of Baltic International Bank, which had its operations suspended more than a year ago.

• Security Week ☛ Lens Maker Hoya Scrambling to Restore Systems Following Cyberattack

  Japanese lens maker Hoya says production processes and ordering systems were disrupted by a cyberattack.

• Security Week ☛ Acuity Responds to US Government Data Theft Claims, Says Hackers Obtained Old Info

  Acuity, the tech firm from which hackers claimed to have stolen State Department and other government data, confirms hack, but says stolen info is old.

• Security Week ☛ Magento Vulnerability Exploited to Deploy Persistent Backdoor

  Attackers are exploiting a recent Magento vulnerability to deploy a persistent backdoor on ecommerce websites.

• Techdirt ☛ Restricting Flipper Is A Zero Accountability Approach To Security

  On February 8, François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, announced Canada would ban devices used in keyless car theft. The only device mentioned by name was the Flipper Zero—the multitool device that can be used to test, explore, and debug different wireless protocols such as RFID, NFC, infrared, and Bluetooth.

• Security Week ☛ Cisco Warns of Vulnerability in Discontinued Small Business Routers

  Cisco says it will not release patches for a cross-site scripting vulnerability impacting end-of-life small business routers.

• Security Week ☛ In Other News: 100,000 Affected by CISA Breach, Abusive Monopolist Microsoft Hey Hi (AI) Copilot Ban, Nuclear Site Prosecution

  Noteworthy stories that might have slipped under the radar: the CISA hack could impact 100,000 people, Abusive Monopolist Microsoft Hey Hi (AI) Copilot banned by US House, UK nuclear site prosecution. 

• LinuxSecurity ☛ Security Risks of Open-Source Software & Mitigations to Overcome Them

  Open-source software, or OSS , has completely changed the technology sector by enabling developers anywhere to work together and produce creative solutions faster. However, security issues are a significant worry, just like in any digital environment. Therefore, you should take precautions to secure any open-source software you use.

• Federal News Network ☛ CISA’s ‘Cyber Storm’ will help it update National Cyber Incident Response Plan

  CISA's "Cyber Storm" event feature more than 2,000 participants across government and industry working together to respond to a major cyber incident.

• Security Week ☛ NIST Grants $3.6 Million to Boost US Cybersecurity Workforce

  NIST announced $3.6 million in grants for 18 education and community organizations to build the future cybersecurity workforce.