Security Leftovers
-
Flipping pages, from userland to godmode
On X, Lau (@notselwyn) (https://twitter.com/notselwyn/) released a blog post on 26 March at https://pwning.tech/nftables/ describing an elaborate attack on the Linux kernel that allows privilege escalation by exploiting a vulnerability in nf_tables. The PoC, published on GitHub, starts with a double free() and leads the kernel to execute arbitrary code with root privileges.
[...]
The kernel is the first layer of software that ‘embraces’ and protects the hardware. In modern operating systems, one of its most important tasks is to keep processes in separate and protected ‘islands’. In some cases, a process needs access to ‘privileged’ resources, in which case it can politely ask the kernel to execute the request with its ‘superpowers’ and then respond to the calling process with the result, without the need to run the entire process with elevated privileges.
-
HIPAA ☛ Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated
A lawsuit against CareFirst BlueCross BlueShield that was filed in response to a 2014 data breach has had a contract class certified by a federal judge, 9 years after legal action was initiated. The lawsuit can now proceed and more than 1 million plan members are a step closer to obtaining damages. In June 2014, hackers gained access to CareFirst systems, which contained the data of around 1.1 million plan members; however, the intrusion was not detected for several months. In response to major data breaches at Anthem Inc., Premera, Excellus, and Community Health Systems, CareFirst conducted a review of its systems which revealed there had been unauthorized access to one of its databases.
CareFirst announced the data breach in May 2015 and explained that a single database was compromised that stored data that members and other individuals enter to access CareFirst’s websites and online services. The compromised data included names, birth dates, email addresses, and subscriber ID numbers, but no highly sensitive information such as Social Security numbers, financial information, or health information.
-
The Telegraph UK ☛ Hacker fakes his own death to avoid paying $100,000 in child maintenance
A computer hacker faked his own death to avoid paying over $100,000 in outstanding child support to his ex-wife, according to court documents.
Jesse E. Kipf, 39, pleaded guilty to one count of aggravated identity theft and one count of computer fraud at a Kentucky court on March 29.
-
Update: American Renal Associates Data Breach Exposes Over 37,700 Individuals: Medusa Exfiltrates 5TB+ Data
In a previous article, we reported on the theft of PHI and PII data from the servers of American Renal Associates by the Medusa ransomware group, which occurred on March 2nd. However, further investigations conducted recently have revealed a more serious situation than initially described.