Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (chromium, libxml2, pgadmin4, and python-libgravatar), Mageia (ghostscript), Red Hat (389-ds:1.4, ansible-core, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, ghostscript, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, idm:DL1, idm:DL1 and idm:client modules, kernel, kernel-rt, krb5, LibRaw, libreoffice, libsndfile, libssh, libtiff, libX11, libxml2, libXpm, linux-firmware, motif, mutt, openssh, osbuild and osbuild-composer, pam, pcp, pcs, perl-Convert-ASN1, perl-CPAN, perl:5.32, pki-core:10.6 and pki-deps:10.6 modules, pmix, poppler, postgresql-jdbc, python-dns, python-jinja2, python-pillow, python27:2.7, python3.11, python3.11-cryptography, python3.11-urllib3, python39:3.9 and python39-devel:3.9 modules, qt5-qtbase, resource-agents, squashfs-tools, sssd, systemd, tigervnc, tomcat, traceroute, varnish:6, virt:rhel and virt-devel:rhel modules, vorbis-tools, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), SUSE (chromium, perl, postgresql14, and python-sqlparse), and Ubuntu (klibc, linux-aws-hwe, openssl, and vlc).
-
Tom's Hardware ☛ Consumer-grade spyware found running on hotel guest PCs contains serious security flaw that lets anyone see recent screenshots [Ed: See how it does what Microsoft plans to do, except with better marketing in Microsoft's case]
Three Wyndham hotels in the US have been found running the consumer-grade spyware app "pcTattletale", which has major security flaws allowing the public to view screenshots of sensitive guest information uploaded to the cloud.
-
Farhaan Bukhsh: SSL: How It Works and Why It Matters
How did it start?
I have been curious about what an SSL Certificate is and how it works. This is a newbie's log on the path to understanding a thing or two about how it works.
We casually talk about security and how SSL certificates should be used to make your website more secure. In this blog, I am documenting my learnings, and the end goal for me here is to see if I can enable an SSL certificate (sshh... it's called a TLS Certificate since SSL is long deprecated) on a server locally. Why?
-
APNIC ☛ Is regulated BGP security coming?
What impact would regulating BGP routing security have on the global Internet?
-
IT Wire ☛ Tenable finds flaw in HTTP server used in cloud environments
In a statement, the company said it had named the flaw Linguistic Lumberjack and informed the maintainers of the project on 30 April. Fixes had been committed on 15 May and would be available in the next release, 3.0.4. The issue has been assigned CVE-2024-4323.
-
Federal News Network ☛ Agencies accelerate efforts to ‘clean up’ insecure internet routing [Ed: First, remove Windows. It has back doors.]
Harry Coker highlighted federal efforts to better secure basic internet technology, as well as critical infrastructure, during addresses this week.
-
Security Week ☛ 55,000 Impacted by Cyberattack on California School Association
The Association of California School Administrators (ACSA) is informing nearly 55,000 individuals that they have been impacted by a ransomware attack.
-
Security Week ☛ Cybersecurity Labeling for Smart Devices Aims to Help People Choose Items Less Likely to be Hacked [Ed: Those "Smart Devices" probably aren't even needed in the first place; many are utterly worthless gimmicks which barely last a year.]
Under the new U.S. Cyber Trust Mark Initiative, manufacturers can affix the label on their products if they meet federal cybersecurity standards.
-
Security Week ☛ Zero-Day Attacks and Supply Chain Compromises Surge, MFA Remains Underutilized: Rapid7 Report
Attackers are getting more sophisticated, better armed, and faster. Nothing in Rapid7's 2024 Attack Intelligence Report suggests that this will change.
-
Security Week ☛ Newly Detected Chinese Group Targeting Military, Government Entities
Unfading Sea Haze has been targeting military and government entities in South China Sea countries since 2018.
-
Security Week ☛ 400,000 Impacted by CentroMed Data Breach
The personal information of 400,000 individuals was compromised in a data breach at El Centro Del Barrio (CentroMed).
-
Security Week ☛ NYSE Operator Intercontinental Exchange Gets $10M SEC Fine Over 2021 Hack
Intercontinental Exchange, the company that operates NYSE and other exchanges, has agreed to pay a $10 million fine related to a 2021 hack.
-
Chromium
-
Google ☛ Advancing Our Amazing Bet on Asymmetric Cryptography
Google and many other organizations, such as NIST, IETF, and NSA, believe that migrating to post-quantum cryptography is important due to the large risk posed by a cryptographically-relevant quantum computer (CRQC). In August, we posted about how Chrome Security is working to protect users from the risk of future quantum computers by leveraging a new form of hybrid post-quantum cryptographic key exchange, Kyber (ML-KEM). We’re happy to announce that we have enabled the latest Kyber draft specification by default for TLS 1.3 and QUIC on all desktop Chrome platforms as of Chrome 124. This rollout revealed a number of previously-existing bugs in several TLS middlebox products. To assist with the deployment of fixes, Chrome is offering a temporary enterprise policy to opt-out.
-