Security Leftovers
-
Security Week ☛ Exploited Vulnerability Could Impact 20k Internet-Exposed VMware ESXi Instances
Shadowserver has observed over 20,000 internet-accessible VMware ESXi instances impacted by an exploited vulnerability.
-
Purism ☛ Hardware Based Security For Government
The TPM is a widely adopted Hardware RoT. It is a dedicated microcontroller that provides cryptographic functions, secure storage, and hardware-based security features.
-
Pen Test Partners ☛ Bootloaders explained
TL;DR Modern computers have a program that starts the operating system, known as a bootloader. Bootloaders can be communicated with to access storage (and sometimes RAM) directly.
-
Scoop News Group ☛ EPA ‘urgently’ needs to step up cybersecurity assistance for the water sector, GAO says
The watchdog said the agency lacks "cybersecurity-related goals, objectives, activities, and performance measures."
-
CVE-2024-41946: DoS vulnerability in REXML
There is a DoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-41946. We strongly recommend upgrading the REXML gem.
When parsing an XML document that has many entity expansions with the SAX2 or pull parser API, the REXML gem may take a long time.
Please update the REXML gem to version 3.3.3 or later.
-
CVE-2024-41123: DoS vulnerabilities in REXML
There are some DoS vulnerabilities in the REXML gem. These vulnerabilities have been assigned the CVE identifier CVE-2024-41123. We strongly recommend upgrading the REXML gem.
When parsing an XML document that has many specific characters such as whitespace characters, `>]` and `]>`, the REXML gem may take a long time.
-
Security Week ☛ Personal, Health Information Stolen From Pharma Giant Cencora
Pharma giant Cencora has confirmed that personal and health information was stolen in a February 2024 cyberattack.
-
Hackaday ☛ Hackaday Podcast Episode 282: Saildrones, A New Classic Laptop, And SNES Cartridges Are More Than You Think
In this episode, the CrowdStrike fiasco has Hackaday Editors Elliot Williams and Tom Nardi pondering the fragility of our modern infrastructure. From there the discussion moves on to robotic sailboats, the evolving state of bespoke computers, and the unique capabilities of the Super Nintendo cartridge. You’ll also hear about cleaning paintings with lasers, the advantages of electronic word processors, stacking 3D printed parts, and the joys of a nice data visualization. They’ll wrap the episode up by marveling at the techniques required to repair undersea fiber optic cables, and the possibilities (and frustrations) of PCB panelization using multiple designs.
-
Confidentiality
-
Security Week ☛ DigiCert Revoking 83,000 Certificates of 6,800 Customers
DigiCert has started revoking 83,000 certificates impacted by a validation issue, but critical infrastructure customers are asking for more time.
-
IT Wire ☛ Carers ACT goes passwordless with YubiKeys
Non-profit support provider for unpaid family and friend carers in the Australian Capital Territory (ACT) Carers ACT has deployed YubiKeys to its support workers to protect vulnerable Australians’ health information.
-
NYMag ☛ Bloomberg’s Risky, Embargo-Breaking Evan Gershkovich Scoop
According to multiple sources at the Journal and other major outlets, the Bloomberg scoop left journalists and government officials fuming. With a prisoner swap, you don’t know if it’s going to happen until it happens. (As one Journal reporter put it: “We literally had Yaroslav Trofimov on the ground with binoculars waiting to see Evan come off the plane, and we pubbed as soon as that happened.”) Which means that Bloomberg’s story proclaiming Gershkovich was free was inaccurate, given that the Russian plane was still in the air at the time of publication. That plane could have just turned around and gone back to Moscow, which is why the Journal and other publications had agreed to hold off.
-