Security Leftovers
-
Hackaday ☛ This Week In Security: Three Billion SS Numbers, IPv6 RCE, And Ring -2
You may have heard about a very large data breach, exposing the Social Security numbers of three billion individuals. Now hang on. Social Security numbers are a particularly American data point, and last time we checked there were quite a few Americans shy of even a half of a billion’s worth. As [Troy Hunt] points out, there are several things about this story that seem just a bit odd.
-
Diffoscope ☛ Reproducible Builds (diffoscope): diffoscope 275 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 275. This version includes the following changes:
* Update the test_zip.py text fixtures and definitions to support new changes to IO::Compress. (Closes: #1078050)
* Do not call marshal.loads(...) on precompiled Python bytecode, as it is inherently unsafe. Replace, at least for now, with a brief summary of the code section of .pyc files. (Re: reproducible-builds/diffoscope#371)
* Don't bother to check the Python version number in test_python.py: the fixture for this test is deterministic/fixed.
-
LWN ☛ Security updates for Friday
Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, python3.11-setuptools, thunderbird, and wget), Red Hat (kernel), SUSE (apptainer, curl, kernel, kernel-firmware, libqt5-qtbase, python-aiosmtpd, and ucode-intel), and Ubuntu (bind9, gnome-shell, libreoffice, and orc).
-
Security Week ☛ Cloud Misconfigurations Expose 110,000 Domains to Extortion in Widespread Campaign
Security researchers at Palo Alto Networks discover a threat actor extorting organizations after compromising their cloud environments using inadvertently exposed environment variables.
-
Scoop News Group ☛ House lawmakers push Commerce Department to probe Chinese Wi-Fi router company
The top representatives from the chamber’s U.S.-China competition committee want an investigation into TP-Link Technologies and an assessment of its national security risks.
-
Pen Test Partners ☛ Insights and highlights from DEF CON 32
TL;DR Event dates: August 8-11, 2024, in Las Vegas. PTP presentations: Backdoored Windows Hello: our Ceri Coburn (with Outsider Security’s Dirk-Jan Mollema) revealed vulnerabilities in biometric authentication.
-
Federal News Network ☛ Moving past security hurdles to interagency collaboration
The success or failure of a team is often judged by its ability to create solutions or make decisions efficiently.
-
Security Week ☛ In Other News: 400 CNAs, Crash Reports, Schlatter Cyberattack
Noteworthy stories that might have slipped under the radar: there are 400 CVE Numbering Authorities, crash reports can be a valuable source of information, and Schlatter was hit by a cyberattack.
-
Security Week ☛ SolarWinds Web Help Desk Vulnerability Possibly Exploited as Zero-Day
The US cybersecurity agency CISA warns that a recent SolarWinds Web Help Desk vulnerability has been exploited in the wild.