Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils).
-
Federal News Network ☛ Lawmakers push for probe into Pentagon’s telecom security failures after historic cyberattack
"DoD has failed to use its purchasing power to require cyber defenses and accountability from wireless carriers," said Sens. Eric Schmitt and Ron Wyden.
-
Pen Test Partners ☛ Is secure boot on the main application processor enough? [Ed: It is not about security at all]
TL;DR Secure boot ensures only authentic firmware can run on a device and should form part of a layered defence strategy.
-
Reproducible Builds: Reproducible Builds in November 2024
Welcome to the November 2024 report from the Reproducible Builds project!
Our monthly reports outline what we’ve been up to over the past month and highlight items of news from elsewhere in the world of software supply-chain security where relevant. As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website.
-
LWN ☛ Let's Encrypt sets date for ending OCSP support
In July, Let's Encrypt announced it was ending support "as soon as possible" for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs) due to privacy concerns.
-
Developer Tech ☛ Linux Foundation releases ‘Census III’ open source report [Ed: Biased and ridiculous 'study'. But they get LLMs making bot-written puff pieces about it.]
Developed in partnership with the Laboratory for Innovation Science at Harvard, the “Census III” report provides invaluable insights into the state of the OSS ecosystem. Leveraging over 12 million data points from production environments across more than 10,000 companies, Census III highlights critical trends and challenges surrounding the use of OSS.
-
Mobile Systems/Mobile Applications
-
Scoop News Group ☛ How a Russian man’s harrowing tale shows the physical dangers of spyware
He exported data from his device and left his phone in Moscow as he escaped with his wife, fearing even at the border that he might be stopped before boarding a plane. He then contacted the Russian exile-led human rights group First Department with the exported information. Collaborating with the University of Toronto’s Citizen Lab, they confirmed his suspicions: His phone had indeed been infected with spyware.
-
Citizen Lab ☛ Something to Remember Us By: Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware Installed - The Citizen Lab
Our analysis finds that the spyware placed on his device allows the operator to track a target device’s location, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other capabilities.
-
Scoop News Group ☛ Study shows potentially higher prevalence of spyware infections than previously thought
Devices that the mobile device security firm’s tech scanned found seven Pegasus spyware infections among 2,500 users who volunteered to participate in its investigation with a $0.99 version of its tech as an app.
“Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports,” iVerify said in a blog post.
-
The Record ☛ Report: Russian authorities seized phone from detainee, infected it with spyware
Digital forensic researchers released a report on Thursday revealing that a phone Russian police seized from a citizen accused of sending money to Ukraine had been infected with spyware while he was detained.
The phone belonging to Kirill Parubets, a Russian programmer who spent more than two weeks in custody, was apparently infected with spyware that the researchers say allowed authorities to track his device location, read encrypted messages and record calls and keystrokes.
-
The Verge ☛ The Google Pixel 6, 7, and Fold will get two extra years of OS updates
Owners of Pixel 6-series, 7-series and Pixel Fold phones can look forward to a couple more years of OS upgrades than initially expected, as discovered by Android expert Mishaal Rahman and confirmed by Google on X. When they were introduced, Google originally promised three years of OS upgrades and five years of security patches for each device, starting from the time they went on sale. But a quiet update to a support page confirms that these phones will get two additional OS upgrades, giving them a full five years of OS and security support that “may also include new and upgraded features with Pixel Drops.” That, my friends, rules.
-
Web Browsers/Web Servers
-
Google ☛ (QR) Coding My Way Out of Here: C2 in Browser Isolation Environments
In this blog post, Mandiant demonstrates a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. Mandiant shows how attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device.
-