Security Leftovers
-
OpenSSF (Linux Foundation) ☛ CRA Stewards and Manufacturers Workshop: Key Takeaways and Next Steps
Last week the 'Linux' Foundation Europe and OpenSSF teams held a workshop focused on the implications of the recently published Regulation (EU) 2024/2847, commonly known as the Cyber Resilience Act or CRA. The 2024 Stewards and Manufacturers Workshop in Amsterdam was a highly successful event where members from across the 'Linux' Foundation, other upstream open source foundations, community experts, and government officials came together to get a common understanding of the obligations of both Manufacturers and Stewards, and how each group needs to collaborate together as the legislation starts to go into effect over the next three years.
-
Silicon Angle ☛ Fortinet warns of malicious Python packages targeting credentials and user data
A new report out today from Fortinet Inc.’s FortiGuard Labs is warning of two newly discovered malicious Python packages that pose a high risk of credential theft, data exfiltration and unauthorized system access.
-
SANS ☛ Modiloader From Obfuscated Batch File, (Mon, Dec 23rd)
-
Bruce Schneier ☛ Criminal Complaint against LockBit Ransomware Writer
The Justice Department has published the criminal complaint against Dmitry Khoroshev, for building and maintaining the LockBit ransomware.
-
Pen Test Partners ☛ Heels on fire. Hacking smart ski socks
TL;DR: A silly-season BLE connectivity story. Overheat people’s smart ski socks… but only when in Bluetooth range AND when the owner’s phone is out of range of their feet!
-
LWN ☛ Security updates for Monday
Security updates have been issued by Debian (gst-plugins-base1.0, libxstream-java, php-laravel-framework, python-urllib3, and sqlparse), Fedora (chromium, libcomps, libdnf, mingw-directxmath, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-orc, ofono, prometheus-podman-exporter, python3-docs, python3.13, and webkitgtk), Mageia (mozjs78, thunderbird, and tomcat, tomcat packages), SUSE (aalto-xml, flatten-maven-plugin, jctools, moditect, netty, netty-tcnative, chromedriver, govulncheck-vulndb, grpc, kernel, python-aiohttp, python-python-sql, and vim), and Ubuntu (linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15 and linux-aws, linux-aws-5.4, linux-bluefield, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp).
-
ZDNet ☛ 5 biggest Linux and open-source stories of 2024: From AI arguments to security close calls
AI arrived, security troubles were dodged, and after years of development, real-time Linux finally made it into mainstream Linux. Here's what shook up the open-source world this year and what it means for 2025.