Security Leftovers
-
SANS ☛ Catching CARP: Fishing for Firewall States in PFSync Traffic, (Wed, Jan 22nd)
Legend has it that in the Middle Ages, monks raised carp to be as "round" as possible. The reason was that during Lent, one could only eat as much as fit on a plate, and the round shape of a carp gave them the most "fish per plate". But we are not here to exchange recipes. I want to talk about CARP and the network failover feature.
-
Ruben Schade ☛ CAPTCHAs are getting creepy
Speaking of CAPTCHAs, what is… this!?
-
Wired ☛ Subaru Security Flaws Exposed Its System for Tracking Millions of Cars
Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.
-
OpenSSF (Linux Foundation) ☛ Accelerating OpenSSF Adoption: Unlocking Scorecard Insights with a Centralized Dashboard
Open source components are consumed by over 90% of modern applications. Their omnipresence stems from their cost-effectiveness, flexibility, and collaborative nature, making them a cornerstone of contemporary software development. However, this widespread use also makes it a critical weak link in software security. Many open source projects are maintained by small teams or individual contributors with limited resources, leaving them exposed to unpatched vulnerabilities, outdated dependencies, and supply chain attacks. Transparency about these challenges, paired with the proactive use of security tools, is essential for regaining trust in open source code/components.
-
Troy Hunt ☛ You Can't Trust Hackers, and Other Data Breach Verification Tales
It's hard to find a good criminal these days. I mean a really trustworthy one you can be confident won't lead you up the garden path with false promises of data breaches.
-
Scoop News Group ☛ ‘Severe’ bug in ChatGPT’s API could be used to DDoS websites
The vulnerability, described by a researcher as “bad programming,” allows an attacker to send unlimited connection requests through ChatGPT’s API.
-
The Register UK ☛ Think Patch Tuesday was bad? Oracle releases 603 fixes
Oracle has delivered its regular quarterly collection of patches: 603 in total, 318 for its own products, and another 285 for Linux code it ships.
Big Red’s VP of security assurance Eric Maurice singled out one patch as worthy of particular attention: The fix addresses CVE-2025-21556, a CVSS 9.9-out-of-10-rated vulnerability in Oracle’s Agile Product Lifecycle Management (PLM) Framework which allows a low-privileged attacker with network access to compromise that tool, and through it other Oracle products.
Maurice urged action because in November 2024 Oracle published an out-of-band security alert for the Agile PLM Framework. He wrote that the patch delivered on Wednesday “includes patches for this alert as well as additional patches.”
-
Fake Homebrew site leverages Google ads to target macOS, Linux devices [Ed: Social engineering attack]
Bad actors are using a fake Homebrew site on a Google ads page to distribute infostealer malware that’s targeting macOS and Linux devices.
This new Google ads campaign was first discovered by security researcher Ryan Chenkie, who warned security pros about the infostealer on X on Jan. 18.
Another security researcher, JAMESWT, posted on X that the malware dropped in the new Google ads campaign is the Amos infostealer that targets data stored on web browsers, desktop wallets, and cryptocurrency extensions.
-
Financial Post ☛ Rimini Street Announces Rimini Protect™ Advanced Hypervisor Security for VMware, Nutanix and All Other Linux-Based Hypervisors, Powered by Vali Cyber®, to Safeguard Against Ransomware and Other Vulnerabilities [Ed: VMware is a GPL violation (Linux), not "Linux-Based Hypervisors" per se]
-
Devices/Embedded
-
Security Week ☛ Over $380,000 Paid Out on First Day of Pwn2Own Automotive 2025
Trend Micro’s Zero Day Initiative (ZDI) has announced the results from the first day of the Pwn2Own Automotive 2025 hacking contest taking place this week in Tokyo alongside the Automotive World conference.
-