Security and Windows TCO Leftovers
-
Confidentiality
-
Tor ☛ Stable release 0.4.8.15 - Tor Release Announcement
Today, we are releasing the minor version 0.4.8.15 which fixes some minor, but annoying, bugs related to bandwidth authority sandbox and a Conflux control port issue. We also have a minor fix for clients about how they use relay flags for path selection.
-
-
Integrity/Availability/Authenticity
-
The Record ☛ Former Michigan football coach indicted in [breaches] of athlete databases of more than 100 colleges
Acting U.S. Attorney Julie Beck announced the charges, accusing Weiss of gaining unauthorized access from 2015 to January 2023 to student athlete databases of more than 100 colleges and universities that were maintained by third-party vendor Keffer Development Services. Michigan hired Weiss in 2021 and fired him in January 2023.
Weiss allegedly downloaded the personal information and medical data of more than 150,000 athletes. In addition to obtaining health information of students, he also [broke] into the “social media, email, and/or cloud storage accounts of more than 2,000 target athletes,” as well as another 1,300 students and alumni from universities across the country, prosecutors said.
-
Sagi Kedmi ☛ The National Security Case for Email Plus Addressing
In this deep dive, we explore how password reset and single sign-on mechanisms have become an intelligence goldmine for attackers. We’ll see how OSINT companies exploit password recovery flows to infer account existence and grab partial personal identifiers (like phone number fragments and credit card digits). We’ll examine the role of Single Sign-On (SSO) services (like “Sign in with Google”) in inadvertently standardizing our identities across the web, making it easier to track targets. We’ll also uncover some sneaky side-channel leaks that give away even more information to prying eyes. Most importantly, we’ll explain why all of this matters for national security – how hostile nation-states or organized cybercriminals could weaponize this data for phishing, identity theft, social engineering, or large-scale intelligence gathering. Finally, we’ll discuss mitigation strategies: from simple tricks like email “plus addressing” (e.g. [email protected]) to more advanced solutions like masked email services and policy changes that can help harden our authentication systems.
-
Society for Scholarly Publishing ☛ Tackling Science’s ‘Nasty Photoshop Problem’
So it’s not surprising that concerns about image integrity have gained a lot of attention recently. In 2004, Mike Rossner (Managing Editor) and Kenneth Yamada (Editor) of the Journal of Cell Biology wrote what is now considered a seminal article on how editors should safeguard image integrity. They noted that, at the time, many journals said little or nothing about image alterations in their author guidelines. In some cases, guidelines stated that the relationship between the original image and the published image must be maintained, and that the specific nature of any enhancements or manipulations must be disclosed, often in the figure legends.
-
-
Windows TCO / Windows Bot Nets
-
Hong Kong Free Press ☛ HK passes cybersecurity law covering 'critical infrastructure'
Hong Kong has passed a law meant to enhance safeguards for the city’s key infrastructure systems against cyberattacks, imposing fines of up to HK$5 million for cybersecurity lapses.
-
Tripwire ☛ BlackLock Ransomware: What You Need To Know
BlackLock is a relatively new ransomware group. First seen in March 2024, the ransomware operation initially operated under the name El Dorado, before rebranding as BlackLock late last year.
BlackLock follows a RaaS (ransomware-as-a-service) business model, leasing its tools and infrastructure to affiliates who launch attacks, sharing a proportion of the proceeds with BlackLock.
-
Security Week ☛ 500,000 Impacted by Pennsylvania Teachers Union Data Breach
In a data breach notice on its website, the teachers’ union has revealed that the security incident occurred around July 6 and impacted its network environment, and that the attackers stole certain data from its systems.
-
Scoop News Group ☛ Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
State-sponsored groups have been exploiting the zero-day since 2017, largely targeting governments, but also think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors, according to researchers. Trend Micro discovered and reported the defect to Microsoft in September.
-
Entrapment (Microsoft GitHub)
-
Bruce Schneier ☛ Critical GitHub Attack
Given that the utility is used by more than 23,000 GitHub repositories, the scale of potential impact has raised significant alarm throughout the developer community.
-
InfoWorld ☛ GitHub suffers a cascading supply chain attack compromising CI/CD secrets
The initial compromise of tj-actions/changed-files, designated as CVE-2025-30066, was discovered last week when researchers found malicious code injected into the tool. The Cybersecurity and Infrastructure Security Agency (CISA) has officially acknowledged the issue, noting that “This supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.”