Security Leftovers
-
Security updates for Wednesday [LWN.net]
Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).
-
Pre-notification dilemmas
In 2011 I started to send "pre-notifications" about pending curl security vulnerabilities to the distros mailing list (back then it was still called linux-distros). For several years we also asked them for CVE IDs for the new vulnerabilities that we were about to publish to the world.
-
Stenberg: Pre-notification dilemmas [LWN.net]
Curl maintainer Daniel Stenberg expresses some frustrations with the vulnerability notification policies maintained by the distros mailing list.
[...]
The kernel project has run into similar issues in the past.
-
ChatGPT Suffers First Data Breach, Exposes Personal Information
The breach came during a March 20 outage and exposed payment-related and other personal information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window, according to a blog post by OpenAI Friday, March 24.
"In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time," OpenAI officials wrote today.
-
Newton schools closed after network security breach
The Newton school district cancelled all classes for Wednesday after a computer network breach on Tuesday.
So far, district officials have not said exactly what happened or what data may have been accessed. The school district says some computers are being kept offline until it can be sure they are safe to use. Newton schools are working with law enforcement as an investigation is ongoing.
An email from the district included some questions that people may have regarding the incident. That information can be found below.
-
Ransomware crooks are exploiting IBM file-exchange bug with a 9.8 severity | Ars Technica
If you haven't patched your Aspera Faspex server, now would be an excellent time.
-
Braintree GP surgery warns of data breach after ‘confidential’ information blows across roads
A GP surgery has admitted to a data breach after "confidential" information was blown into the local area whilst being obtained by waste collectors. Mount Chambers Surgery in Braintree says they have reported themselves to the Information Commissioners Office (ICO) over the breach.
The GP surgery, on Coggeshall Road in Braintree, looks after just over 13,000 patients according to NHS data. Mount Chambers Surgery has not said whether the data breach, which occurred on March 13, involved any information relating directly to patients.
They said the breach happened when high winds meant "some of the confidential waste blew into areas surrounding the surgery". The surgery has asked anyone who might come across any information to return it to the practice so it can be disposed of appropriately.
-
Dutch government sued for compensation over GGD Covid data theft
The ICAM Foundation filed a lawsuit against the Ministry of Public Health, Welfare, and Sport and 34 other agencies over a data breach at the GGD health services during the coronavirus pandemic. The foundation is demanding 500 euros compensation for affected people and 1,500 euros for people who can prove that their data was stolen, NOS reports.
For a period during the pandemic, GGD call center employees had access to the personal data of everyone who had been tested for Covid-19. RTL Nieuws revealed that some GGD workers traded in this sensitive data on a large scale. According to the foundation, up to 6.5 million people may be affected.
-
Cyberattack on debt-buying giant exposes sensitive info on nearly 500,000 people
Nearly half a million people had their sensitive financial information leaked during a cyberattack on NCB Management Services – a company that purchases debt.
The Pennsylvania-based company sent out breach notification letters last week after discovering the attack on February 4.
In documents filed with Maine’s Attorney General, the company said 494,969 people had their names, addresses, phone numbers, email addresses, dates of birth, employment positions, pay amounts, driver's license numbers, Social Security numbers, account numbers, credit card numbers, routing numbers, account balances, and account statuses leaked.
-
Western Cape Health condemns break-in at Ravensmead CDC
The Western Cape Government Health and Wellness has strongly condemned the break-in at the Ravensmead Community Day Centre (CDC) during the weekend.
This comes after perpetrators gained entry to the building through the roof, damaging the roof and ceiling.
Spokesperson Shimoney Regter said three computers used to update folders and update patient information were stolen.