Security Leftovers (UPDATED)
-
Microsoft worker accidentally exposes 38TB of sensitive data in GitHub blunder [Ed: But the mainstream media will still have the audacity to present Microsoft as security authority and champion]
A Microsoft employee accidentally exposed 38 terabytes of private data while publishing a bucket of open-source AI training data on GitHub, according to Wiz security researchers who spotted the leaky account and reported it to the Windows giant.
-
Protecting Your Privacy and Security on Android
With Android being one of the top mobile operating systems, it's often targeted by cybercriminals. You can fight back against vulnerabilities and exploits by focusing on Android security and digital privacy.
-
Fundamental rights impact assessments are key for effective DSA enforcement
Under the EU DSA, companies designated as VLOPs or VLOSEs must assess fundamental rights risks stemming from their services. Access Now and ECNL have published a new policy paper to support enforcement of this requirement.
-
Mitigations for Critical c-ares DoS, Code Execution Bug Released
A critical buffer overflow vulnerability has been found in c-ares (versions before 1_16_1 through 1_17_0) in the function ares_parse_soa_reply in ares_parse_soa_reply.c (CVE-2020-22217). Because the bug is simple to exploit and poses a significant threat to the confidentiality, integrity, and availability of affected systems, it has received a National Vulnerability Database base score of 9.8 out of 10 ("Critical" severity).
-
Imagine Making Shadowy Data Brokers Erase Your Personal Info. Californians May Soon Live the Dream
California state Legislature has passed the Delete Act to allow individuals to order data brokers to delete their personal data — and to cease acquiring and selling it in the future.
UPDATE
More incidents, mostly Windows:
-
NYC schools are tightening cybersecurity. Some educators fear unintended consequences.
Following two high-profile data breaches, New York City’s Education Department has moved to shore up its cybersecurity protocols, increasing its vetting of software vendors and tightening email access for schools and parent leaders.
Because of the new protocols, the school year has started without approvals for scores of programs, including popular ones like Class Dojo, technology teachers told Chalkbeat.
Meanwhile, roughly 1,000 of the city’s 1,600 or so schools have abandoned school-specific websites and email addresses, and moved their communications under a centrally managed Education Department domain — a move an Education Department spokesperson said was “critical in ensuring the security of students’ personally identifiable information.”
-
K–12 IT Administrators Encounter Additional Security Controls for Users Under 18
Following the shift to incorporate more online and digital learning, schools leaned into the adoption of educational software products and applications. Many of these applications tracked student data, with data collection being the primary driver of some applications’ use in schools, as educators found value in tools that could analyze students’ progress.
In other cases, however, applications accessed and collected data that seemed irrelevant to their educational purpose. Savvy IT professionals in K–12 schools began investigating apps’ permissions and vetting the programs their users were downloading. This also helped schools protect their networks from third-party risk as a result of these software solutions.
-
Law Firm Accused of Waiting More Than a Year to Inform Affected Parties About Data Breach
Los Angeles-based law firm Hill, Farrer & Burrill was slapped with a data breach class action over allegations it detected a data breach in March 2022 but waited over a year to inform affected individuals their personal information had been leaked. […]
According to the complaint, Hill Farrer determined that cybercriminals gained unauthorized access to its systems between March 14 and March 18, 2022. The hackers are alleged to have accessed and stolen sensitive personal information, including names, dates of birth, Social Security numbers, and medical treatment information of Booker and other victims.
-
Visiting Physician’s Network in Texas silent about ransomware attack and incident response
One of the newer ransomware groups to open a leak site is “ThreeAM.” Bleeping Computer recently reported that the ThreeAM malware is written in Rust, and on at least one occasion, researchers discovered that when LockBit failed, ThreeAM (aka 3AM) was successfully deployed. Symantec has more details on the malware and the group’s methods.
[...]
On September 15, DataBreaches reached out to VPN via their website contact form. No reply was received. A second inquiry was sent today, requesting that they answer some questions via email or telephone. No reply has been received, though.
-
More victims of MOVEit breach are revealed: Nuance discloses for covered entities.
A check of Clop’s leak site today indicates that Clop has leaked what they describe as a 50-part Part 1 of data from Nuance. They do not indicate the total amount of data they acquired or when they might leak more, but the fact that Nuance is listed and at least partially leaked indicates that Nuance declined to pay any extortion demand from Clop. Whether any specific covered entities were contacted by Clop and agreed to pay is unknown to DataBreaches.
-
Cyberattack on a Breton municipality: private data released
The town of Betton (Ille-et-Vilaine), close to Rennes, was the victim of a cyberattack by hackers who released personal data after the municipality refused to pay a "ransom", according to corroborating sources. The "ransomware" attack was carried out on the night of August 30 to 31 by a group called Medusa, which had already targeted the town of Sartrouville (Yvelines) two weeks earlier using the same method. The attack encrypted "all data" on the computer system to make it inaccessible and also allowed the hackers to steal data, the town hall of Betton (12,500 inhabitants) explained in a press release issued on Monday.
The hackers demanded a ransom of $100,000, which the town refused to pay.
-
Experiment: How easy it was for me to influence Anonymous hacktivists
To say that we are living in a volatile time would be a brazen understatement. Since the onset of #OpRussia and successive operations, arguably the entire landscape of hacktivism has changed.
On February 25th, 2022, Anonymous officially declared war on Russia in response to the Russian-Ukrainian war. What I witnessed in the aftermath is disturbing.