Security Leftovers
LWN ☛ Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (nginx-mod-modsecurity, php, and tomcat), Mageia (strongswan), Oracle (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, firefox, gdk-pixbuf2, idm:DL1, ipa, kernel, libreoffice, podman, rpm-ostree, and thunderbird), Red Hat (dnsmasq and nghttp2), Slackware (mozilla), SUSE (curl, firefox, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, openssl-3, and python-Pillow), and Ubuntu (libmatio, libndp, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.5, and virtuoso-opensource).
Security Week ☛ Easily Exploitable Critical Vulnerabilities Found in Open Source AI/ML Tools
Protect Hey Hi (AI) warns of a dozen critical vulnerabilities in open source AI/ML tools reported via its bug bounty program.
Netcraft ☛ Flipping the script on pig butchering – $45 million is just the tip of the iceberg
Losses to investment scams, romance fraud, and pig butchering reached $4.6 billion in the United States, a 38% increase in 2023. These scams often play out in private peer-to-peer conversations between victim and criminal, well beyond the reach of typical threat intelligence.
Russ Allbery ☛ Russ Allbery: Security review of tag2upload
For some time now, Debian has been discussing a possible enhancement to the way that Debian packages are uploaded to the archive. The basic idea is to allow a package upload to be triggered by pushing a signed tag, with some structured metadata, to Salsa, the instance of GitLab that Debian provides for packaging repositories. This would allow Debian package maintainers to use a more typical Git-first workflow, where releases are triggered by Git tags and the release artifacts are built in a clean CI environment, while still enforcing the existing Debian rules about who is allowed to upload packages.
Hong Kong Free Press ☛ Data of over 20,000 staff, students at Chinese University of Hong Kong stolen after school server hacked
The personal data of over 20,000 Chinese University of Hong Kong (CUHK) staff and students has been stolen after a server at one of the institution’s schools was hacked, the latest in a string of large-scale data breaches in the city.
Security Week ☛ French Bug Bounty Platform YesWeHack Raises $28 Million
YesWeHack has raised more than $52 million to date to build and market a crowdsourced vulnerability reporting platform.
Security Week ☛ Life360 Says Personal Information Stolen From Tile Customer Support Platform
Life360 says hackers attempted to extort it after stealing personal information from a Tile customer support platform.
Security Week ☛ City of Cleveland Scrambling to Restore Systems Following Cyberattack
The City of Cleveland says emergency services, utilities, and airport are unaffected by a recent cyberattack.
Security Week ☛ Prevalence and Impact of Password Exposure Vulnerabilities in ICS/OT
Analysis and insights on the prevalence and impact of password exposure vulnerabilities in ICS and other OT products.
Windows TCO
Silicon Angle ☛ Black Basta ransomware group suspected in Ascension data theft incident [Ed: Windows TCO]
U.S. healthcare provider Ascension has provided more details of its “cyber security event” last month, admitting that data was stolen, with some reports also suggesting that the Black Basta ransomware gang was behind the attack.
