itwbennett writes (submission 177139787):
Personal health information on 4.7 million Blue Shield California subscribers was unintentionally shared between Google Analytics and Google Ads between April 2021 and January 2025 due to a misconfiguration error. Security consultant and SANS Institute instructor Brandon Evans points to two lessons to take from this debacle:
- read the documentation of any third party service you sign up for, to understand the security and privacy controls;
- know what data is being collected from your organization, and what you don’t want shared.
itwbennett writes (submission 177136629):
From the Network World article: Weeks after BIOS developer AMI released an update fixing a critical vulnerability in its MegaRAC baseband management controller (BMC) firmware used in many enterprise servers and storage systems, OEM patches addressing the issue are slowly trickling out.
The latest vendor to release patches was Lenovo, which appears to have taken until April 17 to release its patch. And although Asus patches for four motherboard models appeared only this week, the exact time these were posted is unconfirmed; the dates on the updates range from March 12 to March 28.
Among the first to release a patch was Hewlett Packard Enterprise (HPE), which on March 20 released an update for its HPE Cray XD670, used for AI and high-performance computing (HPC) workloads. Other OEMs known to use AMI’s MegaRAC BMC include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm.
itwbennett writes (submission 177121247):
Computerworld reports that Western Digital and Microsoft are testing ways to recover precious materials from old servers. “A new advanced sorting ecosystem with an eco-friendly non-acid process not only recaptures essential rare earth elements but also extracts metals like gold, copper, aluminum, and steel, feeding them back into the US supply chain,” Western Digital said in a statement. This part isn't new. What's new is the math. Thanks to Trump's tariff war and 'moves by China to halt the export of bismuth, which might hold the key to future faster and more efficient semiconductors,' the few dollars' worth of materials in one server might be enough ROI to make it worthwhile. Gartner analyst Autumn Stanish is positive about the Western Digital news, but advises caution. 'This seems, based on the public information, far from the volume and scale to achieve the independence and carbon savings potential presented,' she said.
itwbennett writes (submission 177053913):
From the department of doing-your-research, the cyberespionage group also known as Cozy Bear, which is linked to Russia's foreign intelligence service, is targeting 'European diplomatic entities, including non-European countries’ embassies located in Europe,' according to a new report from Check Point. 'In this current wave of attacks, the threat actors impersonate a major European Ministry of Foreign Affairs to send out invitations to wine tasting events, prompting targets to click a web link leading to the deployment of a new backdoor called GRAPELOADER.'
itwbennett writes (submission 177036119):
In a move that will further overburden IT staff, members of the CA/Browser Forum voted to cut the lifespan of web certificates to just 47 days by 2029. The changes, which have been debated for over a year, were expected and will be phased in gradually. But Jon Nelson, a principal advisory director at Info-Tech Research Group, questioned the motives of the group: "They are doing this under the auspices of reducing risk, but I question if that is the real reason. Do the people making up this group have a conflict of interest in that this move could generate additional revenue for their companies?”
itwbennett writes (submission 175220153):
A move announced last week by the new Labour government in the UK could mean the estimated 1.6 million organizations that use .io domain names may have to eventually replace that ccTLD, according to a report in Computerworld. As part of a diplomatic deal, the UK will hand over the Chagos Islands to Mauritius and in so doing will eliminate the region represented by the .io domain.
itwbennett writes (submission 175178727):
According to a consent decree published on Monday by the US Federal Communications Commission, T-Mobile must pay a $15.75 million penalty and invest an equal amount 'to strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future.' The settlement stems from FCC investigations ‘focused on three major T-Mobile data breaches in 2021, 2022, and 2023, which impacted millions of its customers,’ writes Evan Schuman for CSOonline.com. ‘Implementing these practices will require significant — and long overdue — investments. To do so at T-Mobile’s scale will likely require expenditures an order of magnitude greater than the civil penalty here,’ the consent decree said. Notes Schuman: ‘One order of magnitude greater than the $15.75 million penalty would be $157.5 million.’
itwbennett writes (submission 175130857):
BitSight security researchers have discovered 11 critical and high-severity vulnerabilities in six automatic tank gauge (ATG) models from five different manufacturers. The flaws, which CISA has issued an advisory for, included OS command injection, hardcoded credentials, authentication bypasses, cross-site scripting, SQL injection, arbitrary file reads, and privilege escalation. These systems "are used to monitor the fuel level, pressure, and temperature inside fuel tanks and are also designed to detect potential leaks and trigger countermeasures," explains CSOonline's Lucian Constantin. These systems have a history of being insecure. "The vulnerability of ATG systems has been known since before 2015 when a Trend Micro investigation set up the GasPots Experiment using honeypot systems to lure attackers, investigate their methods, and assess weaknesses," writes Constantin.
itwbennett writes (submission 175130519):
Bloomberg reports that the US DOJ is investigating German software provider SAP and reseller Carahsoft for allegedly conspiring to overcharge the US government. "The investigation centers on more than $2 billion worth of SAP technology purchased by US government agencies since 2014," writes Gyana Swain for CIO.com. "This isn’t the first time SAP has faced legal challenges related to its business practices. Earlier this year, the German software developer agreed to pay $222 million to settle allegations of bribery schemes in seven countries."
itwbennett writes (submission 175130319):
Back in 2020, Microsoft said it would make itself 'carbon negative' by 2030 and wouldn't use tricks like carbon offsets to get there. But then along came power-hungry AI and those climate vows are a distant memory, writes Preston Gralla for Computerworld, or at least that's "the message delivered by Microsoft’s spike in water use to cool AI data centers, and the company’s recently proposed deal to reopen Three Mile Island, the site of the worst nuclear power disaster in US history."
itwbennett writes (submission 128401238):
An average of 2000 to 3000 publicly exposed Microsoft SQL servers a day are being infected with remote access Trojans and cryptominers as part of an attack campaign that has been traced back to 2018, reports Lucian Constantin in CSOonline. While the primary goal of the attack seems to be cryptocurrency mining, ‘what makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold,’ say researchers from Guardicore who investigated the attacks. The researchers also note that most machines (60%) stay infected only briefly, but ‘almost 20% of all breached servers remained infected for more than a week and even longer than two weeks,’ and 10% become reinfected. Infections from this campaign are thorough and have multiple components, and the attackers aggressively remove malware from competitors from targeted machines, says Constantin.
itwbennett writes (submission 125545056):
According to a new report from Akamai, nearly 20% of attempted credential stuffing attacks, a type of brute-force attack where criminals use lists of username and password combinations to gain access to accounts, are now done through APIs rather than user-facing login pages. And the number is higher in the financial services industry 'where the use of APIs is widespread and in part fueled by regulatory requirements,' and competition from fintech startups, writes Lucian Constantin for CSO. Credential stuffing has become more of an issue in recent years because of the billions of stolen credentials that have been dumped on the internet and 'API usage and widespread adoption have enabled criminals to automate their attacks,' Akamai said in its report, adding that several problems with API development, such as the lack of rate limiting for authentication attempts, make it easier for attackers to abuse them.
itwbennett writes (submission 118558000):
Security researcher Chris Kubecka has identified (and reported to Boeing and the Department of Homeland Security back in August) a number of security vulnerabilities in Boeing’s networks, email system, and website. ‘[T]he company's failure to remedy the security failures she reported demonstrate either an unwillingness or inability to take responsibility for their information security,’ writes JM Porup for CSO online. The vulnerabilities include a publicly exposed test developer network, a lack of encryption on the boeing.com website, failure to use DMARC for email security, and, perhaps most notably, an email server infected with malware. For its part, Boeing says that the vulnerabilities Kubecka reported are ‘common IT vulnerabilities — the type of cyber-hygiene issues thousands of companies confront every day’ and that the company has ‘no indication of a compromise in any aviation system or product that Boeing produces.’ What Porup’s reporting and Kubecka’s research clearly show, however, is how poor information security practices can become aviation security risks.
itwbennett writes (submission 116988672):
iTerm2 users: It’s time to upgrade. A security audit sponsored by the Mozilla Open Source Support Program uncovered a critical remote code execution (RCE) vulnerability in the popular open-source terminal app for macOS. The flaw, which is now tracked as CVE-2019-9535, has existed in iTerm2 for the past seven years and is located in the tmux integration. The flaw was fixed in iTerm2 version 3.3.6, which was released today.
itwbennett writes (submission 113223844):
Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO. There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.