Security is what we allow

https://arstechnica.com/security/2024/04/highly-capable-hackers-root-corporate-networks-by-exploiting-firewall-0-day/

Ding ding ding
https://www.marketplace.org/shows/marketplace-tech/the-65-year-old-computer-system-at-the-heart-of-american-business/

I started learning to program using COBOL in my senior year of High School and continued taking 2 more years in College as part of my degree in computer science/programming.

Also learned another 2 programming language dinosaurs, FORTRAN and RPG II. Never really used the latter two but did some COBOL programming on a IBM System 36 for several years before the business decided to convert everything to C.

Ouch again
https://thehackernews.com/2024/04/widely-used-putty-ssh-client-found.html

Security is what we allow.

Ouch again
https://thehackernews.com/2024/04/widely-used-putty-ssh-client-found.html

Security is what we allow.

Thanks for that!

The detail is:

... it has been resolved by switching to the RFC 6979 technique for all DSA and ECDSA key types, abandoning its earlier method of deriving the nonce using a deterministic approach that, while avoiding the need for a source of high-quality randomness, was susceptible to biased nonces when using P-521.

This older approach, PuTTY developers said, was devised at a time when Microsoft Windows lacked native support for a cryptographic random number generator...

... And all that is from a very long ago workaround... Long forgotten and now overtaken by new faster tech and new faster techniques...

PuTTY is still very much widely in use.

I've relied upon it in the past. But that was long long in the past when moving off the last of the Windows systems here...


All good to be caught and easily fixed.

Thanks!

Indeed, IT is what we make it...
Martin

---

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

Just like the "old-old days" where you bought a razor and paid extortion prices for the manufacturer's exclusive refill blades...

Class-action lawsuit accuses HP of monopolizing aftermarket ink cartridges

Recap: HP seems to have embraced the role of the villain in the realm of printers and ink cartridges, as controversies surrounding the company persist.

Legal battles have arisen over its customer policies, with recent arguments focusing on whether consumers knowingly agree to exclusively purchase HP ink when buying one of the company's printers.

Lawyers representing plaintiffs have rejected one of HP's arguments against a class-action lawsuit filed in January. HP has long been criticized by customers for repeatedly blocking the use of alternatives to its expensive ink cartridges.

The lawsuit primarily revolves around a firmware update that began rolling out in late 2022. Plaintiffs allege that this update rendered third-party cartridges unusable in HP printers. Cartridges from HP and other companies are known for their high prices, with annual costs sometimes exceeding $70. Additionally, the lawsuit accuses HP of raising prices around the same time it released the patch.

Plaintiffs argue that HP's actions – locking customers in while raising prices – amount to a monopoly on aftermarket replacement cartridges. They are seeking compensation for unusable third-party cartridges and overcharging.

However, the company contends that federal law does not permit customers to sue for overcharging. HP claims that the law clearly states that HP printers are designed to function only with HP ink cartridges.

HP has faced criticism from regulators and plaintiffs for employing digital rights management (DRM) to block third-party and refilled cartridges. It has had to compensate customers in multiple countries, faced criticism for allegedly disabling scanning and faxing functions when ink runs low, and been accused of installing its printer app onto all Windows PCs without consent.

Last month, HP introduced a subscription service that openly encourages users to continually pay to use its printers. Starting at $6.99 a month, customers receive a printer, round-the-clock customer service, and refill shipments before their ink runs out.

Yep. Subscription, just like software, pay all the time.

PaaS ... Printer as a Service

Do you trust your anti-virus?
https://thehackernews.com/2024/04/escan-antivirus-update-mechanism.html

Security is what we allow.

Ouch!

'The Man Who Killed Google Search'
wrote:

... a manager by trade -- is an example of everything wrong with the tech industry...

... a hall-of-fame rot economist, and one of the many managerial types that have caused immeasurable damage to the Internet in the name of growth and "shareholder value." And I believe these uber-managers - these ultra-pencil-pushers and growth-hounds - are the forces destroying tech's ability to innovate.

Aptly strong words for a sadly poisoned demise of our everyday tech...

IT is what we allow it to be...
Martin

---

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

Microsoft Issues Mega-Security Patch

Microsoft has released one of the biggest Patch Tuesday updates ever. It includes 149 security fixes, including two "zero day bugs".

Some reports suggest this is the most fixes in any monthly Microsoft update while others suggest it is "merely" the biggest in the past seven years. Either way, this is not a month for anyone who chooses to install Windows security fixes manually to hang about.

Three of the fixes are for bugs Microsoft classes as "critical", meaning attackers could exploit them without requiring any action by the user. Almost all the rest are "important," meaning the attacker would need to trick the user into an action such as opening a file or clicking a link. (Source: thehackernews.com)

AI detects individual’s political orientation accurately, a threat?

Study showed new threat in the digital age–AI’s ability to predict political orientation from even naturalistic images of individuals.

Inject signed malware on any project.
https://arstechnica.com/security/2024/05/0-click-gitlab-hijacking-flaw-under-active-exploit-with-thousands-still-unpatched/

Security is what we allow.

Inject signed malware on any project.
https://arstechnica.com/security/2024/05/0-click-gitlab-hijacking-flaw-under-active-exploit-with-thousands-still-unpatched/

Security is what we allow.

Thanks for that one.

To note:

... data showed that thousands of users had yet to install a patch released in January [2024].

[To fix/correct] A change GitLab implemented in May 2023...

Indeed that one is quite a fubar... And an amazing fail on the GitLab project...

Here's hoping that all the significant projects have been using MFA to stay safe from that attack...


Keep searchin'!
Martin

MFA: Multi-factor authentication

---

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

Here's hoping that all the significant projects have been using MFA to stay safe from that attack...

Not a panacea https://www.pingidentity.com/en/resources/blog/post/how-attackers-are-circumventing-mfa-and-how-stop-them.html

Security is what we allow.

Here's hoping that all the significant projects have been using MFA to stay safe from that attack...

Not a panacea https://www.pingidentity.com/en/resources/blog/post/how-attackers-are-circumventing-mfa-and-how-stop-them.html

Security is what we allow.

Indeed so...

And we need to get more serious about such silliness:

UnitedHealthcare CEO says ‘maybe a third’ of US citizens were affected by recent hack


After all, who would buy a front door without an adequate door lock?

IT and Security are what we allow them to be...
Martin

---

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

After all, who would buy a front door without an adequate door lock?

Around 95% of humans. Remember the door and the frame are part of the lock. Never mind the walls, floor and roof. It is when you realize a massive secure door, think bank vault, is useless if that isn't where the thief decides to cut his hole.

Security is what we allow.

VPN = Pwned
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then

Security is what we allow.

Cybercriminals hit jackpot as 500k+ Ohio Lottery lovers lose out on their personal data

Not a lotto luck for these powerball hunters

More than half a million gamblers with a penchant for powerballs will be receiving some fairly unwelcome news very soon, if not already, as cybercriminals have made off with their personal data.

That's according to Ohio Lottery, which has this week finally revealed the scale of its Christmas Eve security breach in a regulatory filing.

The State lottery concluded its investigation into the incident on April 5 and as a result, some 538,959 individuals had their names and social security numbers exposed.

Ohio Lottery said there's no evidence to suggest that the stolen and subsequently leaked data has been misused by any malicious parties, but has offered all of those affected the standard 12 months of credit monitoring and ID theft protection.