Security News for the Week Ending December 8, 2023
US Warns That Iran Terrorists Broke into Multiple US Water Facilities
Last week I reported that the Aliquippa, Pennsylvania Water Authority fessed up to the fact that hackers successfully broke into their network, compromising a pump station, using a vulnerability in an Israeli OT network system that is repackaged by multiple vendors. Now the FBI, NSA, CISA and EPA are saying it is really multiple water systems that were broken into. What is Congress doing? Are they passing new laws to protect us? No, they asked Justice to investigate. How does that protect anyone? Credit: The Register
HP Exec Admits That Locking in Print Customers is Very Profitable
I don’t know if there is anything illegal here, but HP got tired of third parties selling supplies for much less than they did. The print business had been unprofitable for HP, so they decided to try turning printing into a subscription business. Third parties are already doing that, and have been for years, in a wrap-around model that bundles purchase, maintenance and supplies into one contract. Now HP is charging from $0.99 to $25.99 a month for ink or toner, and HP said it saw a 20% increase in the value of the customer. Just understand what you are getting into when you buy a new printer. Credit: The Register
Hackers Compromise Fed Agencies Using 2018 Version of Cold Fusion
Federal agencies using the 2018 and 2021 versions of Adobe Cold Fusion have been compromised by hackers. The 2018 version is on extended life support if you pay for it. The 2023 version was released 18 months ago. Maybe they should consider upgrading. Credit: Bleeping Computer

Now CISA is saying that two government agencies were hacked due to using end-of-life software, meaning that the agencies were not paying for “extended support” for the past end-of-life 2018 version of Cold Fusion. Maybe the government should follow its own recommendations! Credit: Tech Crunch
Microsoft Hires New CISO and Deputy CISO
Microsoft’s CISO of 14 years is out, and the new CISO joined Microsoft just four months ago, having previously been CTO and President at hedge fund giant Bridgewater. This is all part of Microsoft’s Secure Future Initiative, launched in the wake of breach after breach. I wish him good luck; he will need it. Credit: Security Week
Critical Bluetooth DESIGN Flaw – Affects Many Devices
As the title says, this is not an implementation bug, so it affects Android, iOS, macOS and Linux devices. So far it doesn’t seem to affect Windows, for some reason. Basically, the hacker tries to connect to the system, such as a phone or IoT device, and tells the device that it is a keyboard. Since the device assumes you can’t authenticate until the keyboard is working, it lets the connection through without authenticating, at which point the fake keyboard can do anything you can do from the real one. There are implementation-specific bugs associated with this, which may be why it doesn’t seem to affect Windows. The bug has been present for at least 10 years. There are no patches yet. The only recommendation is to turn Bluetooth off, which may not be possible. Credit: Dark Reading