AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 11/02/2023

3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online 

Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution (RCE) vulnerability. Apache ActiveMQ is a scalable open-source message broker that fosters communication between clients and servers, supporting Java and various cross-language clients and many protocols, including AMQP, MQTT, OpenWire, and STOMP. Thanks to the project’s support for a diverse set of secure authentication and authorization mechanisms, it is widely used in enterprise environments where systems communicate without direct connectivity. 

Iowa company faces a blizzard of litigation over massive data breach 

An Iowa-based national meal-delivery company is facing another class action lawsuit in a blizzard of litigation over the alleged loss of customer data in a massive cyberattack. The latest lawsuit against Purfoods, which does business as Mom’s Meals, was originally filed in South Carolina before being transferred to U.S. District Court for the Southern District of Iowa this week. It is at least the 11th class-action lawsuit filed against the company in the past two months, although several of those cases were recently consolidated into a single case.

Boeing says ‘cyber incident’ hit parts business after ransom threat 

Boeing (BA.N), one of the world’s largest defense and space contractors, said on Wednesday it was investigating a cyber incident that impacted elements of its parts and distribution business and cooperating with a law enforcement probe into it. Boeing acknowledged the incident days after the Lockbit cybercrime gang said on Friday it had stolen “a tremendous amount” of sensitive data from the U.S. planemaker that it would dump online if Boeing didn’t pay ransom by Nov. 2. 

AI Safety Summit: OWASP Urges Governments to Agree on AI Security Standards 

Top-level discussions on security and ethical risks AI-powered tools pose are no longer enough to mitigate the dangers posed by the rapid adoption of artificial intelligence (AI), according to the Open Worldwide Application Security Project (OWASP). Ahead of the AI Safety Summit, held in Bletchley Park, England, on November 1-2, the non-profit released a call to action urging Summit attendees to rapidly pledge to agree on – and adopt – actionable AI security standards. The OWASP Foundation said in an open letter that it “wholeheartedly agrees with Lindy Cameron, the CEO of the UK’s National Cyber Security Centre (NCSC), for the urgent need to stay ahead of risks and the vital role of global industry security standards for AI. This will require alignment to avoid a Babel of standards.” 

To protect teens, YouTube’s limiting some video recommendations 

Starting November 2nd, YouTube will impose restrictions on how often teens receive repeated video recommendations related to sensitive topics like body image, the company announced on Thursday. YouTube says the new safeguards are the result of its partnership with the Youth and Families Advisory Committee, which consists of psychologists, researchers, and other experts in child development, children’s media, and digital learning. For years, the committee has advised YouTube on the potentially harmful mental health effects repeated exposure to certain content online can have on teenagers. 

Bitwarden begins adding passkey support to its password manager 

Bitwarden, one of our top picks for free password managers, is adding support for passkeys in the latest version of its browser extensions. Passkeys can use your device’s PIN, face, or fingerprint for authentication, and are a more secure and convenient alternative to traditional passwords that are also more resilient to phishing attacks. Although the company has announced that passkey support is coming in the new 2023.10 release, the update appears to be in the process of rolling out — I’m still seeing the previous 2023.9.2 version listed on the Chrome Web Store as of this writing. But I’ve verified that it’s working on Safari with the  and extension. The rollout of the feature follows support from Apple and Google’s built-in password managers, as well as competing third-party password managers like 1Password.
