Facebook

Irish Regulator Probes 'Old' Facebook Data Dump (bbc.com)

A data leak involving personal details of hundreds of millions of Facebook users is being reviewed by Ireland's Data Protection Commission (DPC). The BBC reports: The database is believed to contain a mix of Facebook profile names, phone numbers, locations and other facts about more than 530 million people. Facebook says the data is "old," from a previously-reported leak in 2019. But the Irish DPC said it will work with Facebook, to make sure that is the case.

Ireland's regulator is critical to such investigations, as Facebook's European headquarters is in Dublin, making it an important regulator for the EU. The most recent data dump appears to contain the entire compromised database from the previous leak, which Facebook said it found and fixed more than a year and a half ago. But the dataset has now been published for free in a hacking forum, making it much more widely available. It covers 533 million people in 106 countries, according to researchers who have viewed the data. That includes 11 million Facebook users in the UK and more than 30 million Americans.
The DPC's deputy commissioner Graham Doyle said the recent data dump "appears to be" from the previous leak -- and that the data-scraping behind it had happened before the EU's GDPR privacy legislation was in effect.

"However, following this weekend's media reporting we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019," he added.

Databases

LexisNexis To Provide Giant Database of Personal Information To ICE (theintercept.com)

An anonymous reader quotes a report from The Intercept: The popular legal research and data brokerage firm LexisNexis signed a $16.8 million contract to sell information to U.S. Immigration and Customs Enforcement, according to documents shared with The Intercept. The deal is already drawing fire from critics and comes less than two years after the company downplayed its ties to ICE, claiming it was "not working with them to build data infrastructure to assist their efforts." Though LexisNexis is perhaps best known for its role as a powerful scholarly and legal research tool, the company also caters to the immensely lucrative "risk" industry, providing, it says, 10,000 different data points on hundreds of millions of people to companies like financial institutions and insurance companies who want to, say, flag individuals with a history of fraud. LexisNexis Risk Solutions is also marketed to law enforcement agencies, offering "advanced analytics to generate quality investigative leads, produce actionable intelligence and drive informed decisions" -- in other words, to find and arrest people.

The LexisNexis ICE deal appears to be providing a replacement for CLEAR, a risk industry service operated by Thomson Reuters that has been crucial to ICE's deportation efforts. In February, the Washington Post noted that the CLEAR contract was expiring and that it was "unclear whether the Biden administration will renew the deal or award a new contract." LexisNexis's February 25 ICE contract was shared with The Intercept by Mijente, a Latinx advocacy organization that has criticized links between ICE and tech companies it says are profiting from human rights abuses, including LexisNexis and Thomson Reuters. The contract shows LexisNexis will provide Homeland Security investigators access to billions of different records containing personal data aggregated from a wide array of public and private sources, including credit history, bankruptcy records, license plate images, and cellular subscriber information. The company will also provide analytical tools that can help police connect these vast stores of data to the right person.
In a statement to The Intercept, a LexisNexis Risk Solutions spokesperson said: "Our tool contains data primarily from public government records. The principal non-public data is authorized by Congress for such uses in the Drivers Privacy Protection Act and Gramm-Leach-Bliley Act statutes." They declined to say exactly what categories of data the company would provide ICE under the new contract, or what policies, if any, will govern how the agency uses it.
Safari

NYT: 'If You Care About Privacy, It's Time to Try a New Web Browser' (seattletimes.com)

This week the lead consumer technology writer for The New York Times urged readers to switch their browser from Chrome, Safari, or Microsoft Edge to a private browser.

"For about a week, I tested three of the most popular options — DuckDuckGo, Brave and Firefox Focus. Even I was surprised that I eventually switched to Brave as the default browser on my iPhone." Firefox Focus, available only for mobile devices like iPhones and Android smartphones, is bare-bones. You punch in a web address and, when done browsing, hit the trash icon to erase the session. Quitting the app automatically purges the history. When you load a website, the browser relies on a database of trackers to determine which to block.

The DuckDuckGo browser, also available only for mobile devices, is more like a traditional browser. That means you can bookmark your favorite sites and open multiple browser tabs. When you use the search bar, the browser returns results from the DuckDuckGo search engine, which the company says is more focused on privacy because its ads do not track people's online behavior. DuckDuckGo also prevents ad trackers from loading. When done browsing, you can hit the flame icon at the bottom to erase the session.

Brave is also more like a traditional web browser, with anti-tracking technology and features like bookmarks and tabs. It includes a private mode that must be turned on if you don't want people scrutinizing your web history. Brave is also so aggressive about blocking trackers that in the process, it almost always blocks ads entirely. The other private browsers blocked ads less frequently....

In the end, though, you probably would be happy using any of the private browsers... For me, Brave won by a hair. My favorite websites loaded flawlessly, and I enjoyed the clean look of ad-free sites, along with the flexibility of opting in to see ads whenever I felt like it. Brendan Eich, the chief executive of Brave, said the company's browser blocked tracking cookies "without mercy."

"If everybody used Brave, it would wipe out the tracking-based ad economy," he said.

Count me in.

Databases

SEGA Lawyers Demand 'Immediate Suspension' of Steam Database Over Alleged Piracy (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: The popular and entirely legal Steam Database has found itself in a precarious position following two erroneous DMCA notices from SEGA. Steam Database's host is being asked to suspend the platform due to a claimed lack of response to the first notice. This prompted the site to take down entirely legal content in an effort to address the problem. [...]

TorrentFreak was able to review the notice sent by SEGA to SteamDB's host and it pulls no punches. SEGA doubles down by stating that SteamDB is illegally distributing the game Yakuza: Like a Dragon, noting that it has tried to inform SteamDB but was "not able" to resolve the issue. Worryingly, it then implies that legal action might be taken against SteamDB for non-compliance, adding that the host should "immediately suspend" SteamDB due to the alleged ongoing infringement. Which, of course, is not taking place.

This puts SteamDB's host in a tough position. Failure to act against an allegedly infringing customer can put the host at risk in terms of liability but disabling a customer's website can cause a whole new set of problems, especially when that customer has not infringed anyone's rights. In an effort to sort the problem out, SteamDB's host asked for additional input from the operators of SteamDB but nevertheless warned that if that information was not received, it may still block the SteamDB server within 24 hours, as demanded in the SEGA takedown notice. In order to defuse the situation, SteamDB took down the allegedly-infringing page which as far as SEGA goes (and at least in theory) should solve the disconnection threat problem. However, the entire situation has proven counterproductive for SEGA too.

The Media

US Media Offering a Different Picture of Covid-19 From Science Journals or International Media, Study Finds (nytimes.com)

David Leonhardt, writing at The New York Times: Bruce Sacerdote, an economics professor at Dartmouth College, noticed something last year about the Covid-19 television coverage that he was watching on CNN and PBS. It almost always seemed negative, regardless of what he was seeing in the data or hearing from scientists he knew. When Covid cases were rising in the U.S., the news coverage emphasized the increase. When cases were falling, the coverage instead focused on those places where cases were rising. And when vaccine research began showing positive results, the coverage downplayed it, as far as Sacerdote could tell. But he was not sure whether his perception was correct.

To check, he began working with two other researchers, building a database of Covid coverage from every major network, CNN, Fox News, Politico, The New York Times and hundreds of other sources, in the U.S. and overseas. The researchers then analyzed it with a social-science technique that classifies language as positive, neutral or negative. The results showed that Sacerdote's instinct had been right -- and not just because the pandemic has been mostly a grim story. The coverage by U.S. publications with a national audience has been much more negative than coverage by any other source that the researchers analyzed, including scientific journals, major international publications and regional U.S. media. "The most well-read U.S. media are outliers in terms of their negativity," Molly Cook, a co-author of the study, told me. About 87 percent of Covid coverage in national U.S. media last year was negative. The share was 51 percent in international media, 53 percent in U.S. regional media and 64 percent in scientific journals. Notably, the coverage was negative in both U.S. media outlets with liberal audiences (like MSNBC) and those with conservative audiences (like Fox News).

Piracy

Adobe Goes After 27-Year Old 'Pirated' Copy of Acrobat Reader 1.0 for MS-DOS (torrentfreak.com)

"Adobe doesn't want third-parties to pirate its software, so the company regularly sends out DMCA notices to remove infringing copies," reports TorrentFreak. In a recent tweet, F-Secure researcher Mikko Hypponen mentioned that the software company removed one of his tweets that linked to an old copy of Acrobat Reader for MS-DOS, which came out more than 27 years ago, shortly after the PDF was invented. From the report: The security researcher posted the tweet five years ago and at the time there were no issues. The message was copied a few weeks ago by his own Twitter bot, which reposts all his original tweets five years later. "They sent a DMCA notice to my bot (@mikko__2016) when it posted that tweet on the tweet's 5th anniversary. The original tweet is fine," Hypponen notes. While the original tweet is still up, the reposted message was swiftly removed by Twitter. Not just that, the bot's account was locked as well, which is standard practice nowadays.

Looking more closely at the takedown notice, we see that it was sent by the "brand protection analyst" at Incopro, which is one of Adobe's anti-piracy partners. It doesn't provide any further details on the reasons for taking it down, other than an alleged copyright infringement. Things get even more curious when we look at the full DMCA notice, posted by the Lumen database. This shows that the tweet was listed among other links, which all point to "infringing" copies of more recent software. Intriguingly, the notice also reveals that Hypponen's original tweet was targeted as well, albeit indirectly. The takedown notice lists t.co/tbAT0CH25o, which still points to the 2016 tweet today, so Twitter decided not to take action there.

We wonder if the DMCA notice is intentional at all. Over the years we have seen many bizarre takedown claims, which are often the result of automated filters. That may be a plausible explanation here as well. In that case, it shows that the DMCA takedown process is far from perfect. However, if Adobe seriously has a problem with the fact that a 27-year-old copy of Acrobat Reader is being shared on an external site, it's more effective to target the site where it's hosted. Not the person who links to it in a tweet.

Security

WeLeakInfo Leaked Customer Payment Info (krebsonsecurity.com)

A lapsed domain registration tied to WeLeakInfo, a wildly popular service that sold access to more than 12 billion usernames and passwords from thousands of hacked websites, "let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card," reports Krebs on Security. This comes after the service was seized a little over a year ago by the FBI and law enforcement partners overseas. From the report: In a post on the database leaking forum Raidforums, a regular contributor using the handle "pompompurin" said he stole the WeLeakInfo payment logs and other data after noticing the domain wli[.]design was no longer listed as registered. "Long story short: FBI let one of weleakinfo's domains expire that they used for the emails/payments," pompompurin wrote. "I registered that domain, & was able to [password] reset the stripe.com account & get all the Data. [It's] only from people that used stripe.com to checkout. If you used paypal or [bitcoin] ur all good."

Cyber threat intelligence firm Flashpoint obtained a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid. One forum member commented that they found their own payment data in the logs.

Databases

Tinder Users Will Soon Be Able To Access a Background Check Database (engadget.com)

Tinder and Match have announced a new partnership with Garbo, a non-profit, female-founded background check platform. In theory, it should allow Tinder (and Match Group's other sites) to ping Garbo's database and proactively show users when it finds something they might want to be aware of. Engadget reports: If you're not familiar with Garbo, it was founded by Kathryn Kosmides, a "survivor of gender-based violence" who wanted to make it easier to find information about people you may connect with online. Garbo's platform aggregates numerous data sources to provide details on an individual, including "arrests, convictions, restraining orders, harassment, and other violent crimes." The organization's site says that oftentimes you don't even need a last name to find some details on an individual -- a first name and phone number will work.

As part of the deal, Garbo's platform will be available to people using Match Group apps, starting with Tinder later this year. [...] Garbo cites making ridesharing services safer as another core initiative for the non-profit in addition to working with dating services, so it wouldn't surprise us to see a similar partnership appear between Garbo and companies like Uber or Lyft -- but for now, it's starting with Tinder.

Cellphones

Deep Learning Enables Real-Time 3D Holograms On a Smartphone (ieee.org)

An anonymous reader quotes a report from IEEE Spectrum: Now researchers at MIT have developed a new way to produce holograms nearly instantly -- a deep-learning based method so efficient, it can generate holograms on a laptop in a blink of an eye. They detailed their findings this week, which were funded in part by Sony, online in the journal Nature. Using physics simulations for computer-generated holography involves calculating the appearance of many chunks of a hologram and then combining them to get the final hologram. Using lookup tables is like memorizing a set of frequently used chunks of hologram, but this sacrifices accuracy and still requires the combination step.
[...]
The researchers first built a custom database of 4,000 computer-generated images, which each included color and depth information for each pixel. This database also included a 3D hologram corresponding to each image. Using this data, the convolutional neural network learned how to calculate how best to generate holograms from the images. It could then produce new holograms from images with depth information, which is provided with typical computer-generated images and can be calculated from a multi-camera setup or from lidar sensors, both of which are standard on some new iPhones. The new system requires less than 620 kilobytes of memory, and can generate 60 color 3D holograms per second with a resolution of 1,920 by 1,080 pixels on a single consumer-grade GPU. The researchers could run it on an iPhone 11 Pro at a rate of 1.1 holograms per second and on a Google Edge TPU at a rate of 2 holograms per second, suggesting it could one day generate holograms in real-time on future virtual-reality (VR) and augmented-reality (AR) mobile headsets.

Databases

Uber and Lyft Create a Shared Database of Drivers Banned For Assault (engadget.com)

Uber and Lyft will work together to share information on US drivers and delivery people accused of physical and sexual assault to ensure those individuals are banned on both platforms, the two companies announced on Thursday in separate blog posts. Engadget reports: HireRight, a company that specializes in conducting background checks, will oversee the Industry Sharing Safety Program database. Other transportation and delivery companies in the US will have the chance to contribute and access the database as long as they adhere to the same data accuracy and privacy policies that Uber and Lyft must follow.

"We want to share this information with each other and hopefully in the near future with other companies, so that our peers in this space can be informed and make decisions for their own platforms to keep those platforms safe," Jennifer Brandenburger, Lyft's head of policy development, told NBC News. The database won't include information on victims. Additionally, the incident that landed a driver in the database will fall in broad categories.

Privacy

Clearview AI Violates Californians' Privacy, Lawsuit Alleges (latimes.com)

An anonymous reader quotes a report from Los Angeles Times: Clearview AI has amassed a database of more than 3 billion photos of individuals by scraping sites such as Facebook, Twitter, Google and Venmo. It's bigger than any other known facial-recognition database in the U.S., including the FBI's. The New York company uses algorithms to map the pictures it stockpiles, determining, for example, the distance between an individual's eyes to construct a "faceprint." This technology appeals to law enforcement agencies across the country, which can use it in real time to help determine people's identities.

It also has caught the attention of civil liberties advocates and activists, who allege in a lawsuit filed Tuesday that the company's automatic scraping of their images and its extraction of their unique biometric information violate privacy and chill protected political speech and activity. The plaintiffs -- four individual civil liberties activists and the groups Mijente and NorCal Resist -- allege Clearview AI "engages in the widespread collection of California residents' images and biometric information without notice or consent."

This is especially consequential, the plaintiffs argue, for proponents of immigration or police reform, whose political speech may be critical of law enforcement and who may be members of communities that have been historically over-policed and targeted by surveillance tactics. Clearview AI enhances law enforcement agencies' efforts to monitor these activists, as well as immigrants, people of color and those perceived as "dissidents," such as Black Lives Matter activists, and can potentially discourage their engagement in protected political speech as a result, the plaintiffs say. [...] The plaintiffs are seeking an injunction that would force the company to stop collecting biometric information in California. They are also seeking the permanent deletion of all images and biometric data or personal information in their databases.

Security

Three Top Russian Cybercrime Forums Hacked (krebsonsecurity.com)

tsu doh nimh shares a report: Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums' user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. "Maza," "MFclub"), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves.

At the top of a 35-page PDF leaked online is a private encryption key allegedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as "I seek you," was an instant message platform trusted by countless early denizens of these older crime forums before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram. This is notable because ICQ numbers tied to specific accounts often are a reliable data point that security researchers can use to connect multiple accounts to the same user across many forums and different nicknames over time. Cyber intelligence firm Intel 471 assesses that the leaked Maza database is legitimate.

Security

Far-Right Platform Gab Has Been Hacked (wired.com)

The far-right social media platform Gab says a trove of its contents has been stolen in a security breach -- including passwords and private communications. Wired reports: On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls GabLeaks, a collection of more than 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says a hacktivist who self-identifies as "JaXpArO and My Little Anonymous Revival Project" siphoned that data out of Gab's backend databases in an effort to expose the platform's largely right-wing users. Those Gab patrons, whose numbers have swelled after Parler went offline, include large numbers of Qanon conspiracy theorists, white nationalists, and promoters of former president Donald Trump's election-stealing conspiracies that resulted in the January 6 riot on Capitol Hill.

DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab's public posts and profiles -- with the exception of any photos or videos uploaded to the site -- but also private group and private individual account posts and messages, as well as user passwords and group passwords. "It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content," Best wrote in a text message interview with WIRED. "It's another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6." DDoSecrets says it's not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers.

According to DDoSecrets' Best, the hacker says that they pulled out Gab's data via a SQL injection vulnerability in the site -- a common web bug in which a text field on a site doesn't differentiate between a user's input and commands in the site's code, allowing a hacker to reach in and meddle with its backend SQL database. Despite the hacker's reference to an "Anonymous Revival Project," they're not associated with the loose hacker collective Anonymous, they told Best, but do "want to represent the nameless struggling masses against capitalists and fascists." The company's CEO, Andrew Torba, responded in a public statement on the company's blog that "reporters, who write for a publication that has written many hit pieces on Gab in the past, are in direct contact with the hacker and are essentially assisting the hacker in his efforts to smear our business and hurt you, our users."
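The Wired paragraph above describes SQL injection only in general terms. As an added illustration (not code from the article, from Gab, or from the person who claims the breach), the Python below builds an in-memory SQLite table with constructed sample rows and runs the same lookup written both ways: once with the input spliced into the query text, which is the bug described, and once with the value passed as a bound parameter, which is the standard fix. Table and column names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: not Gab's schema, just enough rows to show the effect.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the article describes: user input is pasted into the SQL
    text, so the database engine cannot tell data from commands."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the query text is fixed and the value travels separately
    as a bound parameter, so whatever the input contains is compared as a
    string and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a classic tautology probe,
    returning the row counts each returns."""
    conn = make_db()
    benign = "alice"
    # Constructed probe input: makes the WHERE clause always true when spliced in.
    hostile = "' OR '1'='1"
    return {
        "benign_vuln": len(lookup_vulnerable(conn, benign)),
        "benign_safe": len(lookup_parameterized(conn, benign)),
        "hostile_vuln": len(lookup_vulnerable(conn, hostile)),
        "hostile_safe": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    # The spliced query leaks every row; the parameterized one matches none.
    print(demo())
```

Both functions return one row for a legitimate username. For the probe input the spliced version returns the whole table, because the clause becomes `username = '' OR '1'='1'`, while the parameterized version returns nothing: there is no user literally named `' OR '1'='1`. Beyond parameterizing queries, the defensive checks worth having are a database account for the web tier that cannot read tables it does not need, and query logging that would surface a sudden full-table read like this one.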

Security

Introducing Crowdsec: a Modernized, Collaborative Massively Multiplayer Firewall (linuxsecurity.com)

Slashdot reader b-dayyy writes: CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.

CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It uses a behavior analysis system to qualify whether someone is trying to hack you, based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to 'immunize' them against this IP.

The goal is to leverage the power of the crowd to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the community to create an extremely accurate IP reputation system that benefits all its users.

It was clear to the founders that Open Source was going to be one of the main pillars of CrowdSec. The project's founders have been working on open-source projects for decades — they didn't just jump on the train. Rather, they are strong Open Source believers. They believe that the crowd is key to the mass hacking plague we are experiencing, and that Open Source is the best lever to create a community and have people contribute their knowledge to the project, ultimately making it better and more secure.

The solution recently turned 1.x, introducing a major architectural change: the introduction of a local REST API.
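The submission describes the agent's behaviour analysis only in outline: read logs, recognise aggression, decide on the offending IP, pass the decision on for curation. The Python below is an added example and is not CrowdSec's code or its scenario format; it shows the Fail2Ban-style core that both tools share, a sliding-window count of failed SSH logins per source address over constructed syslog-style lines, producing the local ban decision that would then be shared. The log format, the threshold of five failures, and the 60-second window are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample sshd log lines; hosts, PIDs and addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:04 host sshd[1003]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Mar  3 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:00:07 host sshd[1005]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
Mar  3 10:00:09 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.7 port 51160 ssh2
Mar  3 10:05:00 host sshd[1007]: Failed password for root from 192.0.2.44 port 33000 ssh2
Mar  3 10:30:00 host sshd[1008]: Failed password for root from 192.0.2.44 port 33010 ssh2
"""

# Matches only sshd password failures; everything else is ignored.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port \d+"
)


def parse_failure(line):
    """Return (seconds, source_ip) for a failed-login line, else None.
    Assumption: all lines fall within one month, so the month is ignored."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = int(m["day"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return ts, m["ip"]


def detect_bruteforce(lines, threshold=5, window=60):
    """Sliding-window behaviour rule: an IP that fails `threshold` logins
    within `window` seconds gets one decision record, the unit an agent
    would act on locally and forward for curation."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    decisions = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in decisions:
            decisions[ip] = {"scenario": "ssh-bruteforce", "count": len(q), "at": ts}
    return decisions


if __name__ == "__main__":
    for ip, d in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip}: {d['count']} failures within window, scenario {d['scenario']}")
```

Two things in the sample matter for tuning. The successful `Accepted publickey` line is never counted, so a legitimate user on the same network is not penalised, and 192.0.2.44 fails twice 25 minutes apart and stays under the threshold; a rule that ignored the window would have flagged it. A real deployment would also want the decision to carry a duration and an expiry, and to be applied through the firewall rather than only recorded.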

Google

Google's Password Checkup Feature Coming To Android (zdnet.com)

Android users can now take advantage of the Password Checkup feature that Google first introduced in its Chrome web browser in late 2019, the OS maker announced today. From a report: On Android, the Password Checkup feature is now part of the "Autofill with Google" mechanism, which the OS uses to select text from a cache and fill in forms. The idea is that the Password Checkup feature will take passwords stored in the Android OS password manager and check them against a database containing billions of records from public data breaches and see if the password has been previously leaked online. If it has, a warning is shown to the user.

Science

How To Fall 35,000 Feet and Survive (popularmechanics.com)

Massachusetts-based amateur historian Jim Hamilton, who developed the Free Fall Research Page -- an online database of nearly every imaginable human plummet -- documents one case of a sky diver who, upon total parachute failure, was saved by bouncing off high-tension wires. Contrary to popular belief, water is an awful choice. Like concrete, liquid doesn't compress. Hitting the ocean is essentially the same as colliding with a sidewalk, Hamilton explains, except that pavement (perhaps unfortunately) won't "open up and swallow your shattered body." Popular Mechanics: With a target in mind, the next consideration is body position. To slow your descent, emulate a sky diver. Spread your arms and legs, present your chest to the ground, and arch your back and head upward. This adds friction and helps you maneuver. But don't relax. This is not your landing pose. The question of how to achieve ground contact remains, regrettably, given your predicament, a subject of debate. A 1942 study in the journal War Medicine noted "distribution and compensation of pressure play large parts in the defeat of injury." Recommendation: wide-body impact. But a 1963 report by the Federal Aviation Agency argued that shifting into the classic sky diver's landing stance -- feet together, heels up, flexed knees and hips -- best increases survivability. The same study noted that training in wrestling and acrobatics would help people survive falls. Martial arts were deemed especially useful for hard-surface impacts: "A 'black belt' expert can reportedly crack solid wood with a single blow," the authors wrote, speculating that such skills might be transferable.

The ultimate learn-by-doing experience might be a lesson from Japanese parachutist Yasuhiro Kubo, who holds the world record in the activity's banzai category. The sky diver tosses his chute from the plane and then jumps out after it, waiting as long as possible to retrieve it, put it on and pull the ripcord. In 2000, Kubo -- starting from 9,842 feet -- fell for 50 seconds before recovering his gear. A safer way to practice your technique would be at one of the wind-tunnel simulators found at about a dozen U.S. theme parks and malls. But neither will help with the toughest part: sticking the landing. For that you might consider -- though it's not exactly advisable -- a leap off the world's highest bridge, France's Millau Viaduct; its platform towers 891 feet over mostly spongy farmland. Water landings -- if you must -- require quick decision-making. Studies of bridge-jump survivors indicate that a feet-first, knife-like entry (aka "the pencil") best optimizes your odds of resurfacing. The famed cliff divers of Acapulco, however, tend to assume a head-down position, with the fingers of each hand locked together, arms outstretched, protecting the head. Whichever you choose, first assume the free-fall position for as long as you can. Then, if a feet-first entry is inevitable, the most important piece of advice, for reasons both unmentionable and easily understood, is to clench your butt.

Open Source

Should You Block Connections to Your Network From Foreign Countries? (linuxsecurity.com)

Slashdot reader b-dayyy quotes the Linux Security blog: What if you could block connections to your network in real-time from countries around the world such as Russia, China and Brazil where the majority of cyberattacks originate? What if you could redirect connections to a single network based on their origin? As you can imagine, being able to control these things would reduce the number of attack vectors on your network, improving its security. You may be surprised that this is not only possible, but straightforward and easy, by implementing GeoIP filtering on your nftables firewall with GeoIP for nftables.

GeoIP for nftables is a simple and flexible Bash script released in December of 2020 designed to perform automated real-time filtering using nftables firewalls based on the IP addresses for a particular region. In a recent interview with LinuxSecurity researchers, the project's lead developer Mike Baxter explained the mission of GeoIP for nftables, "I hope this project is beneficial to those who may not have the IT budget or resources to implement a commercial solution. The code runs well on servers, workstations and low-power systems like Raspberry Pi. The script has the built-in ability to flush and refill GeoIP sets after a database update without restarting the firewall, allowing servers to run uninterrupted without dropping established connections."

This article will examine the concept of GeoIP filtering and how it could add a valuable layer of security to your firewall, and will then explore how the GeoIP for nftables project is leveraging Open Source to provide intuitive, customizable GeoIP filtering on Linux.
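Mechanically, GeoIP filtering on nftables is a named set of address ranges (type ipv4_addr, flags interval) and one rule that matches `ip saddr` against it; the "flush and refill without restarting the firewall" property the developer describes falls out of `nft -f`, which applies a whole script as a single transaction, so the set is never empty between the flush and the refill and existing conntrack entries are untouched. Two caveats the post does not make: a country block only filters by source address, so an attacker who cares simply rents a host or VPN exit in a country you allow, and GeoIP databases misattribute or lag on reassigned ranges, so log matches before you drop them. The script below is an added example and not the GeoIP for nftables project's own code; it assumes the GeoLite2 CSV layout (a blocks file keyed by geoname_id and a locations file mapping geoname_id to an ISO country code), and both inputs are constructed inline from documentation ranges so it runs offline.

```python
"""Build an nftables GeoIP blocklist from MaxMind-style country CSVs.

Added example, not the GeoIP for nftables project's own script. It assumes the
GeoLite2 CSV layout; both inputs here are constructed inline so it runs offline.
"""
import csv
import io
import ipaddress

# Constructed sample in the GeoLite2-Country-Blocks-IPv4.csv column layout.
# The last row has no geoname_id (an anonymous-proxy range) and must be skipped.
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
198.51.100.0/24,2017370,2017370,,0,0
203.0.113.0/25,1814991,1814991,,0,0
203.0.113.128/25,3469034,3469034,,0,0
192.0.2.0/24,6252001,6252001,,0,0
192.0.2.0/26,,6252001,,1,0
"""

# Constructed sample in the GeoLite2-Country-Locations-en.csv column layout.
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2017370,en,EU,Europe,RU,Russia,0
1814991,en,AS,Asia,CN,China,0
3469034,en,SA,South America,BR,Brazil,0
6252001,en,NA,North America,US,United States,0
"""


def load_country_networks(blocks_csv, locations_csv):
    """Return {ISO code: [ip_network, ...]}; rows without a geoname_id are skipped."""
    iso_by_geoname = {
        row["geoname_id"]: row["country_iso_code"]
        for row in csv.DictReader(io.StringIO(locations_csv))
    }
    nets = {}
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        iso = iso_by_geoname.get(row["geoname_id"])
        if iso:
            nets.setdefault(iso, []).append(ipaddress.ip_network(row["network"]))
    return nets


def build_blocklist(nets, countries):
    """Merge the chosen countries' prefixes into the smallest sorted list of ranges."""
    chosen = [n for iso in countries for n in nets.get(iso, [])]
    return sorted(ipaddress.collapse_addresses(chosen))


def render_ruleset(table="inet filter", set_name="geoip_block_v4"):
    """One-time ruleset: the interval set and a chain that drops sources in it."""
    return "\n".join([
        f"table {table} {{",
        f"    set {set_name} {{",
        "        type ipv4_addr",
        "        flags interval",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @{set_name} drop",
        "    }",
        "}",
    ]) + "\n"


def render_refill(blocklist, table="inet filter", set_name="geoip_block_v4"):
    """Script for `nft -f` that swaps the set contents after a database update.

    nft applies a -f file as one transaction, so the flush and the refill land
    together: the set is never empty and established connections are untouched.
    """
    lines = [f"flush set {table} {set_name}"]
    if blocklist:
        elems = ", ".join(str(n) for n in blocklist)
        lines.append(f"add element {table} {set_name} {{ {elems} }}")
    return "\n".join(lines) + "\n"


def country_of(ip, nets):
    """Longest-prefix lookup of an address, mirroring what the firewall will decide."""
    addr = ipaddress.ip_address(ip)
    best = None
    for iso, prefixes in nets.items():
        for net in prefixes:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iso, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    nets = load_country_networks(BLOCKS_CSV, LOCATIONS_CSV)
    blocklist = build_blocklist(nets, ["RU", "CN", "BR"])
    print(render_ruleset())
    print(render_refill(blocklist))
    for ip in ("203.0.113.200", "192.0.2.9", "10.0.0.1"):
        print(ip, "->", country_of(ip, nets))
```

Load `render_ruleset()` once with `nft -f`, then feed `render_refill()` output to `nft -f` after every database update; only the table and set names need to agree. Neighbouring prefixes for different blocked countries are merged (the two /25s above become one /24), which keeps the set small for the kernel's interval lookup. IPv6 needs a second set of type ipv6_addr built the same way from the IPv6 blocks file.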

AI

Minneapolis Bans Its Police Department From Using Facial Recognition Software (techcrunch.com) 25

An anonymous reader quotes a report from TechCrunch: Minneapolis voted Friday to ban the use of facial recognition software for its police department, growing the list of major cities that have implemented local restrictions on the controversial technology. After an ordinance on the ban was approved earlier this week, 13 members of the city council voted in favor of the ban, with no opposition. The new ban will block the Minneapolis Police Department from using any facial recognition technology, including software by Clearview AI. That company sells access to a large database of facial images, many scraped from major social networks, to federal law enforcement agencies, private companies and a number of U.S. police departments. The Minneapolis Police Department is known to have a relationship with Clearview AI, as is the Hennepin County Sheriff's Office, which will not be restricted by the new ban.

Security

'No Support Linux Hosting' Shuts Down After Cyberattack (zdnet.com) 25

A web hosting company named No Support Linux Hosting announced today it was shutting down after a hacker breached its internal systems and compromised its entire operation. From a report: According to a message posted on its official site, the company said it was breached on Monday, February 8. The hacker appears to have "compromised" the company's entire operation, including its official website, admin section, and customer database. A No Support Linux Hosting (NSLH) spokesperson did not return a request for comment seeking details about the attack. But while details about the intrusion are unclear, the attack appears to have been destructive in its nature. "We can no longer operate the No Support Linux Hosting business," the company flatly acknowledged today. "All customers should immediately download backups of their websites and databases through cPanel," NSLH said, urging clients to do so before servers go down for good. At the time of writing, the nature of the NSLH attack is unclear, and we don't know if the hacker downloaded & wiped the company's database and backups or if we're talking about a classic ransomware attack where the intruder encrypted files and demanded a ransom for the decryption key.

Security

SolarWinds Patches Vulnerabilities That Could Allow Full System Control (arstechnica.com) 15

An anonymous reader quotes a report from Ars Technica: SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities. Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds' software development system and used it to distribute backdoored updates to Orion customers. It didn't take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There's no evidence any of the vulnerabilities have been exploited in the wild.

The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274, the vulnerability stems from Orion's use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines. [...] The second Orion vulnerability, tracked as CVE-2021-25275, is the result of Orion storing database credentials in an insecure manner. Specifically, Orion keeps the credentials in a file that's readable by unprivileged users. Rakhmanov facetiously called this "Database Credentials for Everyone." While the files cryptographically protect the passwords, the researcher was able to find code that converts the password to plaintext. The result: anyone who can log in to a box locally or through the Remote Desktop Protocol can gain the credentials for the SolarWindsOrionDatabaseUser.

The third vulnerability, tracked as CVE-2021-25276, resides in the Serv-U FTP for Windows. The program stores details for each account in a separate file. Those files can be created by any authenticated Windows user. Rakhmanov wrote: "Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem."
Fixes for Orion and Serv-U FTP are available here and here.
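Two of the three findings reduce to filesystem ACLs on the Windows host: a credential file that a broad group can read (the "cryptographic protection" is moot once the same unprivileged user can read both the file and the code that decrypts it), and a user-definition directory that any authenticated user can create files in. The check a defender runs after patching, and on any other product that keeps secrets or config on disk, is `icacls` over those locations followed by a look for allow entries granted to principals that cover every local or RDP logon. The script below is an added example, not SolarWinds' or Trustwave's code; it parses the text `icacls <path> /T` prints, and the sample output and paths in it are constructed (the real Orion and Serv-U locations depend on the install), so it runs offline on any platform.

```python
"""Flag files and directories that broad Windows principals can read or write.

Added example, not SolarWinds' or Trustwave's code. It parses the text that
`icacls <path> /T` prints; the sample below is constructed with made-up paths.
"""
import re

# Constructed sample in icacls layout: "<path> <principal>:<perms>", with any
# further ACEs for the same path indented by len(path) + 1 spaces.
SAMPLE_ICACLS = r"""C:\Orion\creds.db NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Administrators:(I)(F)
                  BUILTIN\Users:(I)(RX)

C:\Serv-U\Users BUILTIN\Administrators:(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                NT AUTHORITY\Authenticated Users:(OI)(CI)(M)

C:\App Data\users BUILTIN\Administrators:(OI)(CI)(F)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 3 files; Failed processing 0 files
"""

# Principals that cover every local or RDP logon, the population the write-up
# says could reach the credential file and the Serv-U user directory.
BROAD_PRINCIPALS = {
    "Everyone",
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}
# icacls simple rights plus the specific rights that let a caller write the
# object or take it over; WDAC/WO (change DACL or owner) are as good as write.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA", "WDAC", "WO"}
READ_RIGHTS = {"F", "M", "RX", "R", "RD", "GR", "GA"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<perms>(?:\([^()]*\))+)\s*$")


def split_ace(perms):
    """Separate '(OI)(CI)(M)' into inheritance flags and access rights."""
    flags, rights = set(), set()
    for group in re.findall(r"\(([^()]*)\)", perms):
        if group in INHERITANCE_FLAGS:
            flags.add(group)
        else:
            rights.update(r for r in group.split(",") if r)
    return flags, rights


def parse_icacls(text):
    """Return [(path, principal, flags, rights), ...] from icacls output."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0] != " ":
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    entries = []
    for block in blocks:
        first = block[0]
        if len(block) > 1:
            # Continuation lines are indented to len(path) + 1, which recovers
            # the path even when it contains spaces.
            width = len(block[1]) - len(block[1].lstrip(" "))
            path, aces = first[: width - 1], [first[width:]]
        else:
            # Single-ACE object: the first space is the only cue, so a path
            # containing spaces is ambiguous here (a known limitation).
            path, _, ace = first.partition(" ")
            aces = [ace]
        aces += [line.lstrip(" ") for line in block[1:]]
        for ace in aces:
            m = ACE_RE.match(ace)
            if m:
                flags, rights = split_ace(m["perms"])
                entries.append((path, m["principal"], flags, rights))
    return entries


def find_exposures(text, broad=BROAD_PRINCIPALS):
    """List (path, principal, 'write'|'read') for allow ACEs granted to broad principals."""
    findings = []
    for path, principal, flags, rights in parse_icacls(text):
        if "DENY" in flags or principal not in broad:
            continue
        if rights & WRITE_RIGHTS:
            findings.append((path, principal, "write"))
        elif rights & READ_RIGHTS:
            findings.append((path, principal, "read"))
    return findings


if __name__ == "__main__":
    for path, principal, kind in find_exposures(SAMPLE_ICACLS):
        print(f"{kind:5} {principal:35} {path}")
```

Run it over `icacls "<install dir>" /T` captured to a file on the Orion or Serv-U host; a "write" hit on a directory the service reads configuration from, or a "read" hit on anything holding credentials, is the condition the advisory describes regardless of whether the content is encrypted. The principal list is deliberately short; extend it with any domain group that every workstation user belongs to.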
