US Legislators Draft Nationwide Data Privacy Act; Acuity Confirms Their GitHub Repositories Were Breached; D-Link NAS Vulnerability Affects End-of-Life Devices; Help Us Improve NewsBites

Two US legislators have drafted the American Privacy Rights Act, which eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals. The legislation would restrict the types of data companies can collect, retain, and use to only what is necessary to provide products and services. It would also hold companies accountable for their data security obligations.

The US Department of State is investigating a potential cyber incident after information that was purportedly taken from national security agencies was leaked online. Tech consulting firm Acuity, which is a US government contractor, has confirmed that intruders breached their GitHub repositories and stole documents.

A vulnerability affecting more than 92,000 D-Link network-attached storage (NAS) devices is being actively exploited. The issue was discovered by a researcher known online as netsecfish, who writes, The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter. The vulnerable devices are no longer supported and thus will not be patched.

Please take 3 minutes to give us your suggestions.

Hoya Corporation has disclosed a cybersecurity incident that the company says has affected some production facilities and some product ordering systems. Hoya says that on March 30, they discovered a discrepancy in system behavior that revealed a system failure, and was advised by third-party experts that it was likely due to unauthorized access. Hoya is a Tokyo-based manufacturer of optical products, including eyeglasses, contact lenses, endoscopy products, and glass substrate used in hard disk drives.

The Germany state of Schleswig-Holstein says it plans to move from Microsoft Windows to Linux. Schleswig-Holstein digitalization minister Dirk Schršdter noted that the use of open-source software also benefits from improved IT security, cost-effectiveness, data protection, and seamless collaboration between different systems. He also cited digital sovereignty as a reason for the move. The switch to open-source is not a surprise: several years ago, the state announced its intention to switch from Microsoft Office to LibreOffice, with a goal of migrating 25,000 computers by 2026.

Home Depot has acknowledged a recent cybersecurity incident that exposed employee data. Home Depot told Bleeping Computer that A third-party Software-as-a-Service (SaaS) vendor inadvertently made public a small sample of Home Depot associates' names, work email addresses and User IDs during testing of their systems. The number of affected employees is not specified.

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has published a sector alert warning of an increase in social engineering attacks targeting IT help desks in the healthcare sector. The calls in the recent campaigns come from phone numbers spoofed to appear local to the organization; the callers have managed to convince help desk staffers to enroll new devices for MFA authentication.

Google is adding a V8 sandbox to their Chrome browser with the goal of preventing memory corruption in V8 from spreading within the host process. Memory corruption vulnerabilities in V8 are usually not garden variety memory corruption issues: most cannot be addressed by switching to memory-safe programming languages or using hardware memory safety features.

Due to a phishing campaign aimed at obtaining city employee account credentials, the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) is not currently publicly available. According to Recorded Future, New York City's Office of Technology and Innovation said that employees were receiving smishing (phishing via SMS) messages. While the website is not accessible to the general public, it is still accessible to employees through NYC's secure internal network (intranet). The smishing messages, which asked employees to set up MFA, appears to be a scam based out of Lithuania.

A data security incident at a US Department of Justice (DoJ) third-party contractor has resulted in the exposure of DoJ-related information belonging to more than 340,000 people. The Greylock McKinnon Associates consulting firm said the incident occurred in May 2023. The compromised data include Medicare information and Social Security numbers.