HTTPS Certificates Get New Security Requirements; Oracle Health Data Breach; 23andMe Future Buyer Must Follow Privacy Policy

The idea is to offset risks from BGP attacks used to obtain fraudulent certificates. Requester domain validation will be performed from multiple geographic locations, to offset risks of routing attacks, coupled with enhanced linting to ensure good algorithms are used and errors detected, which should increase the overall integrity of certificate issuing with nominal impact on legitimate certificate requests.

Lee Neely

These changes should be transparent to anybody requesting certificates from participating certificate authorities. So far, the more disruptive proposals, like a shortened certificate lifetime, were not implemented.

Johannes Ullrich

The CA/Browser Forum has been very slow to force improvements in validation and authorization before certificates are issued, even as 'SSL everywhere!' was trumpeted. Good to see this initiative become a requirement.

John Pescatore

Does making these procedures public improve security?

William Hugh Murray

This is not to be confused with the earlier claims of a breach of Oracle Cloud's Federated SSO login servers, although both incidents are lacking in formal notification. Written notices were provided, but not on company letterhead, directing customers to only communicate verbally with their CISO. In this case Oracle Health is offering to pay for the mailing vendor for patient notification and offering credit monitoring, but they are not willing to send on behalf of the affected hospitals, unlike UHG/Change Healthcare. Without more transparent breach notifications, not only are hospitals challenged to investigate/report accurately, Oracle Health may be subject to an investigation from HHS.

Lee Neely

A key aspect in outsourcing your data and/or services with a third party is having trust with that third party. When that third party begins to deal with you during a breach using only lawyers, not publicly acknowledging they suffered a breach, and communicating with you on un-headed paper, then that third party is no longer acting as a trusted party.

Brian Honan

Seems a bit like Change Healthcare in the way they've communicated; hopefully, they don't plan on using their incident response playbook. It's time for Oracle Health to officially own the incident and take action to lessen the impact in the loss of health records.

Curtis Dukes

Almost from its first year the Verizon DBIR has warned of the risk of orphan data and servers.

William Hugh Murray

The thing about genetic data is that it is not only sensitive, but cannot be changed, unlike a phone number. Adherence to the privacy policy signed by the user is critical in this case. It's not clear that the purchasing company won't attempt to replace that with their policy with an automatic opt-in, which runs afoul of modern privacy legislation which requires notification and active acceptance. Your best bet is a data deletion request.

Lee Neely

The sensitivity of data increases with associations. While one person's DNA is no more sensitive than other biometric data, a DNA database may contain intimate associations among individuals of which they are not even aware. One likes to think that this contractual provision will be enforceable in bankruptcy.

William Hugh Murray

Don't wait for lawyers to decide what the appropriate use cases are. If you have data with 23andMe, go in and delete it now.

Curtis Dukes

Healthcare systems are a huge target, in part due to the large attack surface, not always well secured, which is prioritized for continuous operation, making patching/security windows virtually nonexistent. Couple that with the need for FDA validation of cybersecurity changes, meaning a fix can take up to a year to implement. That means that healthcare organizations are going to need to focus on boundary and network security (protections and detection) to offset running vulnerable code on potentially unsupported operating systems. One hopes they can leverage free resources, like CISA, to offset shortage of SME or other resources.

Lee Neely

The success of ransomware attacks suggest that hospital risk is high in part because too much is exposed to the Internet. While we do not see much abuse or misuse of medical appliances, any one may represent a risk to health and safety and 650K devices is a mammoth attack surface.

William Hugh Murray

CVE-2025-2857, Firefox sandbox escape, only affects Firefox on Windows. While not currently known to be exploited, the similarity to CVE-2025-2783, Chrome sandbox escape, suggests that will change. While you're rolling out your Firefox update, if you're still on ESR 115.21, take a look at moving to ESR 128.8.1 as your users are likely seeing out-of-date browser prompts.

Lee Neely

Good catch by Firefox developers looking at vulnerabilities reported that may be applicable to their product. Simply restart your Firefox browser to update to the latest version.

Curtis Dukes

That the USB Restricted Mode and Web content sandbox escape fixes were back ported to older OS versions, not just current and one prior, indicates the importance of applying these updates. Take note of your devices running older OS releases and start the lifecycle replacement process now so you can have current hardware before the new OS releases hit this summer and fall, rendering those unsupported.

Lee Neely

AAPL quietly provides security updates as part of its normal patch cycle. What's different and bears immediate attention is the fact that these vulnerabilities are being actively exploited. Update to the latest version available for the various AAPL operating systems. Further get into the habit of updating as AAPL makes updates to their product operating systems; it will save you a lot of pain-n-suffering later.

Curtis Dukes

Grab the IOCs from the Infoblox blog to see if any traces of Morphing Meerkat are discovered. Review your DNS security measures, including blocking access to external/unsanctioned DoH services. Beyond having good monitoring on DNS, tracking adtech and sharing site use should be in place to fuel the discussion about blocking non-approved sites in these categories.

Lee Neely

This is an interesting variant in that it attempts to identify the victim's email provider (Microsoft, Google,) and emulates the 'correct' phishing page for the user. Older phishing kits just added collateral like company logos based on the email domain. This version may catch a few new victims.

Johannes Ullrich

Short summary: reusable credentials like passwords need to be replaced with phishing-resistant strong authentication. Especially for users like the example 'high-profile professionals, such as a head of network operations for a large financial services software company' used in the report.

John Pescatore

Never underestimate the ability of the attacker. Basically, they are now commoditizing initial access as part of ransomware as a service. DNS filtering continues to be the best defense and is offered at both the enterprise and user level.

Curtis Dukes

MU Plugins are typically placed by hosting providers to ensure the use of their value-added services. Correspondingly, they cannot be activated/deactivated/removed from the WordPress UI. They are listed under installed plugins, make sure all are legitimate, then make sure your security scanner is scanning the mu-plugins directory and review any skipped directory settings, as well as checking for changed files, down-rev plugins/themes and WP version. Review your administrative users, and plugins, removing any which are unrecognized, as well as verifying 2FA is on for everyone.

Lee Neely

A design flaw with WordPress that allows attackers to maintain persistence on the system. Add the directory to regular scanning for malicious files and restrict access to only admins. Further, maintain a tight update schedule for all plugins.

Curtis Dukes

The advantage of the Microsoft account is it allows central storing of bitlocker keys, settings, preferences, etc. The downside is users have to both have a MS account and be online to access Windows 11 systems. Running the bypassnro.cmd script during setup allowed setup networking to be bypassed and a local account created. To achieve that now, you'll need to pause setup at the network setup, open a CMD prompt and set the OOBE BypasssNRO registry value to 1, then reboot.

Lee Neely

Understanding the difference between PredAI (statistical analysis + ML) and GenAI (prompts + generated content + huge data sets) is important as the attack vectors and techniques are different. GenAI attacks focus on prompt injection and jailbreak, while PredAI attacks are based on objectives and capabilities, think data poisoning, evasion and privacy breaches. Mitigating the attack risks is an evolving topic, you can start by building risk models by leveraging NIST's AI Risk Management Framework (AI RMF 1.0) to help you assess the risks and develop mitigation strategies.

Lee Neely

This is pretty dense report, though almost half of the 114 pages are reference footnotes. From an action point of view, you could block replace every mention of AI and ML with 'complex database applications' and reach the same recommendations. The report acknowledges this, stating, 'For example, managing the security of AI systems will require combining mitigations from the field of AML with best practices for the development of secure software from the field of cybersecurity.' Without data governance and access control, no application (with or without AI/ML) will end up secure.

John Pescatore

RESURGE is associated with CVE-2025-0282, CVSS score 9.0, from back in January. Regardless of patch status, grab the IOCs and go threat hunting. If for some reason you were delayed deploying the Ivanti update, assume a compromise. If you find anything, or have any doubts, perform a factory reset. Compromise of associated domain accounts should perform two password resets, revoke Kerberos and cloud tokens. Cloud joined devices will need to be disabled to revoke the device token.

Lee Neely

Given that many employees are being required to return to offices, this one is good reminder to include a process for reminding them to safely dispose of work-related information on personal devices, printer memories, file folders, home/personal cloud backup systems etc.

John Pescatore

Beyond classified data, consider the allowance of external storage device connection (to include smartphones) as well as camera use in areas where sensitive data is processed. A photograph of the screen can be as valuable as capturing a document, and a lot harder to detect, and with modern text recognition, not a big hindrance to understanding the data. Also make sure that you have a clear policy, with stated consequences, and supporting training on how and where your sensitive data are to be processed, handled and stored.

Lee Neely

The intelligence community places a lot of trust in the individual. That said, there are also system-level checks to ensure that national security secrets are protected. Mr. Arshad intentionally violated that trust and should be held fully accountable.

Curtis Dukes

We continue to see instances within the intelligence community in which junior people are not supervised in a manner consistent with the sensitivity of the information to which they have access. In this case, one can only wonder how an intern could have access to top secret data either outside a SCIF or take a mobile into a SCIF.

William Hugh Murray