Security News > 2020 > November

The DontTouchTheGreenButton.com website just launched by the Trump campaign in relation to the recently filed Arizona "Rejected votes" lawsuit was discovered to be leaking voter data. The data included the voter name, address, and a unique identifier.

Git LFS vulnerability allows attackers to compromise targets' Windows systems
A critical vulnerability in Git Large File Storage, an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker's malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered.

November 2020 Patch Tuesday forecast: Significant OS changes ahead
November Patch Tuesday and the end-of-year holidays are rapidly approaching.

A new script makes it easy to create an ISO for any version of Windows 10, including Windows 10 version 1507 through 20H2. For those not familiar with ISO images, they are a sector-by-sector copy of a DVD. This ISO file can then be written, or burned, to a DVD to create a replica of the original media, mounted as a drive letter in Windows, or extracted by a program like 7-Zip to access the contained files. If you want to perform a clean install of Windows 10 or run into a problem, it is always helpful to download an ISO that can be used to create Windows 10 media.

Microsoft is working on adding a new Microsoft Forms phishing attempt review feature that will allow Office 365 admins to confirm and block forms that try to maliciously harvest sensitive data. Phishing attempts are detected by Microsoft Forms with the help of proactive phishing detection, a protection feature that will proactively identify malicious password collection in forms and surveys.

Chocolatey is a Windows package manager that lets you quickly install new software or prep a new Windows 10 installation with your favorite applications, all from the command line. Like every other package manager, Chocolatey is entirely a command-line tool where you have to type in the commands you wish to execute.

This post was originally published on November 7th. A Luxottica data breach has exposed the personal and protected health information of 829,454 patients at LensCrafters, Target Optical, EyeMed, and other eye care practices. In a "Security Incident" notification issued this week, Luxottica disclosed that their appointment scheduling application suffered a data breach after being hacked on August 5th, 2020.

One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers. The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.

Let's Encrypt, a Certificate Authority that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year. Next year, on September 1, 2021, the DST Root X3 certificate that Let's Encrypt initially relied on for cross-signing will expire, and devices that haven't been updated in the past four years to trust the X1 root certificate may find they're unable to connect to websites securely, not without throwing up error messages, at least.

Squid geopolitics. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.