Schneider Electric has patched a vulnerability in its InduSoft Web Studio and InTouch Machine Edition. The products aren't themselves control systems, but rather toolsets used to develop SCADA systems, human-machine interfaces, and applications that connect automated systems. The bug, discovered and disclosed by Tenable, is a buffer-overflow issue that could be exploited to execute arbitrary code.
NetScout's Arbor Networks reported a possible backdoor in LoJack for Laptops, a tool that enables administrators to remotely lock, locate, and remove files from a stolen computer. Five LoJack agents were found to be communicating with four dodgy command-and-control domains, three of which have in the past been associated with Fancy Bear, Russia's GRU. Absolute Software, which makes LoJack for Laptops, says it's been in discussions with Arbor Networks, takes the matter seriously and is investigating, but doesn't believe its customers are at risk.
Travel reward points are relatively easy to monetize, and they're being sold in Russian-language dark web souks. Botnet operators often pick up such credentials incidentally in the course of other illicit activities, and for the most part they sell them to other criminals.
Becton Dickinson has advised that its medical devices using WPA2 encryption are vulnerable to KRACK key reinstallation attacks. This general Wi-Fi problem isn't confined to medical systems, but Becton Dickinson has issued a fix. And the US FDA has ordered the recall of about 465 thousand St. Jude implantable cardioverter defibrillators for a firmware update.
Today is World Password Day. Do you know where your credentials are?