Eclypsium this morning released a study of potential security issues that arise with bare-metal cloud services. IBM, among the vendors affected, responded yesterday by requiring that all Baseboard Management Controllers "be reflashed with factory firmware before they are re-provisioned to other customers." Eclypsium says it's pleased to learn of this mitigation, but that it disagrees with IBM's assessment of the vulnerability as "low severity"—Eclypsium thinks it more serious than that.
New research from the University of Cambridge and Rice University shows that computers with USB-C ports are more vulnerable to direct memory access attacks than previously thought. Current protection provided by input-output memory management units, or IOMMUs, was found to be insufficient. As a result, Cambridge says, many computers running Windows, macOS, and Linux can be compromised by peripheral devices like chargers. Complete remediation will require "changes in system design" on the part of the technology companies, which the researchers say are in progress. Until then, users are advised to avoid connecting untrusted devices to their platforms.
A hacker hijacked the Twitter account for the mayor of Tampa, Florida, and used it to post a series of vile and threatening tweets, including a fake ballistic missile warning. Naked Security notes that the "egregious nature" of the other tweets led most people to conclude that the account had been hacked, so the inbound missile alert was widely dismissed.
TurboTax didn't suffer a data breach, contrary to some reports. Rather, credential stuffing attacks hit an undisclosed number of accounts, Newsweek reports.