Summary:
Personal data of nearly all Xfinity customers was "probably" accessed by hackers in October using a vulnerability in Citrix cloud software. Citrix notified Xfinity and other companies about the vulnerability on October 10. It released a patch at that time, but other guidance was announced on October 23. Between those October 16 and 19, Xfinity determined that its own customer data had been accessed by unauthorized parties. Xfinity disclosed this situation in a regulatory filing with the SEC.

Citrix said that when it issued a notice about the vulnerability on October 10, it was unaware that any exploits had occurred. However, by October 23 it was aware of "targeted attacks" that were enabled by the vulnerability. Mandiant issued guidance about remediation for the affected products (NetScaler ADC and Gateway appliances), and Citrix gave the information to its customers.

Summary:
The SSH protocol for secure access to remote computers has been used since 1996, and it has been the subject of extensive security analysis. Thus, it was a surprise when it was recently found to have a flaw. The hack, named "Terrapin", utilizes an active man-in-middle attack against particular ciphers and/or cipher modes. These are supported by over 75% of Internet servers, and one or more are preferred access modes on over half of the servers.

The "ChaCha20-Poly1305" cipher or "CBC with Encrypt-then-MAC" mode for SSH have the vulnerability. If an attacker can block several messages at the beginning of the protocol, when it is setting up a secure end-to-end connection, then the integrity of the exchange can be undermined. The attacker can inject packets that will be accepted by the server as having come from the client. The result is an SSH session that the attacker controls.

The researchers who discovered the vulnerability have recommended a complete redesign of SSH. The protocol suffers from having had too many new ciphers and modes added to it over time, and some of those additions are inconsistent with the assumptions used in 2016 to prove the protocol's security.

Summary:
Modern-day museums offer views of their collections through online photographs and videos, and management of those digital artifacts is done through software systems tailored to the way museums operate. The company Gallery Systems is such a provider to the likes of the Boston Museum of Fine Arts, the Rubin Museum of Art in New York, and the Frances Lehman Loeb Art Center at Vassar College, When Gallery Systems was hit by a ransomware attack on December 28, they took immediate steps to isolate their affected systems. As a result, the museums' digital collections were unavailable, and in some cases their administrative data, like lists of donors, were similarly offline. Those museums that took care to keep such data on local systems did not suffer disruption to their administrative functions. Curators noted that information is the major part of the value their collections, and they would be much harmed if the information behind the objects was lost.

The status of recovery by Gallery Systems was not readily available at the time of this writing.

In a similar story, the British Library is "crawling back online" after a cyberattack in October on its website.

Summary:
Beijing Wangshen Dongjian Justice Appraisal Institute in China's capital announced that they could compromise the user privacy of Apple's cellphone protocol for peer-to-peer networking. The announcement implied that the information had been used by police to identify several people suspected of sharing "inappropriate information". The suspects are assumed to be participants in the 2022 anti-government protests in Hong Kong.

However, no one familiar with AirDrop security should be surprised. The weaknesses in the protocol are well-known.

Summary:
China monitors iPhone AirDrop usage in Hong Kong, not just during protests. Anti-government people share organizational and other information using the peer-to-peer protocol. Apple's intention was to keep everything except the iPhone "name" (which is user settable) protected from view, but the user name and email address of both the sender and receiver are inadequately obscured. The hash values of the fields are accessible, and there is no cryptographic protection. This means that brute force attacks can easily reveal the information for the phone number, and the email address will also be revealed if it is either short (less than 14 characters randomly chosen) or available in any kind of public database.

Apple has known about the problem since at least 2019, but industry experts surmise that changes to the protocol were ruled out because they could not achieve backwards compatibility.

Summary: This article, from 2021, explains more detail about the AirDrop protocol and its "handshake" in which "the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses". Researchers who found the problem distributed an open source solution called "PrivateDrop" on GitHub, but Apple did not have any comment on the matter.

Summary:
On January 9, the X social media account for the US Securities and Exchange Commission announced the widely anticipated approval of "spot bitcoin exchange traded product (ETP) shares" (aka ETFs), but the Commission immediately retracted the statement, blaming a compromise of its X account for misinformation. However, the next day, the Commission actually did issue the approval. On January 12, the SEC issued a statement the "unauthorized party" access to its X account, noting that it "takes its cybersecurity obligations seriously" but giving no information other than their preliminary assessment that their internal infrastructure was not compromised.

Their statement did not seem to rule out the possibility of an insider ("authorized user") leaking the information ahead of time. Until the SEC releases a complete analysis of the incident, mysteries remain.

Summary:
As long ago as last November, a nation-state entity surreptitiously accessed "a very small percentage of Microsoft corporate email accounts," the company announced in a blog post. Moreover, some of the accounts belong to members of its senior leadership team and employees in its cybersecurity and legal departments. That attacking entity was "Midnight Blizzard", a Russian state-sponsored group aka "Nobelium."

And what was the group seeking from Microsoft's senior leadership? None other than information about Midnight Blizzard itself. And how did they gain access to that small percentage of accounts? Apparently by trying a bank of commonly used passwords. Did Microsoft fail to notice the password guessing activity? Why didn't their own security team detect the guessable passwords as part of normal security checkups? What about two-factor authentication? Etc., etc. In all likelihood, these barndoors are in the process of being closed.