Thursday, January 12, 2023

Short Takes – 1-12-23

One Small Legislative Step for Cybersecurity. LawfareBlog.com article. Medical device cybersecurity in Omnibus. Pull quote: “As I argued when I first wrote about the legislation for Lawfare in June, it offers a promising approach for incremental and sector-specific progress in addressing the widely recognized insecurity of critical infrastructure and products. Among the key features of the bill that recommend it as a model is that it situates cybersecurity within an existing regulatory framework, amending the Food, Drug, and Cosmetic Act to add a new section entitled “Ensuring Cybersecurity of Devices.” This implicitly acknowledges the reality that cybersecurity, despite its significance, is just one risk among many that a regulatory agency must consider and balance in pursuing any mission focused on safety, effectiveness, or reliability in the delivery of a product or service, whether it is health care or drinking water or transportation.”

Prototype pollution-like bug variant discovered in Python. Portswigger.net article. Always love new classes of vulnerabilities. Pull quote: “Class-based languages such as Python are supposedly immune to such manipulations. However, security researcher Abdulraheem Khaled has discovered a coding scheme that can allow attackers to perform prototype pollution-like attacks on Python programs. He calls it ‘class pollution’ in a blog post documenting his findings.”
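The linked article does not carry code, so here is an added illustration (written for this page, not the researcher's own example or PortSwigger's) of what a "class pollution" bug looks like in practice: a naive recursive merge of untrusted JSON-like data onto a Python object, the kind of helper found in settings and config loaders, next to a hardened version. The `User` class, the `merge_unsafe`/`merge_safe` functions and the sample payload are all constructed for this illustration.

```python
"""Added illustration of Python 'class pollution' (prototype-pollution-like).

Everything here is hypothetical: a constructed User class, a constructed
naive merge helper, and a hardened replacement. It is not code from the
article or from the researcher's write-up.
"""
from __future__ import annotations

from typing import Any, Iterable


class User:
    # A class attribute shared by every instance, the closest analogue of a
    # prototype property in JavaScript.
    is_admin = False

    def __init__(self, name: str) -> None:
        self.name = name


def merge_unsafe(src: dict, dst: Any) -> Any:
    """Naive recursive merge of untrusted data onto a dict or an object.

    Because it walks arbitrary keys with getattr/setattr, a key such as
    '__class__' lets the caller step from an instance to its class object
    and set an attribute there, which then changes every instance: that is
    the 'pollution'.
    """
    for key, value in src.items():
        if hasattr(dst, "__getitem__"):  # plain dict: merge by key
            if key in dst and isinstance(value, dict):
                merge_unsafe(value, dst[key])
            else:
                dst[key] = value
        elif hasattr(dst, key) and isinstance(value, dict):
            merge_unsafe(value, getattr(dst, key))  # traverses into attributes
        else:
            setattr(dst, key, value)
    return dst


def merge_safe(src: dict, dst: Any, allowed: Iterable[str]) -> Any:
    """Hardened merge: attribute names from untrusted input are data, not paths.

    Only declared, non-underscore names may be set, and there is no recursion
    through getattr, so '__class__', '__init__', '__globals__' and similar
    never become reachable from the input.
    """
    allowed = frozenset(allowed)
    for key, value in src.items():
        if not isinstance(key, str) or key.startswith("_") or key not in allowed:
            raise ValueError(f"refusing to set attribute {key!r}")
        setattr(dst, key, value)
    return dst


# Constructed payload: reaches the class through the instance's __class__.
POLLUTING_PAYLOAD = {"__class__": {"is_admin": True}}


def pollute_demo() -> tuple[bool, bool]:
    """Return is_admin of a fresh User before and after the unsafe merge."""
    User.is_admin = False  # reset shared state so the demo is repeatable
    before = User("bob").is_admin
    merge_unsafe(POLLUTING_PAYLOAD, User("alice"))
    after = User("bob").is_admin  # a *different* instance is now affected
    User.is_admin = False  # clean up the class attribute again
    return before, after


def hardened_demo() -> bool:
    """True if merge_safe rejects the same payload."""
    try:
        merge_safe(POLLUTING_PAYLOAD, User("alice"), allowed={"name"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe merge, is_admin before/after:", pollute_demo())
    print("hardened merge rejected payload:", hardened_demo())
```

The checks worth carrying into code review follow from the two functions: any helper that applies untrusted keys through `setattr`/`getattr` should reject underscore-prefixed names, work from an allow-list of declared fields, and never recurse from an object into its attributes, since that recursion is the step that turns an instance write into a class-wide one.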

How to track equipped cars via exploitable e-ink platemaker. TheRegister.com article. No one saw this coming (SIGH). Pull quote: “"We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization," Curry said. The site also gave them access to fleet management functionality.” Patched within 24 hours.

The Mysterious, Unregistered Fund That Raised Big Money for Santos. NYTimes.com article. Follow the money. Pull quote: “Two former consultants to the Santos campaign who requested anonymity in order to speak freely about their former client said that they were concerned about the close arrangement between the campaign and Rise NY, and told Mr. Santos that he should shut it down. A third former consultant turned down what it described as a lucrative offer from Mr. Santos to fund-raise for the PAC, citing legal concerns.”

Velta and TXOne offer solution to potential ICS disruption of Microsoft DCOM hardening patch. IndustrialCybersecurityPulse.com adverticle. Pull quote: “Added Dino Busalachi, chief technology officer and Velta Technology co-founder: “DCOM is embedded into most industrial control systems, and, unless you have an accurate asset inventory, this puts your plant floor at major risk for disruptions and outages. We are excited to partner with TXOne Networks to provide a unique, cost-effective stopgap that offers organizations valuable time to implement a permanent solution.”” No details.

Response To Petition To Classify Discarded Polyvinyl Chloride as RCRA Hazardous Waste. Federal Register Notice. Summary: “The Environmental Protection Agency (EPA) is responding to a rulemaking petition from the Center for Biological Diversity requesting that discarded polyvinyl chloride be listed as a hazardous waste under the Resource Conservation and Recovery Act. After careful consideration, the Agency is tentatively denying the petition for the reasons discussed in this document. The Agency is also soliciting public comment on this tentative denial.” Public comments due February 13th, 2023.

SpaceX readies massive Starship in preparation for test flight. TheHill.com article. Pull quote: “Starship’s orbital flight test is a crucial milestone in its development. SpaceX has big plans for its mega rocket, including sending a crew of influencers on a trip around the moon. But that’s not all, in 2021, NASA selected Starship as its human landing system — a key component of the agency’s Artemis lunar program.”

Lawmakers Introduce SANTOS Act to Punish Candidates Who Lie About Who They Are. HuffPost.com article. Congresscritters need to be careful about tossing stones…. Pull quote: “Here’s a copy of the SANTOS Act. It’s not likely to go anywhere, but it’s a hell of a starting point for the new Congress.”

Federal EPA agents conduct surprise inspection at Northampton BI-QEM chemical plant. MassLive.com article. When EPA ‘criminal investigators’ show up at a chemical plant, it is not a good day. Pull quote: ““The city of Northampton continues to work closely with our building inspectors, public safety officials, (state) Department of Environmental Protection and the EPA to ensure that BI-QEM complies with all laws and regulations relating to their manufacturing operations in Florence,” Mayor Gina-Louise Sciarra said in a written statement.”
