Commit 12_05_2023: DNA, water and… spam?

Welcome to Commit 12_05_2023! README senior editor Nathaniel Mott here with some of the day’s leading security news.

The Verge: 23andMe says recent hack affected 6.9 million users


23andMe confirmed to The Verge that a recent breach “affected around 5.5 million users who had DNA Relatives enabled, a feature that matches users with similar genetic makeups, while an additional 1.4 million people had their family tree profiles accessed.” That means a total of 6.9 million users—so far—of the DNA testing service have had their data compromised as a result of this intrusion.

This information seems most likely to be used as blackmail fodder (especially for people who have some, ahem, unexpected branches in their family trees) or as part of spearphishing attacks. Not a good look for a company that specializes in convincing people to share information they can never change; once it’s been stolen, there’s no way to respond. You can’t exactly cycle your DNA like you would a password.

CISA: Hackers exploit Adobe ColdFusion vuln against government targets

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today in a cybersecurity advisory that unidentified threat actors have exploited a vulnerability in Adobe ColdFusion, CVE-2023-26360, “at a Federal Civilian Executive Branch (FCEB) agency” in June 2023. The full advisory includes a breakdown of the tactics, techniques and procedures associated with that particular incident.

CISA said the attack was conducted in June. CVE-2023-26360 was revealed in March, which means the agency in question went approximately three months without updating ColdFusion to defend against the vulnerability. Perhaps CISA’s report will spur other agencies—to say nothing of organizations that don’t fall under the agency’s purview—to finally patch against this nine-month-old flaw in Adobe’s software.

Ars Technica: Gmail’s spam detection is getting an AI-powered upgrade

Google might be making Gmail usable again. Ars Technica reported Monday that Google is upgrading its email service’s anti-spam protections to better detect “adversarial text manipulations”—which Ars summarized as “emails full of special characters, emojis, typos, and other junk characters that previously were legible by humans but not easily understandable by machines”—before the messages reach users.

I said in April that I was just about ready to give up on Gmail because of the sheer amount of spam by which I’d been inundated. That hasn’t changed in the intervening months. My personal Gmail is still all but unusable because of bogus sweepstakes, obvious scams and meaningless promotions. These messages are just a nuisance for me, but it’s hard not to think they pose a legitimate risk to many Gmail users.

The Record: CISA’s actively reaching out to water facilities about Unitronics flaw

Last week I said that CISA’s warning to water facilities that Unitronics programmable logic controllers (PLCs) shouldn’t use the default password—which, incredibly, is “1111”—“didn’t exactly inspire confidence” in the sector’s ability to defend against cyberattacks. Fortunately it seems that CISA isn’t content to let these facilities leave their PLCs, which are responsible for a wide variety of functions, unguarded.

The Record today reported that CISA “is working to identify water utility operators using devices from Israeli company Unitronics and notifying those organizations if they are at risk of cyberattack.” That isn’t necessarily guaranteed to make the facilities improve their security, but at least now they can’t say they’re unaware of the risks. Let’s avoid further threats to the water supplies of communities across the U.S.