Future Tech

Boris Johnson pleads ignorance, which just might work

Tan KW
Publish date: Mon, 17 Jul 2023, 12:02 PM

Infosec in brief Former UK prime minister Boris Johnson lobbed a wrench into the works of the country's COVID-19 inquiry by claiming he couldn't remember the passcode to unlock an old phone being sought by investigators.

The inquiry has been seeking the device because it's believed to contain a trove of WhatsApp messages from the early days of the COVID-19 pandemic when the encrypted chat app was used widely - amid criticism - by the PM and other ministers unable to meet face-to-face.

BoJo reportedly last used the device in question in May 2021, after it was revealed that his phone number had been freely available to anyone online who knew where to look for a press release he had put out in 2006 while MP for Henley and shadow minister for higher education. His phone number - still in use while PM - was reportedly unchanged over the 15 years after the press release was published.

Johnson couldn't remember the passcode "with 100 percent confidence," according to The Times, leading to fears that the device could be wiped if the ex-PM guessed wrong too many times. 

Johnson's lapse of memory came after the UK High Court ruled that messages and diaries had to be handed over without redaction - which the government opposed on the grounds that it would have led to the exposure of "unambiguously irrelevant" material. 

Justices dismissed that argument last week, saying that the inclusion of irrelevant material didn't invalidate the order to turn all of it over without taking the time to redact it first. Part of the inquiry's message demand included one-on-one communications between Johnson, then-chancellor Rishi Sunak, and cabinet secretary Simon Case. 

Everyone can rest easy, though. By Thursday the government claimed that it had found a record of the PIN code for Johnson's old device and opened it up to the inquiry. Per the BBC, the Cabinet Office has until 1600 BST Monday to hand over the requested messages in their entirety.

This doesn't mean those outside the inquiry will see them, however. The Cabinet Office and the Inquiry itself retain the right to make redactions before wider dissemination to experts, witnesses or the public. 

Cybercriminals love to MOVEit: Two more high-profile victims admit hits

What do financial giant Deutsche Bank and elite US university Rutgers have in common? They've both become collateral damage as hackers continue exploiting vulnerabilities in MOVEit file transfer software.

In a statement to BleepingComputer earlier this week, Deutsche Bank admitted one of its external service providers in Germany experienced a security incident. While not saying that the attack was definitely caused by MOVEit vulnerabilities, DB did tell BC that "In addition to our service provider, we understand that more than 100 companies in more than 40 countries are potentially affected." 

Given that Deutsche Bank used the affected service provider to operate its account switching service, which moves large volumes of data from one institution to another, MOVEit is a plausible cause.

Rutgers University, on the other hand, said the exposure of some of its data handled by the National Student Clearinghouse was due to MOVEit vulnerabilities. Rutgers likely isn't alone, either: NSC works with 3,600 colleges across the US to collate student data for the Department of Education.

Rutgers and Deutsche Bank both said their internal systems were unaffected. 

CVSS 4.0 is coming

The Forum of Incident Response and Security Teams (FIRST) unveiled the fourth iteration of its Common Vulnerability Scoring System (CVSS) this week with promises to "provide the highest fidelity of vulnerability assessment for both industry and the public."

There are a number of changes in CVSS 4.0, like the removal of the "scope" concept and its replacement with "vulnerable" and "subsequent" system impacts, vulnerability scoring for software libraries and allowance for multiple base scores.

Perhaps the most notable change is to CVSS nomenclature, which is being modified to indicate which metric groups were used to arrive at the score: Base, Environmental or Threat. Scores will be labeled CVSS-B (Base only), CVSS-BE (Base and Environmental), CVSS-BT (Base and Threat) or CVSS-BTE when all three groups were included in the calculation.

The reason for the new nomenclature, FIRST said, is that CVSS-B scores only measure the severity of a vulnerability and do not reflect the risk to an individual environment or system. CVSS-B scores "should be supplemented with an analysis of the environment," FIRST said, and given Environmental and Threat metrics that are periodically updated.
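To make the labelling concrete, here is an added example (not code from The Register or from FIRST) that parses a CVSS 4.0 vector string, checks that every Base metric is present, and derives the CVSS-B / -BE / -BT / -BTE label from which optional metric groups were actually supplied. The metric abbreviations are those of the published CVSS v4.0 specification rather than anything quoted in the article; the example's own assumption is that a metric set to X (Not Defined) contributes nothing beyond the Base score and therefore does not count toward the label. It does not validate individual metric values, and the sample vectors in the `__main__` block are constructed for illustration.

```python
"""Derive a CVSS 4.0 score label (CVSS-B, -BE, -BT or -BTE) from a vector string.

Added example, not code from The Register or FIRST. Metric abbreviations follow
the published CVSS v4.0 specification; treating the value "X" (Not Defined) as
"metric not supplied" is this example's own assumption.
"""
import re

VECTOR_PREFIX = "CVSS:4.0"

# Required Base metrics: exploitability plus vulnerable/subsequent system impact.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
# Optional Threat metric (Exploit Maturity).
THREAT_METRICS = ("E",)
# Optional Environmental metrics: security requirements and modified Base metrics.
ENVIRONMENTAL_METRICS = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                         "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
# Supplemental metrics carry no numerical weight, so they never affect the label.
SUPPLEMENTAL_METRICS = ("S", "AU", "R", "V", "RE", "U")

KNOWN_METRICS = BASE_METRICS + THREAT_METRICS + ENVIRONMENTAL_METRICS + SUPPLEMENTAL_METRICS

# One "NAME:VALUE" component; values are letters (e.g. "U:Green" for Supplemental).
_METRIC_RE = re.compile(r"^([A-Z]{1,3}):([A-Za-z]+)$")


def parse_vector(vector: str) -> dict:
    """Split a CVSS 4.0 vector string into {metric: value}, rejecting malformed input."""
    parts = vector.strip().split("/")
    if parts[0] != VECTOR_PREFIX:
        raise ValueError(f"expected prefix {VECTOR_PREFIX!r}, got {parts[0]!r}")
    metrics = {}
    for part in parts[1:]:
        match = _METRIC_RE.match(part)
        if not match:
            raise ValueError(f"malformed metric component {part!r}")
        name, value = match.groups()
        if name not in KNOWN_METRICS:
            raise ValueError(f"unknown metric {name!r}")
        if name in metrics:
            raise ValueError(f"metric {name!r} given more than once")
        metrics[name] = value
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError("Base metrics missing: " + ", ".join(missing))
    return metrics


def score_label(vector: str) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE depending on the groups supplied."""
    metrics = parse_vector(vector)
    # Assumption: a metric left at X (Not Defined) is the same as not supplying it.
    supplied = {name for name, value in metrics.items() if value != "X"}
    has_threat = any(name in supplied for name in THREAT_METRICS)
    has_env = any(name in supplied for name in ENVIRONMENTAL_METRICS)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


if __name__ == "__main__":
    # Constructed sample vectors, not scores for any real vulnerability.
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for sample in (base,
                   base + "/E:P",                 # Threat metric supplied
                   base + "/CR:H/MAV:A",          # Environmental metrics supplied
                   base + "/E:A/IR:L",            # both groups supplied
                   base + "/E:X/S:P"):            # Not Defined plus Supplemental only
        print(f"{score_label(sample):9s} <- {sample}")
```

A scanner or ticketing integration would use the label to decide how much trust to put in a number: a bare CVSS-B is the vendor's severity view, while a CVSS-BTE reflects an organisation's own exposure and the current exploit maturity, which is exactly the distinction FIRST is drawing.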

Public preview and comment for CVSS 4.0 ends July 31, with a targeted publication date of October 1, 2023, for the new standard. ®


https://www.theregister.com//2023/07/17/infosec_in_brief/
