School laptop auction devolves into extortion allegation
Also: Atlassian says Jira has a 9.4 severity bug and the TSA issues milquetoast no-fly list security advisory
When a Texas school district sold some old laptops at auction last year, it probably didn't expect to end up in a public legal fight with a local computer repair shop – but a debate over what to do with district data found on the liquidated machines has led to precisely that.
The San Benito Consolidated Independent School District sold more than 3,500 devices at auction in July 2022, of which 700 were purchased by local computer repair and resale shop RDA Technologies.
RDA co-owner David Avila said he found 11 hard drives the district had failed to wipe, and which contained sensitive data on employees and students. Avila told local media that he reported the presence of the data to the district in October, saying "legally, it's their job to wipe out or destroy hard drives."
It's here things start to get complicated.
The district admitted to the exposure of the data as a result of the sale to RDA, but said Avila's company "has not agreed to our proposed solution." Avila disputed that characterization in a late January interview, saying that the district wanted him to sign a nondisclosure agreement as part of a deal to buy back the 11 computers, and an additional 503 that hadn't been inspected.
Avila says he wants the district to be open about the errors in its process – particularly as he alleges some computers sold by the district went to foreign buyers – so is not willing to sign an NDA.
The district also claimed that it wasn't given the chance to inspect the machines to verify they contained the alleged data. Avila denied this too, claiming a representative from the district had visited his shop to inspect them in October. Local news media reported they had inspected a machine and verified the data was present.
The district fired back with a statement on February 2, along with a copy [PDF] of communications with RDA. Among those communications are accusations from the district's legal representatives that Avila is attempting to "extort" the district.
Conveniently absent from the trove of communications is Avila's initial message to San Benito. Also missing is anything that actually incriminates Avila in extortion, as San Benito's lawyers allege in the missives.
The district also called RDA out for a similar scheme at a different Texas school district in 2019. RDA had machines from Edcouch-Elsa CISD where similar information was found. Avila said at the time he wanted Edcouch-Elsa to notify the public, as in this latest case.
Edcouch-Elsa said it also failed to reach an agreement with RDA.
According to San Benito CISD, the matter is now in the hands of the Texas AG, who isn't looking at its data wiping failures, but is investigating RDA. "The District is providing information to the Texas Attorney General to aid representatives from the Texas Attorney General's office in their future inspection of RDA Technologies," Superintendent Theresa Servellon said.
- Have we learnt nothing from SolarWinds supply chain attacks? Not yet it appears
- HeadCrab bots pinch 1,000+ Redis servers to mine coins
- Fast-evolving Prilex POS malware can block contactless payments
- Former Ubiquiti dev pleads guilty in data theft and extortion case
Patch now to avoid a Jira takeover
Several versions of Atlassian's Jira Service Management Server and Data Center contain an authentication vulnerability that could let an unauthenticated attacker impersonate users and gain remote access to affected systems.
"With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into," Atlassian stated in its advisory.
The Australian outfit said the bug earns a CVSS score of 9.4.
Such tokens can be accessed when an attacker is included on a Jira issue or request with the target user, or when an attacker gains access to an email containing a view request link from one of those users. Atlassian said bot accounts are particularly vulnerable in this scenario, as they are often used to communicate with other user accounts, but rarely see a human login.
Versions 5.3.x, 5.4.x and 5.5.x are all affected, Atlassian admitted, and it recommends upgrading to the latest versions now.
For those that can't immediately deploy the patch, Atlassian also issued a JAR file that will update the
servicedesk-variable-substitution-plugin, but said that's only a temporary fix.
TSA urges airlines to be careful with that no-fly list
The Transportation Security Administration has urged airlines to take a look at their systems to make sure nothing is amiss after a hacker spotted a 2019 copy of the no-fly list on an unsecured public-facing server last month.
While it doesn't appear to have been published online, a TSA spokesperson told several news outlets that the Administration had issued a security directive to all domestic airlines. Per a TSA spokesperson, the directive "reinforces existing requirements on handling sensitive security information and personally identifiable information."
We can hope those existing requirements were being grossly ignored at CommuteAir, which exposed the list by leaving a test server exposed to the internet. The server in question was taken down before news of the exposure was reported.
Nonetheless, Republicans on the Committee on Homeland Security aren't thrilled with the incident, telling TSA administrator David Pekoske in a letter that news of the no-fly list's discovery was alarming.
"The notion that such a consequential database be left unsecure is a matter concerning cybersecurity, aviation security, as well as civil rights and liberties," Representatives Mark Green and Dan Bishop wrote in their letter.
The representatives have given the TSA until February 8 to respond to their questions. ®