Firmware protection firm Eclypsium reported that hackers can use firmware backdoor implants on bare-metal cloud servers to gain persistence even after the next customer rents the bare-metal server from a cloud provider. That persistence, gained by exploiting the vulnerability dubbed Cloudborne, could allow attackers to brick the server, steal data, or launch ransomware attacks.

Eclypsium tested its theory on IBM’s SoftLayer cloud services, as SoftLayer in some cases uses vulnerable SuperMicro server hardware. The researchers modified the server’s baseboard management controller (BMC) firmware, waited until it was rented out by a different customer, and then reacquired the same device later. The team determined the firmware had not been reflashed even though the server had been wiped. Additionally, the firm determined the BMC root password remained the same and the BMC logs were still there.

Eclypsium disclosed the Cloudborne vulnerability to IBM in September 2018 and notified CERT in January. While the firm claims IBM never indicated it had made changes, IBM’s vulnerability advisory released Monday stated that it forced “all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers. All logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated.”

There has been no indication, according to IBM, that the vulnerability had been maliciously exploited.

Other cybersecurity news

Cloudflare released transparency report, added new warrant canaries

While our heads are in the clouds, it might be a good time to mention that Cloudflare released its transparency report (pdf) for the second half of 2018 and added three new warrant canaries.
The new warrant canaries state:

Cloudflare has never modified customer content at the request of law enforcement or another third party.

Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.

Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.

If, in the future, any of those warrant canaries are removed from the list, it will signify that law enforcement or a third party asked Cloudflare not to publicly disclose that it acted against one of the canaries.

In addition, Cloudflare changed the wording of one of the original 2013 warrant canaries, which stated, “Cloudflare has never turned over our SSL keys or our customers SSL keys to anyone,” to now state, “Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.”

TurboTax parent company denies data breach

Intuit, the parent company of TurboTax, claimed it did not suffer a data breach, as was previously reported. The initial report of TurboTax being hit with a credential-stuffing attack referenced a letter (pdf) sent to the Vermont Attorney General, but Intuit said the letter was “a notification to a state that a customer’s account experienced unauthorized access by a third party using legitimated log-in credentials that Intuit believes were obtained from sources outside the company.”

While there was “NO data breach,” it is a potent reminder not to reuse passwords. Attackers are all too happy to use usernames and passwords collected from the plethora of other breaches to gain access to other sites that might hold the kind of sensitive information found on tax forms: Social Security numbers, driver’s license numbers, financial information, addresses, birth dates, and more.