Issue 107

Breaches and leaks

  • An unsecured web server was exposing personal information of 120 million Brazilians, showing their equivalent of social security numbers, bank accounts, addresses, loans and more: link.
  • Google found another security vulnerability in Google+, impacting 52 million people. Because of this the planned shut-down date for the service got moved up four months.
  • Cap Cod Community College: $800.000 was taken from their bank accounts after a series of phishing attacks.
  • Not really a breach, but an unsecured MongoDB instance was found online with scraped LinkedIn information of over 66 million individuals. It's not known whom the database belongs to. link.
  • Humble Bundle: Also not really a breach, but they discovered that an attacker abused a bug to enumerate subscription statuses of a number of customers. Even though no personal data was leaked they still disclosed very responsibly.


Linux.org domain hacked and defaced

An attacker hijacked the DNS account and pointed the domain name to its own page, filled with all kinds of obscenities. Apparently the owner of the domain didn't have 2fa enabled. Go figure.
theregister.co.uk


Exploit code for the Kubernetes flaw is now available

Several instances of exploit code are now available for the critical privilege escalation flaw that was reported last week. If you haven't patched your cluster yet, please do so.
bleepingcomputer.com


Australian government passes contentious encryption law

It seems that this is a law that forces software makers to give law enforcement access to otherwise end-to-end encryption systems, somehow. I have to admit it's hard to deep-dive into this because of political shenanigans and personal anger on my part. It'll be very "interesting" to see how this plays out in practice.
nytimes.com


Marriott data breach is traced to Chinese hackers

The prevailing sentiment seems to be that the Marriott breach is the work of the Chinese, who are hoovering up all personal data they can get in order to identify spies by travel habits, recruiting new intelligence assets, and more.
nytimes.com


Text-based reCaptcha defeated by an AI bot

It seems that text-based CAPTCHA really is dead now. The AI system can be trained with only 500 captcha samples, and can then solve them as accurately as a human, with an average tested speed of 0.05 seconds.
hackercombat.com


Patch all the things \o/

  • Microsoft had its Patch Tuesday, fixing 39 vulnerabilities, 10 of which are rated critical, and two of which are actively being exploited.
  • Adobe did its thing too on Patch Tuesday, fixing no less than 87 vulnerabilities in Acrobat and Reader, several of which are critical.
  • Wordpress released an update for its 5.0 branch, fixing several vulnerabilities and a bug that allowed Google to index sensitive pages.


UK-based DNA project moves servers to military datacenter because of attacks

I really don't like DNA data in Internet-connected machines. The "100.000 Genomes Project" in the UK had to move its servers to a military base to protect it better, after being inundated with attacks.
sophos.com


Europol takes down Euro counterfit operations

The police of 13 countries conducted no less than 300 house searches and arrested 235 people suspected of buying counterfit Euro banknotes from a Dark Web marketplace.
zdnet.com


Toyota's PASTA - an open-source car hacking tool

It doesn't seem to be a sort of "Metasploit for cars" as I first thought, but rather a complete kit that gives you a playground to learn about car-related security.
hackread.com


On how location information is being gathered and sold

Might be more privacy-related than security-related, but I found it more than interesting enough to include. The NY Times takes a deep dive in how un-anonymous much of our smartphone location data is, and what kind of companies buy and sell that data.
nytimes.com


Named vulnerabilities and their practical impact

A Github-hosted list of well-known vulnerabilities like Heartbleed, EternalBlue, Spectre, and many more, and whether or not they were ever seen exploited in the wild. It's a lot less than you'd think.
That doesn't mean they don't need to be fixed in your infrastructure, but it's refreshing to balance out against our usual the-world-is-on-fire mode.
github.com


Cybersecurity books recommended by top security researchers

If you're looking to fill your reading list, this might be a good place to get some inspiration.
hpe.com


Sponsorships

1Password: a password manager worth recommending

After using 1Password Teams for several years, I finally made the leap and moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from. And I'm not just saying that because they sponsor me.
1password.com