Breaches and leaks
- FitMetrix: a fitness software provider, had an open Elasticsearch database exposing user data of millions (exact number unknown).
- US Department of Defense: Personal information and credit card details of 30.000 employees were compromised through a third party service provider.
- DonaldDaters: a recently launched dating app for Trump supporters, had an open database exposing personal information, session tokens and private messages.
- 35 million US voter records were found for sale on a hacking forum.
Vulnerability in LibSSH allows for trivial authentication bypass
This is as painful as they come. You tell the server "I'm authenticated, really!", and it goes "I believe you, come on in!". ... You'll want to check if you run LibSSH in your infrastructure and patch.
bleepingcomputer.com
Facebook hack impacted 30 million, of which 14 million had personal data stolen.
This is an update on the "View As" vulnerability. The attackers stole regular contact information from one half of users impacted, but far more from the other ~14 million people, including most recent locations they've checked in, most recent searches, and more.
bloomberg.com
Security support for PHP 5.6 ends in 10 weeks, hundreds of millions of websites still use it
Cross fingers that no serious vulnerability gets found after New Year's, I guess?
zdnet.com
TLS 1.0 and TLS 1.1 being retired in 2020 by all major browsers
This is a collective decision by Microsoft, Google, Apple, and Mozilla. TLS 1.2 and 1.3 are so prevalent that the fallout should be minimal.
bleepingcomputer.com
Bug in newly released iOS 12.0.1 gives access to your photos
Another passcode bypass, discovered by the same person who found the last one. Looking it the steps involved I'm curious how he finds these vulnerabilities, kudos to him.
hackread.com
US arrests alleged Chinese spy, accused of stealing US aviation secrets
The arrest happened in my home country of Belgium, no less. The intelligence officer recruited engineers from US aviation firms to travel to China and hand over blueprints.
infosecurity-magazine.com
Apple launches portal for US users to download their data
This was previously launched for EU users, under the GDPR, but is now also available to the US.
techcrunch.com
A mysterious grey-hat is patching people's outdated MikroTik routers
He's patched over 100.000 vulnerable routers, leaving a note about the fixed vulnerability and a Telegram channel for questions. A vigilante with a helpline, I can't help but get a kick out of it.
zdnet.com
Curated feed of Wordpress security news
If you're into the Wordpress ecosystem: this site aggregates Wordpress-related security news in daily or weekly e-mails and feeds.
wpsecuritybloggers.com
How I hacked modern vending machines
Fun article on how the author went about hacking the Android payment app for this vending machine.
hackernoon.com
The illustrated TLS connection: every byte explained
Fantastic post, going through every step of a TLS connection, showing every byte that's involved and explaining what it does.
ulfheim.net
Sponsorship
1Password for Teams and Business
I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.
1password.com
Application layer security for modern teams
Both startups and enterprises use Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.
templarbit.com