Issue 10

WordPress secretly fixed critical zero-day

WordPress has pushed out a fix for a critical vulnerability that let anyone, without logging in, modify the content of any post or page on an affected site. Because of its severity, the details were withheld until a fix was available. WordPress did brief Cloudflare and several WordPress hosting companies in advance so they could deploy rules in their web application firewalls before the vulnerability was made public.
If you have turned off automatic updates on your WordPress installation, update now rather than later: a vulnerability that needs no authentication will be exploited at scale once the details are public.


GitLab suffers major backup failure after data deletion incident

Not security news strictly speaking, but availability is part of security, so it still feels relevant. GitLab lost around 300 GB of production data when an engineer accidentally deleted it, and it turned out that none of the five backup and replication methods they relied on had actually produced a usable backup. To their credit, they have been exceptionally transparent in reporting on the incident. Most importantly, it serves as a reminder that a backup only counts as a backup once you have restored from it.


Half of web traffic is now encrypted

Some positive security news, for a change. According to Mozilla's Firefox telemetry, more than half of web page loads now go over HTTPS. In recent years initiatives like Let's Encrypt, Cloudflare's free SSL and Google using HTTPS as a ranking signal have moved things along at a high pace. We are still a while away from encryption being universal, but we are on the right track.


Taking a closer look at the SSL handshake

For those who want to understand HTTPS better, this is a good and to-the-point explanation of the TLS handshake that sets up an HTTPS connection.


Breach notification website LeakedSource shut down, allegedly raided

I've previously mentioned LeakedSource, the service that collected hacked databases and let you search the leaked records. There was quite a lot of debate on LeakedSource's usefulness to malicious hackers, and the ethics of the service itself: unlike a pure breach-notification service, it sold access to the raw records, passwords included.
It seems the service has been shut down, possibly by law enforcement. When trying to visit the site, a cached copy served by Cloudflare was all that remained. For now, if you want to know which of your data was exposed in a public breach, Troy Hunt's Have I Been Pwned is your best bet; it tells you which breaches an address appears in without handing out the underlying records.


Password-stealing security hole discovered in many Netgear routers

Netgear routers are, once again, found vulnerable to a high-impact flaw. The admin interface has a password recovery mechanism that accepts a recovery token. It turns out the token is never actually validated: whatever value you send, the router hands over the admin credentials. It can be abused from the local network, at home or on public WiFi, or remotely if you have the remote admin interface enabled (which you really shouldn't). Update your router's firmware if a fix is available; at the time of writing not all affected models have one, in which case at least make sure remote administration is switched off.
Amusingly, the flaw was found by a security researcher who could not be bothered to get out of bed to reset his router and instead looked for a way to break into it over the network. If that isn't a fitting anecdote for the state of router security.
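To make the failure mode concrete, here is the flaw modelled beside a hardened version. This is an added example for this newsletter, not Netgear's firmware code: the endpoint name, the router state and the sample admin password are constructed stand-ins, and the vulnerable class simply returns the admin password for any token, which is the behaviour the article describes.

```python
"""Password-recovery token handling: the flaw described above beside a hardened version.

Added example, not vendor code. ADMIN_PASSWORD, VulnerableRecovery and
HardenedRecovery are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

ADMIN_PASSWORD = "hunter2"  # constructed sample secret, not a real credential


class VulnerableRecovery:
    """Models the behaviour in the article: a token is issued, but the value
    submitted to the recovery endpoint is never compared against it, so any
    value at all yields the admin password."""

    def __init__(self) -> None:
        self.token = secrets.token_urlsafe(16)  # issued, then ignored

    def passwordrecovered(self, submitted_token: str) -> Optional[str]:
        # Bug: submitted_token plays no part in the decision.
        return ADMIN_PASSWORD


class HardenedRecovery:
    """A recovery token that is random, stored only as a hash, compared in
    constant time, bound to an expiry, limited in guesses and single-use.
    The endpoint returns nothing unless every check passes."""

    TTL_SECONDS = 300
    MAX_FAILURES = 5

    def __init__(self, now=time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested offline
        self._token_hash: Optional[bytes] = None
        self._expires_at = 0.0
        self._failures = 0

    def issue_token(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._token_hash = hashlib.sha256(token.encode()).digest()
        self._expires_at = self._now() + self.TTL_SECONDS
        self._failures = 0
        return token

    def passwordrecovered(self, submitted_token: str) -> Optional[str]:
        if self._token_hash is None:
            return None  # no outstanding recovery request
        if self._now() > self._expires_at:
            self._token_hash = None  # expired: require a fresh request
            return None
        candidate = hashlib.sha256(submitted_token.encode()).digest()
        if not hmac.compare_digest(candidate, self._token_hash):
            self._failures += 1
            if self._failures >= self.MAX_FAILURES:
                self._token_hash = None  # too many guesses: invalidate
            return None
        self._token_hash = None  # single use: a redeemed token cannot be replayed
        return ADMIN_PASSWORD
```

The hardened version still returns the password on success, mirroring the feature as described; in a real device you would rather reset to a new password than reveal the old one, but the point here is that the token check is where the vulnerable version fell apart.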


Google announcing new enterprise-grade controls and visibility in G Suite

Google has released a set of improvements to G Suite (previously Google Apps). Among them are support for enforcing the use of physical security keys, such as a YubiKey, as the second factor for users, and hosted S/MIME, which encrypts and signs mail at the message level so it stays protected across intermediate hops like forwarders and relays, not just on the TLS connections between mail servers. Note that 'hosted' means Google holds the S/MIME private keys and does the decryption on its servers, which keeps key management away from users but also means the protection is against third parties in transit, not against Google itself. For a more thorough explanation of these two changes, see this article on Threatpost.


Facebook and GitHub test new account recovery option

Having strong passwords is one thing, but their benefits are often negated by horrible password recovery mechanisms, like 'security questions'. Facebook and GitHub have started a collaboration on 'delegated account recovery': if you lose access to your GitHub account, you can regain it by authenticating with your Facebook account and having Facebook hand back a GitHub-issued recovery token that you stored there earlier. GitHub creates the token, Facebook only stores it and vouches that it came back from the account you logged in to. The reverse direction will also be implemented, and they hope that other services will follow suit.
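The flow described above, modelled in miniature as an added example (not Facebook's or GitHub's implementation): the account provider issues an opaque token, the user parks it at the recovery provider, and later the recovery provider hands it back with a fresh countersignature proving the holder logged in. Two simplifications are assumed: both parties authenticate their messages with shared HMAC keys exchanged out of band, where the real protocol would use public-key signatures, and the class and key names (AccountProvider, RecoveryProvider, the b"github-key" and b"facebook-key" sample keys) are constructed for this example.

```python
"""Delegated account recovery, modelled in miniature.

Added example, not vendor code. Token layout and key handling are assumptions
made for illustration; the structure (opaque token issued by the account
provider, stored and later countersigned by the recovery provider) follows the
article's description.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

ID_LEN = 16     # random token identifier
MAC_LEN = 32    # HMAC-SHA256 output
MAX_AGE = 60    # seconds a countersignature stays acceptable


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class AccountProvider:
    """The service whose account is being recovered (GitHub in the article)."""

    def __init__(self, own_key: bytes, recovery_provider_key: bytes, now=time.time) -> None:
        self._key = own_key
        self._rp_key = recovery_provider_key
        self._now = now
        self._tokens: Dict[bytes, str] = {}  # token id -> account; only this side knows

    def issue_token(self, account: str) -> bytes:
        # The token carries no account data, so the recovery provider learns
        # nothing by storing it; the mapping to the account stays here.
        token_id = secrets.token_bytes(ID_LEN)
        self._tokens[token_id] = account
        return token_id + _mac(self._key, token_id)

    def recover(self, countersigned: bytes) -> Optional[str]:
        # Expected layout: token || 8-byte big-endian timestamp || recovery provider MAC
        token_len = ID_LEN + MAC_LEN
        if len(countersigned) != token_len + 8 + MAC_LEN:
            return None
        token = countersigned[:token_len]
        stamp_bytes = countersigned[token_len:token_len + 8]
        rp_mac = countersigned[token_len + 8:]
        # 1. Did the recovery provider vouch for this token, and recently?
        if not hmac.compare_digest(rp_mac, _mac(self._rp_key, token + stamp_bytes)):
            return None
        (stamp,) = struct.unpack(">Q", stamp_bytes)
        if not (0 <= self._now() - stamp <= MAX_AGE):
            return None
        # 2. Is it a token we issued, unmodified?
        token_id, own_mac = token[:ID_LEN], token[ID_LEN:]
        if not hmac.compare_digest(own_mac, _mac(self._key, token_id)):
            return None
        # 3. Single use: a redeemed token cannot be replayed.
        return self._tokens.pop(token_id, None)


class RecoveryProvider:
    """The service the user logs in to in order to recover (Facebook in the article)."""

    def __init__(self, own_key: bytes, now=time.time) -> None:
        self._key = own_key
        self._now = now
        self._stored: Dict[str, bytes] = {}

    def store(self, user: str, token: bytes) -> None:
        self._stored[user] = token  # opaque blob; nothing to read in it

    def recover(self, user: str, logged_in: bool) -> Optional[bytes]:
        # Only an authenticated user gets the token back, and the timestamp in
        # the countersignature tells the account provider when that happened.
        if not logged_in or user not in self._stored:
            return None
        token = self._stored[user]
        stamp = struct.pack(">Q", int(self._now()))
        return token + stamp + _mac(self._key, token + stamp)


def demo_flow(now=time.time) -> Optional[str]:
    """Happy path: store a token at the recovery provider, then redeem it."""
    ap = AccountProvider(b"github-key", b"facebook-key", now)
    rp = RecoveryProvider(b"facebook-key", now)
    rp.store("alice@fb", ap.issue_token("alice"))
    countersigned = rp.recover("alice@fb", logged_in=True)
    return ap.recover(countersigned) if countersigned else None
```

The three checks in AccountProvider.recover are the whole point of the design: the recovery provider's countersignature replaces the security question, the account provider's own MAC stops a forged or altered token, and popping the token id makes a stolen countersigned blob worthless after its first use or after MAX_AGE seconds.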


How we handle security at Slack

A pleasant, albeit very high-level, interview with Slack's Chief Security Officer. The article links to a recently published white paper by Slack on how they handle security, which gives a more detailed overview.


Robot beats "I am not a Robot" Captcha (YouTube video)

Someone built a physical robot that clicks through the "I'm not a robot" captcha. Not exactly something you can scale up to a fake-account-creating botnet, but funny nonetheless :-)