Issue 100 \o/
Woop! Next up: 200 :-)
Thank you for being a subscriber. And to those who have sent feedback or an e-mail just to say thanks, you're awesome; it's really motivating to read those.
I hope you'll keep getting value out of each issue. Happy reading!
Breaches and leaks
- Healthcare.gov-related service: a service used by insurance brokers had sensitive personal data of 75.000 people stolen.
- Cathay Pacific: airline, had a data store breached with personal information of 9.4 million people, including passport and identity card numbers.
- Pocket iNet: a Washington-based ISP that had a leaky S3 bucket with 73 gigabytes of information, including passwords, network diagrams and more juicy stuff.
- Eight adult websites were breached, leaking 1.2 million e-mails and trivially cracked passwords.
- VestaCP: a web hosting panel solution, many installations have been hacked and used in DDoS attacks.
- Anthem: not a new leak, thankfully, but a fine of $16 million for exposing the health information of 79 million people.
It's been actively exploited for over three years, yet somehow never became common knowledge. If you're on a LAMP stack (or your CMS is), make sure to check whether you use the plugin. Hacker News discussion here, where the author reacts in a very commendable way.
You're obviously advised to patch ASAP. There are also three "moderately critical" bugs to motivate you a little more.
A total of 13 vulnerabilities were found, 4 of which can trigger remote code execution. Updates are available.
Signal Desktop is in a bit of hot water this week, both with the above news and the more recent news that the encryption key of the database is stored in plain text.
There was a scare this week that VLC and MPlayer were vulnerable to remote code execution, but it's not that bad. Only a specific streaming server, Live Networks LIVE555 RTSPServer, is at risk. Still, patch it if you use it.
Their "Recommended blogs" section leaked account information of the authors of those blogs, including hashed passwords, IP addresses and locations. The bug was reported through their bug bounty program and fixed within 12 hours.
Clever trick: a tweet sharing counter was abandoned, and the S3 bucket where the script was hosted was deleted. A day later someone created a new bucket with the same name, and replaced the script with a malicious version.
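The takeover above works because the page trusts whatever the bucket serves today. Subresource Integrity (SRI) pins a script to a hash, so a re-uploaded file under the same name fails to load. The following is an added example, not code from the newsletter or from any project it mentions: it parses a page for external script tags, flags ones with no `integrity` attribute, and verifies the served body against the pinned hash. The bucket host, script bodies and HTML are all constructed for illustration.

```python
"""Subresource Integrity (SRI) audit for third-party scripts.

Added example for the abandoned-bucket script takeover; not code from the
newsletter or from any project it mentions. The bucket host, script bodies
and HTML below are constructed for illustration.
"""
import base64
import hashlib
import re

# Captures the attribute string of every opening <script ...> tag.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
# Captures name="value" attribute pairs (double-quoted values only).
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_script_tags(html):
    """Return [{src, integrity}] for every <script> that loads an external file."""
    tags = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(m.group(1)))
        if "src" in attrs:
            tags.append({"src": attrs["src"], "integrity": attrs.get("integrity")})
    return tags


def sri_hash(body, algo="sha384"):
    """Compute an SRI token ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def check_sri(integrity, body):
    """True if body matches any token of a (possibly multi-token) integrity attribute."""
    if not integrity:
        return False
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False


def audit(html, fetched):
    """Classify each external script as 'ok', 'tampered' or 'no-sri'.

    `fetched` maps script URL -> bytes the host serves right now. It is
    constructed here; a real audit would fetch each URL.
    """
    report = {}
    for tag in parse_script_tags(html):
        src = tag["src"]
        body = fetched.get(src, b"")
        if tag["integrity"] is None:
            report[src] = "no-sri"          # nothing pins this script at all
        elif check_sri(tag["integrity"], body):
            report[src] = "ok"              # served bytes match the pinned hash
        else:
            report[src] = "tampered"        # bucket now serves something else
    return report


# Constructed sample data: the original widget and a re-uploaded replacement.
ORIGINAL = b"window.tweetCount = function(){ /* original widget */ };"
REPLACED = b"window.tweetCount = function(){ /* re-uploaded by a stranger */ };"

# Hypothetical bucket host; "example-widget-bucket" is a placeholder name.
SRC_PINNED = "https://example-widget-bucket.s3.amazonaws.com/counter.js"
SRC_UNPINNED = "https://example-widget-bucket.s3.amazonaws.com/legacy.js"

SAMPLE_HTML = f"""
<html><head>
<script src="{SRC_PINNED}" integrity="{sri_hash(ORIGINAL)}" crossorigin="anonymous"></script>
<script src="{SRC_UNPINNED}"></script>
</head></html>
"""


def demo():
    """Audit the sample page after the bucket has been recreated with new content."""
    served = {SRC_PINNED: REPLACED, SRC_UNPINNED: REPLACED}
    return audit(SAMPLE_HTML, served)


if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{verdict:9s} {src}")
```

The pinned script comes back as `tampered` and the unpinned one as `no-sri`; the latter is the case the newsletter describes, where a replaced file loads without complaint. Note that SRI only protects the page that carries the hash: a third-party script that loads further scripts at runtime still needs those loads pinned too.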
Since phone vendors can't always be trusted to do it on their own initiative, it's nice to know that Google is forcing their hand. It covers any device with more than 100.000 users, launched after January 31st of this year.
He figured out that the website was for Equifax themselves, and not a client like he was told. He then used his wife's brokerage account to trade on that information.
Older article, but a good introduction to the ATT&CK framework, which documents tactics and techniques that have been observed from millions of attacks on enterprise networks. Nice inspiration for red teams, and good knowledge to have for blue teams :)