Woop! Next up: 200 :-)
Thank you for being a subscriber. And to those who have sent feedback or an e-mail just to say thanks: you're awesome, it's really motivating to read those.
I hope you'll keep getting value out of each issue. Happy reading!
- Healthcare.gov-related service: a service used by insurance brokers had the sensitive personal data of 75,000 people stolen.
- Cathay Pacific: the airline had a data store breached containing personal information of 9.4 million people, including passport and identity card numbers.
- Pocket iNet: a Washington-based ISP, had a leaky S3 bucket with 73 gigabytes of data, including passwords, network diagrams and more juicy stuff.
- Eight adult websites were breached, leaking 1.2 million e-mail addresses and trivially cracked passwords: link.
- VestaCP: a web hosting panel solution, many installations have been hacked and used in DDoS attacks.
- Anthem: not a new leak, thankfully, but a fine of $16 million for exposing the health information of 79 million people.
It's been actively exploited for over three years, yet somehow never became common knowledge. If you're on a LAMP stack (or your CMS is), make sure to check whether you use the plugin. Hackernews discussion here, where the author reacts in a very commendable way.
You're obviously advised to patch ASAP. There are also three "moderately critical" bugs to motivate you a little more.
A total of 13 vulnerabilities were found, 4 of which can trigger remote code execution. Updates are available.
There was a scare this week that VLC and MPlayer were vulnerable to remote code execution, but it's not that bad. Only a specific streaming server, Live Networks' LIVE555 RTSPServer, is at risk. Still, patch it if you use it.
Their "Recommended blogs" section leaked account information of the authors of those blogs, including hashed passwords, IP addresses and locations. The bug was reported through their bug bounty program and fixed within 12 hours.
Clever trick: a tweet-sharing counter was abandoned, and the S3 bucket from which its script was served was deleted, while sites kept embedding the script. A day later someone created a new bucket with the same name and served a malicious version of the script from it. Any page that had not removed the old tag was now loading attacker-controlled JavaScript.
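The practical lesson is that a third-party script tag keeps working as a trust anchor long after the party behind it is gone. Below is an added example (my own code, not from the article or the affected sites) that audits a page for exactly that exposure: it parses the HTML, lists every external script, flags any served straight from an S3 bucket (virtual-hosted or path-style hostnames, both matched by the regexes in the block), and flags scripts with no Subresource Integrity attribute. With SRI pinned, the swapped counter script would have failed the hash check and simply not run. The sample HTML, the hostnames and the pinned digest in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Two S3 URL shapes: virtual-hosted (<bucket>.s3[.region].amazonaws.com)
# and path-style (s3[.-region].amazonaws.com/<bucket>/...).
S3_VHOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
S3_PATH_HOST = re.compile(r"^s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket_of(url):
    """Return the bucket name a URL is served from, or None if it is not an S3 URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    m = S3_VHOST.match(host)
    if m:
        return m.group("bucket")
    if S3_PATH_HOST.match(host):
        first_segment = parsed.path.lstrip("/").split("/", 1)[0]
        return first_segment or None
    return None


class ScriptCollector(HTMLParser):
    """Collects the attribute dicts of every <script> that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def audit_scripts(html, first_party_hosts):
    """Return one finding per external script that is bucket-hosted or lacks SRI.

    Relative URLs and first-party hosts are skipped: the page owner controls those.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"]
        host = (urlparse(src).hostname or "").lower()
        if not host or host in first_party_hosts:
            continue
        bucket = s3_bucket_of(src)
        has_sri = bool(attrs.get("integrity"))
        if bucket or not has_sri:
            findings.append({"src": src, "bucket": bucket, "sri": has_sri})
    return findings


# Constructed sample page (hostnames and the digest are placeholders, not real assets).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://sharecount-widget.s3.amazonaws.com/counter.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-example-pinned-digest" crossorigin="anonymous"></script>
<script src="https://s3-eu-west-1.amazonaws.com/other-bucket/widget.js"></script>
<script src="https://tracker.example.org/t.js"></script>
</head><body></body></html>
"""
FIRST_PARTY_HOSTS = {"www.example.com"}

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, FIRST_PARTY_HOSTS):
        issue = "served from S3 bucket %r" % f["bucket"] if f["bucket"] else "third-party"
        print("%s: %s, SRI=%s" % (f["src"], issue, f["sri"]))
```

Run over the constructed page this reports the two bucket-hosted scripts and the tracker script without SRI, and stays silent about the relative first-party script and the SRI-pinned CDN script. The S3 hits are the ones to act on first: a bucket name that no longer resolves is free for anyone to register, which is precisely the hole the counter script fell through.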
Since phone vendors can't always be trusted to ship security updates on their own initiative, it's nice to know that Google is forcing their hand. The requirement covers any device with more than 100,000 users launched after January 31st of this year.
He figured out that the website was for Equifax itself, and not for a client as he had been told. He then used his wife's brokerage account to trade on that information.
Older article, but a good introduction to the ATT&CK framework, which catalogues the tactics and techniques adversaries have been observed using against enterprise networks. Nice inspiration for red teams, and good knowledge to have for blue teams :)
Simple and secure password management for you and your team. I use it myself every day and wouldn't want to be without it.
Both startups and enterprises trust Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.