Issue 100

Issue 100 \o/

Woop! Next up: 200 :-)

Thank you for being a subscriber. And to those that have sent feedback or an e-mail just to say thanks, you're awesome, it's really motivating to read those.

I hope you'll keep getting value out of each issue. Happy reading!



Breaches and leaks

  • Healthcare.gov-related service: a service used by insurance brokers had sensitive personal data of 75,000 people stolen.
  • Cathay Pacific: the airline had a data store breached with personal information of 9.4 million people, including passport and identity card numbers.
  • Pocket iNet: a Washington-based ISP, had a leaky S3 bucket with 73 gigabytes of information, including passwords, network diagrams and more juicy stuff.
  • Eight adult websites were breached, leaking 1.2 million e-mails and trivially-cracked passwords.
  • VestaCP: a web hosting control panel; many installations have been hacked and used in DDoS attacks.
  • Anthem: not a new leak, thankfully, but a fine of $16 million for exposing the health information of 79 million people.


Zero-day in popular jQuery File Upload plugin when used with Apache and PHP

It's been actively exploited for over three years, yet somehow never became common knowledge. If you're on a LAMP stack (or your CMS is), make sure to check whether you use the plugin. There is a Hacker News discussion in which the author reacts in a very commendable way.
zdnet.com


Critical remote code execution bugs in Drupal 7 and 8

You're obviously advised to patch asap. There are also three "moderately critical" bugs to motivate you a little more.
threatpost.com


Critical flaws found in Amazon FreeRTOS IoT operating system

A total of 13 vulnerabilities were found, 4 of which can trigger remote code execution. Updates are available.
thehackernews.com


Signal upgrade process leaves unencrypted messages on disk

Signal Desktop is in a bit of hot water this week, both with the above news and the more recent news that the encryption key of the database is stored in plain text.
bleepingcomputer.com


Critical bug impacts streaming server libraries: VLC, MPlayer not impacted

There was a scare this week that VLC and MPlayer were vulnerable to remote code execution, but it's not that bad. Only a specific streaming server, Live Networks LIVE555 RTSPServer, is at risk. Still, patch it if you use it.
threatpost.com


Tumblr had a bug where personal data was exposed

Their "Recommended blogs" section leaked account information of the authors of those blogs, including hashed passwords, IP addresses and locations. The bug was reported through their bug bounty program and fixed within 12 hours.
threatpost.com


Abandoned tweet counter script hijacked through its S3 bucket

Clever trick: a tweet sharing counter was abandoned, and the S3 bucket where the script was hosted was deleted. A day later someone created a new bucket with the same name and replaced the script with a malicious version, which every page still embedding the old URL then loaded.
bleepingcomputer.com
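Subresource Integrity is the browser-side defence against exactly this kind of swapped third-party script: the browser refuses to run a file whose hash no longer matches the pin. The following Python is an example added here, not code from the newsletter or from the counter script's authors; it flags externally hosted scripts that carry no integrity attribute and computes the sha384 pin for a known-good copy. The bucket hostname and sample page are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hostnames are placeholders): one script from an
# S3 bucket without SRI, one pinned third-party script, one same-origin script.
SAMPLE_HTML = """
<html><body>
<script src="https://example-counter-bucket.s3.amazonaws.com/counter.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def unpinned_external_scripts(html, page_host):
    """Return external script URLs loaded without an integrity attribute.

    A file replaced at such a URL (e.g. via a re-created bucket of the same
    name) would execute unnoticed; a pinned script would fail the hash check."""
    parser = ScriptCollector()
    parser.feed(html)
    flagged = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc  # empty for same-origin relative paths
        if host and host != page_host and not integrity:
            flagged.append(src)
    return flagged


def sri_hash(script_bytes):
    """Compute the sha384 SRI value that pins a known-good copy of a script."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")
```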


Google mandates two years of security updates for popular phones in new Android contract

Since phone vendors can't always be trusted to do it on their own initiative, it's nice to know that Google is forcing their hand. It covers any device with more than 100,000 users, launched after January 31st of this year.
theverge.com


Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading

He figured out that the website was for Equifax themselves, and not a client like he was told. He then used his wife's brokerage account to trade on that information.
zdnet.com


What is Mitre's ATT&CK framework?

Older article, but a good introduction to the ATT&CK framework, which documents tactics and techniques that have been observed from millions of attacks on enterprise networks. Nice inspiration for red teams, and good knowledge to have for blue teams :)
csoonline.com


Sponsorship

1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.
1password.com


Application layer security for modern teams

Both startups and enterprises trust Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.
templarbit.com