Issue 100

Issue 100 \o/

Woop! Next up: 200 :-)

Thank you for being a subscriber. And to those who have sent feedback or an e-mail just to say thanks: you're awesome, it's really motivating to read those.

I hope you'll keep getting value out of each issue. Happy reading!

Breaches and leaks

  • related service: a service used by insurance brokers had the sensitive personal data of 75,000 people stolen.
  • Cathay Pacific: the airline had a data store breached containing personal information of 9.4 million people, including passport and identity card numbers.
  • Pocket iNet: a Washington-based ISP that left an S3 bucket open with 73 gigabytes of data, including passwords, network diagrams and other juicy material.
  • Eight adult websites were breached, leaking 1.2 million e-mail addresses and trivially cracked passwords.
  • VestaCP: a web hosting control panel; many installations have been hacked and used in DDoS attacks.
  • Anthem: not a new leak, thankfully, but a fine of $16 million for exposing the health information of 79 million people.

Zero-day in popular jQuery File Upload plugin when used with Apache and PHP

It has been actively exploited for over three years, yet somehow never became common knowledge. If you're on a LAMP stack, check whether you use the plugin, either directly or bundled with your CMS or a theme. There is a Hacker News discussion in which the author reacts in a very commendable way.
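The check the item asks for, as an added example that is not code from the newsletter or from the plugin's author. It inventories installs of blueimp's jQuery-File-Upload (the plugin in question, CVE-2018-9206) under a web root. Assumptions: the web root is the first argument (default /var/www); the files looked for are the plugin's own `jquery.fileupload.js` and the PHP server component `UploadHandler.php`, whose default upload directory `files/` beside it shipped with an `.htaccess` that stopped uploaded files from being executed. Apache 2.3.9 and later ignore `.htaccess` unless `AllowOverride` is enabled, so an "ok" line below still needs the vhost's `AllowOverride` setting confirmed.

```shell
#!/bin/sh
# Added example: inventory jQuery File Upload installs under a web root.
# Web root path and the demo tree are assumptions; file names are the plugin's.

# List plugin files under the given web root.
find_fileupload() {
    root="${1:-/var/www}"
    find "$root" -type f \( -name 'jquery.fileupload.js' -o -name 'UploadHandler.php' \) 2>/dev/null | sort
}

# Number of plugin files found (0 when clean).
count_fileupload() {
    find_fileupload "$1" | wc -l | tr -d ' '
}

# For every PHP upload handler, say whether its files/ directory still has the
# .htaccess the plugin relied on. "REVIEW" lines are the urgent ones; "ok" lines
# still need AllowOverride checked, because Apache 2.3.9+ ignores .htaccess by default.
check_handlers() {
    root="${1:-/var/www}"
    find "$root" -type f -name 'UploadHandler.php' 2>/dev/null | sort | while read -r handler; do
        dir=$(dirname "$handler")
        if [ -f "$dir/files/.htaccess" ]; then
            printf 'ok      %s (files/.htaccess present; confirm AllowOverride)\n' "$handler"
        else
            printf 'REVIEW  %s (no files/.htaccess; uploads may be served as PHP)\n' "$handler"
        fi
    done
}

# Demo on a constructed tree so the script runs offline; on a server the real
# call is "check_handlers /var/www" (or the CMS document root).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/js" "$demo_root/server/php/files"
: > "$demo_root/js/jquery.fileupload.js"
: > "$demo_root/server/php/UploadHandler.php"
: > "$demo_root/server/php/files/.htaccess"
printf 'found %s plugin file(s) under %s\n' "$(count_fileupload "$demo_root")" "$demo_root"
check_handlers "$demo_root"
rm -rf "$demo_root"
```

Run it against every document root, including those of CMS installs, since themes and modules vendor the plugin under their own paths; the file names are what matter, not the directory.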

Critical remote code execution bugs in Drupal 7 and 8

You're obviously advised to patch ASAP. There are also three "moderately critical" bugs to motivate you a little more.

Critical flaws found in Amazon FreeRTOS IoT operating system

A total of 13 vulnerabilities were found, 4 of which can trigger remote code execution. Updates are available.

Signal upgrade process leaves unencrypted messages on disk

Signal Desktop is in a bit of hot water this week, both with the above news and the more recent news that the encryption key of the database is stored in plain text.

Critical bug impacts streaming server libraries: VLC, MPlayer not impacted

There was a scare this week that VLC and MPlayer were vulnerable to remote code execution, but it's not that bad: only a specific streaming server, Live Networks' LIVE555 RTSPServer, is at risk. Still, patch it if you run it.

Tumblr had bug where personal data was exposed

Their "Recommended blogs" section leaked account information of the authors of those blogs, including hashed passwords, IP addresses and locations. The bug was reported through their bug bounty program and fixed within 12 hours.

Abandoned tweet counter script hijacked through its S3 bucket

Clever trick: a tweet sharing counter was abandoned, and the S3 bucket that hosted its script was deleted. A day later someone created a new bucket with the same name and served a malicious version of the script from it; the bucket name was free for anyone to register, and every site still embedding the old URL ran the attacker's code without noticing anything.
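Two checks that follow from this item, as an added example that is not code from the newsletter or from the hijacked script's maintainer: find the scripts a page loads from S3 and derive each bucket name so its existence can be verified, and emit a script tag pinned with Subresource Integrity (SRI), which makes the browser refuse a script whose content changed under a re-created bucket. The HTML, the bucket names and the stand-in script are constructed; the S3 URL styles and HEAD status codes are AWS behaviour.

```shell
#!/bin/sh
# Added example: S3-hosted script inventory plus SRI pinning. Page content and
# bucket names below are constructed for the offline demo.

# Script src values (double-quoted) that point at S3, virtual-hosted
# (bucket.s3[.region].amazonaws.com) or path-style (s3[.region].amazonaws.com/bucket).
s3_script_urls() {
    grep -oE '<script[^>]+src="[^"]+' "$1" \
        | sed -E 's/.*src="//' \
        | grep -E '^https?://([a-z0-9.-]+\.s3([.-][a-z0-9-]+)?|s3([.-][a-z0-9-]+)?)\.amazonaws\.com(/|$)' \
        || true
}

# Bucket name for an S3 URL of either style.
s3_bucket_name() {
    url="$1"
    host=$(printf '%s' "$url" | sed -E 's#^https?://([^/]+).*#\1#')
    if printf '%s' "$host" | grep -Eq '^s3([.-][a-z0-9-]+)?\.amazonaws\.com$'; then
        printf '%s\n' "$url" | sed -E 's#^https?://[^/]+/([^/]+).*#\1#'              # path-style
    else
        printf '%s\n' "$host" | sed -E 's/\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$//'   # virtual-hosted
    fi
}

# Live check (needs network; not used by the offline demo): S3 answers a HEAD on a
# bucket that does not exist with 404, and that name can then be registered by
# anyone, which is the hijack above. 403 (private) and 301 (other region) mean taken.
s3_bucket_exists() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -I "https://$1.s3.amazonaws.com/")
    [ "$code" != "404" ]
}

# SRI value "<algo>-<base64 digest>" for a local copy of the script.
sri_hash() {
    algo="${2:-sha384}"
    printf '%s-%s\n' "$algo" "$(openssl dgst "-$algo" -binary "$1" | openssl base64 -A)"
}

# Pinned tag; crossorigin is required for SRI on cross-origin scripts.
sri_script_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$1" "$(sri_hash "$2" "${3:-sha384}")"
}

# Offline demo on a constructed page.
demo=$(mktemp -d)
cat > "$demo/page.html" <<'EOF'
<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="https://tweet-counter-example.s3.amazonaws.com/count.js"></script>
<script src="https://s3.eu-west-1.amazonaws.com/widget-example-bucket/widget.js"></script>
</head></html>
EOF
for url in $(s3_script_urls "$demo/page.html"); do
    bucket=$(s3_bucket_name "$url")
    printf '%s -> bucket "%s" (live check: s3_bucket_exists %s)\n' "$url" "$bucket" "$bucket"
done
printf 'window.tweetCount = 1;\n' > "$demo/count.js"   # constructed stand-in for the script
sri_script_tag "https://tweet-counter-example.s3.amazonaws.com/count.js" "$demo/count.js"
rm -rf "$demo"
```

The bucket check only tells you whether the name is currently free; a bucket that exists today can still be deleted and re-registered tomorrow, so removing abandoned script tags and pinning the remaining third-party ones with `integrity` is the durable fix. The pin has to be regenerated whenever the upstream script legitimately changes, which is the point.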

Google mandates two years of security updates for popular phones in new Android contract

Since phone vendors can't always be trusted to do it on their own initiative, it's nice to know that Google is forcing their hand. It covers any device with more than 100,000 users launched after January 31st of this year.

Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading

He figured out that the website was for Equifax themselves, and not a client like he was told. He then used his wife's brokerage account to trade on that information.

What is Mitre's ATT&CK framework?

Older article, but a good introduction to the ATT&CK framework, which documents tactics and techniques that have been observed from millions of attacks on enterprise networks. Nice inspiration for red teams, and good knowledge to have for blue teams :)


1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.

Application layer security for modern teams

Both startups and enterprises trust Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.