Breaches and leaks
- Facebook: the private messages of 81.000 users are being sold online for 10 cents per account. The attackers also claim to have more data on 120 million accounts, but it's unclear how credible that claim is. Facebook suspects it's the result of malicious browser extensions.
- British Airways: 185.000 more people were impacted by their September breach than originally thought.
- Tomorrowland: a well-known music festival. Their payment provider, Paylogic, had its 2014 database breached, with 64.000 people impacted. As a yearly Tomorrowland visitor, I am not amused.
- Eurostar: no sign of a real breach as far as I can see, but they reset everyone's password as a precaution after detecting an automated attack on their accounts.
- Wolf Intelligence: a company that sells surveillance technologies to governments. All the information they had collected, including personal data of the founders, was completely public. Ouch.
- Xnore: another spy-on-your-loved-ones app. A map on their website had identifier tokens in plain sight in the HTML, allowing anyone to view data on 28.000 tracked individuals.
- Girl Scouts of America: their Orange County branch had an e-mail account breached, compromising the personal information of 2800 minors.
- Radisson Hotel Group: had a breach compromising personal information on an unspecified number of hotel customers.
The vulnerabilities are collectively called "Bleedingbit". The issue impacts Wi-Fi access points made by Cisco, Meraki and HPE's Aruba, although there is talk that the impact could be more widespread. Both vulnerabilities can be used for remote code execution, but do seem to require physical proximity (because, I suppose, Bluetooth) and need Bluetooth enabled, which it usually isn't on these devices.
It's apparently trivial to exploit, making it very easy to elevate oneself to root on affected systems.
It leverages a Hadoop YARN (Yet Another Resource Negotiator) bug to enroll clusters in a DDoS botnet. If your cluster is Internet-facing, make sure to check it.
It no longer needs user interaction, and provides the website owner with a score between 0.1 and 1 reflecting how confident it is. More information can be found in Google's docs here.
The malicious package was called "colourama", typo-squatting the more popular "colorama". It had been on PyPI since December of last year and was downloaded 55 times last month (which is, fortunately, not that bad). It installs a Windows script that monitors the clipboard for Bitcoin addresses and replaces them with its own.
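One defender-side check for this kind of typo-squatting: scan a requirements file for package names that are one edit away from a popular package without being that package. This is an added example, not code from the article or from PyPI; POPULAR_PACKAGES is a constructed stand-in for a real popularity list and the sample requirements file is constructed as well.

```python
import re

# Constructed stand-in for a popularity list; a real check would use PyPI download stats
POPULAR_PACKAGES = ["colorama", "requests", "urllib3", "setuptools", "numpy", "six"]

def normalize(name):
    # PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Levenshtein distance; insert, delete and substitute each cost 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requirement_name(line):
    # Project name from a requirements.txt line; None for comments, blanks and options
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def find_typosquat_candidates(requirements, popular=POPULAR_PACKAGES, max_distance=1):
    # (requested, lookalike) pairs: names that are not a known package but are within
    # max_distance edits of one, e.g. "colourama" is one insertion away from "colorama"
    known = {normalize(p): p for p in popular}
    findings = []
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in known:
            continue
        for pop_norm, pop in known.items():
            if edit_distance(norm, pop_norm) <= max_distance:
                findings.append((name, pop))
    return findings

# Constructed sample requirements file containing the lookalike from the article
SAMPLE_REQUIREMENTS = """\
requests==2.20.0
colourama   # one letter away from colorama
Numpy>=1.15
"""
```

Treat a hit as a prompt to look at the package's upload history and maintainer before installing, not as proof of malice, since legitimate forks and renamed projects also sit close to popular names.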
This is a great move, meant to mitigate the risk of something exploiting Defender itself (as Tavis Ormandy did a few times last year). It was apparently quite an undertaking, and it makes Windows Defender the first AV to be sandboxed.
It specifically targets new Windows installs, where users open Edge and use Bing just to download Chrome :-) Bing can't seem to keep up with it, even though Chrome and Firefox recognize the sites as malicious. Hacker News discussion here.
Including several high-level vulnerabilities in FaceTime, and a vulnerability that allows an attacker to crash any other Apple device on the network.
The sentence includes 2.500 hours of community service, 6 months house arrest and a whopping $8.6 million in fines.
Great article on how volunteer hacking, journalism and OSINT groups grew out of the Russian-Ukrainian conflict, and about the warning Ukrainians bring to the rest of the world about a new type of "hybrid warfare".
If you want a deeper dive in the T2 Security Chip that Apple just announced, here's your chance.