Issue 101

Breaches and leaks

  • Facebook: the private messages of 81.000 users are being sold online for 10 cents per account. The attackers also claim to have more data on 120 million accounts, but it's unclear how truthful that is. Facebook suspects it's the result of malicious browser extensions.
  • British Airways: 185.000 more people were impacted in their September breach than originally thought.
  • Tomorrowland: a well-known music festival. Their payment provider, Paylogic, had its 2014 database breached, with 64.000 people impacted. As a yearly Tomorrowland visitor, I am not amused.
  • Eurostar: no sign of a real breach as far as I can see, but they reset everyone's password as a precaution after detecting an automated attack on their accounts.
  • Wolf Intelligence: a company that sells surveillance technologies to governments. They had all collected information, including personal data of the founders, completely public. Ouch.
  • Xnore: another spy-on-your-loved-ones app. A map on their website had identifier tokens in plain sight in the HTML, allowing you to view data on 28.000 tracked individuals.
  • Girl Scouts of America: their Orange County branch had an e-mail account breached, compromising personal information of 2800 minors.
  • Radisson Hotel Group: had a breach compromising personal information on an unspecified number of hotel customers.

New vulnerabilities in widely used Bluetooth chips

The vulnerabilities are collectively called "Bleedingbit". The issue impacts Wi-Fi access points made by Cisco, Meraki and HPE’s Aruba, although there is talk that the impact could be more widespread. Both vulnerabilities can be used for remote code execution, but do seem to require physical proximity (because, I suppose, Bluetooth) and need Bluetooth enabled, which it usually isn't in these devices.

Vulnerability in X.Org grants privilege escalation on Linux and BSD systems

It's apparently trivial to exploit, making it very easy to elevate oneself to root on affected systems.

Hadoop clusters targeted by new botnet for DDoS purposes

It leverages a Hadoop YARN (Yet Another Resource Negotiator) bug to enroll the clusters in a DDoS network. If your cluster is Internet-facing, make sure to check it out.

Google releases reCAPTCHA v3

It doesn't need user interaction anymore, and provides the website owner with a score between 0.1 and 1 to reflect how confident it is. More information can be found in Google's docs here.
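Since the score is only useful if the server actually acts on it, here is an added example (not from the newsletter or from Google) of the server-side decision a site owner makes once Google's siteverify endpoint has answered. It assumes the documented response shape (success, score, action, hostname, error-codes) and feeds constructed responses to the logic instead of calling the network, so it runs offline; the thresholds and hostname are placeholders for this example.

```python
"""Server-side gating on a reCAPTCHA v3 verdict (added example, offline)."""
import json

# Hypothetical per-action thresholds chosen for this example; a site owner
# tunes these by watching the score distribution of real traffic.
THRESHOLDS = {"login": 0.5, "signup": 0.7}
EXPECTED_HOSTNAME = "example.com"  # assumed hostname of the protected site


def assess(siteverify_json: str, expected_action: str) -> tuple:
    """Return (allowed, reason) for one siteverify response.

    Checks more than `success`: the token must have been minted for the
    action this endpoint handles and for our hostname, and the score must
    clear the per-action threshold. Checking only `success` lets a token
    minted on a low-value page be replayed against a high-value one.
    """
    try:
        data = json.loads(siteverify_json)
    except json.JSONDecodeError:
        return False, "unparseable response"
    if data.get("success") is not True:
        return False, "token invalid: " + ",".join(data.get("error-codes", []))
    if data.get("action") != expected_action:
        return False, f"token minted for action {data.get('action')!r}"
    if data.get("hostname") != EXPECTED_HOSTNAME:
        return False, f"token minted for host {data.get('hostname')!r}"
    score = data.get("score")
    if not isinstance(score, (int, float)):
        return False, "missing score"
    if score < THRESHOLDS[expected_action]:
        return False, f"score {score} below threshold"
    return True, f"score {score}"


# Constructed sample responses in siteverify's JSON shape (no real tokens).
GOOD = json.dumps({"success": True, "score": 0.9, "action": "login",
                   "challenge_ts": "2018-11-05T10:00:00Z", "hostname": "example.com"})
LOW = json.dumps({"success": True, "score": 0.1, "action": "login",
                  "challenge_ts": "2018-11-05T10:00:00Z", "hostname": "example.com"})
REPLAYED = json.dumps({"success": True, "score": 0.9, "action": "signup",
                       "challenge_ts": "2018-11-05T10:00:00Z", "hostname": "example.com"})
EXPIRED = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("low", LOW), ("replayed", REPLAYED), ("expired", EXPIRED)]:
        print(name, assess(resp, "login"))
```

A low score should normally degrade the request (extra verification, rate limiting) rather than hard-block it, since the score is a confidence estimate and legitimate users with unusual browsers will sometimes land at the bottom of the range.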

Malicious typo-squatting package discovered in PyPI repository

The malicious package was called "colourama", typo-squatting the more popular "colorama". It sat in PyPI since December of last year, and was downloaded 55 times last month (which is, fortunately, not that bad). It installs a Windows script that monitors the clipboard for Bitcoin addresses and replaces them with the attacker's own.

Windows Defender can now run inside a sandbox

This is a great move, meant to mitigate the risk of something exploiting Defender itself (as Tavis Ormandy did a few times last year). It was apparently quite an undertaking, and it makes Windows Defender the first AV to be sandboxed.

Bing serving ads that trick users into downloading a malicious Chrome install

It's specifically targeted at new Windows installs, where users open Edge and use Bing, just to download Chrome :-) Bing can't seem to keep up with it, even though Chrome and Firefox recognize the sites as malicious. Hackernews discussion here.

Apple fixes vulnerabilities in iOS, macOS and more

Including several high-level vulnerabilities in FaceTime, and a vulnerability that allows an attacker to crash any other Apple device on the network.

Co-author of the Mirai botnet receives his sentence

The sentence includes 2.500 hours of community service, 6 months house arrest and a whopping $8.6 million in fines.

Disrupting cyberwar with open source intelligence

Great article on how volunteer hacking, journalism and OSINT groups grew out of the Russian-Ukrainian conflict, and about the warning that the Ukrainians bring to the rest of the world of a new type of "hybrid warfare".

Apple T2 Security Chip overview (pdf)

If you want a deeper dive in the T2 Security Chip that Apple just announced, here's your chance.

TLDR newsletter: daily e-mail with technology news

I've been reading this one ever since I found out about it. The news is interesting, and the summaries are very well written.

1Password for Teams and Business

I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.