Breaches and leaks
- Bankers Life: the insurance agency had a data breach impacting over 500,000 customers.
- Kars4Kids: the charity left a MongoDB instance unsecured, exposing the information of over 21,000 donors.
- Nordstrom: the retailer notified its employees this week that a contractor gained unauthorised access to employee personal data.
- Twitter: the accounts of both Google's G Suite and Target were hacked this week and used in a Bitcoin scam.
There was a lot of news this week around Google's downtime, which was caused by another BGP misconfiguration. Even though it looks suspicious, most seem to agree that it was an accident.
Over a million servers are currently vulnerable, according to Shodan. If you're running anything older than 1.15.6 or 1.14.1, make sure you check it out.
Very cool. DARPA held a live exercise where a red team tried to bring down the electrical grid, and the defenders had to hold them off and recover. Looking at Ukraine's recent history, it's not just a theoretical exercise either.
The iPhone X, Galaxy S9, and Xiaomi Mi6 were all owned. The winners were the two members of Team Fluoroacetate, who took home a whopping 215,000 USD for their exploits.
Just a nice example of how we suck at router security. The flaw has been known and patched since 2013, yet this botnet was able to gather 100,000 compromised routers in only two months.
Attackers are actively exploiting a flaw in a widely used GDPR plugin for WordPress. If you use it, make sure you update.
The drone maker had an XSS vulnerability which allowed researchers to steal cookies, giving access to user accounts, flight logs, pictures and videos.
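The two defences that matter most in the scenario above are output encoding (so the injection never runs) and the HttpOnly cookie flag (so a session cookie cannot be read by script even if an injection slips through). The following is an added illustration in JavaScript, not code from the newsletter or from the vendor it describes; the page template, cookie name and test payload are all constructed for the example.

```javascript
// Added example: a vulnerable page template next to its hardened form, plus a
// Set-Cookie builder that marks the session cookie HttpOnly. Everything here
// (cookie name "session", the template, the payload) is constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let untrusted text break out of an HTML text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: untrusted input is concatenated straight into markup.
function renderProfileVulnerable(displayName) {
  return `<h1>Welcome, ${displayName}</h1>`;
}

// Hardened: same template, input escaped before it reaches the page.
function renderProfileSafe(displayName) {
  return `<h1>Welcome, ${escapeHtml(displayName)}</h1>`;
}

// Build a Set-Cookie header value for the session cookie. With httpOnly set,
// document.cookie cannot read it, so an XSS cannot simply exfiltrate it.
function sessionCookieHeader(token, { httpOnly = true, secure = true, sameSite = 'Lax' } = {}) {
  const parts = [`session=${encodeURIComponent(token)}`, 'Path=/'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Constructed probe of the kind used to confirm an XSS finding.
const CONSTRUCTED_PAYLOAD = '<script>alert(1)</script>';

// Simple check used below: did a script element survive into the rendered page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo when run directly with Node.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderProfileVulnerable(CONSTRUCTED_PAYLOAD));
  console.log('hardened:  ', renderProfileSafe(CONSTRUCTED_PAYLOAD));
  console.log('cookie:    ', sessionCookieHeader('constructed-token'));
}
```

The escaping function is only correct for text placed inside an HTML element body; attribute values, URLs and inline script need their own context-specific encoders. HttpOnly does not stop an injected script from acting on the user's behalf inside the page, so it complements output encoding rather than replacing it.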
Update all the things \o/
- Microsoft: Patch Tuesday fixed 64 vulnerabilities, 12 of which are critical, including one zero-day that's being exploited in the wild.
- Adobe: fixed three information disclosure vulnerabilities in Acrobat and Reader.
In case you're running an old system that didn't get Spectre patches, there's now a bootloader available that patches your CPU at runtime. You do always have to boot from that USB drive, though, and obviously you have to trust the person who created it. Still, it might be useful to some.
It's an open-source tool for XSS detection. I haven't tested it out yet, but it looks pretty sweet.
I don't think I've seen a Linux shell on iOS yet, so I figure it's worth a share :-)
Just a nice collection of security-related talks, in case you're bored on these grey, drab autumn evenings.