Issue 103

Breaches and leaks

  • Bankers Life: the insurance agency had a data breach impacting over 500,000 customers.
  • Kars4Kids: the charity had an unsecured MongoDB instance containing the information of over 21,000 donors.
  • Nordstrom: the retailer notified its employees this week that a contractor gained unauthorised access to employee personal data.
  • The Twitter accounts of both Google's G Suite and Target were hacked this week and used in a Bitcoin scam.


Google goes down after major BGP mishap routes traffic through China

There was a lot of news this week around Google's downtime, which was caused by another BGP misconfiguration. Even though it looks suspicious, most seem to agree that it was an accident.
arstechnica.com


DARPA uses a remote island to stage a cyberattack on the US power grid

Very cool. DARPA held a live exercise where a red team tried to bring down the electrical grid, and the defenders had to hold them off and recover. Looking at Ukraine's recent history, it's not just a theoretical exercise either.
sophos.com


Nginx server flaws found, can trigger DoS attack

Over a million servers are currently vulnerable, according to Shodan. If you're running anything older than 1.15.6 (mainline) or 1.14.1 (stable), make sure you check it out.
securityaffairs.co


Pwn2Own Tokyo wrap-up: 325,000 USD handed out for 18 vulnerabilities

The iPhone X, Galaxy S9, and Xiaomi Mi6 were all owned. The winners were the two members of Team Fluoroacetate, who took home a whopping 215,000 USD for their exploits.
bleepingcomputer.com


Botnet pwns 100,000 routers using ancient security flaw

Just a nice example of how we suck at router security. The flaw has been known and patched since 2013, yet this botnet was able to gather 100,000 compromised routers in only two months.
sophos.com


WordPress GDPR compliance plugin hacked

Attackers were found to be actively exploiting a flaw in a widely used GDPR plugin for WordPress. If you use it, make sure you update.
sophos.com


DJI drone flight logs, photos and videos exposed to unauthorised access

The drone maker had an XSS vulnerability that allowed researchers to steal cookies, giving them access to user accounts, flight logs, pictures and videos.
bleepingcomputer.com


Update all the things \o/

  • Microsoft had its Patch Tuesday, fixing 64 vulnerabilities, 12 of them critical, including one zero-day that is being exploited in the wild.
  • Adobe fixed three information disclosure vulnerabilities in Acrobat and Reader.


The Intel Microcode boot loader protects older CPUs from Spectre

In case you're running an old system that didn't get Spectre patches, there's now a boot loader available that loads updated microcode into your CPU each time you boot. You do have to boot from that USB stick every time, and obviously you have to trust whoever created it. Still, it might be useful to some.
bleepingcomputer.com


XSStrike: Most advanced XSS detection suite

It's an open-source tool for XSS detection. I haven't tested it out yet, but it looks pretty sweet.
github.com


iSH - An iOS Linux Shell for your iPhone or iPad

I don't think I've seen a Linux shell on iOS yet, so I figure it's worth a share :-)
bleepingcomputer.com


12 TED talks on cybersecurity

Just a nice collection of security-related talks, in case you're bored on these grey, drab autumn evenings.
varonis.com


Sponsorship

1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.
1password.com


Overview of recent breaches and cyber attacks

Templarbit maintains this great list of breaches and attacks, with severity, sources, location, and more. Worth checking out!
templarbit.com