Breaches and leaks
It's been a busy week :-/
- Voxox: SMS provider, had a database with tens of millions of text messages publicly accessible, with a handy Elasticsearch/Kibana interface for easy searching. New text messages streamed in in real time, including juicy stuff like 2FA codes.
- US Postal Service: an API used for tracking information had no proper access control, letting anyone search postal details of over 60 million users.
- Vision Direct: a contact lens vendor, had full credit card details of 16,300 customers stolen, including CVV codes. The details were read from the checkout page by a malicious script.
- High Tail Hall: adult video game website, had personal data of over 400,000 subscribers stolen.
- Instagram: passwords were leaked in plain text when you used the "download your data" tool.
- Make-A-Wish Foundation: a cryptojacking script was installed on their website, which was still vulnerable to the Drupalgeddon2 exploit.
- Hospital in Texas: had a ransomware infection impacting 40,000 individuals, although they don't think any data was actually leaked. Data was restored from backups.
We haven't seen the end of these yet. The article gives a technical but very good overview of Meltdown and Spectre-type attacks.
Even if you just have commenting rights, you can escalate yourself to site admin. Make sure you have the latest version if you use this plugin, because there are already attacks underway.
Researchers were able to generate a set of "master fingerprints" that were able to fool fingerprint scanners one out of five times.
The new feature allows administrators to block/regulate public access at the account level, instead of only at the S3 bucket level.
The MiSafe smartwatches, usually purchased by parents to keep track of their children, are so poorly secured that you should probably feel safer without them.
If you somehow still use Flash (I am so, so sorry), you had better update fast. The details of this exploit are publicly known, so they expect to see attacks in the wild soon.
Interesting to see that the so-called MageCart groups, i.e. the people who have skimmed credit card details from hundreds of websites so far, are "at war" with each other. When one group's malicious script detects a rival's script, it feeds the rival fake card details, spoiling the rival's stolen data and damaging its reputation with its buyers.
I found it interesting to see that the Mirai botnet code is now being adjusted to target regular servers too, instead of just IoT devices. Potentially making for even more DDoS powwah.
By far the best no-nonsense, easy to read explanation of the "passwordless future" that I've seen, helping me to finally make sense of FIDO2, WebAuthn and CTAP.
A great story, taken from a Twitter thread, on how a pentester was mostly unsuccessful because of how good the target company's security was. A nice example for those of us on the defensive side of what we need to get right.