Issue 105

Breaches and leaks

This one section took me almost as long to piece together as all other articles combined.

Btw, if you happen to run Elasticsearch in your company, make sure it's secured. Or I'll let you write these next week.

Here we go:

  • Atrium Health: a large US healthcare provider, hacked through a third-party billing vendor. Personal details of over 2.65 million patients were extracted, including about 700,000 social security numbers.
  • Urban: a massage app, had an unsecured Elasticsearch database that exposed personal information and sensitive reviews.
  • Sky Brasil: the TV company exposed an unsecured Elasticsearch database with personal information of 32 million customers.
  • FIESP: Brazil's largest industry association, representing 130,000 companies, exposed an Elasticsearch instance with millions of personal records.
  • Adapt.io: a company that sells contact data for sales leads. They had an exposed MongoDB instance with over 9 million records.
  • Data & Leads Inc.: another data gathering company, with another unsecured Elasticsearch instance, this time exposing information of an estimated 83 million people.
  • Dunkin' Donuts: attackers took over DD Perks customer accounts, presumably through credential stuffing (replaying usernames and passwords leaked in other breaches).
  • Dell: not really a breach it seems, they interrupted an attack that was underway to steal customer credentials. As a precaution Dell is resetting passwords though.
  • Uber: not a new breach, but they were fined £385,000 by the UK ICO and €600,000 by the Dutch DPA for the 2016 breach of 57 million people's data, which they kept quiet for about a year before disclosing.


Popular JavaScript library hijacked to steal Bitcoin funds

The JavaScript package, called event-stream, is pretty popular, with 2 million downloads per week. The original creator didn't want to maintain the library anymore, and handed the reins to someone who turned out to be malicious. The new maintainer added a dependency, flatmap-stream, that carried Bitcoin-stealing code specifically targeted against Copay, a Bitcoin wallet. Food for thought and discussion. I don't think we'll solve this kind of problem soon, but it's worth solving :-/
zdnet.com
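The practical check that would have surfaced this in a code review is to look at what changes in the lockfile, not just in package.json: the malicious code arrived as a brand-new transitive package. Below is an added example of that check (not code from the article or from the event-stream project). It diffs two npm lockfiles and reports packages that appeared, changed or disappeared, nested ones included. The two lockfiles are constructed for the example and their integrity strings are placeholders, not real hashes.

```javascript
// Added example: diff two npm lockfiles and report every package that was
// added, changed or removed, including nested transitive dependencies.
// Not code from the article or the event-stream project. The lockfile
// contents below are constructed; the integrity strings are placeholders.

// Flatten a lockfile into a Map of install path -> {name, version, integrity}.
function flattenLockfile(lock) {
  const out = new Map();
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by install path; "" is the root project
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      out.set(path, { name, version: meta.version, integrity: meta.integrity });
    }
    return out;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.set(path, { name, version: meta.version, integrity: meta.integrity });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Compare two lockfiles. A changed "integrity" with the same version is reported
// too: the tarball behind an already published version is not supposed to change.
function diffLockfiles(oldLock, newLock) {
  const before = flattenLockfile(oldLock);
  const after = flattenLockfile(newLock);
  const added = [], changed = [], removed = [];
  for (const [path, meta] of after) {
    const prev = before.get(path);
    if (!prev) {
      added.push({ path, name: meta.name, version: meta.version });
    } else if (prev.version !== meta.version || prev.integrity !== meta.integrity) {
      changed.push({ path, from: prev.version, to: meta.version });
    }
  }
  for (const path of before.keys()) {
    if (!after.has(path)) removed.push(path);
  }
  return { added, changed, removed };
}

// Constructed "before": event-stream 3.3.4 with a single (simplified) dependency.
const lockBefore = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "3.3.4", integrity: "sha512-PLACEHOLDER-ES-334", requires: { through: "~2.3.1" } },
    through: { version: "2.3.8", integrity: "sha512-PLACEHOLDER-THROUGH" },
  },
};

// Constructed "after": event-stream bumped to 3.3.6, which pulls in a new
// transitive package, flatmap-stream, nested under it.
const lockAfter = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6", integrity: "sha512-PLACEHOLDER-ES-336",
      requires: { "flatmap-stream": "~0.1.0", through: "~2.3.1" },
      dependencies: {
        "flatmap-stream": { version: "0.1.1", integrity: "sha512-PLACEHOLDER-FMS" },
      },
    },
    through: { version: "2.3.8", integrity: "sha512-PLACEHOLDER-THROUGH" },
  },
};

// Render the diff as review-friendly lines; new packages go first because
// that is where an injected dependency shows up.
function formatDiff(diff) {
  const lines = [];
  for (const a of diff.added) lines.push(`NEW      ${a.path} (${a.name}@${a.version})`);
  for (const c of diff.changed) {
    const note = c.from === c.to ? " (same version, different tarball!)" : "";
    lines.push(`CHANGED  ${c.path} ${c.from} -> ${c.to}${note}`);
  }
  for (const r of diff.removed) lines.push(`REMOVED  ${r}`);
  return lines;
}

const lockDiff = diffLockfiles(lockBefore, lockAfter);
console.log(formatDiff(lockDiff).join("\n"));
```

Run it against the real package-lock.json from before and after an `npm install` and you get a short list to eyeball before merging; a new package nested under a library that merely bumped a patch version is exactly the signal worth a second look.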


Sennheiser headset software allows for man-in-the-middle SSL attacks

The Sennheiser HeadSetup software installs a root certificate on your machine, and researchers were able to recover its private key from the software itself. Anyone holding that key can mint a certificate for google.com, paypal.com, or any other site that those machines will accept without a warning. It's similar to the Superfish adware that Lenovo shipped on its machines a few years back; ironically, Lenovo just settled a $7.3 million lawsuit over that mistake. If you have this software anywhere, remove the Sennheiser certificate from the trusted root store yourself rather than relying on the uninstaller to do it.
bleepingcomputer.com


New vulnerabilities in Ghostscript, can trigger remote code execution

The vulnerabilities are variants of those that Tavis Ormandy found in August, and he made it clear at the time that there would be more to come.
Remember that ImageMagick hands PostScript, EPS and PDF input to Ghostscript, so anything that runs uploaded files through ImageMagick is exposed as well. If you want to mitigate future issues, I'd advise (apart from updating the packages) installing a security policy for ImageMagick that blocks those coders if you don't need them.
semmle.com
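For reference, here is what that policy looks like. This is an added fragment for ImageMagick's policy.xml, not something from the article or the Semmle advisory; the coder names are ImageMagick's own, and the file path is the usual Debian/Ubuntu location (it differs per distribution and version).

```xml
<!-- /etc/ImageMagick-6/policy.xml: deny the coders that ImageMagick delegates to Ghostscript.
     Added example, not from the article. Each <policy> below goes inside the existing <policymap>. -->
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <!-- The coders abused in the 2016 "ImageTragick" issues are worth denying in the same go. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

After editing, `convert -list policy` shows the active rules, and `convert some.pdf out.png` should now fail with an "operation not allowed by the security policy" error; if it converts, the wrong policy.xml was edited. Keep in mind that an app with a legitimate PDF-to-thumbnail feature loses it with this policy, so that job should move to a separate, sandboxed worker rather than be re-enabled on the web host.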


Spectre mitigation guts Linux 4.20 performance

No, I will resist making jokes about a 4-20 version being slow. It seems that the Spectre v2 mitigation (STIBP, switched on by default in the 4.20 release candidates) slows some workloads by up to 50%. From what I can make out, they're discussing whether to disable the mitigation by default or to disable the root cause of the exposure, simultaneous multi-threading (Hyper-Threading).
sophos.com


Man arrested for stealing $1m via SIM-swapping

Another reminder that SMS-based 2FA really isn't that great. The attacker convinced the telecom operator that he was the rightful owner of the victim's phone number, had it moved to his own SIM, and then used the SMS codes to steal $1 million out of the victim's Gemini and Coinbase accounts. For anything guarding money, an authenticator app or a hardware token takes the carrier out of the loop.
hackread.com


Protecting Consul from remote code execution

If you run HashiCorp's Consul with the "-enable-script-checks" option, anyone who can reach the agent's HTTP API can register a health check whose "script" is an arbitrary command, which is remote code execution on the host. Either way, you might want to update to the latest version, which adds "-enable-local-script-checks": script checks defined in the agent's local config files still run, while ones registered through the API are refused.
hashicorp.com
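The safe configuration, as an added example (not from the HashiCorp post), in Consul's HCL config format. The file paths and the service definition are illustrative; the option names are Consul's.

```hcl
# /etc/consul.d/security.hcl  (added example, not from the HashiCorp post)
# Keep the HTTP API off the network: it is the path through which a
# remote caller would register a malicious script check.
client_addr = "127.0.0.1"

# Never execute script checks that arrive via the HTTP API.
enable_script_checks = false

# Only execute script checks that are defined in local config files
# like the one below, which an attacker would need host access to edit.
enable_local_script_checks = true

# /etc/consul.d/web.hcl  (illustrative service; path and script are assumptions)
# This script check still runs under enable_local_script_checks because it
# comes from a file on disk, not from the API.
service {
  name = "web"
  port = 8080
  check {
    id       = "web-disk"
    name     = "Disk space for /var/lib/web"
    args     = ["/usr/local/bin/check_disk.sh", "/var/lib/web"]
    interval = "30s"
  }
}
```

The same two settings exist as the agent flags "-enable-script-checks" and "-enable-local-script-checks"; if a deployment still has the former on, the quick test is to POST a service with a script check to /v1/agent/service/register on the agent and see whether the command runs.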


Germany proposes router security guidelines

Very worthwhile first step in my opinion. It's a long list of guidelines on password strength, firmware updates, open ports and more. Compliance is voluntary for vendors, but if you are compliant you get to put a sticker on your box.
zdnet.com


Google Maps scammers put their own phone numbers onto bank listings

It's a kind of scam that seems to be spreading, where attackers suggest an edit to Google Maps with their phone number for a bank office. When people call the number their account information gets phished.
sophos.com


First GDPR sanction in Germany fines Flirty Chat platform EUR 20,000

The first GDPR fine in Germany is a thing now. The fine is for a hack that exposed 808,000 e-mail addresses and 1.8 million credentials. The authorities were mild though, because of how well the company cooperated.
bleepingcomputer.com


Google and Mozilla working on API to let web apps edit files

Fortunately, they realize what kind of a horrible security risk that is. So it's not certain that the API will be made, and they're doing research now on how they might make it work.
techrepublic.com


Inside the British Army's secret information warfare machine

Interesting introduction on Britain's 77th Brigade, who focus on information warfare. It still sounds weird to my ears, but "editing videos" and "writing social media posts" is fast becoming a standard part of any battlefield.
wired.co.uk


Ask HN: Starting a career in security at 40?

Nice thread on Hacker News on career switching into security.
ycombinator.com


Sponsorship

1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.
1password.com


Overview of recent breaches and cyber attacks

Templarbit maintains this great list of breaches and attacks, with severity, sources, location, and more. Worth checking out!
templarbit.com