Breaches and leaks
This one section took me almost as long to piece together as all other articles combined.
Btw, if you happen to run Elasticsearch in your company, make sure it's secured. Or I'll let you write these next week.
Here we go:
- Atrium Health: a large US healthcare provider that was hacked through a third-party vendor. Personal details of over 2.65 million patients were extracted, including 700,000 social security numbers.
- Urban: a massage app, had an unsecured Elasticsearch database that exposed personal information and sensitive reviews.
- Sky Brasil: the TV company exposed an unsecured Elasticsearch database with personal information of 32 million customers.
- FIESP: Brazil's largest industry association, made up of 130,000 companies, exposed an Elasticsearch instance with millions of personal records.
- Adept.io: a company that sells contact data for sales leads. They had an exposed MongoDB instance with over 9 million records.
- Data & Leads Inc.: another data gathering company, with another unsecured Elasticsearch instance, this time exposing information of an estimated 83 million people.
- Dunkin' Donuts: an attacker compromised customer accounts, presumably through a credential stuffing attack (using usernames and passwords from other breaches).
- Dell: not really a breach it seems, they interrupted an attack that was underway to steal customer credentials. As a precaution Dell is resetting passwords though.
- Uber: not a new breach, but they were fined £385,000 by the UK and €600,000 by The Netherlands for the too-late disclosed data breach of 57 million people in 2016.
Food for thought and discussion. I don't think we'll solve this kind of problem soon, but it's worth solving :-/
The Sennheiser software installs a root certificate on your machine, which researchers were able to crack. This means that any user of that software wouldn't recognize a fake certificate for google.com, paypal.com, or any site. It's similar to the Superfish adware that was installed on Lenovo machines a few years back. Ironically, they just had to settle a $7.3 million lawsuit for that mistake.
The vulnerabilities are variants of those that Tavis Ormandy found in August, who made it clear at the time that there would be more to come.
Remember that Ghostscript gets installed as part of ImageMagick. If you want to mitigate future issues, I'd advise (apart from updating the packages) installing a security policy for ImageMagick that blocks the unsafe operations you don't need.
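As an added example (not from the newsletter), this is what such a policy looks like: the formats listed below are the ones ImageMagick hands to Ghostscript, so denying them keeps the Ghostscript bugs out of reach even before the package is patched. The file path is the usual Debian/Ubuntu location and is an assumption; adjust it for your distribution.

```xml
<!-- /etc/ImageMagick-6/policy.xml (typical path, assumed) -->
<policymap>
  <!-- Coders that are delegated to Ghostscript: deny read and write -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <!-- Don't let a crafted image make ImageMagick fetch remote resources -->
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <!-- Don't allow "@file" indirect reads, which can leak local files -->
  <policy domain="path" rights="none" pattern="@*" />
  <!-- Keep the formats you actually serve; only the explicit denies above apply -->
</policymap>
```

After editing, run `identify -list policy` to confirm the denied coders are listed; anything that still needs PDF rendering should go through a separate, sandboxed worker rather than the web-facing ImageMagick.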
No, I will resist making jokes about a 4-20 version being slow.
It seems that the Spectre mitigation slows the OS down by up to 50%. From what I can make out, they're discussing whether to disable the mitigation or disable its root cause, simultaneous multi-threading.
Another reminder that cellphone-based 2FA really isn't that great. The attacker convinced the telecom operator that he was the rightful owner of the cellphone number, and then used it to steal $1 million out of someone's Gemini and Coinbase accounts.
If you use Hashicorp's Consul with the "-enable-script-checks" option, you can be vulnerable to remote code execution. Either way, you might want to update to the latest version that mitigates that risk.
Very worthwhile first step in my opinion. It's a long list of guidelines on password strength, firmware updates, open ports and more. Compliance is optional for vendors, but if you are compliant you get to put a sticker on your box.
It's a kind of scam that seems to be spreading, where attackers suggest an edit to Google Maps with their phone number for a bank office. When people call the number their account information gets phished.
The first GDPR fine in Germany is a thing now. The fine is for a hack that exposed 808,000 e-mail addresses and 1.8 million credentials. The authorities were mild though, because of how well they cooperated.
Fortunately, they realize what kind of a horrible security risk that is. So it's not certain that the API will be made, and they're doing research now on how they might make it work.
Interesting introduction on Britain's 77th Brigade, who focus on information warfare. It still sounds weird to my ears, but "editing videos" and "writing social media posts" is fast becoming a standard part of any battlefield.
Nice thread on Hackernews on career switching into security.