Issue 106

Marriott hotel group hack hits 500 million people

Some breaches deserve their own dedicated item; this is one of them.
The hotel group, known for Sheraton, Le Méridien and other brands, found out that attackers had had access to its database since 2014, impacting the personal data of a whopping 500 million guests. And apparently they're fudging up the aftermath too, with easily spoofable domains and other PR failures.
bbc.com


Quora hacked - 100 million users' data exposed

Another get-your-own-item winner! An attacker had access to 100 million names, emails, hashed passwords, direct messages and more.
bleepingcomputer.com


Other breaches and leaks

The rest goes into a list. Hey, we can't all be special.

  • Sotheby's: the auction house reported that one of its e-commerce portals was infected with a Magecart credit-card stealing script. While only recently discovered, the script itself had been on the site at least since March 2017.
  • 1-800-Flowers: the Canadian version of the flower shop reported that credit card data was breached, from as early as August 2014 until September of this year. It's unclear how many customers are impacted.
  • eBay Japan: no personal data leak, thankfully. But a researcher found that they exposed their Git repo, and was able to download the entire code base, including database passwords, logs, and more.
  • Bethesda: the game maker had "an issue" with their support system. Multiple users were able to see support tickets from other players, including sensitive information like name, address and purchase information.
  • National Republican Congressional Committee (NRCC): attackers had access to the e-mail accounts of four senior aides for several months.


Critical privilege escalation vulnerability discovered in Kubernetes

The vulnerability allows anyone to get admin privileges on the Kubernetes nodes. It's easy to exploit and requires no user interaction. If you run k8s, make sure to install the patch.
bleepingcomputer.com


The event-stream vulnerability explained

Fantastic post that dives deeper into last week's news of how the event-stream library was modified to target the Copay Bitcoin wallet. It's pretty scary to see how well the attack was executed, and how hard it is to detect.
schneid.io


Microsoft replacing Edge with new Chromium-based browser

It looks like Microsoft will halt efforts on Edge and its EdgeHTML browser engine and instead will launch a new Chromium-based browser under the codename Anaheim.
bleepingcomputer.com


Fitness-tracking apps caught misusing Touch ID to steal money

The malicious apps asked to scan your fingerprint, and then quickly popped up a payment request while your finger was still on the Touch ID button. They have since been removed from the App Store.
grahamcluley.com


U.S. military uncovers catfishing operation aimed at its soldiers

A sextortion ring was being operated from South Carolina prisons, specifically targeting U.S. military service members. A total of 442 people were catfished and extorted out of more than $500.000.
threatpost.com


Printers pulled into 9100 port attack spew PewDiePie propaganda

Someone went to the Shodan search engine, found 800.000 vulnerable printers, and made a chunk of them print out a PewDiePie-related message. Just as unsettling: he claims to have done it, start to finish, in half an hour.
sophos.com


Trump’s Cybersecurity advisor thinks his Twitter was hacked because of a typo

I'll let the article explain this facepalm moment.
vice.com


Want to be a Hacker? Go to Dallas.

Fun article about a large hacker group in Dallas, Texas. Apparently the demand for cybersecurity experts is even greater there than in Silicon Valley.
popularmechanics.com


Swift Weekly: curated newsletter on Swift development for iOS and OSX

Once in a while I'll do a cross-promote with another newsletter. It's great to cross-pollinate our subscriber bases :-) If you're into Swift development, definitely check them out!
swiftweekly.com


Sponsorships

Breachroom: curated list of breaches and attacks

Breachroom is a concept by Templarbit, an application security provider, where they maintain an overview of recent breaches and cyber attacks.
templarbit.com


1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.
1password.com