- An unsecured web server was exposing personal information of 120 million Brazilians, showing their equivalent of social security numbers, bank accounts, addresses, loans and more: link.
- Google found another security vulnerability in Google+, impacting 52 million people. Because of this the planned shut-down date for the service got moved up four months.
- Cap Cod Community College: $800.000 was taken from their bank accounts after a series of phishing attacks.
- Not really a breach, but an unsecured MongoDB instance was found online with scraped LinkedIn information of over 66 million individuals. It's not known whom the database belongs to. link.
- Humble Bundle: Also not really a breach, but they discovered that an attacker abused a bug to enumerate subscription statuses of a number of customers. Even though no personal data was leaked they still disclosed very responsibly.
An attacker hijacked the DNS account and pointed the domain name to its own page, filled with all kinds of obscenities. Apparently the owner of the domain didn't have 2fa enabled. Go figure.
It seems that this is a law that forces software makers to give law enforcement access to otherwise end-to-end encryption systems, somehow. I have to admit it's hard to deep-dive into this because of political shenanigans and personal anger on my part. It'll be very "interesting" to see how this plays out in practice.
The prevailing sentiment seems to be that the Marriott breach is the work of the Chinese, who are hoovering up all personal data they can get in order to identify spies by travel habits, recruiting new intelligence assets, and more.
It seems that text-based CAPTCHA really is dead now. The AI system can be trained with only 500 captcha samples, and can then solve them as accurately as a human, with an average tested speed of 0.05 seconds.
- Microsoft had its Patch Tuesday, fixing 39 vulnerabilities, 10 of which are rated critical, and two of which are actively being exploited.
- Adobe did its thing too on Patch Tuesday, fixing no less than 87 vulnerabilities in Acrobat and Reader, several of which are critical.
- Wordpress released an update for its 5.0 branch, fixing several vulnerabilities and a bug that allowed Google to index sensitive pages.
I really don't like DNA data in Internet-connected machines. The "100.000 Genomes Project" in the UK had to move its servers to a military base to protect it better, after being inundated with attacks.
The police of 13 countries conducted no less than 300 house searches and arrested 235 people suspected of buying counterfit Euro banknotes from a Dark Web marketplace.
It doesn't seem to be a sort of "Metasploit for cars" as I first thought, but rather a complete kit that gives you a playground to learn about car-related security.
Might be more privacy-related than security-related, but I found it more than interesting enough to include. The NY Times takes a deep dive in how un-anonymous much of our smartphone location data is, and what kind of companies buy and sell that data.
A Github-hosted list of well-known vulnerabilities like Heartbleed, EternalBlue, Spectre, and many more, and whether or not they were ever seen exploited in the wild. It's a lot less than you'd think.
That doesn't mean they don't need to be fixed in your infrastructure, but it's refreshing to balance out against our usual the-world-is-on-fire mode.
If you're looking to fill your reading list, this might be a good place to get some inspiration.
After using 1Password Teams for several years, I finally made the leap and moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from. And I'm not just saying that because they sponsor me.