Issue 108

Breaches and leaks

Here we go. Takes deep breath

  • Boomoji: the animated avatar app exposed the personal data of its entire user base, over 5.3 million people, in two Elasticsearch databases. Including user locations, what schools some users go to, and all phonebook entries of all users who allowed the app access to contacts.
  • NASA: a server from the HR department was compromised, and attackers stole personal information of thousands of employees. The data is already for sale on the Dark Web.
  • Facebook: Not so much a breach as a bug, but it was heavily reported on. Normally apps with picture permissions only get to see timeline pictures. But due to a bug in the API they could temporarily get access to more, including unposted pictures.
  • Facebook, again: I guess we can call this a breach-by-design. Over 150 companies got "special treatment" by Facebook, getting wider access to personal data than disclosed to the users. Long but worthy read.
  • Save The Children Federation: an attacker infiltrated the charity and got them to wire $1 million into his account through false documents and invoices.
  • Wall Street Journal: their website was hacked and defaced with PewDiePie-related messages.
  • Amazon: sent 1700 Alexa recordings to the wrong person by mistake.
  • Experian: infamous for previously having the information of 15 million people stolen. This time it was discovered that they included real customer data as part of a public training manual.
  • 2018 overview: If you're feeling nostalgic, here's a nice overview of big 2018 data breaches.


Critical flaw discovered in SQLite

The flaw, dubbed "Magellan", allows for remote code execution under certain circumstances. SQLite's creator called it out as being overblown, but it seems worth a quick patch either way. Hackernews discussion here.
thehackernews.com


Researcher chains two Microsoft bugs to potentially take over 400M accounts

One bug allowed him to redirect access tokens to a Microsoft subdomain of his choosing, and another allowed him to take over one such subdomain. He disclosed responsibly and received a bug bounty, although we don't know how much (it better be a big check though).
hackread.com


Breaking into Android phones with a 3D printed head

Forbes was able to trick several phones into unlocking with a 3D printed head. Only the iPhone stood up to the tests. From the vendor's response though, it doesn't seem wise for anyone to rely on face-based authentication just yet.
forbes.com


Microsoft releases Windows Sandbox

Seems like a very cool feature. It ships with Windows 10 Pro or Enterprise, and allows you to quickly fire up a completely clean Windows environment where you can try out suspicious software without hurting the host system.
microsoft.com


Logitech flaw fixed after Project Zero disclosure

Google-badass Tavis Ormandy found that Logitech's Options application, used to customise buttons on Logitech's devices, opened an unsecured websocket server that any site could just connect to, and potentially inject keystrokes and other mischief. They finally fixed it after Tavis publicly called out the vulnerability when their 90 days were over.
sophos.com
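The control missing in the Logitech case is an Origin check on the local WebSocket server. As an added illustration (not Logitech's code and not from the linked article), here is a minimal handshake handler that refuses the upgrade unless the connecting page's Origin is on an allowlist; the allowlist, the port and the sample requests are made up for the example.

```python
import base64
import hashlib

# RFC 6455 GUID used to derive Sec-WebSocket-Accept from the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed allowlist: the only web origins permitted to talk to the local service.
ALLOWED_ORIGINS = {"https://options.example.local"}

def parse_upgrade_request(raw):
    """Split an HTTP/1.1 Upgrade request into request line and lowercased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def accept_value(client_key):
    """Sec-WebSocket-Accept = base64(sha1(key + GUID)), per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_response(raw, allowed=ALLOWED_ORIGINS):
    """Return (status, response bytes). Browsers always send Origin on a
    WebSocket handshake, so a missing or unknown Origin is refused."""
    _, h = parse_upgrade_request(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("origin") not in allowed:
        # This is the check whose absence lets any web page reach the socket.
        return 403, b"HTTP/1.1 403 Forbidden\r\n\r\n"
    accept = accept_value(h["sec-websocket-key"])
    body = ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept + "\r\n\r\n")
    return 101, body.encode("ascii")

# Constructed sample handshakes (key is the RFC 6455 example key; port is made up).
TRUSTED = (b"GET /ws HTTP/1.1\r\nHost: 127.0.0.1:8765\r\nUpgrade: websocket\r\n"
           b"Connection: Upgrade\r\nOrigin: https://options.example.local\r\n"
           b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
           b"Sec-WebSocket-Version: 13\r\n\r\n")
UNTRUSTED = TRUSTED.replace(b"Origin: https://options.example.local",
                            b"Origin: https://some-other-site.example")

if __name__ == "__main__":
    print(handshake_response(TRUSTED)[0], handshake_response(UNTRUSTED)[0])  # 101 403
```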


Researchers slam Hola VPN over absent encryption, user IP leaks

If you use Hola VPN, especially the free version, you might want to double check that particular decision. It doesn't encrypt traffic, doesn't hide your IP very well, and sells your bandwidth. According to Hola that's all just fine and users of the free tier are well aware of this.
zdnet.com


U.S. Ballistic Missile Defense Systems fail cybersecurity audit

Horrible patch hygiene, poor 2FA use, unencrypted USB drives, and several physical security issues. Lots of work to be done there.
bleepingcomputer.com


Border agents routinely fail to delete traveler data after electronic searches

One of those "this is maybe more privacy- than security-related" articles, but I certainly found it an interesting read.
gizmodo.com


trimstray/the-book-of-secret-knowledge: A collection of awesome lists, manuals, blogs, hacks, one-liners, cli/web tools and more.

Great, long list of tools, blogs, news sites and much more for devops- and security-minded folks.
github.com


Newsletter shoutout: Data Eng Weekly

If you're into data engineering, distributed systems, technologies like Hadoop, Spark, Kafka, you'll want to check this one out. Curated by Joe Crobak, he already has over 11.000 readers, so he must be doing something right :-)
dataengweekly.com


Sponsorships

1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.
1password.com