Issue 110

Breaches and leaks

  • South Korea: the personal information of just under 1000 North Korean defectors was breached. I honestly can't think of a good reason to have information like that on an Internet-connected network :-/
  • Abine: creators of the password manager Blur, among other privacy-related products, had an unsecured S3 bucket with information on 2.3 million users, including password hashes.
  • Town of Salem: a popular online RPG, had information of over 7.6 million players leaked, including e-mails and MD5-hashed passwords.
  • Victoria, Australia: the personal details of 30,000 government employees were downloaded, presumably after a successful phishing attack.
  • Nova Entertainment: an Australian broadcasting company that had personal data leaked, impacting over 250,000 people.
  • Luas: the operator of the Dublin tram system, had its website defaced by hackers saying they had stolen data and wanted ransom.
  • Tribune Media: they publish papers like the Los Angeles Times and the Chicago Tribune, among others. They suffered a ransomware attack through a Ryuk malware infection.
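The Town of Salem entry above mentions MD5-hashed passwords. The following added example (not from any of the companies or articles listed) shows why that matters: unsalted MD5 gives every user with the same password the same stored value, so one precomputed table recovers all of them, while a per-user salt plus a deliberately slow KDF (here PBKDF2-HMAC-SHA256 from the standard library; the 600,000-iteration default follows current OWASP guidance) does not. The user records are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample: two users who happen to pick the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}


def md5_store(password: str) -> str:
    """The weak scheme: unsalted, fast MD5. Identical passwords -> identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Hardened scheme: random 16-byte salt per user and a slow KDF.

    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' so the
    parameters travel with the record and can be raised later.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def users_with_shared_hash(store_fn: Callable[[str], str]) -> int:
    """Count users whose stored value collides with another user's.

    0 is the goal: a leaked table should reveal nothing about who shares a password.
    """
    hashes = [store_fn(pw) for pw in USERS.values()]
    return sum(1 for h in hashes if hashes.count(h) > 1)


if __name__ == "__main__":
    print("MD5 users sharing a hash:   ", users_with_shared_hash(md5_store))     # 2
    print("PBKDF2 users sharing a hash:", users_with_shared_hash(pbkdf2_store))  # 0
    rec = pbkdf2_store("hunter2")
    print("verify correct password:", pbkdf2_verify("hunter2", rec))
    print("verify wrong password:  ", pbkdf2_verify("hunter3", rec))
```

The same structure applies to bcrypt, scrypt or Argon2 if a third-party library is available; the point is the per-user salt and the tunable cost, not the specific function.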

Chromecast PewDiePie hack exposes long-standing unpatched bug

The same hacker who recently caused thousands of printers to print a PewDiePie message has now gone after Chromecasts that were Internet-reachable through UPnP-enabled routers. Thousands of people were affected. This article has some more details of how it went down.
The hacker himself has gone dark now, out of fear of being prosecuted.

EU to fund bug bounty programs for 14 open source projects

Pretty awesome news and a nice precedent. After previously supporting VLC, the Apache web server and KeePass, they will now also start supporting 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), midPoint, Notepad++, PuTTY, the Symfony PHP framework, and WSO2.

Security flaws let anyone snoop on Guardzilla camera recordings

If you own a Guardzilla camera you might want to unplug it for now. They embedded their AWS keys in the firmware, protected only by old encryption. With those keys, anyone can reach the S3 buckets holding every customer's recordings. There seems to be no response from the company so far.
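The Guardzilla problem is a hard-coded cloud credential shipping in a firmware image. A pre-release check that catches this class of mistake is shown below as an added example (not Guardzilla's code or any vendor's tool): it scans a raw image for AWS access key IDs, which always start with `AKIA` (long-term) or `ASIA` (temporary) followed by 16 uppercase alphanumerics, and flags whether a 40-character secret-key-shaped string sits next to one. The firmware blob is constructed, and the credential pair in it is the placeholder pair from the AWS documentation, not a live key.

```python
import re
from typing import Dict, List

# AWS access key IDs: "AKIA"/"ASIA" + 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(rb"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is a 40-char base64-like run. Alone that is noisy in a
# binary, so it is only reported when found within WINDOW bytes after a key ID.
AWS_SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 256


def scan_firmware(blob: bytes) -> List[Dict[str, object]]:
    """Return one finding per access key ID found in the image."""
    findings = []
    for m in AWS_KEY_ID_RE.finditer(blob):
        start, end = m.span()
        secret = AWS_SECRET_RE.search(blob[end:end + WINDOW])
        findings.append({
            "offset": start,                       # byte offset of the key ID
            "key_id": m.group().decode("ascii"),
            "temporary": m.group(1) == b"ASIA",    # STS keys expire; AKIA ones do not
            "secret_nearby": secret is not None,   # ID + secret = usable credential
        })
    return findings


def release_gate(blob: bytes) -> bool:
    """True if the image is clean; False if any long-term credential pair is present."""
    return not any(f["secret_nearby"] and not f["temporary"] for f in scan_firmware(blob))


# Constructed sample "firmware image": an ELF-looking header, padding, an
# embedded config section with the AWS documentation placeholder credentials,
# and trailing padding.
SAMPLE_FIRMWARE = (
    b"\x7fELF" + b"\x00" * 64
    + b"[aws]\naccess_key_id=AKIAIOSFODNN7EXAMPLE\n"
    + b"secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    + b"\xff" * 64
)

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print(f)
    print("release OK:", release_gate(SAMPLE_FIRMWARE))  # False
```

The gate is deliberately strict: a key ID with a secret next to it is enough to block a build, and the fix is architectural rather than cosmetic, with per-device credentials issued at provisioning (or short-lived STS tokens obtained through a backend) rather than one shared vendor key that encryption in the image cannot protect.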

Let's Encrypt: Looking forward to 2019

Let's Encrypt has been a huge success, I think we can all agree on that. In 2019 they aim, among other things, to validate domain ownership from multiple network vantage points to mitigate BGP hijacking, and to build an industry-wide Certificate Transparency log.
Pretty incredible too is that all their infrastructure is managed by a Site Reliability Engineering (SRE) team of just six people, and that Let's Encrypt themselves operate on a budget of just $3.6 million.

The 6 reasons why Huawei gives the US and its allies security nightmares

An interesting read on the paranoia around Huawei-made systems. There's no evidence of actual backdoors, but a lot of fear of them being in there anyway.

OWASP top 10 for IoT devices

If you're responsible for building IoT devices or infrastructure, please do us all a favour and bookmark this.

Shoutout to Software Lead Weekly

This was the first curated newsletter I ever subscribed to, and I haven't been disappointed since. With over 20,000 subscribers, it seems I'm not alone :) I recommend Oren's work wholeheartedly, including his book Leading Snowflakes.


1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.