Issue 111

Breaches and leaks

  • Indian government: had an unsecured Elasticsearch server showing the locations of 11,000 trains and buses. Sounds like useful information for citizens to me, but apparently it wasn't meant to be open.
  • Oxo International: manufacturer of office supplies and homeware. They disclosed that a Magecart-looking attack has skimmed payment details and personal information from their website between June 2017 and October 2018.
  • Australian Early Warning System: the service was hacked and used to send out a (fortunately innocent) message to subscribers.
  • Singapore Airlines: had a bug in their frequent flyer program. When logging in you could see data belonging to other members.
  • BenefitMall: payroll and HR services company. Had a phishing attack which might have exposed customer information.
  • St Lawrence College: someone sent out phishing e-mails to parents offering a discount on tuition for the next term, if they paid now. Two parents fell for it.
  • Neiman Marcus: no new breach, but the news came out that they are being fined $1.5 million for a credit card breach that occurred in 2013.

German cyber-attack: man admits to massive data breach

A 20-year-old student has admitted to being behind the hacks that exposed personal information of German politicians and journalists. He seems to be cooperating with law enforcement and is likely to receive a rather mild sentence.

Yubico announces the first Lightning security key for iPhones

It's a Yubikey that can be plugged into iPhones and iPads. Pretty cool, considering the only alternative so far was Bluetooth.

Zerodium raises zero-day payout ceiling to $2M

You'll get $2 million for remote iOS jailbreaks, $1 million for remote code execution (RCE) exploits through messaging apps, and $500,000 for Chrome RCEs. You also need a slight lack of moral standards, since those exploits might very well be used in bad ways.

Automated phishing attack tool bypasses 2FA protection

A security researcher has released an impressive phishing tool. It proxies assets from the website it's impersonating, making it look identical, and then proxies both the password and the 2FA token as well. I think we're fast approaching a point where hardware keys are the only 2FA we'll want :-/

Thousands of Internet connected hot tubs vulnerable to remote attacks

That's right, hot tubs. You can use geolocation to find one you like and then start playing around with the settings. Don't though. Hot tub owners are people too.

Hyatt launches public bug bounty program on HackerOne

With all the hotel chain breaches of late, this is good news! Let's hope that many others will follow.

Machine learning to detect software vulnerabilities

Interesting post from Bruce Schneier on how he sees machine learning impacting vulnerability management. He sees a future where ML will catch all bugs during the development process, which sounds glorious. But he does think that the ML-power will first be turned on existing software, with a flood of (exploitable) vulnerabilities as a result.

New app for macOS can detect keyloggers

It's free, open-source and by the same creator who makes OverSight, RansomWhere and lots of other awesome and free security tools. Worth checking out.

FiloSottile/mkcert: tool to make locally trusted development certificates

This seems like a useful tool if you're a developer and want to test HTTPS locally. It generates a root certificate that your computer will trust from that point on, so don't share that certificate :)


1Password for Teams and Business

As always I'm extremely grateful to 1Password for supporting the newsletter. If you have passwords or secure notes to share with your colleagues, I recommend you give them a try.