- Indian government: had an unsecured Elasticsearch server exposing the locations of 11.000 trains and buses. Sounds like useful information for citizens to me, but apparently it wasn't meant to be open.
- Oxo International: manufacturer of office supplies and homeware. They disclosed that a Magecart-style attack skimmed payment details and personal information from their website between June 2017 and October 2018.
- Australian Early Warning System: the service was hacked and used to send out a (fortunately innocent) message to subscribers.
- Singapore Airlines: had a bug in their frequent flyer program. After logging in, members could see data belonging to other members.
- BenefitMall: payroll and HR services company. Suffered a phishing attack that might have exposed customer information.
- St Lawrence College: someone sent out phishing e-mails to parents offering a discount on tuition for the next term, if they paid now. Two parents fell for it.
- Neiman Marcus: no new breach, but the news came out that they are being fined $1.5 million for a credit card breach that occurred in 2013.
A 20-year-old student has admitted to being behind the hacks that exposed personal information of German politicians and journalists. He seems to be cooperating with law enforcement and is likely to receive a rather mild sentence.
It's a YubiKey that can be plugged into iPhones and iPads. Pretty cool, considering the only alternative so far was Bluetooth.
You'll get $2 million for remote iOS jailbreaks, $1 million for remote code execution (RCE) exploits through messaging apps, and $500.000 for Chrome RCEs. You also need a slight lack of moral standards, since those exploits might very well be used in bad ways.
A security researcher has released an impressive phishing tool. It proxies assets from the website it's impersonating, making it look identical, and then proxies both the password and the 2FA token too. I think we're fast approaching a point where hardware keys are the only 2FA we'll want :-/
That's right, hot tubs. You can use geolocation to find one you like and then start playing around with the settings. Don't though. Hot tub owners are people too.
With all the hotel chain breaches of late, this is good news! Let's hope that many others will follow.
Interesting post from Bruce Schneier on how he sees machine learning impacting vulnerability management. He sees a future where ML will catch all bugs during the development process, which sounds glorious. But he does think that this ML power will first be turned on existing software, with a flood of (exploitable) vulnerabilities as a result.
This seems like a useful tool if you're a developer and want to test HTTPS locally. It generates a root certificate that your computer will trust from that point on, so don't share that certificate (or its private key) :)
As always I'm extremely grateful to 1Password for supporting the newsletter. If you have passwords or secure notes to share with your colleagues, I recommend you give them a try.