Issue 112

Minimal version

Both my wife and daughter fell ill this week, so I wasn't able to dedicate the usual amount of time to the newsletter. Family first!

I'll share the links that seemed interesting to me, but with less filtering and summarising than usual. I hope you still get value from it.



Breaches and leaks

Oh my.

  • Data dump with 87GB of emails and passwords found, dubbed "Collection #1": link
  • Unsecured rsync server exposes 7 years of FBI investigations at the Oklahoma Securities Commission: link
  • 200 million resumes in unsecured MongoDB instance: link
  • Another set of resumes in an unsecured S3 bucket: link
  • Amadeus airline booking system, used by 141 airlines, had "change this ID in the URL to get access" flaw: link
  • Development server left unsecured at VOIPO, calls and text messages leaked: link
  • Data stolen from South Korea's Defense Ministry: link
  • Amazon India had a breach where financial information of sellers was leaked to competing sellers: link
  • A health care provider in Indiana had a third-party breach exposing data of 31,000 patients: link
  • Misconfigured Jira server at NASA: link
  • Ransomware attack on City Hall of Del Rio, Texas: link
  • Several employees fired and fined for previous SingHealth breach, a healthcare system in Singapore: link


Linux systemd affected by memory corruption vulnerabilities
bleepingcomputer.com

Worldwide hacking spree uses DNS trickery to nab data
wired.com

SCP implementations impacted by 36-year-old security flaws
zdnet.com

A security conference will let you hack a Tesla car and earn cash prizes
zdnet.com


Arrests and sentences

Two high-profile ones that I came across this week:

  • Martin Gottesfeld: got 10 years and a $443,000 fine for DDoSing the Boston Children's Hospital, as retribution for allegedly mishandling the medical case of a 15-year-old.
  • Daniel Kaye: got two years and eight months for operating a DDoS-for-hire service that took down all Internet access for the country of Liberia.


Flaws in Android app ES File Explorer put 100 million users' data at risk
bleepingcomputer.com

WordPress to show warnings on servers running outdated PHP versions
zdnet.com

Mozilla to disable Flash plugin by default in Firefox 69
bleepingcomputer.com

Cyber-insurance refuses to pay NotPetya ransomware clean-up bill, claims it's 'an act of war'
theregister.co.uk

USB-C authentication sounds great, so why are people worried?
sophos.com

Introducing GDPR.eu, a new site by ProtonMail to help businesses achieve GDPR compliance
protonmail.com

Kubernetes security best practices
cncf.io


Sponsorships

1Password: a password manager worth recommending

After using 1Password Teams for several years, I finally made the leap and moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from. And I'm not just saying that because they sponsor me.
1password.com