Issue 112

Minimal version

Both my wife and daughter fell ill this week, so I wasn't able to dedicate the usual amount of time to the newsletter. Family first!

I'll share the links that seemed interesting to me, but with less filtering and summarising than usual. I hope you still get value from it.

Breaches and leaks

Oh my.

  • Data dump with 87GB of emails and passwords found, dubbed "Collection #1": link
  • Unsecured rsync server exposes 7 years of FBI investigations at the Oklahoma Securities Commission: link
  • 200 million resumes in unsecured MongoDB instance: link
  • Another set of resumes in an unsecured S3 bucket: link
  • Amadeus airline booking system, used by 141 airlines, had a "change this ID in the URL to get access" flaw (an insecure direct object reference: the booking identifier in the URL was the only thing checked): link
  • Development server left unsecured at VOIPO, calls and text messages leaked: link
  • Data stolen from South Korea's Defense Ministry: link
  • Amazon India had a breach where financial information of sellers was leaked to competing sellers: link
  • A health care provider in Indiana had a third-party breach exposing data of 31,000 patients: link
  • Misconfigured Jira server at NASA: link
  • Ransomware attack on City Hall of Del Rio, Texas: link
  • Several employees fired and fined for previous SingHealth breach, a healthcare system in Singapore: link
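The Amadeus item is the classic insecure direct object reference: the record locator in the URL names the booking and is also treated as the credential, so anyone who edits it reads someone else's record. The block below is an added illustration, not code from Amadeus or from any article linked here. It puts a minimal vulnerable lookup beside a fixed one that returns a booking only to its authenticated owner or to a caller presenting an unguessable per-booking token; the booking store, user names, locators and tokens are all constructed for the example.

```python
"""IDOR in a booking lookup, and a fix: the URL identifier names the record,
something the caller cannot guess or forge proves the right to read it.

Added example with constructed data; not code from any system named above.
"""
import hmac
import secrets

# Constructed sample store keyed by a six-character record locator. Real
# locators are short and easy to enumerate, so they must not act as a secret.
BOOKINGS = {
    "ABC123": {"owner": "alice", "flight": "XY100",
               "token": secrets.token_urlsafe(32)},
    "ABC124": {"owner": "bob", "flight": "XY101",
               "token": secrets.token_urlsafe(32)},
}


class Forbidden(Exception):
    """Raised for a missing record and for a failed authorisation alike, so the
    endpoint cannot be used to confirm which locators exist."""


def get_booking_vulnerable(locator):
    """Vulnerable handler: the locator taken from the URL is the only check.
    Changing 'ABC123' to 'ABC124' in the request returns bob's booking."""
    return BOOKINGS[locator]


def share_link(locator):
    """The 'manage my booking' link that would be e-mailed to the owner. The
    random token is the credential; the locator merely addresses the record."""
    return "/booking/%s?t=%s" % (locator, BOOKINGS[locator]["token"])


def get_booking_fixed(locator, authenticated_user=None, token=None):
    """Fixed handler: the record is released only when the session user owns
    it, or when the caller presents the per-booking token from share_link().
    Tokens are compared in constant time so response timing leaks nothing."""
    booking = BOOKINGS.get(locator)
    if booking is None:
        raise Forbidden("no such booking or not yours")
    if authenticated_user is not None and booking["owner"] == authenticated_user:
        return booking
    if token is not None and hmac.compare_digest(
            booking["token"].encode(), token.encode()):
        return booking
    raise Forbidden("no such booking or not yours")


def is_denied(locator, authenticated_user=None, token=None):
    """True when the fixed handler refuses the request; used to check the
    negative cases without exposing exceptions to the caller."""
    try:
        get_booking_fixed(locator, authenticated_user, token)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Attacker edits the locator in the URL: the vulnerable handler obliges.
    print("vulnerable:", get_booking_vulnerable("ABC124")["owner"])
    # Same request against the fixed handler, as alice, is refused.
    print("fixed, wrong user denied:", is_denied("ABC124", "alice"))
    # The owner's own share link still works without a login.
    tok = share_link("ABC123").split("?t=")[1]
    print("fixed, valid token:", get_booking_fixed("ABC123", token=tok)["flight"])
```

The fix does not make the locator secret; it stops treating it as one. Whichever second factor is used (a session tied to the owner, or a token with enough entropy that enumeration is hopeless), the lookup must bind that factor to the specific record, and a failed check must look identical to a missing record.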

Linux systemd affected by memory corruption vulnerabilities

Worldwide hacking spree uses DNS trickery to nab data

SCP implementations impacted by 36-year-old security flaws

A security conference will let you hack a Tesla car and earn cash prizes

Arrests and sentences

Two high-profile ones that I came across this week:

  • Martin Gottesfeld: got 10 years and was ordered to pay $443,000 in restitution for DDoS'ing the Boston Children's Hospital, as retribution for allegedly mishandling the medical case of a 15-year-old.
  • Daniel Kaye: got two years and eight months for operating a DDoS-for-hire service that took down all Internet access for the country of Liberia.

Flaws in Android app ES File Explorer put 100 million users' data at risk

WordPress to show warnings on servers running outdated PHP versions

Mozilla to disable Flash plugin by default in Firefox 69

Cyber-insurance refuses to pay NotPetya ransomware clean-up bill – claims it's 'an act of war'

USB-C authentication sounds great, so why are people worried?

Protonmail introduces a new site to help businesses achieve GDPR compliance

Kubernetes security best practices


1Password: a password manager worth recommending

After using 1Password Teams for several years, I finally made the leap and moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from. And I'm not just saying that because they sponsor me.