Breaches and leaks
- PHP PEAR: the old-school PHP package manager had its website breached six months ago. Since then, it had been serving a malicious version of the PEAR downloader that contained a backdoor.
- An unsecured Elasticsearch instance was found to hold data from several casinos: 108 million bets, most of them including sensitive personal details.
- Atlas: the new MMO game was breached twice, once by a hacked admin account and once through a game exploit.
- Redbanc: the company that runs the Chilean banking ATM networks. It was infected by malware that an employee was tricked into installing during a Skype call.
Amazing work performed by a total of 265 security researchers, in an effort organised by Abuse.ch, a non-profit cybersecurity organisation.
Through a man-in-the-middle attack, this researcher was able to execute arbitrary code as root. The vulnerability has since been patched. Hacker News discussion here.
I never realised that browser extensions can be abused themselves, instead of doing the abusing. Apparently quite a few of them expose internal APIs to the outside world, giving malicious websites a way into browser data and user cookies.
The fine, given by France's data protection commissioner, penalizes Google for not giving sufficient information when gathering data. It's the result of a complaint by the advocacy group "None of Your Business" (NOYB), who have filed several more complaints this week against a range of tech giants.
Recent spam campaigns had a much higher delivery rate than usual. The reason was that attackers could use legitimate domains (formerly) hosted at GoDaddy. As I understand it: when the attacker created an account with the same nameservers as the target domain, they could claim that domain and start sending e-mail through it.
Just your weekly reminder to not put IoT devices directly on the web if you can help it (and to secure the heck out of them if you can't).
A well-written, singular post on why this isn't a good idea, and why the parallels with traditional phone tapping aren't great. I really like his conclusion: it boils down to building systems as securely as possible versus keeping them open to attack by design.
Someone found a rogue Raspberry Pi, which was clearly meant to do something malicious. The author writes about finding out who installed it. Fun read :-)
Some researchers got their hands on communication logs between a nation state with a budget of $23 million, looking to build out a surveillance program, and a range of exploit and surveillance providers. It's a disturbing but fascinating read.