Issue 113

Breaches and leaks

  • PHP PEAR: the old-school PHP package manager had its website breached six months ago. Since then it served a malicious version of the PEAR downloader containing a backdoor.
  • An unsecured Elasticsearch instance was found to hold data on several casinos, containing information on 108 million bets, most of which included sensitive personal details: link.
  • Atlas: the new MMO game was breached twice, once by a hacked admin account and once through a game exploit.
  • Redbanc: the company which runs the Chilean banking ATM networks. It was infected by malware, which an employee was tricked into installing through a Skype call.


Security researchers take down 100,000 malware sites over the last ten months

Amazing work performed by a total of 265 security researchers, in an effort organised by Abuse.ch, a non-profit cybersecurity organisation.
zdnet.com


Remote code execution in apt/apt-get

Through a man-in-the-middle attack, this researcher was able to execute arbitrary code as root. The vulnerability has since been patched. Hacker News discussion here.
justi.cz


Websites can steal browser data via extensions APIs

I never realised that browser extensions can be abused themselves, instead of doing the abusing. Apparently quite a few of them expose internal APIs to the outside world, giving malicious websites an avenue into browser data and user cookies.
zdnet.com


Google fined €50M for GDPR violations by France

The fine, given by France's data protection commissioner, penalizes Google for not giving sufficient information when gathering data. It's the result of a complaint by the advocacy group "None of Your Business" (NOYB), who have filed several more complaints this week against a range of tech giants.
sophos.com


Weakness at GoDaddy responsible for rise in spam delivery

Recent spam campaigns had a much higher than usual delivery rate. The reason was that attackers could use legitimate domains (formerly) hosted at GoDaddy. As I understand it: when the attacker created an account with the same nameservers as the target domain, they could claim that domain and start sending e-mail through it.
krebsonsecurity.com


Hijacked Nest cam broadcasts false warning about incoming missiles

Just your weekly reminder to not put IoT devices directly on the web if you can help it (and to secure the heck out of them if you can't).
sophos.com


Bruce Schneier on government-mandated backdoors

A well-written, singular post on why this isn't a good idea, and why the parallels with traditional phone tapping aren't great. I really like his conclusion: it boils down to making systems as secure as possible vs keeping them open to attack by design.
schneier.com


The curious case of the Raspberry Pi in the network closet

Someone found a rogue Raspberry Pi, which was clearly meant to do something malicious. The author writes about finding out who installed it. Fun read :-)
haschek.at


An inside look at the exploit industry working with a nation state

Some researchers got their hands on communication logs between a nation state with a budget of $23 million, looking to build out a surveillance program, and a range of exploit and surveillance providers. It's a disturbing but fascinating read.
cyberscoop.com


Sponsorships

1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.
1password.com

