Issue 114

Breaches and leaks

It's official. I now spend more time on this one segment than on the rest of the newsletter. Plenty of security work left to do, people.

  • Gator smartwatches for kids: they exposed real-time location information on 35.000 children. Anyone could trivially obtain admin privileges in the backend, which exposed all other accounts.
  • Singapore's Ministry of Health: a database with information on 14.000 HIV patients was leaked by someone who had apparently stolen that data himself.
  • Ascension: a financial analytics firm that had an unsecured Elasticsearch instance with over 24 million documents related to people's loans and mortgages.
  • B&Q: a DIY retailer that had an exposed Elasticsearch database with the information of 70.000 identified or suspected shoplifters.
  • Airbus: had a security breach involving employee data. There's not a lot of further detail about the breach though.
  • Discover cards: customers of the Discover credit cards are getting replacements because of a possible data breach. No details are available, except that they say the breach didn't originate with them.
  • LocalBitcoins: peer-to-peer crypto exchange portal. Several users got their credentials phished, including 2FA codes.
  • Dailymotion: no real breach it seems, but they detected a credential stuffing attack (where attackers try to log in using username/password pairs gained in other breaches). They stopped the attack and initiated password resets.
  • Not really a leak, but leak-related: someone found that an "admin@kremlin.ru" backdoor account exists in many of the publicly leaked databases. Russia requires access to financial systems; I guess this is that? I hope they don't re-use passwords. link.
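The Dailymotion item above is about detecting credential stuffing rather than a leak. The detection logic below is an added example written for this issue, not Dailymotion's own tooling: it reads constructed authentication log lines (the timestamp / source IP / username / result format and the thresholds are assumptions) and flags sources that try many distinct accounts in a short window with mostly failed logins. A single account hammered from one IP is deliberately not flagged, since that is a brute-force handled by per-account lockout, not stuffing. Successful logins from a flagged source are the accounts you would want to reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <OK|FAIL>"
# 203.0.113.7 cycles through many accounts (stuffing, one hit on "erin");
# 198.51.100.5 hammers one account (brute-force, not stuffing);
# 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2019-01-28T10:00:01 203.0.113.7 alice FAIL
2019-01-28T10:00:02 203.0.113.7 bob FAIL
2019-01-28T10:00:02 203.0.113.7 carol FAIL
2019-01-28T10:00:03 203.0.113.7 dave FAIL
2019-01-28T10:00:03 203.0.113.7 erin OK
2019-01-28T10:00:04 203.0.113.7 frank FAIL
2019-01-28T10:00:10 198.51.100.5 alice FAIL
2019-01-28T10:00:11 198.51.100.5 alice FAIL
2019-01-28T10:00:12 198.51.100.5 alice FAIL
2019-01-28T10:00:13 198.51.100.5 alice FAIL
2019-01-28T10:00:14 198.51.100.5 alice FAIL
2019-01-28T10:00:15 198.51.100.5 alice FAIL
2019-01-28T10:05:00 192.0.2.9 grace OK
"""

EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, min_fail_ratio=0.6):
    """Return {src_ip: summary} for sources whose attempts within one
    fixed `window` touch at least `min_accounts` distinct usernames and
    fail at least `min_fail_ratio` of the time.

    Thresholds are assumed values for illustration; tune them to your
    own traffic so that shared NAT egress points are not flagged.
    """
    # Bucket attempts by (source IP, fixed time slot).
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        slot = (ts - EPOCH) // window          # integer slot index
        buckets[(ip, slot)].append((user, result))

    flagged = {}
    for (ip, slot), attempts in buckets.items():
        accounts = {u for u, _ in attempts}
        fails = sum(1 for _, r in attempts if r == "FAIL")
        if len(accounts) >= min_accounts and fails / len(attempts) >= min_fail_ratio:
            flagged[ip] = {
                "window_start": EPOCH + slot * window,
                "attempts": len(attempts),
                "accounts": len(accounts),
                # Successful logins from a stuffing source: reset these.
                "compromised": sorted(u for u, r in attempts if r == "OK"),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The distinguishing signal is the number of distinct usernames per source, not the raw failure count: stuffing spreads a leaked list across many accounts, so the usual per-account lockout never triggers. Pair the source-level block with a forced reset of the accounts listed under `compromised`.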


Bug in FaceTime lets you hear the other person before they pick up

Hard to miss this bit of news this week. When you call someone and, before the other person answers, add yourself to the call's group, you hear the other side even if they haven't picked up yet. And if they mute your call, that person's camera even turns on. Ouch.
bleepingcomputer.com


Japanese government plans to hack into citizens' IoT devices

Japan has given the green light to allow government workers to try and hack into unsecured IoT devices, and then alert their owners of the problem. This is in preparation for the 2020 Olympics, where they fear large-scale hacking attacks such as the ones during the last games.
zdnet.com


GDPR statistics so far

Interesting view into the impact of GDPR so far: over 95.000 complaints, 255 initiated investigations, and over 41.000 reported data breaches.
bleepingcomputer.com


Chrome 72 released with 58 security fixes

The update also deprecates TLS 1.0 and 1.1, as a first step towards removing support altogether in 2020. If you somehow still use these in your company, you might want to get on that.
bleepingcomputer.com


Europol arrests UK man for stealing €10 million worth of IOTA cryptocurrency

Do you remember the news of how someone (quite cleverly, I have to admit) "open-sourced" a seed generator for IOTA wallets, but secretly made the random number generator predictable so he could steal it all? It's worth a re-read really. Well, they caught the guy.
zdnet.com


After seizing a major DDoS-for-hire site, Europol goes after its users

Europol took down one of the best known "DDoS for hire" services last year, called webstresser.org. They've also obtained a list of 151.000 registered users of the service, and plan to start prosecuting them.
techcrunch.com


Ransomware warning: A global attack could cause $193bn in damage

A project between several universities and insurance companies researched the hypothetical impact of a world-wide ransomware infection, with an estimated bill of $193 billion.
Sure, it's a bit of scaremongering. But I can't help but wonder how far WannaCry would have gotten without the kill switch, and how far new strains could go.
zdnet.com


Business Payroll Compromise – a new way for criminals to steal from your company

It's not that new or groundbreaking, but it's good to know it happens.
You might know 'whaling', where an attacker acts like the CEO and e-mails an employee asking for a wire transfer.
This one is a bit different: the attacker acts like a regular employee and asks HR to change their account information. That way they receive the impersonated employee's salary. Just like whaling, which has already cost a total of over $12 billion, it's cheap and easy to execute.
bitdefender.com


Designing security for Billions by Facebook

All other horrible Facebook news aside, this is an interesting post on how they handle security in their company. The post describes their layered approach, involving secure frameworks, automated testing, human testing and reviews, and a bug bounty program.
fb.com


The evolution of Darknets

Very interesting set of excerpts on how commerce on Darknet marketplaces is evolving to stay ahead of law enforcement. The full article is worth a read too.
schneier.com


Sponsorships

1Password for Teams and Business

As always I'm extremely grateful to 1Password for supporting the newsletter. If you have passwords or secure notes to share with your colleagues, I highly recommend you give them a try.
1password.com