Issue 115

Breaches and leaks

  • SBI: India's biggest bank had an unsecured database showing detailed financial information of millions of customers.
  • Rubrik: a large data security company had, ironically, an unsecured Elasticsearch instance with customer information.
  • Huddle House: US-based restaurant chain, had its POS system compromised and credit card data leaked.
  • Houzz: interior decoration website, had user data including hashed passwords leaked.
  • Jack'd: dating app, exposes all of its users' private pictures.
  • Visma: large Norwegian-based cloud provider, suffered a large hack back in August of last year, reportedly by the Chinese backed APT10.
  • There are now a total of 5 large Collection data dumps available, with a total of over 900GB of records. It's unclear right now how many of these are new; they are still being analysed: link
  • A data dump of 175GB containing documents belonging to the Russian government has been published online: link
  • Australian government: had a "security incident" affecting everyone with a Parliament House email address. Not a lot of details available.
  • Eskom: largest energy supplier in South Africa, was breached both through a malware infection and an unsecured server.
  • An employee at a Chinese bank found a loophole in their ATM system that allowed him to withdraw about $1 million over the course of a year: link
  • Basecamp: More of a positive story really, which is refreshing. They defended successfully against a credential stuffing attack by blocking IPs and enabling CAPTCHAs. They then reset the passwords of the 124 accounts that were breached.

Apple releases fix for group FaceTime bug

It's in iOS 12.1.4, which also fixes two zero-days that are actively being exploited. The FaceTime bug is also fixed in MacOS. Update 'em if you got 'em.

Crypto exchange can't access funds after founder dies with password

To try and keep the crypto assets secure, only the founder had the password for the cold storage. About $190 million is now stuck in limbo.

Chrome to display warnings about similar or lookalike URLs

This would be a great anti-phishing feature. It's currently being experimented with in the Canary build of Chrome 74.

Firefox will soon warn users of third-party software that performs MitM attacks

More good browser news. Although this kinda falls into the category of "how was this not a thing yet?".

Opening this image file grants hackers access to your Android phone

If you're running Android you might want to install the February security updates ASAP. There's an exploit where simply opening a malicious .png file can compromise you. No attacks have been seen yet, but I can't imagine it'll take long.

New macOS zero-day allows theft of user passwords

A malicious app, even without admin privileges, can get access to passwords stored inside Keychain. However, the security researcher refuses to share details of the exploit with Apple because they don't provide a bug bounty program for MacOS.

Google introduces Adiantum, storage encryption for low-end Android devices

I keep pronouncing it "Adamantium", and now you will too. Seriously, Google, if you're naming security things, why not go with Wolverine nomenclature instead of with what's apparently a type of fern. Anyway. The fern allows lower-end Android devices to also start using device encryption. They currently can't because they don't have the computing power or hardware support for it.

Google launches Chrome extension to detect compromised credentials

It will warn you when you log into a site with credentials that are known to be leaked. They say it does this without revealing personal details to Google.

Using Gmail "dot addresses" to commit fraud

It's been known for a while that Gmail's "dot addresses" feature leads to some interesting attacks, like Netflix phishing where you're asked to update someone else's credit card info. This post shows a few more uses that have been seen, like submitting credit card applications and filing false tax returns.
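As an added illustration (not code from the original post): the reason the attacks work is that Gmail delivers mail for `john.smith@gmail.com`, `j.ohnsmith@gmail.com` and `johnsmith+anything@googlemail.com` to the same mailbox, so a site that deduplicates sign-ups on the canonical form can spot many "different" accounts sharing one inbox. The domain set and sample addresses below are constructed for the example, and treating googlemail.com as an alias of gmail.com is an assumption.

```python
from collections import defaultdict

# Domains where Google ignores dots in the local part and strips "+tag".
# Assumption for this example: googlemail.com is an alias of gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address actually delivers to, for dedup purposes."""
    addr = address.strip().lower()  # Gmail is case-insensitive; other domains usually are too
    if addr.count("@") != 1:
        raise ValueError(f"not a simple address: {address!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]  # drop the "+tag" suffix
        local = local.replace(".", "")  # dots are ignored by Gmail
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Map each canonical mailbox to the distinct raw addresses that reach it."""
    groups = defaultdict(set)
    for raw in addresses:
        groups[canonical_email(raw)].add(raw)
    return dict(groups)


def suspicious_mailboxes(addresses, threshold=2):
    """Canonical mailboxes behind `threshold` or more distinct raw sign-up addresses."""
    return {mailbox: sorted(raws)
            for mailbox, raws in group_by_mailbox(addresses).items()
            if len(raws) >= threshold}


# Constructed sample: one person signing up for several "different" accounts.
SAMPLE_SIGNUPS = [
    "john.smith@gmail.com",
    "j.ohnsmith@gmail.com",
    "johnsmith+card2@googlemail.com",
    "JohnSmith@gmail.com",
    "jane.doe@example.org",  # non-Gmail: dots are significant, left alone
    "janedoe@example.org",
]

if __name__ == "__main__":
    for mailbox, raws in suspicious_mailboxes(SAMPLE_SIGNUPS).items():
        print(mailbox, "<-", raws)
```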

Security researcher assaulted following vulnerability disclosure

The headline sounds a bit sensationalist, but it's an interesting read and a very unfortunate example of how not to react to vulnerability disclosure.

Sponsorship slot available

One slot is taken by the amazing 1Password, but the other is currently available. If your company wants to support this newsletter and reach nearly 4000 security-minded people, hit reply and let me know :-)


1Password: a password manager worth recommending

After using 1Password Teams for several years, I finally moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from.