News
Breaches and leaks
- SBI: India's biggest bank had an unsecured database showing detailed financial information of millions of customers.
- Rubrik: a large data security company had, ironically, an unsecured Elasticsearch instance with customer information.
- Huddle House: US-based restaurant chain, had its POS system compromised and credit card data leaked.
- Houzz: interior decoration website, had user data including hashed passwords leaked.
- Jack'd: dating app, exposes all of its users' private pictures.
- Visma: large Norwegian-based cloud provider, suffered a large hack back in August of last year, reportedly by the Chinese backed APT10.
- There are now a total of 5 large Collection data dumps available, with a total of over 900GB of records. It's unclear right now how much of these are new, they are still being analysed: link
- A data dump of 175GB containing documents belonging to the Russian governement has been published online: link
- Australian governement: had a "security incident" affecting everyone with a Parliament House email address. Not a lot of details available.
- Eskom: largest energy supplier in South Africa, was breached both through a malware infection and an unsecured server.
- An employee at a Chinese bank found a loophole in their ATM system that allowed him to withdraw about $1 million over the course of a year: link
- Basecamp: More of a positive story really, which is refreshing. They defended succesfully against a credential stuffing attack by blocking IP's and enabling CAPTCHA's. They then reset the passwords of the 124 account that were breached.
Apple releases fix for group FaceTime bug
It's in iOS 12.1.4, which also fixes two zero-days that are actively being exploited. The FaceTime bug is also fixed in MacOS. Update 'em if you got 'em.
Crypto exchange can't access funds after founder dies with password
To try and keep the crypto assets secure, only the founder had the password for the cold storage. About $190 million is now stuck in limbo.
Chrome to display warnings about similar or lookalike URLs
This would be a great anti-phishing feature. It's currently being experimented with in the Canary build of Chrome 74.
Firefox will soon warn users of third-party software that performs MitM attacks
More good browser news. Although this kinda falls into the category of "how was this not a thing yet?".
Opening this image file grants hackers access to your Android phone
If you're running Android you might want to install the February security updates asap. There's an exploit where simply opening a malicious .png file can compromise you. There's no attacks seen yet, but I can't image it'll take long.
New macOS zero-day allows theft of user passwords
A malicious app, even without admin privileges, can get access to passwords stored inside Keychain. However, the security researcher refuses to share details of the exploit with Apple because they don't provide a bug bounty program for MacOS.
Google introduces Adiantum, storage encryption for low-end Android devices
I keep pronouncing it "Adamantium", and now you will too. Seriously Google, if you're naming security things, why not go with Wolverine nomenclature instead of with what's apparently a type of fern.
Anyway. The fern allows lower-end Android devices to also start using device encryption. They currently can't because they don't have the computing power or hardware support for it.
Google launches Chrome extension to detect compromised credentials
It will warn you when you log into a site with credentials that are known to be leaked. They say it does this without revealing personal details to Google.
Using Gmail "dot addresses" to commit fraud
It's been known for a while that Gmail's "dot addresses" feature leads to some interesting attacks, like Netflix phishing where you're asked to update someone else's credit card info. This post shows a few more uses that have been seen, like submitting credit card applications and filing false tax returns.
Security researcher assaulted following vulnerability disclosure
The headline sounds a bit sensationalist, but it's an interesting read and a very unfortunate example of how not to react to vulnerability disclosure.
Sponsorships
1Password: a password manager worth recommending
After using 1Password Teams for several years, I finally moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from.