Breaches and leaks
- SBI: India's biggest bank had an unsecured database showing detailed financial information of millions of customers.
- Rubrik: a large data security company had, ironically, an unsecured Elasticsearch instance with customer information.
- Huddle House: US-based restaurant chain, had its POS system compromised and credit card data leaked.
- Houzz: interior decoration website, had user data including hashed passwords leaked.
- Jack'd: dating app, exposes all of its users' private pictures.
- Visma: large Norwegian-based cloud provider, suffered a large hack back in August of last year, reportedly by the Chinese-backed APT10.
- There are now a total of 5 large Collection data dumps available, with a total of over 900GB of records. It's unclear right now how much of this is new; the dumps are still being analysed: link
- A data dump of 175GB containing documents belonging to the Russian government has been published online: link
- Australian government: had a "security incident" affecting everyone with a Parliament House email address. Not a lot of details available.
- Eskom: largest energy supplier in South Africa, was breached both through a malware infection and an unsecured server.
- An employee at a Chinese bank found a loophole in their ATM system that allowed him to withdraw about $1 million over the course of a year: link
- Basecamp: More of a positive story really, which is refreshing. They successfully defended against a credential stuffing attack by blocking IPs and enabling CAPTCHAs. They then reset the passwords of the 124 accounts that were breached.
It's in iOS 12.1.4, which also fixes two zero-days that are actively being exploited. The FaceTime bug is also fixed in macOS. Update 'em if you got 'em.
To try and keep the crypto assets secure, only the founder had the password for the cold storage. About $190 million is now stuck in limbo.
This would be a great anti-phishing feature. It's currently being experimented with in the Canary build of Chrome 74.
More good browser news. Although this kinda falls into the category of "how was this not a thing yet?".
If you're running Android you might want to install the February security updates asap. There's an exploit where simply opening a malicious .png file can compromise you. There are no attacks seen yet, but I can't imagine it'll take long.
A malicious app, even without admin privileges, can get access to passwords stored inside Keychain. However, the security researcher refuses to share details of the exploit with Apple because they don't provide a bug bounty program for macOS.
I keep pronouncing it "Adamantium", and now you will too. Seriously Google, if you're naming security things, why not go with Wolverine nomenclature instead of with what's apparently a type of fern.
Anyway. The fern allows lower-end Android devices to also start using device encryption. They currently can't because they don't have the computing power or hardware support for it.
It will warn you when you log into a site with credentials that are known to be leaked. They say it does this without revealing personal details to Google.
It's been known for a while that Gmail's "dot addresses" feature leads to some interesting attacks, like Netflix phishing where you're asked to update someone else's credit card info. This post shows a few more uses that have been seen, like submitting credit card applications and filing false tax returns.
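A defensive check for the dot-address problem described above, as an added example that is not from the linked post: a service can compare signups by the mailbox they actually reach, so that dotted variants of one Gmail address are flagged as the same recipient. The function names, account ids and addresses are constructed for illustration, and treating googlemail.com as the same mailbox domain goes slightly beyond the dot case in the text.

```python
from collections import defaultdict

# Domains whose mailboxes ignore dots in the local part. gmail.com is the
# case the text describes; googlemail.com is Google's alias for the same
# mailboxes (an addition beyond what the text mentions).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Return the mailbox an address is delivered to. Use for comparison
    only; keep sending mail to the address exactly as the user typed it."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty local part: {address!r}")
    return f"{local}@{domain}"


def find_shared_mailboxes(accounts):
    """Group (account_id, email) pairs whose different login emails end up
    in one mailbox. Only groups with more than one account are returned."""
    groups = defaultdict(list)
    for account_id, email in accounts:
        groups[canonical_mailbox(email)].append(account_id)
    return {box: ids for box, ids in groups.items() if len(ids) > 1}


# Constructed sample data: three spellings of one Gmail mailbox, plus two
# addresses at a domain where dots are significant and must not be merged.
SAMPLE_ACCOUNTS = [
    (101, "jane.doe@gmail.com"),
    (102, "janedoe@gmail.com"),
    (103, "J.a.n.e.Doe@googlemail.com"),
    (104, "jane.doe@example.org"),
    (105, "janedoe@example.org"),
]

if __name__ == "__main__":
    for box, ids in find_shared_mailboxes(SAMPLE_ACCOUNTS).items():
        print(f"{box} is shared by accounts {ids}")
```

Accounts flagged this way are candidates for extra verification before billing or account-change emails go out, since the mailbox owner may not be the person who registered.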
The headline sounds a bit sensationalist, but it's an interesting read and a very unfortunate example of how not to react to vulnerability disclosure.