Breaches and leaks
Personal note: I feel like this section is becoming too overwhelming. My aim with this newsletter is to digest news, not flood you with it.
I'm going to curate these more strictly, like I do with the other articles. So know that this isn't an exhaustive list of this week's breaches, but rather a selection.
- Xinjiang region, China: An unsecured MongoDB instance exposed real-time location-tracking data on the region's Muslim population. Ffs.
- VFEmail: An email provider. The attackers simply wiped everything, backups included; all mail belonging to US-based customers is gone.
- A collection of 620 million credentials is being sold, with databases from 500px (with MD5-hashed passwords), MyFitnessPal, DataCamp, and many more. The same seller also offers a second collection of 127 million records.
- Bank of Valletta (Malta): attackers got in and wired out €13 million.
The vulnerability (CVE-2019-5736) sits in runc, the low-level runtime that actually spawns and runs containers for Docker and for most Kubernetes setups. A malicious image, or an attacker who has already compromised a container, can overwrite the host's runc binary and gain root on the host, which also gives them access to every other container running there. It's definitely bad enough that you want to update your container infrastructure; Docker 18.09.2 ships the fix. This Hacker News thread has links to the AWS and Google Cloud advisories, among others.
It's a local privilege escalation: not remotely exploitable, but once an attacker has a foothold on the machine they can use it to create root-level accounts. The vulnerability (CVE-2019-7304, nicknamed "dirty_sock") sits in snapd, the package management daemon primarily used on Ubuntu; its local REST API worked out the caller's UID from the peer's socket address, which a local user could forge to pass as root. A proof-of-concept is already public, so update when you can; snapd 2.37.1 has the fix.
The Bluetooth link between the app and the Xiaomi M365 scooter does not authenticate the sender, so anyone within Bluetooth range can send commands that brake or accelerate it, or push a malicious firmware update. Good stuff Xiaomi.
Fuzzing is a testing method that throws large numbers of malformed or random inputs at a program to trigger bugs, crashes and security problems. Google built ClusterFuzz to do this at massive scale; it has found more than 16,000 bugs in Chrome alone. They previously made it available to 160 open source projects (through OSS-Fuzz) and found 11,000 bugs there too, and now they've open-sourced it for anyone to run.
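To show what a mutation fuzzer actually does, here is a tiny one in Python. This is an added example written for this note, not ClusterFuzz code or anything from Google; the record format, the deliberately buggy parser, its fixed version and the seed input are all constructed for the illustration. It mutates a valid input, treats clean rejections (ValueError) as handled, records any other exception as a crash, and confirms the hardened parser no longer crashes.

```python
import random

MAGIC = b"REC1"   # constructed format: magic, 1-byte length, payload, 1-byte checksum


def parse_record(data: bytes) -> dict:
    """Deliberately buggy target (constructed for this example)."""
    if len(data) < 6 or data[:4] != MAGIC:
        raise ValueError("bad header")          # clean rejection, not a bug
    n = data[4]
    payload = data[5:5 + n]
    # BUG: trusts the declared length. If n claims more bytes than are present,
    # the checksum index runs past the buffer and raises IndexError.
    checksum = data[5 + n]
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")        # clean rejection, not a bug
    return {"length": n, "payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Same parser with the length field validated before it is trusted."""
    if len(data) < 6 or data[:4] != MAGIC:
        raise ValueError("bad header")
    n = data[4]
    if len(data) != 6 + n:                      # exact size check closes the bug
        raise ValueError("length field does not match record size")
    payload = data[5:5 + n]
    if sum(payload) % 256 != data[5 + n]:
        raise ValueError("bad checksum")
    return {"length": n, "payload": payload}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, byte delete or byte insert."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Mutation fuzzer. ValueError means the target rejected the input cleanly;
    any other exception is a finding, stored with the first input that caused it.
    Inputs the target accepts join the corpus so later mutations build on them."""
    rng = random.Random(rng_seed)               # fixed seed keeps runs reproducible
    corpus = list(seeds)
    crashes = {}                                # exception name -> crashing input
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:                # anything unexpected is a finding
            crashes.setdefault(type(exc).__name__, candidate)
            continue
        corpus.append(candidate)
    return crashes


# Constructed seed: one valid record with payload b"abc" and a correct checksum.
SEED = MAGIC + bytes([3]) + b"abc" + bytes([sum(b"abc") % 256])


if __name__ == "__main__":
    for name, fn in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        found = fuzz(fn, [SEED])
        print(f"{name}: {len(found)} distinct crash type(s)")
        for exc_name, crashing_input in found.items():
            print(f"  {exc_name} on {crashing_input!r}")
```

The buggy parser falls within a few dozen iterations (deleting any payload or checksum byte already pushes the checksum index off the end); the fixed one survives the same run, which is the workflow ClusterFuzz automates at scale: find, minimise, reproduce, then re-run after the patch.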
Fascinating and scary. Russia wants to make sure it can survive a large-scale cyberattack by falling back to a Russia-only "intranet", and seemingly also wants to trial more extensive filtering and censorship capabilities, since the test involves routing all traffic through points controlled by Russia's national telecom regulator.
Air gapping is a great way to isolate a system from external threats (though not foolproof, as Stuxnet showed), but it obviously makes the isolated system far less useful. DARPA is asking for ideas on how to get the security benefits of an air gap without the actual isolation. Interesting conundrum for sure.
Just in case you needed a good facepalming today.
Fellow curator Pek sends an email every single day with links to long-form articles that take a deep dive into all fields of programming. If you take software engineering seriously, it's definitely worth a look and a subscribe.