Issue 118

Breaches and leaks

  • Dow Jones: their "watchlist" was leaked, with information on 2.4 million companies and individuals that are seen as "high-risk". The records were discovered in an unsecured Elasticsearch instance.
  • Apex Human Capital: a payroll software provider, suffered a large ransomware attack that compromised both their live environment and their disaster recovery site. They ended up paying the ransom.
  • SEDC: a cybersecurity company that provides services to over 250 utility companies, stores all their passwords in plain text, and e-mails them to forgetful customers. Maybe not a leak (yet), but my mind was blown enough that I wanted to share it anyway. They say they are fixing it now.

Cloudborne: putting backdoors in bare-metal cloud servers

It boils down to: if you rent a bare-metal dedicated server, it might have previously been used by someone else. And they could have infected the firmware with nasty things. The only way around this issue is for the cloud vendor to fully flash the firmware between owners, which is presumably what they’ll start doing now.

Thunderclap: getting full access via the Thunderbolt port

Some efforts have been made to patch it, but it seems like a hard problem. The only real mitigation seems to be to disable ports. Or at least don’t plug in stuff you don’t trust, including public USB-C chargers. Which seems like good security advice anyway.

Coinhive cryptojacking service to shut down in March 2019

All mining will stop on March 8. Considering how often they were used in cryptojacking attacks, I don’t think any security person will miss them. There are alternatives, of course, but it might provide some brief relief for previously compromised websites.

Google certifies all devices with Android 7 and above for FIDO2

This means that apps and websites can let users use their phone's biometrics or unlock mechanisms to log in, instead of regular passwords.

Marionet: letting browsers run code even after they leave your website

New research says that an attacker can let Service Workers run in the background, even after you leave the original website, and use them for all kinds of malice. Although it feels odd to me that they could be abused in such a seemingly obvious way. To be honest, I don't fully understand this yet, but it's good to keep an eye on.

Cloudflare expands its government warrant canaries

Warrent canaries are a subtle way for companies to let you know that law enforcement asked them to do something they can’t disclose. It’s worth a refresher if you, like me, kind of forgot about the concept. Good Hackernews discussion here.

CyberSecurity firm DarkMatter requests to be a trusted root CA

Mozilla is currently debating whether to allow DarkMatter as a root CA (Certificate Authority), which would mean that any TLS certificate they create would be trusted by Firefox and several Linux distributions by default. But the company has been previously connected to state-sponsored hacking and surveillance, and as such (hopefully, in my mind) would be a big no-no as a trusted root CA.

Mozilla fears encryption law could turn its employees into insider threats

The article gives a good short overview of the kind of power the Australian government holds now, with their anti-encryption laws being passed.

ETS isn't TLS and you shouldn't use it

ETS is like TLS 1.3 but with weakened security. The standard is brought forth by a group of banks, whom's internal monitoring often depends on being able to decrypt traffic. The EFF encourages us to think of ETS as standing for "Extra Terrible Security", so let's do that :-)

Newsletter highlight: Programming Digest

It's a weekly e-mail with five links on things like architecture, databases, development processes and more. Very clean and minimal feel, just the way I like it.


1Password: a password manager worth recommending

After using 1Password Teams for several years, I finally moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from.