Breaches and leaks
- Dow Jones: their "watchlist" was leaked, with information on 2.4 million companies and individuals that are seen as "high-risk". The records were discovered in an unsecured Elasticsearch instance.
- Apex Human Capital: a payroll software provider, suffered a large ransomware attack that compromised both their live environment and their disaster recovery site. They ended up paying the ransom.
- SEDC: a cybersecurity company that provides services to over 250 utility companies, stores all their passwords in plain text, and e-mails them to forgetful customers. Maybe not a leak (yet), but my mind was blown enough that I wanted to share it anyway. They say they are fixing it now.
It boils down to: if you rent a bare-metal dedicated server, it might have previously been used by someone else, and they could have infected the firmware with nasty things. The only way around this issue is for the cloud vendor to fully re-flash the firmware between owners, which is presumably what they'll start doing now.
Some efforts have been made to patch it, but it seems like a hard problem. The only real mitigation seems to be to disable ports. Or at least don’t plug in stuff you don’t trust, including public USB-C chargers. Which seems like good security advice anyway.
All mining will stop on March 8. Considering how often they were used in cryptojacking attacks, I don’t think any security person will miss them. There are alternatives, of course, but it might provide some brief relief for previously compromised websites.
This means that apps and websites can let users use their phone's biometrics or unlock mechanisms to log in, instead of regular passwords.
New research says that an attacker can keep Service Workers running in the background, even after you leave the original website, and use them for all kinds of malice. It feels odd to me that they could be abused in such a seemingly obvious way. To be honest, I don't fully understand this yet, but it's good to keep an eye on.
Warrant canaries are a subtle way for companies to let you know that law enforcement asked them to do something they can't disclose. It's worth a refresher if you, like me, kind of forgot about the concept. Good Hacker News discussion here.
Mozilla is currently debating whether to allow DarkMatter as a root CA (Certificate Authority), which would mean that any TLS certificate they issue would be trusted by Firefox and several Linux distributions by default. But the company has previously been connected to state-sponsored hacking and surveillance, and as such (I hope) would be a big no-no as a trusted root CA.
The article gives a good short overview of the kind of power the Australian government holds now, with their anti-encryption laws being passed.
ETS is like TLS 1.3 but with weakened security. The standard is put forward by a group of banks, whose internal monitoring often depends on being able to decrypt traffic. The EFF encourages us to think of ETS as standing for "Extra Terrible Security", so let's do that :-)
It's a weekly e-mail with five links on things like architecture, databases, development processes and more. Very clean and minimal feel, just the way I like it.