Issue 119

Breaches and leaks

  • China: No less than 18 unsecured MongoDB instances were found, showing private conversations, file exchanges and location data of 364 million social media profiles.
  • Google has temporarily disabled Android TV photo sharing after a bug gave a user access to a long list of other people's pictures.
  • Verifications.io: an "email verification" service exposed a MongoDB database with a whopping 800 million e-mail addresses.
  • Comcast: several people had their phone numbers transferred by identity thieves, who apparently only needed the phone number and a PIN that defaulted to "0000".


Google: Chrome zero-day was used together with a Windows 7 zero-day

If you're using Chrome, especially if you're on Windows 7, you'll want to restart the browser to pull in the latest update. Attacks have been seen in the wild where a vulnerability in Chrome, combined with a vulnerability in Windows 7, gives remote code execution simply by visiting a website.
zdnet.com


W3C approves WebAuthn as the web standard for password-free logins

It's been a long time coming, but now it's official. If you want a refresher on what WebAuthn means, I can recommend this article.
venturebeat.com


Chronicle launches Backstory - security telemetry at scale

Chronicle is a part of Alphabet, Google's parent company. It launched what it loosely describes as "Google Photos but for network security", as in: you toss a heap of (network) data in it, and it will structure, tag and analyse it, after which you can query it for things like "Are any of my computers sending data to Russia?".
forbes.com


NSA releases Ghidra, a (soon) open-source reverse-engineering tool

I don't know the first thing about proper reverse engineering, but it's a cool move and got a lot of people excited. This Hacker News thread has some nice discussions on it. If you want to see what a tool like this looks like, check the "Getting Started" video from the 4-minute mark onwards.
ghidra-sre.org


Teen becomes first hacker to earn $1M through bug bounties

The 19-year-old Santiago has reported over 1600 security flaws so far, and made a very nice living out of it. He started when he was 16 and was inspired by the movie Hackers :-)
digit.fyi


What I learned about security from calling 35 contact centers

An interesting post on how various phone support desks try to authenticate you. If your company runs a contact center like this it's worth getting it right.
twilio.com


Identifying Cobalt Strike team servers in the wild

This is a fun one. Cobalt Strike is a platform that helps Red Teams and pentesters attack their targets. But, naturally, it's also (ab)used by malicious parties. Until recently there was a bug where Cobalt Strike would append a whitespace character at the end of each HTTP response. By scanning the web for this stray whitespace, Fox-IT was able to put together a list of malicious Cobalt Strike servers.
fox-it.com


Single-page applications (SPAs) need better auditing

An interesting post on the difficulties of pentesting single-page applications, and a proof-of-concept browser extension called SPAudit that tries to solve these issues.
sqreen.com


bitsadmin/wesng: Windows Exploit Suggester - Next Generation

This seems like a useful tool. It runs locally on Windows and shows all vulnerabilities your system might be subject to, with exploits when available.
github.com


Newsletter highlight: React Digest

In the same trend as last week's item, and by the same writer, this is a clean, minimal way of staying up to date on React.
reactdigest.net


Sponsorships

1Password: awesome UX and support

If you're not using a password manager yet, please start using one.
And if you are, but it's not 1Password, I'd recommend taking a look at what they offer. I've moved over to them because the UX is just so much better than where I came from. Despite my fears, the entire migration took less than 10 minutes and worked flawlessly.
1password.com