News
Breaches and leaks
- Jackson County, Georgia: had a ransomware infection and ended up paying $400.000 to the attackers to get their files back. It was cheaper than rebuilding from the ground up.
- Three Asian game makers were hacked and backdoors were placed into their games. Interesting read. This article goes into some more technical detail.
- An unsecured Elasticsearch database was found containing 33 million profiles of Chinese jobseekers, with detailed personal information including phones, addresses and salary history: link.
- I saved by far the creepiest for last: an unsecured database containing profiles on 1.8 million Chinese women was found, with very detailed personal information like GPS coordinates, "hasVideos" and a field called "BreedReady": link.
Citrix breached through password spraying attack
The attackers got away with, according to some reports, several terabytes of business data. Citrix products themselves are said to be safe. It's also said that the attackers are an Iranian state-backed group called Iridium. It's all a bit sketchy at this point, not the least because of the involvement of a little-known security company called Resecurity, as this Hackernews thread also points out.
Marriott CEO shares post-mortem on last year's hack
Very interesting read with lot of details on how the Marriot hack went down. For reference: this was the hack of the Marriott hotel chain that impacted >380 million people, including millions of passport numbers and credit cards.
Misconfigured Box accounts leak terabytes of companies’ sensitive data
It's not really a bug or a leak, more of a "head's up". Lot's of companies use custom share links, like "company.app.box.com/customthing", and it turns out those are really easy to enumerate with some time and a large wordlist. Many sensitive documents were found, with personal information, passwords, network diagrams and more. Box announced several improvements to prevent this issue in the future.
Researchers find serious flaw in SwissVote election system
The Swiss have recently opened up their e-voting code for review. So far at least one serious problem was found, which would allow insiders to manipulate votes without anyone knowing. All in all, the researchers don't seem impressed with the system.
DARPA is building a $10M, open-source, secure voting system
Some more e-voting news. This seems like a worthy effort, building on DARPA's secure hardware designs and opening it up to universities and DefCon hackers for scrutiny. But they admit that even they can't solve the full scope of the problem. Reminds me of this very on-point XKCD comic.
Gsuite now allows you to disable SMS or voice codes for 2fa
This is great news. Yes, text-based 2fa is better than no 2fa, but it's better to rely on authenticator apps or, preferably in my opinion, Yubikey-like solutions.
Mozilla launches Firefox Send - free encrypted file transfers
It's been a running experiment for some time, but they are now bringing it into full daylight. It's available on send.firefox.com. An Android app will soon be coming too. It looks clean, simple, and because it's from Mozilla I actually trust it. Awesome stuff.
Online safety cartoons for young kids
This just seems like a great initiative, using cartoons to teach kids lessons like asking permission of people before you share their pictures and talk to a grown up when you see something that makes you worried.
Newsletter highlight: Monitoring Weekly
This is one of the earliest curated newsletters I subscribed to, written by the awesome Mike Julian. Who, as it happens, also announced this week that he's joining forces with the awesome Corey Quinn (from Last Week in AWS). Awesomeness all around!
Sponsorships
1Password for Teams and Business
We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.