Breaches and leaks
- Jackson County, Georgia had a ransomware infection and ended up paying $400,000 to the attackers to get their files back. It was cheaper than rebuilding from the ground up.
- Three Asian game makers were hacked and backdoors were placed into their games. Interesting read. This article goes into some more technical detail.
- An unsecured Elasticsearch database was found containing 33 million profiles of Chinese jobseekers, with detailed personal information including phones, addresses and salary history: link.
- I saved by far the creepiest for last: an unsecured database containing profiles on 1.8 million Chinese women was found, with very detailed personal information like GPS coordinates, "hasVideos" and a field called "BreedReady": link.
The attackers got away with, according to some reports, several terabytes of business data. Citrix products themselves are said to be safe. It's also said that the attackers are an Iranian state-backed group called Iridium. It's all a bit sketchy at this point, not least because of the involvement of a little-known security company called Resecurity, as this Hacker News thread also points out.
Very interesting read with a lot of details on how the Marriott hack went down. For reference: this was the hack of the Marriott hotel chain that impacted >380 million people, including millions of passport numbers and credit cards.
It's not really a bug or a leak, more of a "heads-up". Lots of companies use custom share links, like "company.app.box.com/customthing", and it turns out those are really easy to enumerate with some time and a large wordlist. Many sensitive documents were found, with personal information, passwords, network diagrams and more. Box announced several improvements to prevent this issue in the future.
The Swiss have recently opened up their e-voting code for review. So far at least one serious problem was found, which would allow insiders to manipulate votes without anyone knowing. All in all, the researchers don't seem impressed with the system.
Some more e-voting news. This seems like a worthy effort, building on DARPA's secure hardware designs and opening it up to universities and DefCon hackers for scrutiny. But they admit that even they can't solve the full scope of the problem. Reminds me of this very on-point XKCD comic.
This is great news. Yes, text-based 2FA is better than no 2FA, but it's better to rely on authenticator apps or, preferably in my opinion, Yubikey-like solutions.
It's been a running experiment for some time, but they are now bringing it into full daylight. It's available on send.firefox.com. An Android app will soon be coming too. It looks clean, simple, and because it's from Mozilla I actually trust it. Awesome stuff.
This just seems like a great initiative, using cartoons to teach kids lessons like asking permission of people before you share their pictures and talking to a grown-up when you see something that makes you worried.
This is one of the earliest curated newsletters I subscribed to, written by the awesome Mike Julian. Who, as it happens, also announced this week that he's joining forces with the awesome Corey Quinn (from Last Week in AWS). Awesomeness all around!