Breaches and leaks
- FEMA: exposed personal information of 2.3 million people by needlessly sharing it with a third-party contractor.
- Family Locator: an app where you can "share your location with your loved ones" had an unsecured MongoDB instance, showing plaintext passwords and the precise locations of over 238.000 people.
- Another consumer spyware vendor has left a database unsecured full of highly sensitive contents, including over 95.000 images and 25.000 phone recordings: link.
This made the news enough to warrant its own item. Between 200 and 600 million users had their passwords written to logs in plaintext. That's a really big no-no in security terms. This has been going on since 2012. Since then the logs were accessed by around 2000 engineers.
Dubbed "ShadowHammer", because why not. This is a nice example of a supply-chain attack. Attackers hijacked the Asus Live Update server, creating a backdoor in hundreds of thousands of Windows machines. Only about 600 machines were actively exploited though, which the malware selected based on MAC addresses. So it seems that this was in fact a targeted attack, although we don't know who the target was.
I think we can all agree that being able to hack someone to death is bad. The radio-based protocol that these devices use has no authentication or encryption. This, combined with a set of vulnerabilities, allowed researchers to take full control of the device and even rewrite the firmware.
They're making good progress, having most of their business units up and running again. Costs are estimated to be over $40 million, which is not that bad compared to Maersk's $300 million after NotPetya.
Two popular Wordpress plugins being exploited
If you are using the Social Warfare plugin or the Easy WP SMTP plugin, you'll want to update quickly. Both are being actively exploited.
Pwn2Own had another edition. It's a competition where hackers get to hack well-known software and get paid for it. The writeup above is for day one, there's also day two and day three.
Researchers demonstrated flaws in Safari, VMware Workstation, VirtualBox, Firefox, Edge and a Tesla. A total of $545.000 was paid to contestants, with no less than $375.000 (and the Tesla) going to the duo of Team Fluoroacetate.
That's pretty awesome. I like Windows Defender quite a bit, and it seems that they are now rolling it out to other platforms (and rebranding it to Microsoft Defender). Linux might even be next.
This is one for the facepalm department. There are two serious vulnerabilities in two Cisco routers, which are actively being exploited. The proof of concept code from the researchers who discovered the flaw used curl to make the requests. Cisco's "patch" consisted of... blocking the curl user-agent. Which can be trivially changed.
No actual fix is available yet.
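To make the point concrete, here is a small added illustration (my own code, not Cisco's and not the researchers' proof of concept) of why a check on a client-supplied header is not a fix: the same request passes as soon as the header changes, whereas a gate on server-issued session state does not care what the client calls itself. The header values and session token are constructed samples.

```python
# Added illustration: a User-Agent block versus a real authorization gate.
# A request is modelled as a plain dict of HTTP headers; each gate answers
# "may this request reach the vulnerable handler?".

from typing import Mapping, Tuple

BLOCKED_UA_PREFIX = "curl/"           # what a User-Agent "patch" keys on
VALID_SESSIONS = {"s3ss10n-t0k3n"}    # constructed stand-in for server-side session state


def ua_block_allows(headers: Mapping[str, str]) -> bool:
    """Weak mitigation: deny only if the client *says* it is curl."""
    ua = headers.get("User-Agent", "")
    return not ua.startswith(BLOCKED_UA_PREFIX)


def session_gate_allows(headers: Mapping[str, str]) -> bool:
    """Proper gate: require a server-issued session the client cannot invent."""
    cookie = headers.get("Cookie", "")
    pairs = (p.split("=", 1) for p in cookie.split("; ") if "=" in p)
    token = dict(pairs).get("session")
    return token in VALID_SESSIONS


def compare(headers: Mapping[str, str]) -> Tuple[bool, bool]:
    """Return (allowed by UA block, allowed by session gate) for one request."""
    return ua_block_allows(headers), session_gate_allows(headers)


# Constructed sample requests.
CURL_DEFAULT = {"User-Agent": "curl/7.64.0"}                      # blocked by the "patch"
CURL_RENAMED = {"User-Agent": "Mozilla/5.0"}                      # same client, header changed
LOGGED_IN = {"User-Agent": "Mozilla/5.0", "Cookie": "session=s3ss10n-t0k3n"}

if __name__ == "__main__":
    for name, req in [("curl default", CURL_DEFAULT),
                      ("curl renamed", CURL_RENAMED),
                      ("logged in", LOGGED_IN)]:
        ua_ok, sess_ok = compare(req)
        print(f"{name:12s} ua_block={ua_ok!s:5s} session_gate={sess_ok}")
```

Only the session gate distinguishes the unauthenticated requests from the legitimate one; the User-Agent block merely distinguishes honest clients from everyone else.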
Just a nice cautionary tale on why employee offboarding and 2FA are important things.
This isn't directly security related, but it's important enough that I wanted to include it. We have probably all heard something about the EU vote related to upload filters and link taxes. This article from the EFF describes pretty well what the next steps are.