Breaches and leaks
- India: an unsecured MongoDB instance was found, holding medical data on no fewer than 7 million pregnant women. It took a month between disclosure and it being closed up. Ffs.
- Earl Enterprise: owner of restaurant chains like Buca di Beppo, Earl of Sandwich, Planet Hollywood. Their point-of-sale systems were infected, compromising about 2 million credit cards.
- Georgia Tech: a vulnerability in a web application gave an attacker access to personal data of 1.3 million people.
- Toyota: their systems were compromised, with 3.1 million customers potentially impacted. Kudos for disclosing without being certain that something bad happened.
Worthy of its own item. That's two weeks in a row, Facebook. Despite the headline, the number of affected users is estimated to be 'only' in the tens of millions. It wasn't a leak with Facebook itself, but with a third party. Still, it's Facebook's problem too. Amazon is also not in the clear by the way, as they didn't take the database down when the third party wouldn't respond.
Ow, hello again Facebook! Attention hog much? As with the passwords-in-plaintext fiasco of last week, having thousands of engineers, you'd think there would be at least one of them going "Hey, do we really want to do this?".
It seems that a developer's account on Rubygems was compromised, and an attacker uploaded a malicious version that allowed for remote code execution. The backdoored version was downloaded 1470 times before being taken down.
This is especially impactful in a shared hosting environment, as it allows users with limited privileges to climb up to root. Patch 'em if you got 'em.
Not great to have it out in the open already, but the researcher is trying to make a point. Due to the nature of open source, people can see security fixes coming in to the early builds of Chrome, but it takes a while before they make it to the stable product. This gives attackers a small time window to exploit the vulnerability. It's certainly a good point.
The exploit itself needs a sandbox breakout though before being ready for abuse, although it can always be chained with one.
The article explains why it's a hard thing to measure. There seems to be progress, especially in leadership roles. At the end is an awesome list of Twitter accounts to follow, check it out!
The researcher got frustrated with the vendor ignoring him for over a year, so he wanted to draw some attention :-) Folks, when someone tries to disclose a vulnerability to you, it's best to not ignore them.
That's one way to make sure you get a proper security budget. It's not what you think though: this law would only apply to proven criminal activity, and then only if negligence by the CEO can be proven. Having a data breach isn't a criminal act yet.
Cloudflare is one of those few companies I actually still trust. Having them go into the VPN business feels like a good thing. You can't use it yet, they're not ready, but you can add yourself to the waiting list.
A project of me own :-) When writing a tool at work I couldn't find an API that exposed the information on CVE vulnerabilities I needed, so I made one myself. Feel free to check it out!