News
Breaches and leaks
- India: an unsecured MongoDB instance was found, holding medical data on no less than 7 million pregnant women. It took a month between disclosure and it being closed up. Ffs.
- Earl Enterprise: owner of restaurant chains like Buca di Beppo, Earl of Sandwich, Planet Hollywood. Their point-of-sale systems were infected, compromising about 2 million credit cards.
- Georgia Tech: a vulnerability in a web application gave an attacker access to personal data of 1.3 million people.
- Toyota: their systems were compromised, with 3.1 million customers potentially impacted. Kudos for disclosing without being certain that something bad happened.
Over 540 million Facebook records found on exposed AWS servers
Worthy of its own item. That's two weeks in a row, Facebook. Despite the headline, the number of affected users is estimated to be 'only' in the tens of millions. It wasn't a leak with Facebook itself, but with a third-party. Still, it's Facebook's problem too. Amazon is also not in the clear by the way, as they didn't take the database down when the third party wouldn't respond.
Facebook demanding the passwords of some new users
Ow, hello again Facebook! Attention hog much? As with the passwords-in-plaintext fiasco of last week, having thousands of engineers, you'd think there would be at least one of them going "Hey, do we really want to do this?".
Backdoor code found in popular Bootstrap-Sass Ruby library
It seems that a developer's account on Rubygems was compromised, and an attacker uploaded a malicious version that allowed for remote code execution. The backdoored version was downloaded 1470 times before being taken down.
Apache privilege escalation bug
This is especially impactful in a shared hosting environment, as it allows users with limited privileges to climb up to root. Patch em if you got 'em.
Researcher publishes Google Chrome exploit, not fixed in latest update
Not great to have it out in the open already, but the researcher is trying to make a point. Due to the nature of open-source, people can see security fixes coming in to the early builds of Chrome, but it takes a while before it makes it to the stable product. This gives them a small time window to exploit the vulnerability. It's certainly a good point.
The exploit itself needs a sandbox breakout though before being ready for abuse, although it can always be chained with one.
Women are only 24% of the infosec workforce. Now go follow them on Twitter.
The article explains why its a hard thing to measure. There seems to be progress, especially in leadership roles. At the end is an awesome list of Twitter accounts to follow, check it out!
Researcher prints 'PWNED!' on hundreds of GPS watches' maps
The researcher got frustrated with the vendor ignoring him for over a year, so he wanted to draw some attention :-) Folks, when someone tries to disclose a vulnerability to you, it's best to not ignore them.
Elizabeth Warren wants jail time for CEOs in Equifax-style breaches
That's one way to make sure you get a proper security budget. It's not what you think though, this law would only count for proven criminal activity, and then only if negligence by the CEO can be proven. Having a data breach isn't a criminal act yet.
Cloudflare introduces Warp VPN
Cloudflare is one of those few companies I actually still trust. Having them go into the VPN business feels like a good thing. You can't use it yet, they're not ready, but you can add yourself to the waiting list.
Personal project: cveapi.com
A project of me own :-) When writing a tool at work I couldn't find an API that exposed the information on CVE vulnerabilities I needed, so I made one myself. Feel free to check it out!
Sponsorships
1Password: awesome UX and support
If you're not using a password manager yet, please start using one.
And if you are, but it's not 1Password, I'd recommend taking a look at what they offer. I've moved over to them because the UX is just so much better than where I came from. Despite my fears, the entire migration took less than 10 minutes and worked flawlessly.