Issue 127

Breaches and leaks

  • An unsecured database was found containing detailed information on 80 million US households, including addresses, family members and income: link.
  • SkyMed: a company that deals in medical emergency evacuations had an unsecured Elasticsearch database with personal information of 137,000 people.
  • Ohio Catholic Church: two employee e-mail accounts were compromised and used to phish the church out of a whopping $1.75 million.
  • Cartoon Network: websites in 16 countries/regions have been hacked and made to show videos of Arabic memes and a male stripper.

Docker Hub hacked, data of 190,000 users exposed

Easily the biggest news item this week. They have reset passwords and revoked tokens where needed. Still, for something this vital in our software ecosystem, I'm annoyed by how vague their communication is. Also, the fact that they don't even offer 2FA has been an ongoing source of frustration for me. Hackernews discussion here.

Dell computers exposed to remote code execution

You're vulnerable if the attacker is on the same network as you. The culprit is SupportAssist, a pre-installed application (i.e. bloatware). It was discovered last year by a 17-year-old security researcher, and documented here.

Vulnerable Confluence servers getting infected

If you have a Confluence server, make sure it's up to date. A recent vulnerability opens it to remote code execution, and it's actively being abused.

Serious flaw in WordPress plugin WooCommerce Checkout Manager

It allows uploading and executing arbitrary files, so, pretty bad. About 60,000 websites are still vulnerable.

Faking the address bar on mobile for easier phishing

The article explains an interesting attack where the website uses CSS to show an address bar that isn't the actual address bar. It works on Chrome for mobile, both on iOS and Android. Hackernews discussion here.

Slack warns investors of a high risk of cyber-attacks impacting stock performance

Nothing groundbreaking, but interesting nonetheless. In preparation for going public, Slack clearly lays out that cyber-attacks, especially by nation-state actors, are one of the primary risks to them as a company.

US Government halves deadline for applying critical patches to 15 days

Still slow by some standards, but definitely a move in the right direction. It can't be easy to coordinate in government-level organisations.

Calling for a Civilian Cyber Corps

Interesting article discussing the possibility of a (US, in this case) civilian cyber corps, kind of like the volunteer fire department and other civilian support initiatives. It also discusses crowdsourcing the detection of disinformation. There sure are challenges with this approach, but I do like the general concept.

Google adds option to auto-delete search and location history data

Maybe more privacy than security, but interesting enough (and related to GDPR). Google will be rolling this out over the next few weeks. You'll get the option to auto-delete after 3 or 18 months.

So you want to be a pentester?

A long read, but if you want a ton of resources and guidance in one place, this is a great post to go to.

1Password: awesome UX and support

If you're not using a password manager yet, please start using one.
And if you are, but it's not 1Password, I'd recommend taking a look at what they offer. I've moved over to them because the UX is just so much better than where I came from. Despite my fears, the entire migration took less than 10 minutes and worked flawlessly.