Breaches and leaks
- An unsecured database was found containing detailed information on 80 million US households, including addresses, family members and income: link.
- SkyMed, a company that arranges medical emergency evacuations, left an Elasticsearch database unsecured, exposing personal information of 137,000 people.
- Ohio Catholic Church: two employee e-mail accounts were compromised and used to phish the church out of a whopping $1.75 million.
- Cartoon Network: websites in 16 countries/regions have been hacked and made to show videos of Arabic memes and a male stripper.
Easily the biggest news item this week. They have reset passwords and revoked tokens where needed. Still, for something this vital in our software ecosystem, I'm annoyed by how vague their communication is. Also, the fact that they don't even offer 2FA has been an ongoing source of frustration for me. Hacker News discussion here.
You're vulnerable if the attacker is on the same network as you. The culprit is SupportAssist, a pre-installed support application (i.e. bloatware). It was discovered last year by a 17-year-old security researcher and documented here.
If you have a Confluence server, make sure it's up to date. A recent vulnerability opens it to remote code execution, and it's actively being abused.
It allows an attacker to upload and execute arbitrary files, so it's pretty bad. About 60,000 websites are still vulnerable.
The article explains an interesting attack where the website uses CSS to draw an address bar that isn't the browser's actual address bar, so a phishing page can display whatever domain it likes. It works on Chrome for mobile, both on iOS and Android. Hacker News discussion here.
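To make the mechanics concrete, here is a stripped-down reconstruction of the trick as an added illustration; it is not code from the linked article and not a real site. It relies on two behaviours: mobile Chrome hides its real address bar once the page is scrolled, and a page can then keep all further scrolling inside its own fixed container (so the real bar never comes back) while pinning a CSS-drawn fake bar where the real one used to be. The domain shown, the styling and the 40-pixel scroll threshold are all made up for the demo.

```html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Fake address bar demo (constructed example)</title>
<style>
  html, body { margin: 0; }
  /* Page taller than the viewport, so mobile Chrome hides its real bar on the first scroll. */
  body { min-height: 200vh; font: 16px sans-serif; }
  /* The "scroll jail": a fixed, full-viewport container. Once shown, every further
     scroll happens inside it, never on the document, so the real bar stays hidden. */
  #jail { position: fixed; top: 0; right: 0; bottom: 0; left: 0;
          overflow-y: auto; background: #fff; display: none; }
  /* The fake bar: nothing but CSS styled to resemble browser chrome. */
  #fakebar { position: sticky; top: 0; height: 56px; display: flex; align-items: center;
             padding: 0 12px; background: #f2f2f2; border-bottom: 1px solid #ccc; }
  #fakebar .lock { color: #188038; margin-right: 8px; }
  .content { padding: 16px; }
</style>
</head>
<body>
<div class="content">Scroll down to read more...</div>

<div id="jail">
  <!-- "bank.example" is drawn by the page, not by the browser. -->
  <div id="fakebar"><span class="lock">&#128274;</span> bank.example</div>
  <div class="content">
    <p>This text sits under a fake address bar rendered by the page itself.</p>
    <p style="height: 300vh">(long filler so the jail keeps scrolling)</p>
  </div>
</div>

<script>
  // Assumption for the demo: after 40px of document scroll the real bar has slid away.
  // At that point switch to the jail, so subsequent scrolls cannot bring the bar back.
  window.addEventListener('scroll', function onScroll() {
    if (window.scrollY > 40) {
      document.getElementById('jail').style.display = 'block';
      window.removeEventListener('scroll', onScroll);
    }
  }, { passive: true });
</script>
</body>
</html>
```

The practical check is that a fake bar is inert: tapping a real address bar opens the omnibox for editing, while the CSS one does nothing, and switching tabs or reloading redraws the real chrome. That is a weak defence to ask of users, which is the point of the article.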
Nothing groundbreaking, but interesting nonetheless. In preparation for going public, Slack clearly lays out that cyber attacks, especially by nation-state actors, are one of the primary risks to them as a company.
Still slow by some standards, but definitely a move in the right direction. Can't be easy to coordinate in government-level organisations.
Interesting article discussing the possibility of a (US, in this case) civilian cyber corps, kind of like the volunteer fire department and other civilian support initiatives. It also discusses crowdsourcing the detection of disinformation. There sure are challenges with this approach, but I do like the general concept.
Maybe more privacy than security, but interesting enough (and related to GDPR). Google will be rolling this out over the next few weeks. You'll get the option to auto-delete after 3 or 18 months.
A long read, but if you want a ton of resources and guidance in one place, this is a great post to go to.