Personal note - over 5000 subscribers!
\o/ This was a huge milestone for me. I’m over the moon on this, and also quite proud if i'm honest. Thank you for reading this newsletter, and for your kindness when sharing feedback. I hope to provide this service to you for a long long time.
Breaches and leaks
- Citycomp: provides internet infrastructure to large brands like Airbus, Volkswagen, Oracle and others. The attackers claim to have over 500GB of financial and private data, and are asking CityComp for a ransom.
- Binance: the crypto exchange was breached, and attackers got away with over $40 million in Bitcoins.
- Freedom Mobile: large Canadian telco provider, had an unsecured database containing personal information, credit card numbers and subscription details of (their estimate) 15.000 customers.
- PrismWeb: e-commerce software was hijacked by Magecart credit card stealing malware, impacting over 200 college campus stores.
- BurgerKing: had an unsecured Elasticsearch containing personal information of 37.000 customers of their Kool King Shop product, an online shop tailored to be used by kids.
Well, that ain't good. Although from what I find it's not quite as horrible as it sounds. You can't just get into any Alpine container out of the box. Instead, it needs an exposed service that uses the shadow file (where Linux user passwords are stored) as an authentication base. Maybe SSH in certain configurations? Warrants a deeper dive if you run Alpine. Hackernews discussion here.
Several hundreds of repositories in Github, Bitbucket and Gitlab were being 'wiped' and replaced with a ransom note. The attacker got access through credentials retrieved from exposed /.git/config files.
However, since it's Git, I doubt anyone actually lost anything? For one, you probably have a copy somewhere locally. If not, this seems to be the way to roll back what the attacker did.
This must have been painful for Mozilla engineers :-/ An intermediate certificate expired causing all Firefox extensions to stop working. More from Mozilla themselves in this blogpost.
There's also good news on the Firefox add-on front. Most malicious extensions have obfuscated code in them, and they will now be blocked. There will be a soft block and a hard block, with soft meaning that the user can override the sanction and use the extension anyway. Chrome has this feature too, since October last year.
Most important of which are cryptographically-signed updates to prevent supply-chain attacks and a new crypto library.
New Android versions will have several security improvements, including certain core modules that can receive updates without having to reboot the device, support for TLS3, MAC address randomization, and increased control over location data.
It seems like a technology that bundles up a website for delivery, keeping everything intact like HTTPS, but can be delivered through anyone else instead of through the origin server. Sounds promising for privacy and against censorship. It works only in Chrome Canary right now, and non-Chromium browsers seem to be against the idea. I can image there being quite a few implications in this that I'm not grasping yet.
There's a lot to say on the subject, but this article focuses mostly on the EU’s commitment of €1 million in bug bounties for open source software. The writers (quite rightfully in my view) lament the fact that that money might be better served supporting the actual maintainers of the software. Since most are already overworked, handing them a bunch of security bugs to fix, while noble, might hurt them more than help.