Issue 133

Personal note - back in action

After spending a full week of facetime with my awesome colleagues in Portland, I am now back in Europe and thoroughly jetlagged. Hopefully that's not too obvious in this issue ;-) Normal service should resume from now on. Thanks for bearing with me!

Breaches and leaks

  • Medical data of another 7.7 million people breached, at the same third-party vendor as the Quest Diagnostics breach of last week: link.
  • Tech Data, a large IT infrastructure provider, leaked 264GB of client and payment data through an unsecured log management server exposed to the Internet: link.
  • Cryptocurrency wallet GateHub hacked, nearly $10 million worth of Ripple stolen: link.
  • Asco, an airplane parts manufacturer, had to halt production in four countries due to a ransomware infection. Around 1000 employees had to be sent home for a week: link.

Windows 10 zero day publicly disclosed by Project Zero

Tavis Ormandy of Google's Project Zero disclosed a vulnerability in Windows' core cryptographic library: asking it to validate a maliciously crafted certificate makes the parsing routine hang, and depending on which process did the parsing that means a hung service or a reboot. It is denial of service rather than code execution, but any service that parses certificates from untrusted sources (mail, TLS, signed files) is a target, so it is a reasonable DoS vector. There's controversy around the public disclosure, as we've seen before: Microsoft asked for more time to fix it, but Tavis kept to the standard 90-day deadline.

Windows 10 zero-day details published on GitHub

This is another Windows zero day, this time a local privilege escalation. It bypasses the fix for a previously patched bug and was once again dropped publicly, without coordinated disclosure, by the researcher known as SandboxEscaper.

Millions of Exim mail servers are currently being attacked

A critical remote code execution flaw was disclosed last week in the mail server software Exim; it affects versions 4.87 through 4.91 and is fixed in 4.92. If you run one of those, patch ASAP, and check the running version rather than assuming your distribution has backported the fix. Active attacks against unpatched servers are already underway, and exposed servers apparently number around 3 million.

Google confirms that advanced backdoor came preinstalled on Android devices

Interesting how far supply-chain attacks can go. Google confirmed that back in 2017 a third party involved in building the firmware for certain manufacturers' devices inserted the Triada malware into the system image, so the Android devices shipped with it pre-loaded.

For two hours, a large chunk of European mobile traffic was rerouted through China

It doesn't sound like it was malicious, most likely an accidental route leak, although that is hard to prove either way. It does show yet again how fragile BGP is: one network announces prefixes it shouldn't, peers that don't filter what they accept propagate the announcement, and traffic simply follows the new path for as long as it takes someone to notice.

New extortion scam threatens to ruin a website's reputation

Just a heads-up in case you encounter these. Instead of the usual sextortion scam, these offenders threaten to start spamming in the name of your website, ruining its reputation. I guess there's a degree to which they could do it, but it's highly doubtful they'd make the effort. Consider it a good reminder to have SPF, DKIM and DMARC records published in DNS for your domain at least, and with a DMARC policy that actually rejects rather than just monitors.
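Publishing the records is only half of it; a permissive SPF terminator or a DMARC policy of p=none lets spoofed mail through unchanged. The following is an added example, not code from the newsletter or any linked article: it parses SPF and DMARC record strings and lists the weaknesses a practitioner would look for. The sample records are constructed; in real use you would fetch the TXT records for the domain and for _dmarc.<domain> with your resolver and pass the strings in.

```python
"""Grade a domain's SPF and DMARC records for spoofing protection.

Added example, not code from the newsletter or from any linked article.
Parsing only; in real use fetch the TXT records for `example.com` and
`_dmarc.example.com` (e.g. with dnspython) and pass the strings in.
DKIM is left out because its record lives under a selector name you have
to know in advance (selector._domainkey.example.com).
"""


def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for an SPF record.

    The qualifier on 'all' decides how receivers treat mail from hosts the
    record does not list: '-' fail, '~' softfail, '?' neutral, '+' pass.
    """
    fields = txt.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in fields[1:]:
        if "=" in term:  # modifiers such as redirect= or exp=; not graded here
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, mechanism))
    return mechanisms, all_qualifier


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record as a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt, dmarc_txt):
    """List weaknesses; an empty list means a spoofed message should be
    rejected by any receiver that checks DMARC."""
    findings = []
    mechanisms, all_qualifier = parse_spf(spf_txt)
    if all_qualifier in (None, "+"):
        findings.append("SPF: no restrictive 'all' term, any host passes")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral and gives no protection")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' is softfail, fine under DMARC but weak alone")
    if any(m == "ptr" or m.startswith("ptr:") for _, m in mechanisms):
        findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")

    tags = parse_dmarc(dmarc_txt)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam instead of rejecting it")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"DMARC: pct={pct}, the policy is applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports")
    return findings


# Constructed sample records (not any real domain's data).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strict", STRICT_SPF, STRICT_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The "weak" pair is what many domains actually publish: a softfail SPF plus a monitoring-only DMARC, which receivers will happily deliver spoofed mail under. The "strict" pair produces no findings.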

This is how scammers are abusing Google Calendar invites

I never realised this was a thing. Spammers abuse the fact that anyone can send you a calendar invite, which Google Calendar adds to your calendar by default, and they populate the invite with phishing or spam links that then show up as a "meeting" with a notification. Calendar's settings let you stop invitations you haven't responded to from being added automatically, which takes the notifications away.

Yubico to replace vulnerable YubiKey FIPS security keys

Yubico has discovered a security issue in their YubiKey FIPS series and is sending replacements. The affected devices (firmware 4.4.2 and 4.4.4) produce reduced randomness for a short window right after power-up, which weakens any keys or signatures generated in that window. It doesn't seem to be a massive vulnerability, but it's worth checking the firmware version of any FIPS keys you have deployed either way; the non-FIPS YubiKeys are not affected.

What’s the best approach to patching vulnerabilities?

An interesting bit of research on how to prioritise which vulnerabilities to patch: do we look at which vulnerabilities have active exploits? Do we look at CVSS score? Or do we look for keywords like "remote code execution"? The conclusion seems to be common sense: look at all of those. But it's good to think about not going blindly with any one strategy, since each signal on its own misranks something obvious.
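To make the "any one strategy is blind" point concrete, here is an added example (not from the newsletter or the research it links) that ranks the same findings under each single signal and under a combined score. The findings are constructed records shaped like a scanner export, the field names are my own, and the weights in the combined score are assumptions you would tune to your environment.

```python
"""Rank the same findings under three single-signal strategies and one
that combines them.  Added example, not from the newsletter or the
research it links.  The findings are constructed records shaped like a
scanner export (field names are my own) and the weights in
combined_score are assumptions to be tuned to your environment.
"""

FINDINGS = [
    {"id": "V-1", "cvss": 9.8, "exploited": False,
     "title": "Remote code execution in bundled image library"},
    {"id": "V-2", "cvss": 7.5, "exploited": True,
     "title": "Denial of service via malformed request"},
    {"id": "V-3", "cvss": 5.3, "exploited": True,
     "title": "Information disclosure through verbose error page"},
    {"id": "V-4", "cvss": 8.8, "exploited": False,
     "title": "Local privilege escalation in service installer"},
    {"id": "V-5", "cvss": 9.1, "exploited": True,
     "title": "Remote code execution in admin API"},
]

RCE_KEYWORDS = ("remote code execution", "rce")


def cvss_only(f):
    # Severity alone: puts an unexploited 9.8 above an exploited 9.1.
    return f["cvss"]


def exploit_only(f):
    # Ties keep scan order, which is exactly the weakness of this signal on
    # its own: it cannot separate an exploited DoS from an exploited RCE.
    return 1 if f["exploited"] else 0


def keyword_only(f):
    # Wording alone: blind to whether anyone is actually exploiting it.
    return 1 if any(k in f["title"].lower() for k in RCE_KEYWORDS) else 0


def combined_score(f):
    # Assumed weights: CVSS as the base, a fixed bonus for known exploitation
    # and a smaller one for RCE wording.  Exploited RCE comes first, but a
    # 9.8 RCE nobody exploits yet still outranks an exploited low-impact bug.
    return cvss_only(f) + 3.0 * exploit_only(f) + 2.0 * keyword_only(f)


def rank(findings, key):
    """Finding IDs in patch order, highest key first (stable for ties)."""
    return [f["id"] for f in sorted(findings, key=key, reverse=True)]


if __name__ == "__main__":
    for name, key in (("cvss", cvss_only), ("exploit", exploit_only),
                      ("keyword", keyword_only), ("combined", combined_score)):
        print(f"{name:>9}: {rank(FINDINGS, key)}")
```

Run it and compare the four orderings: CVSS alone patches the unexploited library bug before the exploited admin API, exploit status alone puts an exploited DoS at the top, and keywords alone ignore exploitation entirely. The combined ranking is the only one that starts with the exploited RCE.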

Have I Been Pwned looking to be acquired

Maybe not in the classical sense, but more in a "let me find a big, capable company that can help me with this". As Troy lays out the numbers behind HIBP, you realise pretty quickly how incredible it is that he managed it by himself for all these years.

Building security skills for an AWS cloud migration

A nice short blog post with useful links on getting started with (AWS) security engineering.

The clever cryptography of Apple's new 'Find My' feature

Apple announced an upcoming update to the Find My feature that lets you locate a device even when it is offline. The lost device broadcasts Bluetooth beacons that nearby Apple devices pick up and relay to Apple along with their own location. That sounds scary as hell from a privacy point of view, but the beacons are frequently rotating public keys: the relaying device encrypts its location to the key it saw, so neither it nor Apple can read the location or link successive beacons to the same device, and only your own devices, which hold the matching private key, can decrypt it. It feels like a very elegant solution. I recommend taking the time to read and understand it.

1Password for Teams and Business

As always I'm extremely grateful to 1Password for supporting the newsletter. If you have passwords or secure notes to share with your colleagues, I highly recommend you give them a try.