Personal note - back in action
After spending a full week of facetime with my awesome colleagues in Portland, I am now back in Europe and thoroughly jetlagged. Hopefully that's not too obvious in this issue ;-) Normal service should resume from now on. Thanks for bearing with me!
Breaches and leaks
- Medical data of another 7.7 million people breached, at the same third-party vendor as the Quest Diagnostics breach of last week: link.
- Tech Data, a large IT infrastructure provider, leaked 264GB in client and payment data through an unsecured log management server: link.
- Cryptocurrency wallet GateHub hacked, nearly $10 million worth of Ripple stolen: link.
- Asco, an airplane parts manufacturer, had to halt production in four countries due to a ransomware infection. Around 1000 employees had to be sent home for a week: link.
Tavis Ormandy of Google's Project Zero disclosed a vulnerability where Windows can be made to hang or reboot simply by getting it to validate a malicious certificate. It looks like a practical DoS vector. There's controversy around the public disclosure though, as we've seen before: Microsoft wanted more time to fix it before the details were made public, but Tavis kept to the standard 90-day deadline.
This is another zero day for Windows, this time a local privilege escalation. It's a bypass for a previously fixed problem, once again publicly disclosed by the researcher known as SandboxEscaper.
A critical remote code execution flaw in the mail server software Exim was disclosed last week. If you run one, patch ASAP: active attacks against unpatched servers are under way, and there are apparently around 3 million of them exposed.
Interesting how far supply-chain attacks can go: Google confirmed that back in 2017 certain manufacturers were compromised and shipped their Android devices with the Triada malware pre-loaded.
It doesn't sound like it was malicious, although that's hard to prove either way. But it does once again show how much trouble BGP routing can cause.
Just a heads-up in case you encounter these. Instead of the usual sextortion scam, these offenders threaten to start spamming in the name of your website, ruining its reputation. I guess there's a degree to which they could do it, but it's highly doubtful they'd make the effort. Consider it a good reminder to at least have SPF, DKIM and DMARC set up for your domain.
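Since "set it up" is only half the story, here is a small checker that audits a domain's SPF and DMARC TXT records for the weak settings that make spoofing easy (no record, `+all`/`?all`, `p=none`, partial `pct`, no reporting address). This is an added example for this issue, not code from any of the linked articles; the domains and records in it are constructed test data, and the DNS lookup is replaced by an in-memory table so it runs offline.

```python
"""Flag weak SPF / DMARC setups from a domain's TXT records.

Added example for this newsletter issue, not code from a linked article.
SAMPLE_TXT is constructed test data (hypothetical domains), standing in
for the TXT records a resolver would return.
"""
import re

SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"
    ],
    "weak.example": ["v=spf1 a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "nodmarc.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per record.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)([:/]|$)")
ALL_TERM = re.compile(r"^[+\-~?]?all$")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings for the domain; an empty list means no weak setting found."""
    findings = []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: anyone can send as this domain")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permerror")
    else:
        terms = spf[0].lower().split()
        all_term = next((t for t in terms if ALL_TERM.match(t)), None)
        if all_term is None or all_term in ("+all", "all"):
            findings.append("SPF ends with +all or has no 'all' mechanism: every sender passes")
        elif all_term == "?all":
            findings.append("SPF ends with ?all (neutral): no enforcement")
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t) or t.startswith("redirect="))
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups: over the limit of 10, evaluates to permerror")

    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM failures are neither acted on nor reported")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC record has no valid p= tag")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC has no rua=: you will not receive aggregate reports")
    return findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "nodmarc.example"):
        print(name, audit_domain(name) or ["ok"])
```

To run it against a real domain, replace `SAMPLE_TXT` with the TXT records for `domain` and `_dmarc.domain` from your resolver. Note that DKIM cannot be checked this way without knowing the selector names the sender uses, which is why the example stops at SPF and DMARC.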
I never realised this was a thing. Spammers abuse the fact that anyone can send you a calendar invite, and they populate the invite with phishing or spam links.
Yubico has discovered a security issue in its YubiKey FIPS series and is sending out replacements. It doesn't seem to be a massive vulnerability, but it's worth checking whether you're affected either way.
An interesting bit of research on how to prioritise which vulnerabilities to patch: do we look at which ones have active exploits, at the CVSS score, or for keywords like "remote code execution"? The conclusion seems to be common sense: look at all of them. Still, it's a good reminder not to follow any single strategy blindly.
Maybe not in the classical sense, but more in a "let me find a big, capable company that can help me with this" way. As Troy lays out the numbers behind HIBP you realise pretty quickly how incredible it is that he managed it by himself all these years.
A nice short blog post with useful links on getting started with (AWS) security engineering.
Apple announced an upcoming update to its "Find My" feature that allows you to locate a device even when it is offline, with no Internet connection of its own. It works by having the lost device transmit Bluetooth beacons that other nearby Apple devices pick up and relay. That sounds scary as hell from a privacy point of view, but they've designed it so that no one but you can track your devices, Apple included. It feels like a very elegant solution. I recommend taking the time to read and understand it.
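To make the design above concrete, here is a sketch of the three properties that give it its privacy: the lost device beacons a public key that rotates every epoch so observers can't link sightings, the finder encrypts its own location to that key so it learns nothing and the relay server stores only ciphertext, and only the owner, who can re-derive every epoch's private key, can decrypt. This is an added example written for this issue, not Apple's protocol or code: the curve, key derivation, rotation schedule and message format here are my own choices (X25519, HKDF, AES-GCM via the third-party `cryptography` package), and the location string and master secret are constructed test data.

```python
"""Sketch of an offline-finding design with owner-only decryption.

Added example for this newsletter issue, not Apple's protocol or code;
the primitives and formats are assumptions chosen for illustration.
Requires the third-party 'cryptography' package.
"""
import hashlib
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = serialization.Encoding.Raw, serialization.PublicFormat.Raw


def hkdf(key_material, info):
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(key_material)


class LostDevice:
    """The owner's device: one master secret, a fresh beacon key per epoch."""

    def __init__(self, master_secret):
        self.master = master_secret

    def beacon_key(self, epoch):
        # Deterministic per-epoch private key: devices sharing master_secret
        # can recompute it; to everyone else, successive beacons are unlinkable.
        seed = hkdf(self.master, b"beacon-key|" + epoch.to_bytes(4, "big"))
        return X25519PrivateKey.from_private_bytes(seed)

    def beacon(self, epoch):
        """What is broadcast over Bluetooth: only the epoch's public key."""
        return self.beacon_key(epoch).public_key().public_bytes(*RAW)


def finder_report(beacon_pub_bytes, location):
    """A passer-by's device: encrypt its own location to the beaconed key.

    It never learns whose device it saw and uploads nothing readable.
    """
    beacon_pub = X25519PublicKey.from_public_bytes(beacon_pub_bytes)
    eph = X25519PrivateKey.generate()
    key = hkdf(eph.exchange(beacon_pub), b"finder-report")
    nonce = os.urandom(12)
    return {
        # The server indexes by a hash of the beacon key, never the key itself.
        "index": hashlib.sha256(beacon_pub_bytes).digest(),
        "eph_pub": eph.public_key().public_bytes(*RAW),
        "nonce": nonce,
        "ciphertext": AESGCM(key).encrypt(nonce, location, beacon_pub_bytes),
    }


def server_store(server, report):
    """The relay server: an index -> ciphertext table, nothing more."""
    server.setdefault(report["index"], []).append(report)


def owner_fetch(device, server, epochs):
    """The owner re-derives each epoch's key, looks up its hash and decrypts."""
    found = []
    for epoch in epochs:
        priv = device.beacon_key(epoch)
        pub_bytes = priv.public_key().public_bytes(*RAW)
        for rep in server.get(hashlib.sha256(pub_bytes).digest(), []):
            key = hkdf(priv.exchange(X25519PublicKey.from_public_bytes(rep["eph_pub"])),
                       b"finder-report")
            found.append((epoch, AESGCM(key).decrypt(rep["nonce"], rep["ciphertext"], pub_bytes)))
    return found


def demo():
    """One sighting in epoch 5, recovered by the owner scanning recent epochs."""
    owner = LostDevice(master_secret=b"\x01" * 32)   # constructed test secret
    server = {}
    server_store(server, finder_report(owner.beacon(5), b"lat=48.8566,lon=2.3522"))
    return owner_fetch(owner, server, range(0, 24))


if __name__ == "__main__":
    print(demo())
```

The server sees a random-looking hash, an ephemeral public key and an AES-GCM ciphertext per report, and nothing links the report for epoch 5 to the one for epoch 6. A device with a different master secret derives different keys and therefore can neither find the index nor decrypt the report, which is the "no one but you" property the announcement describes.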