Issue 134

Breaches and leaks

  • The Oregon Department of Human Services (DHS) was breached, putting health data of over 600.000 people at risk: link.
  • A marketing agency focused on medical malpractice lawsuits leaked medical and personal data of 150.000 people: link.
  • Private emails of a charity supporting gender-diverse and transgender children were publicly viewable: link.
  • EatStreet, a food ordering service, was breached, potentially impacting 6 million people: link.

If your CEO still thinks security doesn't affect the business, these might help too:

  • AMCA, the medical bill collector that got breached recently, impacting over 20 million people, has filed for bankruptcy: link.
  • The Florida city of Riviera Beach was infected by ransomware, and has decided to pay the $600.000 ransom, plus $900.000 in new computers: link.

Firefox patches actively exploited zero-day

If you use Firefox, please make sure you're up to date. A remote code execution vulnerability has been found that can be triggered by visiting a malicious website.

Remote DoS vulnerabilities in Linux and FreeBSD

Netflix researchers discovered four vulnerabilities in the TCP stack of Linux and FreeBSD. An attacker can use them to remotely crash your servers, so updating is strongly advised.

MongoDB 4.2 adds Field Level Encryption

For obvious reasons, MongoDB is trying to work on its security features. As with all things crypto, it takes some deep diving to really understand every detail, but from what I can make out it means you can have per-client encryption keys, so that only that client can decrypt its own data. They also note that this helps with GDPR compliance, since 'deleting all user information' can easily be done by purging the client's encryption keys. This article provides some more detail.
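The key-purge idea above, as an added example that is not MongoDB's own code or API: a hypothetical in-memory key vault (the names KeyVault, NewClient, Shred, EncryptField and DecryptField are assumptions) keeps one AES-256-GCM key per client apart from the stored ciphertext, so that deleting the key alone makes that client's data unrecoverable.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical key vault (not MongoDB's API): one AES-256 key per client, held apart from the database.
type KeyVault map[string][]byte

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// NewClient issues a fresh key; Shred purges it and leaves every ciphertext in place ("delete all user information").
func (kv KeyVault) NewClient(client string) { kv[client] = randBytes(32) }
func (kv KeyVault) Shred(client string)     { delete(kv, client) }
func (kv KeyVault) aead(client string) (cipher.AEAD, error) {
	key, ok := kv[client]
	if !ok {
		return nil, errors.New("no key for client: ciphertext is unrecoverable")
	}
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so NewCipher cannot fail
	return cipher.NewGCM(block)
}
// EncryptField returns nonce||ciphertext; the field name is bound as associated data so values cannot be swapped between fields.
func (kv KeyVault) EncryptField(client, field string, plaintext []byte) ([]byte, error) {
	g, err := kv.aead(client)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, []byte(field)), nil
}
// DecryptField reverses EncryptField and fails once the client's key has been shredded.
func (kv KeyVault) DecryptField(client, field string, ct []byte) ([]byte, error) {
	g, err := kv.aead(client)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:n], ct[n:], []byte(field))
}
```

The ciphertext is what would sit in the database; after Shred it is still there, but no key exists to open it.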

Microsoft previews Azure Bastion

I'm not on Azure myself, but this sounds like something you'd want to know about if you are. It's a bastion server as a service, so you don't need to roll your own and keep an SSH server on a public IP.

Google launches new Chrome protection from bad URLs

Chrome introduced a new feature where it alerts you if you mistyped a popular URL and are probably headed to a "typosquatting" malicious site. I love that the default button takes you away, making it "just-smash-the-ok-button"-proof. Kudos Chrome.
Relatedly, they also released an extension that warns users when they go to a suspicious website, for example a domain using uncommon characters.

Cloudflare launches the League of Entropy

Getting a reliable source of randomness is hugely important to a lot of things, including encryption, and it has often gone wrong in the past when that randomness was too easy to predict. Cloudflare has now launched a "distributed randomness" service based on five sources of entropy/randomness, which anyone can query to get truly random data. You can get private data too, since you don't actually want to use the publicly visible data in your encryption. There's more good stuff that they are releasing as part of their Crypto Week.

Google open sources tool for sharing confidential data sets

As with most things crypto, it slightly confuses me, but it sounds useful. The tool allows two parties to share data with each other while each party's detailed raw data remains encrypted, so that really only aggregated statistics are shared.

Samsung reminds users to regularly scan their Smart TVs for viruses

Is it useful for me to include this in the newsletter? Probably not.
Did I find it both sad and hilarious? Yes.

Maciej Cegłowski on privacy in the Information Age

This is worth a read. Very nicely worded thoughts on "ambient privacy".

1Password: a password manager worth recommending

After using 1Password Teams for several years, I finally moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from.