Breaches and leaks
- The Oregon Department of Human Services (DHS) was breached, putting health data of over 600.000 people at risk: link.
- A marketing agency focused on medical malpractice lawsuits leaked medical and personal data of 150.000 people: link.
- Private emails of a charity supporting gender-diverse and transgender children were publicly viewable: link.
- EatStreet, a food ordering service, was breached, potentially impacting 6 million people: link.
If your CEO still thinks security doesn't affect the business, these might help too:
- AMCA, the medical bill collector that got breached recently, impacting over 20 million people, has filed for bankruptcy: link.
- The Florida city of Riviera Beach was infected by ransomware and has decided to pay the $600.000 ransom, plus $900.000 in new computers: link.
If you use Firefox, please make sure you're up to date. A remote code execution vulnerability has been found that can be triggered by visiting a malicious website.
Netflix researchers discovered four vulnerabilities in the TCP stack of Linux and FreeBSD. An attacker can use them to remotely crash your servers, so updating is strongly advised.
For obvious reasons, MongoDB is trying to work on its security features. As with all things crypto, it takes some deep diving to really understand every detail, but from what I can make out it seems to mean that you can have per-client encryption keys, so that only they can decrypt their data. They also note that this helps in GDPR compliance, since 'deleting all user information' can easily be done by purging the client's encryption keys. This article provides some more detail.
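The "purge the client's keys" idea from the paragraph above, as an added example that is neither MongoDB's code nor from the linked article: an in-process store of one AES-256-GCM key per client, where deleting a client's key (Shred) leaves every record sealed under it permanently unreadable while the ciphertext stays on disk. The names (Enroll, Encrypt, Decrypt, Shred, clientKeys) and the in-memory key map are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// One AES-256-GCM key per client (constructed for this example; a real deployment keeps keys in a KMS/HSM, not in process memory).
var clientKeys = map[string]cipher.AEAD{}

// Enroll generates a fresh 256-bit key for a client; re-enrolling after Shred yields a new key that cannot open old records.
func Enroll(client string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block GCM needs
	clientKeys[client] = gcm
	return nil
}

// Encrypt seals one field under the client's own key: random nonce prepended, client ID bound as associated data.
func Encrypt(client string, plaintext []byte) ([]byte, error) {
	gcm, ok := clientKeys[client]
	if !ok {
		return nil, errors.New("client has no key")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(client)), nil
}

// Decrypt fails once the key is gone even though the ciphertext is still stored: that is what makes Shred an erasure.
func Decrypt(client string, sealed []byte) ([]byte, error) {
	gcm, ok := clientKeys[client]
	if !ok || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("no key for client (shredded?) or malformed ciphertext")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(client))
}

// Shred deletes the client's key, making every record sealed under it permanently unreadable without touching the records.
func Shred(client string) { delete(clientKeys, client) }
```

Binding the client ID as associated data also means a record copied under another client's key fails authentication rather than decrypting to garbage.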
I'm not on Azure myself, but this sounds like something you'd want to know about if you are. Bastion server as a service, so you don't need to roll your own and have an SSH server on a public IP.
Chrome introduced a new feature where they alert you if you mistyped a popular URL and are probably headed to a "typosquatting" malicious site. I love that the default button takes you away, making it "just-smash-the-ok-button"-proof. Kudos, Chrome.
Related, they also released an extension that will warn users when they go to a suspicious website, for example a domain using uncommon characters.
Getting a reliable source of randomness is hugely important to a lot of things, including encryption, and it has often gone wrong in the past when that randomness was too easy to predict. Cloudflare has now launched a "distributed randomness" service based on five sources of entropy/randomness, which anyone can query to get truly random data. You can get private data too, since you don't actually want to use the public data in your encryption.
There's more good stuff that they are releasing as part of their Crypto Week.
As with most things crypto, it slightly confuses me, but it sounds useful. The tool allows two parties to share data with each other, but each party's detailed raw data remains encrypted, really sharing only aggregated statistics.
Is it useful for me to include this in the newsletter? Probably not.
Did I find it both sad and hilarious? Yes.
This is worth a read. Very nicely worded thoughts on "ambient privacy".