Issue 136

Hey everyone!

There was less news volume this week than usual. Possibly related to the long weekend that our US-based friends are enjoying. It's a nice change :-) Still, plenty of things I felt were worthy of sharing. Enjoy!

Breaches and leaks

  • IoT vendor Orbivo exposes unsecured Elasticsearch database, with over 2 billion logs and md5-hashed passwords: link.
  • Data management firm Attunity had several unsecured s3 buckets, exposing information of several Fortune 100 companies like Ford and Netflix: link.
  • A medical insurance marketing website exposed an unsecured MongoDB instance with over 5 million records: link.

  • Not a new breach, but related to one: Dating app Jack'd got fined $240.000 for leaving users' private pictures publicly exposed for a full year after being told about it: link.

D-Link to undergo security audits for 10 years as part of FTC settlement

The settlement relates to a 2017 lawsuit after D-Link left hardcoded credentials in their firmware. The agreement also includes common-sense rules like source code review, threat modeling, a process for accepting vulnerability reports, and more. I find myself hoping for more lawsuits like this. (Or just legislation to enforce those rules).

US wants to isolate power grids with 'retro' technology to limit cyber-attacks

The US will look into (re)implementing low-tech solutions and manual procedures into critical parts of the US power grid, to prevent large-scale disruptions through cyberattacks. It's inspired by the 2015 attacks on Ukraine's power grid. Makes a lot of sense to me, I imagine we'll see more of this in the future.

OpenID Foundation says 'Sign In with Apple' is not secure enough

They say that although it's close, it doesn't fully comply with the OpenID standard, leaving it open to some attacks and making it more difficult for developers to implement it. They ask Apple to fix the inconsistencies and join the OpenID foundation.

Google Project Zero reveals bad iMessages could have bricked your iPhone

Security researcher Natalie Silvanovich shared a vulnerability disclosure where a malformed message could crash your iPhone. It even survived hard resets, meaning you have to resort to wiping and restoring the device from scratch. The issue was fixed in iOS 12.3.

YouTube policy on removing ‘instructional hacking’ content causes outrage

This caused some headlines this week, and I was greatly worried myself. But it seems to be more drama than substance. While one ethical hacker saw a temporary ban on uploading videos, that mistake was corrected. All other educational hacking content, including the ones I (try to) follow, like IppSec and LiveOverflow, are intact.

Conficker: The worm that nearly ate the Internet

If you're feeling nostalgic: I enjoyed this read on the Conficker worm, which at one point had 10 million computers under its control.


1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always found them to be the best option. Especially because of their UX and support,