There was less news volume this week than usual. Possibly related to the long weekend that our US-based friends are enjoying. It's a nice change :-) Still, plenty of things I felt were worthy of sharing. Enjoy!
Breaches and leaks
- IoT vendor Orbivo exposes unsecured Elasticsearch database, with over 2 billion logs and md5-hashed passwords: link.
- Data management firm Attunity had several unsecured s3 buckets, exposing information of several Fortune 100 companies like Ford and Netflix: link.
A medical insurance marketing website exposed an unsecured MongoDB instance with over 5 million records: link.
Not a new breach, but related to one: Dating app Jack'd got fined $240.000 for leaving users' private pictures publicly exposed for a full year after being told about it: link.
The settlement relates to a 2017 lawsuit after D-Link left hardcoded credentials in their firmware. The agreement also includes common-sense rules like source code review, threat modeling, a process for accepting vulnerability reports, and more. I find myself hoping for more lawsuits like this. (Or just legislation to enforce those rules).
The US will look into (re)implementing low-tech solutions and manual procedures into critical parts of the US power grid, to prevent large-scale disruptions through cyberattacks. It's inspired by the 2015 attacks on Ukraine's power grid. Makes a lot of sense to me, I imagine we'll see more of this in the future.
They say that although it's close, it doesn't fully comply with the OpenID standard, leaving it open to some attacks and making it more difficult for developers to implement it. They ask Apple to fix the inconsistencies and join the OpenID foundation.
Security researcher Natalie Silvanovich shared a vulnerability disclosure where a malformed message could crash your iPhone. It even survived hard resets, meaning you have to resort to wiping and restoring the device from scratch. The issue was fixed in iOS 12.3.
This caused some headlines this week, and I was greatly worried myself. But it seems to be more drama than substance. While one ethical hacker saw a temporary ban on uploading videos, that mistake was corrected. All other educational hacking content, including the ones I (try to) follow, like IppSec and LiveOverflow, are intact.
If you're feeling nostalgic: I enjoyed this read on the Conficker worm, which at one point had 10 million computers under its control.