Issue 137

Personal note

Lots of interesting news this week, with Zoom security and record GDPR fines as my personal headlines. Also, I'm very happy to share that 1Password has decided to renew their sponsorship and support of this newsletter for another full year. Thank you 1Password! If your company is interested too, there's one slot still open :-)



Breaches and leaks

  • Canonical's GitHub account was hacked. Fortunately the attacker seemed to mostly mess around and didn't appear to do real damage: link.
  • DNA testing company Vitagene exposed personal, medical and genetic information of over 3000 users: link.
  • GE Aviation had an unsecured Jenkins server, exposing source code and passwords: link.
  • 7-Eleven's Japanese payment app was abused by an attacker through a woefully inadequate password reset function, causing customers to lose a total of $500.000: link.


Zoom vulnerable to unsolicited joining of video calls and DoS

A security researcher discovered that Zoom runs a poorly secured and undocumented local webserver to enable some of its functionality. Unfortunately, it allowed any webpage you visited to force you into joining a call with video enabled. It could also be used to trigger a denial-of-service on your machine. To make matters worse, the webserver wasn't even removed when Zoom was uninstalled. Zoom has since published updates to fix these issues, but their initial responses were less than ideal. Apple even stepped in and force-pushed an update to remove the webserver themselves.
medium.com


British Airways receives GDPR penalty of a whopping $230 million

This ought to raise some eyebrows. The fine, totalling 1.5% of BA's turnover, is related to the 2018 data breach impacting 500.000 customers. In the same trend, Marriott is receiving a GDPR fine totalling $123 million for the massive 2018 breach of their reservation system. Both companies can and will appeal the fines though. Still, GDPR is showing its teeth and I like it.
threatpost.com


Backdoor found in Ruby library for checking for strong passwords

An attacker hijacked the strong_password gem and updated it to include a backdoor that allowed for remote code execution. It was discovered by a developer doing diligent security audits before updating dependencies.
zdnet.com


Microsoft admitted to private Linux developer security list

The Linux security list is where sensitive security vulnerabilities are first disclosed, privately. It was rightfully pointed out that Microsoft now has several Linux builds of its own, and Linux reportedly even surpasses Windows in usage on their cloud. As such, Microsoft is now part of the closed Linux security group. It is a brave new world out there.
zdnet.com


US Coast Guard issues cybersecurity alert

I liked this article because it's not a platform you think about often: a US Coast Guard vessel was infected with malware, severely impacting its operations. They issued a memo describing the importance of good security hygiene.
marinelog.com


Mozilla Blocks DarkMatter From Becoming a Trusted CA in Firefox

Back in February we had a news item detailing the fact that a firm called DarkMatter asked to be added as a trusted Certificate Authority in Firefox. The firm, however, is tied to a United Arab Emirates sponsored hacking group. As a root CA they would be able to do all kinds of mischief. Fortunately, in my humble opinion, their request was denied.
bleepingcomputer.com


Finland brings cybersecurity to the fore as EU presidency commences

Finland has started its rotation on the EU presidency term, and cybersecurity seems to be high on their list. They're initiating a range of cyber war games, and are going to direct special attention to the potential of 5G and its security implications.
portswigger.net


The sinkhole that saved the internet: the WannaCry kill switch

Interesting throwback to WannaCry and the work that two security researchers did to stop it by registering a domain that stopped the malware from executing.
I never properly realised though that WannaCry is still out there. If that domain goes down, it will start running again. To give you an idea: the domain is now hosted by Cloudflare, and in the brief downtime they had last week (which fortunately didn't affect the kill switch) there were 220.000 attempted WannaCry executions.
techcrunch.com


Study notes for security engineering

A security engineer at Google put together study notes while preparing for her interview. It's a very useful collection of topics one can deep-dive on.
github.com


Kali Linux on the Raspberry Pi 4

If you're looking for something to do with your new Raspberry Pi 4: Kali Linux now supports it :-) Hf!
kali.org


Sponsorships

1Password for Teams and Business

As always I'm extremely grateful to 1Password for supporting the newsletter. If you have passwords or secure notes to share with your colleagues, I highly recommend you give them a try.
1password.com