Lots of interesting news this week, with Zoom security and record GDPR fines as my personal headlines. Also, I'm very happy to share that 1Password has decided to renew their sponsorship and support of this newsletter for another full year. Thank you 1Password! If your company is interested too, there's one slot still open :-)
Breaches and leaks
- Canonical's GitHub account was hacked. Fortunately the attacker seemed to mostly mess around and didn't seem to do real damage: link.
- DNA testing company Vitagene exposed personal, medical and genetic information of over 3000 users: link.
- GE Aviation had an unsecured Jenkins server, exposing source code and passwords: link.
- 7-Eleven's Japanese payment app had its woefully inadequate password reset function abused by an attacker, causing customers to lose a total of $500,000: link.
A security researcher discovered that Zoom runs a poorly secured and undocumented local webserver to enable some of its functionality. Unfortunately, it allowed any webpage you visited to force you into joining a call with video enabled. It could also be used to trigger a denial-of-service on your machine. To make matters worse, the webserver wasn't even removed when Zoom was uninstalled.
Zoom has since published updates to fix these issues, but their initial responses were less than ideal. Apple even stepped in and force-pushed an update of their own to remove the webserver.
This ought to raise some eyebrows. The fine, totalling 1.5% of BA's turnover, is related to the 2018 data breach impacting 500,000 customers. In the same trend, Marriott is receiving a GDPR fine totalling $123 million for the massive 2018 breach of their reservation system. Both companies can and will appeal the fines though. Still, GDPR is showing its teeth and I like it.
An attacker hijacked the strong_password gem and updated it to include a backdoor that allowed for remote code execution. It was discovered by a developer doing diligent security audits before updating dependencies.
The Linux security list is where sensitive security vulnerabilities are first disclosed, privately. It was rightfully pointed out that Microsoft now has several Linux builds of its own, and that Linux usage apparently even surpasses Windows usage in their cloud. As such, Microsoft is now part of the closed Linux security group. It is a brave new world out there.
I liked this article because it's not a platform you think about often: a US Coast Guard vessel was infected with malware, severely impacting its operations. They issued a memo describing the importance of good security hygiene.
Back in February we covered the request by a firm called DarkMatter to be added as a trusted Certificate Authority in Firefox. The firm, however, is tied to a United Arab Emirates sponsored hacking group, and as a root CA it would be able to do all kinds of mischief. Fortunately, in my humble opinion, their request was denied.
Finland has started its rotation on the EU presidency term, and cybersecurity seems to be high on their list. They're initiating a range of cyber war games, and are going to direct special attention to the potential of 5G and its security implications.
Interesting throwback to WannaCry and the work that two security researchers did to stop it by registering a domain that stopped the malware from executing.
I never properly realised though that WannaCry is still out there. If that domain goes down, it will start running again. To give you an idea: the domain is now hosted by Cloudflare, and in the brief downtime they had last week (which fortunately didn't affect the killswitch) there were 220,000 attempted WannaCry executions.
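That kill switch makes your resolver logs a cheap infection signal: every lookup of the domain is a host that just ran the WannaCry check, and a lookup that fails is a host on which the malware would have carried on. As an added example (not part of the original article or any project's code), this Python script triages constructed resolver log lines; the key=value log format and the kill-switch domain name are placeholders I assumed, not the real ones.

```python
import re
from collections import defaultdict

# Placeholder for the real kill-switch domain (assumption; not reproduced here).
# A lookup of it means an infected host just ran the WannaCry check; a lookup
# that fails to resolve means the kill switch was unreachable for that host.
KILLSWITCH_DOMAIN = "wannacry-killswitch.example"

# Constructed resolver log lines in an assumed key=value format.
SAMPLE_LOG = """\
2019-07-08T09:00:01Z client=10.0.0.5 query=www.example.com rcode=NOERROR
2019-07-08T09:00:02Z client=10.0.0.5 query=wannacry-killswitch.example rcode=NOERROR
2019-07-08T09:00:03Z client=10.0.0.9 query=wannacry-killswitch.example rcode=NOERROR
2019-07-08T09:05:00Z client=10.0.0.9 query=wannacry-killswitch.example rcode=SERVFAIL
2019-07-08T09:05:01Z client=10.0.0.9 query=WANNACRY-KILLSWITCH.EXAMPLE. rcode=NXDOMAIN
2019-07-08T09:06:00Z client=10.0.0.7 query=mail.example.com rcode=NOERROR
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+rcode=(?P<rcode>\S+)")


def normalise(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def triage(log_text, killswitch=KILLSWITCH_DOMAIN):
    """Return {client: {"attempts": n, "unresolved": m}} for clients that looked up the kill switch."""
    hits = defaultdict(lambda: {"attempts": 0, "unresolved": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or normalise(m["query"]) != normalise(killswitch):
            continue
        entry = hits[m["client"]]
        entry["attempts"] += 1
        if m["rcode"] != "NOERROR":  # kill switch not reachable: payload would not have stopped
            entry["unresolved"] += 1
    return dict(hits)


def hosts_to_isolate(summary):
    """Clients whose kill-switch lookup failed at least once; isolate these first."""
    return sorted(c for c, e in summary.items() if e["unresolved"] > 0)


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for client, e in sorted(summary.items()):
        print(f"{client}: {e['attempts']} kill-switch lookups, {e['unresolved']} unresolved")
    print("isolate first:", hosts_to_isolate(summary))
```

Every host in the summary is infected regardless of the response code; the unresolved count only orders the clean-up.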
A security engineer at Google put together study notes while preparing for her interview. It's a very useful collection of topics one can deep-dive on.
If you're looking for something to do with your new Raspberry Pi 4: Kali Linux now supports it :-) Hf!