Personal note - jobs section?
I'm thinking of adding a security-related jobs section to the newsletter, with two jobs each week and maybe a longer listing on the website. If you have any kind of feedback on this, or open positions you might want to submit, hit reply and let me know.
Breaches and leaks
- The Bulgarian tax authority has been hacked, and data on practically all Bulgarian citizens was exfiltrated: link.
- Sprint, the US telecom, had a breach impacting an unknown number of users through a Samsung.com "Add a line" advertisement website. I'm not super clear if they ran the site or Samsung did? link.
- An unsecured Elasticsearch instance was found containing financial, personal and location data on millions of Chinese users, aggregated from loan-applying apps: link.
- Bitpoint, a Japan-based crypto exchange, lost $32 million in a hack last week: link.
- Netlog, a Belgium-based social network that has been defunct for a few years, discovered that it was hacked back in 2012: link (pdf).
Google outsources the transcription of foreign-language recordings from its Home speakers to companies with native speakers. An employee at one of those companies shared recordings with a media outlet. Also, some of the recordings were made without the 'OK Google' trigger.
Neither of these things is completely unexpected in my view, but it does raise a lot of good, hard questions.
(The VRT news media that the article speaks of is Belgian, not Dutch. But hey, nobody's perfect.)
GandCrab is one of the better-known ransomware strains out there. Bitdefender, together with the FBI, Europol and others, has obtained the decryption keys for certain versions and is now sharing them publicly.
A nice bit of insight into how prolific nation-state hackers are. Around 84% of the attacks were aimed at enterprises, and 16% at home consumers and their personal email accounts.
Anyone in the vicinity can connect to the affected Logitech wireless devices and send keyboard input to your computer. The problem was reported and fixed in 2016, but Logitech never recalled the existing devices that were still being sold.
US government services are increasingly targeted by ransomware, probably because they often pay up. They've now resolved to stop doing so. It'll be interesting to see if they keep up that resolve and whether or not it makes a difference in ransomware targeting.
Clickbait-y title aside, it's a nice read. Mobile Instagram users can request a 6-digit passcode to do a password reset. Brute-forcing the code didn't really work by itself, because it's rate limited. But it was rate limited to 250 attempts per IP. So with some automation to spread the attempts over many IPs, one had a very good chance of getting into any account. The researcher received $30,000 for his work.
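To make the design flaw concrete, here is an added example (not code from the write-up, Instagram, or this newsletter) of a reset-code verifier under two limit policies: one keyed on the source IP, as the write-up describes, and one keyed on the account being reset. The 250-per-IP figure comes from the item above; the 10-per-account budget, the account names and the 198.51.100.0/24 addresses are constructed for illustration.

```python
"""Per-IP versus per-account rate limiting for a 6-digit password-reset code.

Added example, not the newsletter's or Instagram's code. A limit keyed only on
the source IP caps attempts *per IP*, so the total number of guesses against
one account grows with the number of IPs the requests are spread over. A limit
keyed on the account bounds the total no matter where requests come from.
"""
from collections import defaultdict
import hmac
import secrets


class ResetCodeVerifier:
    """Verifies a one-time 6-digit code under a configurable limit policy."""

    def __init__(self, policy, per_ip_limit=250, per_account_limit=10):
        assert policy in ("per_ip", "per_account")
        self.policy = policy
        self.per_ip_limit = per_ip_limit            # figure from the write-up
        self.per_account_limit = per_account_limit  # assumed defensive budget
        self.codes = {}                             # account -> issued code
        self.ip_attempts = defaultdict(int)         # ip -> attempts so far
        self.account_attempts = defaultdict(int)    # account -> attempts so far

    def issue(self, account):
        """Issue a fresh 6-digit code and reset the account's attempt counter."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[account] = code
        self.account_attempts[account] = 0
        return code

    def verify(self, account, candidate, source_ip):
        """Return 'ok', 'wrong' or 'blocked' for one verification attempt."""
        if account not in self.codes:
            return "blocked"            # no outstanding code for this account
        if self.policy == "per_ip":
            if self.ip_attempts[source_ip] >= self.per_ip_limit:
                return "blocked"
            self.ip_attempts[source_ip] += 1
        else:
            if self.account_attempts[account] >= self.per_account_limit:
                return "blocked"
            self.account_attempts[account] += 1
        if hmac.compare_digest(candidate, self.codes[account]):
            del self.codes[account]     # one-time use: burn the code on success
            return "ok"
        return "wrong"


def total_guesses_allowed(policy, distinct_ips):
    """Count how many wrong guesses against one account the policy lets through
    when the guesses are spread over `distinct_ips` source addresses."""
    v = ResetCodeVerifier(policy)
    code = v.issue("victim")
    wrong = "000000" if code != "000000" else "000001"   # guaranteed wrong
    allowed = 0
    for i in range(distinct_ips):
        ip = f"198.51.100.{i}"          # constructed, TEST-NET-2 range
        while v.verify("victim", wrong, ip) == "wrong":
            allowed += 1
    return allowed


if __name__ == "__main__":
    for policy in ("per_ip", "per_account"):
        n = total_guesses_allowed(policy, 40)
        print(f"{policy:12s} 40 IPs -> {n:6d} guesses allowed "
              f"({100 * n / 10**6:.2f}% of the 6-digit keyspace)")
```

Under the per-IP policy the allowed guesses scale linearly with the number of source addresses, so the defender's limit is really set by the attacker's address pool; under the per-account policy the budget is fixed at ten regardless. A real deployment would also expire the code after a few minutes and invalidate it on too many failures, which the simulation leaves out to keep the comparison readable.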
A security researcher tried to use the 'Name your Tesla' feature to trigger XSS in the app or website, but initially failed. When he needed service a few months later, however, his XSS struck gold on an internal support application. Tesla fixed it within 12 hours of reporting and paid out a nice bounty. Kudos to all parties involved.
It was plagued with bypasses and false positives, and was too hard to maintain. It will be replaced by the Trusted Types API, a web standard that aims to eliminate DOM-based XSS attacks.
The first in a series of blogposts by Google on how they implemented BeyondCorp, a concept I find very interesting. Traditionally you have access to all-the-things if you're inside your corporate network or VPN, and none if you're outside. But Google determines access based on a range of factors, not (just) what network you connect from.
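As an added illustration of the idea (not Google's code and not from the blog series), here is a toy access-decision function that weighs several signals: user identity and group, an MFA check, device posture from a device inventory, and the network the request arrives from. Every signal, tier and resource name is a constructed assumption for this example; the point it shows is that being on the corporate network alone grants nothing, while a well-managed device off the network can still be allowed in.

```python
"""Context-based access decision in the BeyondCorp style.

Added example, not Google's implementation. Device inventory fields, trust
tiers, groups and resource names are constructed assumptions. Network
location is one input among several and is never sufficient on its own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in the device inventory
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    on_corp_network: bool


# resource -> (minimum device trust tier, required group); assumed values
RESOURCE_POLICY = {
    "wiki":        (1, "employees"),
    "source-code": (2, "engineering"),
    "payroll":     (3, "finance"),
}


def device_trust_tier(d):
    """Derive a trust tier 0..3 from device posture; unmanaged devices get 0."""
    if not d.managed:
        return 0
    tier = 1
    if d.disk_encrypted:
        tier += 1
    if d.os_patched:
        tier += 1
    return tier


def decide(req):
    """Return (allowed, reason). Checks identity, then device, then context."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    min_tier, group = policy
    if not req.user.mfa_verified:
        return False, "user not MFA-verified"
    if group not in req.user.groups:
        return False, f"user not in group {group}"
    tier = device_trust_tier(req.device)
    if tier < min_tier:
        return False, f"device tier {tier} below required {min_tier}"
    # Network location is a context signal: off the corporate network we
    # additionally insist on disk encryption, but being on it grants nothing.
    if not req.on_corp_network and not req.device.disk_encrypted:
        return False, "unencrypted device outside the corporate network"
    return True, f"allowed (device tier {tier}, corp_network={req.on_corp_network})"


# Constructed sample principals and devices for the demo.
LAPTOP_GOOD = Device("lt-001", managed=True, disk_encrypted=True, os_patched=True)
LAPTOP_STALE = Device("lt-002", managed=True, disk_encrypted=False, os_patched=True)
BYOD_PHONE = Device("byod-7", managed=False, disk_encrypted=True, os_patched=True)
ENGINEER = User("eve", frozenset({"employees", "engineering"}), mfa_verified=True)

if __name__ == "__main__":
    for req in (
        Request(ENGINEER, BYOD_PHONE, "wiki", on_corp_network=True),
        Request(ENGINEER, LAPTOP_GOOD, "source-code", on_corp_network=False),
        Request(ENGINEER, LAPTOP_STALE, "wiki", on_corp_network=False),
        Request(ENGINEER, LAPTOP_GOOD, "payroll", on_corp_network=True),
    ):
        print(req.resource, req.device.device_id, decide(req))
```

The first request shows the contrast with the perimeter model: an unmanaged phone on the corporate network is still denied, while the second, a managed and patched laptop from an arbitrary network, is allowed. The real system layers many more signals (and a separate access proxy); the shape of the decision is what this example is meant to convey.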
I still have lots to learn on it. I can recommend this book if you want to learn more about it too.