Issue 139

Personal note - jobs section

I got a lot of feedback on my question from last week on whether I should add a jobs section, and all of it was positive. Thanks for that!
There aren't many companies yet though who want to actually post jobs, and we can't have demand without supply. So if you want to share security-related positions with a wide range of interested people, let me know!

Breaches and leaks

  • Half of the Bulgarian data that was reported stolen last week is now in the open. It was shared with reporters in password-protected form, but was leaked to hacker forums and cracked: link.
  • Sytech, a contractor for the Russian intelligence service, was hacked. Information on various intelligence projects was leaked, like Tor deanonymization, social media monitoring, and much more: link.
  • The Robinhood trading app disclosed that passwords were being logged in plaintext. They aren't resetting passwords themselves, but are asking users to do so: link.
  • The London Metropolitan Police had their Twitter account hijacked: link.
  • iNSYNQ, a Quickbooks Cloud hosting firm, fell victim to a ransomware attack: link.
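
The Robinhood item above is the classic case of a request logger echoing form fields. As an added illustration (not code from the newsletter or from Robinhood), here is a Python logging filter that scrubs secret fields from both the message text and the format arguments before any handler writes them; the field names in SENSITIVE_KEYS and the two sample log calls are assumptions constructed for the demo.

```python
import io
import json
import logging
import re

# Field names treated as secrets (assumption: adapt to your own schema).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "authorization"}
REDACTED = "[REDACTED]"

# Matches key=value, key: value, "key": "value" and "Authorization: Bearer x" in free text.
_KV_RE = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b(['\"]?\s*[=:]\s*)"
    r"((?:Bearer|Basic)\s+\S+|\"[^\"]*\"|'[^']*'|\S+)"
)

def redact_text(message: str) -> str:
    """Scrub secret values from a plain-text log line, keeping the key visible."""
    return _KV_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, message)

def redact_mapping(obj):
    """Recursively scrub secret keys in dict/list data (e.g. a parsed request body)."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_mapping(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_mapping(v) for v in obj]
    return obj

class RedactSecretsFilter(logging.Filter):
    """Logger-level filter: scrubs msg and args before any handler formats the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact_text(record.msg)
        if isinstance(record.args, dict):  # %(name)s-style args
            record.args = redact_mapping(record.args)
        elif isinstance(record.args, tuple):  # positional %s args
            record.args = tuple(redact_text(a) if isinstance(a, str) else a for a in record.args)
        return True

def demo_login_log() -> list:
    """Send constructed login-request log calls through the filter; return what the sink saw."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("demo.auth")
    logger.propagate, logger.handlers, logger.filters = False, [handler], [RedactSecretsFilter()]
    logger.setLevel(logging.INFO)
    logger.info("POST /login user=alice password=hunter2 remember=1")  # constructed sample
    logger.info("body=%s", json.dumps({"user": "bob", "password": "p@ss"}))
    return buf.getvalue().splitlines()
```

Attach the filter at the logger (not the handler) so every sink sees the scrubbed record, and treat the regex as a safety net behind structured logging rather than a substitute for it.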

Facebook to pay over $5 billion

Can I get a "woop woop". Erm. More seriously: next to the fine they also have to adopt an extensive privacy and compliance framework, dictated and monitored by the FTC. They'll have to report every incident that impacted the data of over 500 users, never use phone numbers obtained for security features in advertising, obtain clear opt-in for facial recognition technology, and much more. The FTC's own press release can be read here. Hackernews discussion with pros and cons here.

Equifax to pay up to $700m

That seemed like a big number before I read the Facebook headline. Still though, let's hope it makes a dent. About $380 million will go towards restitution for those impacted, the rest will go to fines for various states and agencies. This post explains how you can file your claim.

VLC not affected by critical vulnerability

There were a lot of panicking headlines about a highly critical VLC vulnerability. So just so y'all know: everything is fine. The bug reporter used an old OS version with a vulnerable third-party library. And neither the media nor the CVE-issuing parties contacted VLC before going public. The VLC maintainers are not amused, and rightfully so.

Slack resets passwords for all pre-2015 users

Slack was breached in 2015, when someone gained access to their infrastructure and inserted code to capture plain-text passwords as people were logging in. Back then they reset passwords for everyone they thought affected. This week they went a step further and reset passwords for all users who had a Slack account at the time, unless they changed their password since then or were using SSO.

DataSpii: browser extensions gathering browsing histories from 4M users

It was found that a number of extensions, like SpeakIt, Hover Zoom and others, collected browser history and shared it with a data analytics company called Nacho Analytics. This gave access to a wide range of personal data and private links. It's a long and scary read.

Kazakhstan intercepting HTTPS connections

They've started to force citizens to install their own root certificate, so they can man-in-the-middle all HTTPS traffic. Right now the intercepting of traffic seems to focus on social media and messaging services. Officials say it's "aimed at enhancing the protection of citizens". Sure.

NSA to establish a new defense-minded division

Where the NSA was previously mostly focused on offensive capabilities, this new division, called the Cybersecurity Directorate, will focus on defending the US against foreign cyber threats. It will become operational on October 1st.

California Consumer Privacy Act (CCPA): What you need to know to be compliant

I never read up on the CCPA until now, and this article seems like a very nice place to start. Think GDPR, but from a Californian point of view. You must comply if your company serves California residents and has at least $25 million in revenue, or personal data on at least 50,000 people, or if you sell personal information.

Why Microsoft’s BlueKeep bug hasn’t wreaked havoc yet

Although it seems certain that it's already being used in a very targeted fashion, no one has come out and created a full-on worm yet. With ~800,000 vulnerable machines still out there though, it's something to fear. It seems to be tough to exploit, mostly because of ASLR (address space layout randomization, a built-in protection against exploits), but it sounds like it's only a matter of time before that gets bypassed by malicious groups.

Winnti: attacking the heart of the German industry

This is a nice long read on Winnti, a (presumably) Chinese hacker group that focuses on German businesses.

1Password: awesome UX and support

If you're not using a password manager yet, please start using one.
And if you are, but it's not 1Password, I'd recommend taking a look at what they offer. I've moved over to them because the UX is just so much better than where I came from. Despite my fears, the entire migration took less than 10 minutes and worked flawlessly.