Personal note - jobs section
I got a lot of feedback on my question from last week on whether I should add a jobs section, and all of it was positive. Thanks for that!
There aren't many companies yet though who want to actually post jobs, and we can't have demand without supply. So if you want to share security-related positions with a wide range of interested people, let me know!
Breaches and leaks
- Half of the Bulgarian data that was reported stolen last week is now in the open. It was shared with reporters and password protected, but was leaked to hacker forums and cracked: link.
- Sytech, a contractor for the Russian intelligence service, was hacked. Information on various intelligence projects was leaked, including Tor deanonymization, social media monitoring, and much more: link.
- The Robinhood trading app disclosed that passwords were being logged in plaintext. They aren't resetting passwords themselves, but are asking users to do so: link.
- The London Metropolitan Police had their Twitter account hijacked: link.
- iNSYNQ, a Quickbooks Cloud hosting firm, fell victim to a ransomware attack: link.
Can I get a "woop woop". Erm. More seriously: next to the fine they also have to adopt an extensive privacy and compliance framework, dictated and monitored by the FTC. They'll have to report every incident that affects the data of more than 500 users, never use phone numbers obtained for security features in advertising, obtain clear opt-in for facial recognition technology, and much more. The FTC's own press release can be read here. Hacker News discussion with pros and cons here.
That seemed like a big number before I read the Facebook headline. Still though, let's hope it makes a dent. About $380 million will go towards restitution for those impacted; the rest will go to fines paid to various states and agencies. This post explains how you can file your claim.
There were a lot of panicked headlines about a highly critical VLC vulnerability. So just so y'all know: everything is fine. The bug reporter used an old OS version with a vulnerable third-party library, and neither the media nor the CVE-issuing parties contacted VLC before going public. The VLC maintainers are not amused, and rightfully so.
Slack was breached in 2015, when someone gained access to their infrastructure and inserted code to capture plaintext passwords as people were logging in. Back then they reset passwords for everyone they thought was affected. This week they went a step further and reset passwords for all users who had a Slack account at the time, unless they had changed their password since then or were using SSO.
A number of browser extensions, including SpeakIt and Hover Zoom, were found to collect browsing history and share it with a data analytics company called Nacho Analytics. That gave access to a wide range of personal data and private links. It's a long and scary read.
They've started to force citizens to install the government's own root certificate, so they can man-in-the-middle all HTTPS traffic. Right now the interception seems to focus on social media and messaging services. Officials say it's "aimed at enhancing the protection of citizens". Sure.
Where the NSA was previously focused mostly on offensive capabilities, this new division, called the Cybersecurity Directorate, will focus on defending the US against foreign cyber threats. It will become operational on October 1st.
I never read up on the CCPA until now, and this article seems like a very nice place to start. Think GDPR, but from a Californian point of view. You must comply if your company serves California residents and has at least $25 million in revenue, or holds personal data on at least 50,000 people, or sells personal information.
Although it seems certain that it's already being used in a very targeted fashion, no one has come out and created a full-on worm yet. With ~800,000 vulnerable machines still out there though, it's something to fear. It seems to be tough to exploit reliably, mostly because of ASLR (address space layout randomization, a built-in protection that makes memory addresses unpredictable to an attacker), but it sounds like it's only a matter of time before that gets bypassed by malicious groups.
This is a nice long read on Winnti, a (presumably) Chinese hacker group that focuses on German businesses.