To follow up on internal security events, Dropbox created and open sourced a Slackbot. When someone runs sudo, for example, it asks that person whether they were the one executing it. The responses are protected with 2FA.
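To make the flow concrete, here is an added example (written for this issue, not code from the Dropbox project) of the three pieces such a bot needs: pulling sudo events out of syslog-style auth log lines, turning each one into a question for the user, and checking that the reply is backed by a second factor. The newsletter does not say which 2FA mechanism Dropbox uses; the example assumes an RFC 6238 TOTP code, and the log lines, host names, users and secrets are constructed.

```python
import hashlib
import hmac
import re
import struct

# Constructed sample auth.log excerpt (hypothetical hosts, users and commands).
SAMPLE_AUTH_LOG = """\
Mar  1 09:14:02 build01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  1 09:14:05 build01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  1 09:15:40 build01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Matches the standard sudo syslog line; other log formats need their own pattern.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(log_text):
    """Extract one dict per sudo invocation; non-sudo lines are ignored."""
    return [m.groupdict() for m in map(SUDO_RE.match, log_text.splitlines()) if m]


def build_question(event):
    """The message the bot would send to the user who (apparently) ran sudo."""
    return (f"Hi {event['user']}, did you run `{event['cmd']}` as {event['target']} "
            f"on {event['host']} at {event['ts']}? Reply with your 2FA code to confirm.")


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (the default most authenticator apps use)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_code(secret, submitted, unix_time, step=30, window=1):
    """Accept the current code or one step either side, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * step, step), submitted)
        for drift in range(-window, window + 1)
    )


def triage(log_text, secrets, responses, unix_time):
    """Pair each sudo event with the user's reply and return a verdict per event.

    secrets:   user -> TOTP secret bytes (would come from the 2FA enrolment store)
    responses: user -> code the user replied with (missing = no answer yet)
    """
    verdicts = []
    for event in parse_sudo_events(log_text):
        user = event["user"]
        code = responses.get(user)
        if code is None:
            verdict = "unanswered"  # escalate to the security team after a timeout
        elif user in secrets and verify_code(secrets[user], code, unix_time):
            verdict = "confirmed"
        else:
            verdict = "rejected"  # wrong 2FA code: treat as possible account compromise
        verdicts.append({"user": user, "cmd": event["cmd"], "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    now = 1_488_358_800  # constructed timestamp
    secrets = {"alice": b"12345678901234567890", "bob": b"abcdefghijklmnopqrst"}
    responses = {"alice": totp(secrets["alice"], now)}  # bob has not replied
    for event in parse_sudo_events(SAMPLE_AUTH_LOG):
        print(build_question(event))
    for verdict in triage(SAMPLE_AUTH_LOG, secrets, responses, now):
        print(verdict)
```

The point of the second factor is that a "yes, that was me" typed into Slack by whoever holds the victim's session is worthless on its own; requiring a code from a separate enrolled device is what lets a rejected or unanswered prompt be treated as a real signal rather than noise.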
Google's e2email project is meant as a user-friendly way of using PGP through Gmail. Work has stalled, though, and Google is now handing it over to the open-source community.
A security researcher reported a vulnerability to Slack on a Friday afternoon. They responded within 33 minutes and fixed the problem in 5 hours. The researcher got a $3,000 bug bounty. Kudos, Slack.
IOActive Labs has researched 10 robots for home, industrial or service use, and found them sorely lacking in security. They leave the door open to being used as a platform to launch other attacks from, or even to causing physical damage. Their full report can be found here.
Google is at it again. Their Project Zero disclosed an exploit that can crash IE11 and Edge, with no fix currently available from Microsoft.
A set of rules has been enacted for NY financial and insurance companies, requiring the appointment of a CISO (Chief Information Security Officer), making data breach disclosure, encryption and two-factor authentication mandatory, and more.
CloudPets is a company that makes stuffed toys that you can connect to and record voice messages on. Their unsecured MongoDB database was extracted, including 800,000 user credentials and 2 million voice recordings, many of them made by children.
A lot of people were signed out of their Google accounts this week. The reason is still unknown, but Google assures that it had nothing to do with security being compromised.
After the MongoDB ransomware attacks, researchers are now seeing attacks targeting MySQL installations using weak passwords. The attackers extract and delete the database, and leave behind a note demanding payment.
Not security per se, but I found it interesting nonetheless. To combat images being labeled as 'fake news', they try to establish validity by signing photos with an OpenPGP key and folding all sensor data into a SHA-256 hash. Not sure how strong a proof it is, but it is an interesting train of thought.
A nice little tool that cleans out all saved unsecured Wi-Fi hotspots from your Mac. It links to a Windows-based sister project too.
On a personal note: fewer words
In the last few issues I think I had a tendency to write too much, trying to summarise the entire article. This might make the newsletter harder to read, so I have dialed it down a notch. If you have feedback on this either way, you are welcome to reply.
Thanks for reading!
Dieter Van der Stock