Issue 14

Meet Securitybot: open sourcing automated security at scale

To follow up on internal security events, Dropbox created and open sourced a Slackbot. When someone uses sudo, for example, it asks whether you were the one executing the command. The responses are protected with 2FA.

dropbox.com

Google releases E2EMail plugin to open source community

Google's E2EMail project is meant as a user-friendly way of using PGP through Gmail. Work has stalled though, and Google is now handing it over to the open-source community.

csoonline.com

Slack only took five hours to fix bug that could have allowed hackers to hijack your account

A security researcher reported a vulnerability to Slack on a Friday afternoon. Slack responded within 33 minutes and fixed the problem within 5 hours. The researcher received a $3,000 bug bounty. Kudos, Slack.

grahamcluley.com

Robots rife with cybersecurity holes

IOActive Labs has researched 10 robots for home, industrial, or service use, and found them sorely lacking in security. They leave the door open to being used as a platform to launch other attacks from, or even to causing physical damage. Their full report can be found here.

threatpost.com

Google tells world how to crash Microsoft Internet Explorer and Edge browsers

Google is at it again. Their Project Zero disclosed an exploit that can crash IE11 and Edge, and Microsoft currently has no fix available.

grahamcluley.com

Financial firms in New York face new regulations on cybersecurity

A set of rules has been enacted for NY financial and insurance companies, requiring the appointment of a CISO (Chief Information Security Officer) and making data breach disclosure, encryption, and two-factor authentication mandatory, among other things.

out-law.com

Data breach at Internet-connected teddy bear company

CloudPets is a company that makes stuffed toys that you can connect to and record voice messages on. Their unsecured MongoDB database was extracted, including 800,000 user credentials and 2 million voice recordings, many of them made by children.

cyberscoop.com

Many unexpectedly signed out of their Google accounts

A lot of people were signed out of their Google accounts this week. The reason is still unknown, but Google assures that it had nothing to do with security being compromised.

hackread.com

Attacks on MySQL databases for ransom

After the MongoDB ransomware attacks, researchers are now seeing attacks targeting MySQL installations with weak passwords. The attackers extract and delete the database, and leave behind a note demanding payment.

helpnetsecurity.com

"Proof Mode" for your smartphone camera

Not security per se, but I found it interesting nonetheless. To combat images being labeled as 'fake news', the project tries to establish validity by signing photos with an OpenPGP key and folding all sensor data into a SHA-256 hash. Not sure how strong of a proof it is, but an interesting train of thought.

schneier.com

mubix/osx-wificleaner: Cleans out "open" wireless connections from OSX machine

A nice little tool that cleans out all saved unsecured Wi-Fi hotspots from your Mac. It also links to a Windows-based sister project.

github.com

On a personal note: fewer words

In the last few issues I think I had a tendency to write too much, trying to summarise each entire article. That might make the newsletter harder to read, so I have dialed it down a notch. If you have feedback on this either way, you are welcome to reply.

Thanks for reading!

Dieter Van der Stock