Personal note - jobs section
Alright, after some back and forth I've decided on accepting jobs into the newsletter. Pricing is always tricky, but I've settled on €100 per job posting per issue, and each job stays on the website for 60 days.
Responses are still sparse on the supply side, so we'll just take it as it comes. If your company is looking for security-minded people, then this is your chance to reach about ~6000 of them :-)
Breaches and leaks
- Louisiana declared a state of emergency this week, because of a large wave of ransomware attacks on school systems: link.
- Comodo leaked credentials of one of its employee accounts in a Github repo. A researcher was able to log into their Microsoft Cloud account, which didn't have 2fa enabled. A spammer was there before him: link.
- A North Carolina county lost $1.7 million to phishers who posed as a construction contractor working on a new high school: link.
- An electricity supplier from Johannesburg was infected with ransomware, affecting the electricity supply of an estimated 250.000 people: link.
- Honda had an unsecured Elasticsearch database containing information on all of its internal devices: link.
This made a lot of headlines this week. A hacker, who has since been arrested, gained access to credit card applications of more than 100 million people. It's unclear if she just discovered an open s3 bucket, or if the hack was more sophisticated than that, I saw different articles saying different things. It also seems that she was caught because she uploaded the full archive to her Github account, which isn't exactly stealthy. More to come on this later I bet.
Researchers have uncovered a number of critical flaws, including six remote code execution issues, in VxWorks. It's an OS that's used on an extremely wide range of devices, like routers, firewalls VoIP phones, but also SCADA systems, MRI machines and elevators. Patching against these is going to take forever. The article above is a good overview, this article takes a deeper dive.
If you haven't installed iOS 12.4 yet, you probably want to get on that. Google Zero researchers discovered issues in iMessage which can lead to remote code execution just by receiving a message. Kudos too for responsibly reporting them, because these are worth a lot on the "gray" market.
Apparently, when you see a company sell something to the US government that has a critical security flaw, you can bring it to court. That's what a former Cisco contractor did, and they received $1.8 million for their troubles. It concerned a video surveillance system that had glaring flaws which went unfixed for too long.
This week saw the third anniversary of the No More Ransom project, an initiative of law enforcement agencies and private parties to write decryptors for ransomware strains. It's hard to estimate, but a conservative count puts them at helping over 200.000 victims. Pretty freakin' awesome.
Good news for Marcus, aka 'MalwareTech', of WannaCry-stopping fame. He was arrested in 2017 for creating the Kronos and UPAS malware strains. The judge described him as a "youthful offender", and recognised that he has since used his talents to turn himself around and actually fight cybercrime.
Apparently Amazon Music was caught in a similar situation as Zoom, where their app exposed a local webserver. It was reachable through a domain that mapped to localhost. One problem was that the private key for the TLS certificate was recoverable from the local binary. This post does a great job on explaining how you can do that.