Issue 141

Personal note

There was -so much- interesting security news this week, probably related to the fact that Blackhat and DEFCON are all happening at the same time.
I've done my very best to be selective, but still ended up going over my usual limit of articles, I'm sorry :-) I hope you enjoy the result though!

Breaches and leaks

  • Monzo, the UK-based digital bank, had a big "whoops" moment when it discovered that it had customer PIN codes in its logs, exposing them to around 100 internal engineers. About 20% of customers are affected: link.
  • The Bank of Cardiff, based in California, exposed an s3 bucket with one million phone calls to customers: link.
  • StockX, a "fashion and sneaker trading platform" (that's a thing?) was breached. They've fumbled the disclosure process, but it seems that 6.8 million records were stolen with personal information: link.
  • CafePress, a t-shirt and merchandising site, had a breach that impacted 23 million users. Half of the passwords were hashed with the inadequate SHA-1: link.
  • State Farm Insurance suffered a credential stuffing attack. It's unclear how many customers were affected: link.

Kubernetes reports the results of its open-source security audit

The audit was scoped to the eight most-used components, and found 34 significant vulnerabilities and a lot to be improved. The worst have already been fixed in the latest versions; the report is worth checking out. Kudos to CNCF for doing this and being so transparent about it.

One misconfig (JIRA) to leak them all

In this blogpost a security researcher explains how he found exposed information on a ton of companies, including NASA and Google, through Jira, the issue tracker. It's a bit hard to read, but if you use Jira at your place it's probably a good idea to go through it and double check your own settings.

New Spectre variant, referred to as SWAPGS

It was reported by Bitdefender in August 2018, and is now being publicly disclosed. All major OS vendors have already released updates to mitigate the issue. While the disclosure says that it affects all modern CPUs, AMD says that they are not vulnerable to this variant.

New Dragonblood vulnerabilities found in WiFi WPA3 standard

Mathy Vanhoef (who discovered the KRACK attack) and Eyal Ronen have discovered flaws in the current WPA3 version. They were able to get the WiFi password twice, once through a flaw in the recommended key exchange algorithm, Brainpool, and once in the EAP-pwd authentication of FreeRADIUS devices. The discoveries might lead to a WPA 3.1.

AT&T employees took bribes to plant malware on the company's network

Fascinating story. The attackers first bribed employees to unlock phones, but then got employees to deploy malware on the AT&T infrastructure, meant to automate much of the unlocking process. One employee got over $400.000 in bribes.

Microsoft Lab offers $300.000 for Azure exploits

Microsoft announced at Black Hat that they are launching a separate cloud testing environment, dubbed Azure Security Lab, where researchers can wreak havoc without being afraid of impacting customers. There's a bounty of up to $300.000 for those who do. They are also upping their regular bug bounties, to $40.000 maximum.

Apple expands bug bounty to macOS, raises bug rewards

More bug bounty news: Apple has increased their maximum bounty to a whopping $1 million. Their program now also includes pretty much their entire OS range, is open to all researchers, and interestingly gives you a 50% bonus on your bounty if you discovered the issue in a pre-release build.

What we can learn from the Capital One hack

Brian Krebs tries to piece together what we know about the hack. It sounds like they had a WAF that was misconfigured, both in that it could redirect requests to inside the perimeter, and that it had read-all S3 permissions. I can't fully make it out yet though. The comments are an interesting read too.

What Capital One's cybersecurity team did (and did not) get right

Another one on Capital One, but I liked this article because it takes a step back from all the finger pointing, and instead describes what they did right, and how impossible it is, realistically, to prevent these issues in any company of that size.

Broadcom buys Symantec's enterprise security portfolio for $10.7 billion

Symantec is essentially being split in two, with its enterprise portfolio and brand name going to Broadcom. They will retain their consumer-facing products, like Norton Antivirus.

Critical RCE bug found in Avaya VoIP phones

The Avaya 9600 series, used by 90% of Fortune 100 companies, runs an old DHCP client which is vulnerable to remote code execution. The bug itself was reported in 2009, but until now it wasn't known that it affected these phones. Avaya released a fix which you'll want to implement if you use these.

How the Army’s cyber school is changing

Interesting read on how the US Army is trying to tackle training around the ever-changing field of cybersecurity. Must be a big challenge, no doubt.

Warshipping: hiding devices in packages to attack corporate networks

The attacks themselves aren't anything new, but it certainly is a delivery method I never thought about before, and nicely scalable: package deliveries. The researchers include a small 3G-equipped device in a package that they send to their target, track and control it remotely, and use it to attack the local WiFi network.

1Password for Teams and Business

As always I'm extremely grateful to 1Password for supporting the newsletter. If you have passwords or secure notes to share with your colleagues, I highly recommend you give them a try.