Issue 143

Hey everyone!

I'm still enjoying my vacation, but did manage to keep up with security news this week :-) Enjoy!

Breaches and leaks

  • Ransomware disrupts 22 Texas government departments: link.
  • Adoption agency exposed children's medical data: link.
  • MoviePass exposed thousands of unencrypted customer card numbers: link.
  • Adult website Luscious exposed personal data of 1 million users: link.
  • Supermarket chain Hy-Vee had its point-of-sale systems breached: link.
  • ECB shuts down one of its websites after hacker attack: link.

Backdoor code found in 11 Ruby libraries

The most notable is the rest-client gem. The author had reused an old password on his RubyGems account, and the account was hijacked. He takes full responsibility in this Hacker News thread. The other libraries are copies of existing gems with malicious code inserted.

Second Steam zero day impacts over 96 million Windows users

After being banned from Valve’s bug bounty program for disclosing last week’s vulnerability, the researcher now disclosed a second one. It sounds like Valve has some explaining to do.

Apple, Google, and Mozilla block Kazakhstan's HTTPS intercepting certificate

Recently millions of Kazakh citizens were forced to install a government root certificate, which was used to intercept and monitor web traffic. The interception has since stopped, but the certificate is still installed on all those devices. Blocking it in the browsers stops it from silently being used again later.

Multiple HTTP/2 DoS flaws found by Netflix

Netflix researchers identified a whole list of DoS vulnerabilities in various HTTP/2 implementations. It's an interesting read, and it sounds like it'll be a challenge to get all of them fixed.

Backdoor found in Webmin, admin utility for Linux and Unix

What was initially reported as a critical zero-day in the administration tool turned out to be a backdoor planted about a year ago. If you use Webmin, you'll want to make sure you're updated.

Google wants to reduce lifespan for HTTPS certificates to one year

The current maximum lifetime is two years, which Google wants to shorten to one year. This could be beneficial in making certificate revocation a bit more effective, but it can also be argued that it's a burden on CA customers. No vote or decision has been made yet.

Intel, IBM, Google, Microsoft & others create 'confidential computing' industry group

It will focus on improving the adoption of 'trusted execution environments' (TEEs), also known as secure enclaves. These enclaves are private regions of memory, isolated by the CPU, which only the specific application that owns them can access, and which are protected from access by other software running on the same system.

Yubico launches key with both USB-C and Lightning connector

This isn't a sponsorship message, I'm just excited by this and look forward to trying it out :-)

NIST report on IoT security open for comments

NIST is drawing up a list of security features that IoT vendors might want to adopt, and the draft is now open for comments. You can find the report itself here (pdf).

Relying on bug bounties 'not appropriate risk management'

When Katie Moussouris talks bug bounties, one tends to pay attention. She ran the Hack the Army and Hack the Pentagon programs. She warns about the costs of paying bounties for 'low hanging fruit' that you should be detecting yourself, and says that you had better have a solid vulnerability disclosure and remediation process in place first.

1Password: awesome UX and support

If you're not using a password manager yet, please start using one.
And if you are, but it's not 1Password, I'd recommend taking a look at what they offer. I've moved over to them because the UX is just so much better than where I came from. Despite my fears, the entire migration took less than 10 minutes and worked flawlessly.