I'm still enjoying my vacation, but did manage to keep up with security news this week :-) Enjoy!
Breaches and leaks
- Ransomware disrupts 22 Texas government departments.
- Adoption agency exposed children's medical data.
- MoviePass exposed thousands of unencrypted customer card numbers.
- Adult website Luscious exposed personal data of 1 million users.
- Supermarket chain Hy-Vee had its point-of-sale systems breached.
- ECB shuts down one of its websites after hacker attack.
The most notable is the rest-client gem. The author had reused an old password on his RubyGems account, and it was hijacked. He takes full responsibility in this Hacker News thread. The other libraries are duplicates of existing ones with malicious code inserted.
After being banned from Valve's bug bounty program for disclosing last week's vulnerability, the researcher has now disclosed a second one. It sounds like Valve has some explaining to do.
Recently, millions of Kazakh citizens were forced to install a government root certificate, which was used to monitor web activity. The interception of traffic has since stopped, but the certificate is still installed on all those devices. This move stops it from silently being used again later.
Netflix researchers identified a whole list of DoS vulnerabilities in various HTTP/2 implementations. It's an interesting read, and it sounds like it'll be a challenge to get all of them fixed.
What was initially reported as a critical zero-day in the administration tool turned out to be a backdoor planted about a year ago. If you use Webmin, you'll want to make sure you're updated.
The current lifetime is two years, which Google would want to shorten to one year. This could be beneficial in making certificate revocation a bit more effective, but it can also be argued that it’s a burden on CA customers. No vote or decision has been made yet.
It will focus on improving the adoption of 'trusted execution environments' (TEEs), also known as secure enclaves. These enclaves are private regions in a CPU which only certain apps can access, and which are protected from access by other software running on the same system.
This isn't a sponsorship message, I'm just excited by this and look forward to trying it out :-)
NIST is drawing up a list of security features that IoT vendors might want to adopt, and the draft is now open for comments. You can find the report itself here (pdf).
When Katie Moussouris talks bug bounties, one tends to pay attention. She ran the Hack the Army and Hack the Pentagon programs. She warns about the costs of paying bounties for 'low hanging fruit' that you should be detecting yourself, and that you had better have a solid process for vulnerability disclosure and remediation first.