Issue 145

Breaches and leaks

  • The XKCD forum was breached, exposing emails and passwords: link.
  • The Twitter account of Jack Dorsey (Twitter's CEO) was hijacked: link.
  • Segment issued a breach notification. One of their employee's accounts was compromised: link.
  • Some of Russia's surveillance equipment has been leaking data: link.

A huge database of Facebook users’ phone numbers found online

This got enough attention to warrant a separate item. Researchers found an unsecured server containing over 419 million records, each pairing a user's Facebook ID with their phone number. It's probably not an actual breach, but rather the result of large-scale scraping. It's unknown who owned the database.

Security issues in SuperMicro controllers

Researchers found several issues in SuperMicro baseboard management controllers, or BMCs for short. These controllers give admins remote access to their servers, including the ability to mount virtual USB devices to install a new OS and to send keyboard input. Unfortunately these BMCs aren't as secure as they should be.
It's also not just an internal network problem, since over 47,000 BMCs were found exposed on the Internet.

Scammers deepfake CEO’s voice to trick employee into $243,000 transfer

I found this important enough to highlight it separately from the breaches section. The ability to fully fake a voice and/or a video image will make phishing and BEC scams much harder to combat than they already are.

Facebook loses control of key used to sign Android app

Facebook again. The key that Facebook used to sign the Free Basics by Facebook app has shown up in unofficial repositories, signing non-Facebook apps.

Microsoft Edge will retire Flash by end of 2020

Since the new Edge uses Chromium under the hood, Microsoft decided to follow Google's roadmap for deprecating Flash. It will initially be disabled by default, with the user having to re-enable it on a site-by-site basis, after which it will be completely removed by the end of 2020.

Zerodium offers $2.5 million for Android zero-days

It's the first time that they offer more for an Android zero-day than an iOS one, where the top price paid is now $1 million. Zerodium says it's a reflection of "market trends".

A look inside the highly profitable Sodinokibi ransomware business

An interesting article on the new Sodinokibi ransomware, showing how it's marketed to potential customers and giving an indication of what kind of earnings it generates.

IoT botnet creator pleads guilty to hacking more than 800,000 devices

The 21-year-old, together with two others, captured over 800,000 devices in their botnets and created a DDoS-for-hire service. He even created a new botnet while on supervised release last year, and organised a swatting attack on his co-conspirator. He faces a maximum penalty of 10 years in prison and $250,000 in fines, although his sentence will probably be on the lower end of that.

Six hackers have now earned over $1 million from bug bounty programs

It's no doubt a competitive market, but it sounds like some are doing very well. Interesting to see this space develop.

US Cyber Command strikes at Iran

US Cyber Command deleted a database that Iran reportedly used to plan attacks in the Persian Gulf. The two sides have been throwing punches back and forth for a while now, both in cyberspace and in the real world.

NATO cyber-operations center will be leaning on its members for offensive hacks

The article discusses the current status of NATO's Cyberspace Operations Centre. It sounds like it's still in the early stages, especially when it comes to offensive capabilities.
1Password for Teams and Business

As always I'm extremely grateful to 1Password for supporting the newsletter. If you have passwords or secure notes to share with your colleagues, I highly recommend you give them a try.