Issue 146

Breaches and leaks

  • Wikipedia suffered downtime due to a large DDoS attack: link.
  • A Toyota Group subsidiary has lost $37 million in a BEC scam: link.
  • DK-Lok, a South Korean industrial manufacturer, has an unsecured e-mail platform, with internal and external e-mails being readable by everyone. The company has so far ignored disclosure: link.
  • An unsecured database containing 198 million records exposed personal details of prospective car buyers: link.
  • An exposed database was found with 17 million e-mails, which turned out to be used in a criminal network to defraud Groupon, Ticketmaster and other sites: link.

NetCAT attack can leak sensitive data from Intel CPUs

Aside from the sheer absurdity of giving your attack the same name as a hugely popular networking tool, this is quite an interesting issue.
Intel processors have a shared cache that network devices can directly access. Researchers were able to leverage this access to listen in on an ongoing SSH session between the Intel server and another device.
I'm not sure how practical it is in the real world, but it's a nice bit of research, and the first network-based CPU side-channel attack. Intel acknowledged the problem and awarded a bounty.

Critical remote code execution flaw found in Exim

If you run Exim servers, used for mail routing, you had better patch up. No exploitation has been observed yet, but with 5 million exposed Exim servers that will only be a matter of time.

Metasploit releases exploit module for BlueKeep

The much-feared RDP vulnerability now has a module in Metasploit. It will determine whether or not a target is vulnerable, but requires some manual work and proper knowledge for actual exploitation.

Security researchers expose another instance of Chrome patch gapping

Not an easy thing to fix, no doubt, but good to be aware of. Patch gapping is making use of the delay between a patch being introduced in an open-source project and it being rolled out. Attackers can research the patch to discover the flaw, and exploit it before the patch makes it to production. To prove that it can be done, a researcher released exploit code for a security issue in Chrome's JavaScript engine.

600,000 GPS trackers left exposed online with a default password of '123456'

Avast researchers probed 4 million accounts of the GPS tracker manufacturer, and found 600,000 of them still using the default '123456' password. They point out that not only is this horrible for the customers, but also for the company itself, as the default accounts are automatically created during manufacturing. Any competitor can log in to them, change the password, and effectively lock out future buyers.

Microsoft, Hewlett Foundation preparing to launch nonprofit that calls out cyberattacks

Very interesting. It seems that they intend to launch an organisation called the "Cyber Peace Institute". It will investigate and share analytical information on large-scale attacks against civilian targets, assess damages and assist where possible.

Facebook and Microsoft launch $10m deepfake detection contest

With deepfakes set to become a real problem, Facebook, Microsoft and other partners have launched the Deepfake Detection Challenge (DFDC). It will include a data set and a leaderboard, and offer grants to produce technology that can prevent and detect deepfakes.
Great initiative. It's an arms race that I doubt we'll ever "win", but we'll surely lose if we don't fight.

51 tech CEOs send open letter to Congress asking for a federal data privacy law

Current US privacy laws are a patchwork of regulations, differing by state and industry. In an open letter the CEOs ask Congress for one unified privacy regulation, essentially like the GDPR.

1Password: a password manager worth recommending

After using 1Password Teams for several years, I finally moved my personal password vault to them as well. The UX and support are an order of magnitude better than where I came from.