Breaches and leaks
- Wikipedia suffered downtime due to a large DDoS attack.
- A Toyota Group subsidiary has lost $37 million in a BEC scam.
- DK-Lok, a South Korean industrial manufacturer, has an unsecured e-mail platform, with internal and external e-mails being readable by everyone. The company has so far ignored disclosure.
- An unsecured database containing 198 million records exposed personal details of prospective car buyers.
- An exposed database was found with 17 million e-mails, which turned out to be used in a criminal network to defraud Groupon, Ticketmaster and other sites.
Aside from the sheer absurdity of giving your attack the same name as a hugely popular networking tool, this is quite an interesting issue.
Intel processors have a shared cache that network devices can directly access. Researchers were able to leverage this access to listen in on an ongoing SSH session between the Intel server and another device.
I'm not sure how practical it is in the real world, but it's a nice bit of research, and the first network-based CPU side-channel attack. Intel acknowledged the problem and awarded a bounty.
If you run Exim servers, used for mail routing, you had better patch up. No exploitation has been observed yet, but with 5 million exposed Exim servers that will only be a matter of time.
The much-feared RDP vulnerability now has a module in Metasploit. It will determine whether or not a target is vulnerable, but requires some manual work and proper knowledge for actual exploitation.
Avast researchers probed 4 million accounts of the GPS tracker manufacturer, and found 600,000 of them still using the default '123456' password. They point out that not only is this horrible for the customers, but also for the company itself, as the default accounts are automatically created during manufacturing. Any competitor can log in to them, change the password, and effectively lock out future buyers.
Very interesting. It seems that they intend to launch an organisation called the "Cyber Peace Institute". It will investigate and share analytical information on large-scale attacks against civilian targets, assess damages and assist where possible.
With deepfakes set to become a real problem, Facebook, Microsoft and other partners have launched the Deepfake Detection Challenge (DFDC). It will include a data set and a leaderboard, and offer grants to produce technology that can prevent and detect deepfakes.
Great initiative. It's an arms race that I doubt we'll ever "win", but we'll surely lose if we don't fight.
Current US privacy laws are a patchwork of regulations, differing by state and industry. In an open letter, the CEOs ask Congress for one unified privacy regulation, essentially like the GDPR.