Issue 147

Personal note - possible new project

I have often bounced ideas off you, and this is another one of those moments where I can use your input. I'm thinking of building an issue tracker that's made specifically to track and triage security issues. Think Jira, but much more focused. It would:

  • Pull in the list of issues/CVE's from your vulnerability scanners.
  • Provide data about each CVE to help the triaging process . Like descriptions and cvss scores, but also whether your OS has fixed it, any blogposts with more details on the issue, things like that.
  • Allow you to manage whitelisting in the tracker itself so it's not scanner dependant.
  • Generate documentation on each CVE: its information, assets affected, actions taken, for compliance and internal record keeping.

Have you ever been in a spot where this would have made your life better?
If so, I’d be very grateful for a reply with any thoughts you have. I only have my own perspective right now, and I could really use others.

Breaches and leaks

  • Millions of Lion Air passenger records exposed and exchanged on forums: link.
  • Medical images and details of 24.3 million patients left exposed on the Internet: link.
  • Data of 24.3 million Lumin PDF users shared on hacking forum: link.

Database leaks data on most of Ecuador's citizens

This feels like it deserves its own item. An unsecured database was found containing very detailed information on pretty much all the people of Ecuador. It included data on children, family trees, financials, and much more. The data came from the government and from private sources, but it belonged to some analytics company.

Critical bug in Harbor container registry gives admin access

If you run Harbor, make sure you update fast. Anyone can make a call to the /api/users to create a user for themselves with full admin permissions.

Simjacker attack exploited in the wild to track users for at least two years

There's apparently an old set of instructions and applications installed directly on SIM cards, that can be abused by having an attacker send an SMS to get a reply with the target's location. The legacy technology is still active in at least 30 countries. The researchers found that it's actively being exploited. Very interesting read.

LastPass fixes bug that leaks credentials

Good ol' Tavis Ormandy, from Google's Project Zero, found a bug in LastPass that allows a malicious site to capture cached credentials that were used in the previous site you visited. It's not straight forward to exploit, from the sounds of it, but definitely a great find. LastPass extensions for Chrome and Opera were impacted, and have since been updated and fixed.

GitHub security alerts now support PHP projects and becomes CVE numbering authority

Two bits of cool Github news. If your project uses Composer, you can start using Github now to get security alerts for your dependencies. Also, Github has received certification as a CVE numbering authority, which means it will be able to assign CVE numbers on its own. It's only valid for open source projects though, but does mean that project owners can request a CVE for an issue from Github itself instead of through MITRE.

Google discloses vulnerability in Chrome OS 'built-in security key' feature

If you have a Chromebook you have the option to use it as a hardware security token, kind of like a Yubikey. But Google found an issue with the hardware related to that feature that can cause an attacker to obtain your private key. If you use it, you probably want to patch it.

iPhone lockscreen bypass: iOS 13 tricked into showing your contacts

Security researcher José Rodríguez, from many previous lockscreen bypasses fame, strikes again. If someone has physical access to your phone, it can be tricked into disclosing your contacts. It was found in the beta of iOS 13.
It's not a horrible issue, but what does suck is that Apple doesn't seem to want to pay out any kind of bug bounty. Not even the $1 gift card José asked for as a trophy. C'mon Apple. You can do better.

The Air Force will let hackers try to hijack an orbiting satellite

Well that is just plain cool. The end goal of the hacking contest is to take over a satellite, either through the ground station or directly with an emitter, and point its camera from the Earth to the moon. "A literal moon shot". Beautiful.

Seven Docker security vulnerabilities and threats

Nicely detailed list of some things to keep in mind for your Docker infrastructure.


1Password adds Advanced Protection to business accounts

If you have a business account, you'll want to check this out. They've added the ability to manage company-wide master password rules and 2fa settings, and prevent the usage of outdated 1Password versions. You can also block logins from certain countries or IP's, and get reports on failed login attempts.