News
Hi everyone,
Not much to say this week, and I'm running behind on schedule today so, euhm, enjoy! :-)
Breaches and leaks
- DC Police confirms cyberattack after ransomware gang leaks data. The breached data includes information on police informants. Because sure, let's put those on a networked computer. link.
- DigitalOcean data breach exposes customer billing information: link.
- Experian API exposed credit scores of most Americans: link.
- Codecov starts notifying customers affected by supply-chain attack: link.
- Your stolen ParkMobile data is now free for wannabe scammers: link.
- Reverb discloses data breach exposing musicians' personal info: link.
- Paleohacks data leak exposes customer records and password reset tokens: link.
- Filipino solicitor-general's office breached, leaked legal cases and passwords: link.
- Ransomware gang leaks court and prisoner files from Illinois Attorney General Office: link.
Apple fixes macOS zero-day bug exploited by Shlayer malware
Apple has fixed a zero-day in macOS which is being exploited in the wild. Time to install those patches.
FBI shares 4 million email addresses used by Emotet with Have I Been Pwned
Pretty neat, you can now use HIBP to see if Emotet affected you.
Lawmakers start a push for new breach notification rules after SolarWinds attack
There are notification rules for certain sectors and/or states, but not on a federal level for all critical US infrastructure. It's interesting as well that this new ruleset might contain some level of immunity to create an incentive to report incidents. It would also run through one centralised agency that collects all reported incidents.
Microsoft finds critical code execution bugs in IoT devices and industrial systems
We all know how likely it is that these get patched :/
Going on the ATT&CK versus FIN7 and Carbanak
The 2020 MITRE ATT&CK vendor evaluation results have been released! This is the first time the evaluation has focused on financially motivated criminal groups, in this case Carbanak and FIN7, which heavily target retail and financial services industries. Uptycs was among 30 vendor participants in this round and this blog breaks down the simulation and evaluation process. (Sponsored)
GitHub to review its exploit-hosting policy in light of recent scandal
GitHub has asked the infosec community to provide feedback on a series of proposed changes to the site's policies that dictate how its employees will deal with malware and exploit code uploaded to its platform.
Experian’s credit freeze security is still a joke
Lots and lots of work left in this space, my goodness.
When AIs start hacking
Short essay by Bruce Schneier on the implications of AI in general, and on AI hacking networks, tax rules, anything really.
1Password for infrastructure secrets
1Password is opening up a feature where you can store secrets like API tokens and private certificates, and use them directly in your infrastructure through a private REST API provided by a 1Password Connect server. Worth checking out. (Sponsored)