Not much to say this week, and I'm running behind on schedule today so, euhm, enjoy! :-)
Breaches and leaks
- DC Police confirms cyberattack after ransomware gang leaks data. The breached data includes information on police informants. Because sure, let's put those on a networked computer. link.
- DigitalOcean data breach exposes customer billing information: link.
- Experian API exposed credit scores of most Americans: link.
- Codecov starts notifying customers affected by supply-chain attack: link.
- Your stolen ParkMobile data is now free for wannabe scammers: link.
- Reverb discloses data breach exposing musicians' personal info: link.
- Paleohacks data leak exposes customer records and password reset tokens: link.
- Filipino solicitor-general's office breached, leaked legal cases and passwords: link.
- Ransomware gang leaks court and prisoner files from Illinois Attorney General Office: link.
Apple has fixed a zero-day in macOS which is being exploited in the wild. Time to install those patches.
Pretty neat, you can now use HIBP to see if Emotet affected you.
There are notification rules for certain sectors and/or states, but none at the federal level covering all US critical infrastructure. It's interesting as well that this new ruleset might include some level of immunity as an incentive to report incidents. Reports would also go through one centralised agency that collects all reported incidents.
We all know how likely it is that these get patched :/
The 2020 MITRE ATT&CK vendor evaluation results have been released! This is the first time the evaluation has focused on financially motivated criminal groups, in this case Carbanak and FIN7, which heavily target retail and financial services industries. Uptycs was among 30 vendor participants in this round and this blog breaks down the simulation and evaluation process. (Sponsored)
GitHub has asked the infosec community to provide feedback on a series of proposed changes to the site's policies that dictate how its employees will deal with malware and exploit code uploaded to its platform.
Lots and lots of work left in this space, my goodness.
Short essay by Bruce Schneier on the implications of AI in general, and on AI hacking networks, tax rules, anything really.
1Password is opening up a feature where you can store secrets like API tokens and private certificates, and use them directly in your infrastructure through a private REST API provided by a 1Password Connect server. Worth checking out. (Sponsored)
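To make the Connect workflow concrete, here is a small client added as an example (it is not 1Password's code, and the endpoint shape, header name and item JSON layout are assumptions based on how a bearer-token REST secret store typically looks; check them against the Connect API documentation). It builds the item URL, pulls one item over HTTPS with a bearer token, extracts only the concealed fields you ask for, and hands them to a child process through its environment rather than argv, so the values never appear in `ps` output or shell history. The `SAMPLE_ITEM` is a constructed stand-in for a Connect response so the parsing runs offline.

```python
"""Fetch secrets from a 1Password Connect server and pass them to a process.

Added example, not 1Password's code. Assumed (verify against the docs):
  - the Connect server is reachable at OP_CONNECT_HOST,
  - it authenticates with an `Authorization: Bearer <token>` header,
  - GET /v1/vaults/{vault_uuid}/items/{item_uuid} returns JSON with a
    "fields" list whose entries carry "label", "type" and "value",
  - secret fields have type "CONCEALED".
"""
import json
import os
import subprocess
import sys
import urllib.request
from typing import Dict, Optional


def item_url(host: str, vault_uuid: str, item_uuid: str) -> str:
    """Build the item endpoint URL (assumed path layout, see module docstring)."""
    return f"{host.rstrip('/')}/v1/vaults/{vault_uuid}/items/{item_uuid}"


def fetch_item(host: str, token: str, vault_uuid: str, item_uuid: str,
               timeout: float = 5.0) -> dict:
    """GET one item from the Connect server. Only call this over HTTPS:
    the bearer token authorises every read in the vaults it is scoped to."""
    req = urllib.request.Request(
        item_url(host, vault_uuid, item_uuid),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def field_value(item: dict, label: str,
                concealed_only: bool = True) -> Optional[str]:
    """Return the value of the field with this label, or None if absent.
    By default only CONCEALED fields count, so a plain-text note with the
    same label cannot be mistaken for the secret."""
    for field in item.get("fields", []):
        if field.get("label") != label:
            continue
        if concealed_only and field.get("type") != "CONCEALED":
            continue
        return field.get("value")
    return None


def secret_env(item: dict, mapping: Dict[str, str]) -> Dict[str, str]:
    """Map field labels to environment variable names.
    A missing field raises so a deploy fails loudly instead of running
    with an empty credential. Values are never logged here."""
    env: Dict[str, str] = {}
    for label, var in mapping.items():
        value = field_value(item, label)
        if value is None:
            raise KeyError(f"item {item.get('id')!r} has no concealed field {label!r}")
        env[var] = value
    return env


def run_with_secrets(argv: list, secrets: Dict[str, str]) -> int:
    """Run argv with the secrets merged into its environment only.
    Passing them via env (not argv) keeps them out of `ps` and shell history."""
    return subprocess.call(argv, env={**os.environ, **secrets})


# Constructed sample of what an item response is assumed to look like.
SAMPLE_ITEM = {
    "id": "itemuuid000000000000000000",
    "title": "Deploy API credential",
    "vault": {"id": "vaultuuid00000000000000000"},
    "category": "API_CREDENTIAL",
    "fields": [
        {"id": "f1", "type": "STRING", "label": "username", "value": "deploy-bot"},
        {"id": "f2", "type": "CONCEALED", "label": "credential",
         "value": "example-token-not-real"},
    ],
}


if __name__ == "__main__":
    host = os.environ.get("OP_CONNECT_HOST")
    token = os.environ.get("OP_CONNECT_TOKEN")
    if host and token and len(sys.argv) > 3:
        # Usage: script.py VAULT_UUID ITEM_UUID cmd [args...]
        item = fetch_item(host, token, sys.argv[1], sys.argv[2])
        sys.exit(run_with_secrets(sys.argv[3:], secret_env(item, {"credential": "API_TOKEN"})))
    # Offline demonstration on the constructed sample.
    print(secret_env(SAMPLE_ITEM, {"credential": "API_TOKEN"}).keys())
```

Two things worth checking before wiring this into a pipeline: scope the Connect token to the single vault the job needs, since anyone holding it can read everything that vault exposes, and keep the Connect server itself reachable only from the hosts that should be calling it, because the bearer token is the only thing standing between a stolen token and your infrastructure credentials.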