News
Hey friends!
I should have kept my mouth shut last week about the lack of breaches. After I sent out the newsletter a bunch of them popped up. Sorry for jinxing it ;-)
Apart from that there was plenty of security news to go through and curate; I hope you like the result. Thank you for reading, and as always, thanks to 1Password and SecAlerts for their support!
Cheers!
Breaches and leaks
- Shields Health, a medical imaging firm, was breached and leaked sensitive info on 2.3 million people: link.
- The Indian ICICI bank had a misconfigured DigitalOcean storage bucket exposing over 3 million sensitive records such as bank statements, resumes, passports and credit card numbers: link.
- The Canadian Yellow Pages group fell victim to ransomware: link.
- Several US universities and a bunch of other sites running MediaWiki and Twiki were breached: link.
- The American Bar Association (ABA) was breached, with older credentials of over 1.4 million members taken: link.
- Not a breach technically, but still interesting: European traffic control was under DDoS attack from a pro-Russian group. Flights were unaffected: link.
Google Authenticator now backs up your 2FA codes to the cloud
It is about effin time. You might, however, still want to be careful using this new feature, because it turns out that the sync data isn't encrypted before it gets sent to your Google account. Google says they will fix this in a future iteration: link.
Thousands of Apache Superset servers exposed to RCE attacks
Apache Superset is an open-source data visualization tool. Researchers found that it shipped with a default secret key, allowing attackers to forge session cookies. It sounds pretty trivial to exploit, so if you are running this, make sure to act accordingly.
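As an added example (not from the newsletter or the Superset project), here is a small defender-side check for the issue above: it looks for a weak or missing `SECRET_KEY` in a `superset_config.py` and then shows, with a simplified HMAC-signed session cookie, why the key matters and why rotating it invalidates sessions issued under the old one. The placeholder key list and the cookie format are constructed for illustration, not Superset's real implementation.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed list of values an operator would never want as SECRET_KEY.
# "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET" is assumed to be the upstream
# placeholder; check the release notes for the default your version shipped.
KNOWN_WEAK_KEYS = {
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "thisismysecretkey",  # constructed example of a guessable key
}

def extract_secret_key(config_text):
    """Return the SECRET_KEY string assigned in superset_config.py, or None."""
    m = re.search(r'^\s*SECRET_KEY\s*=\s*["\']([^"\']*)["\']', config_text, re.M)
    return m.group(1) if m else None

def audit_secret_key(config_text):
    """List findings; an empty list means no obvious weakness was spotted."""
    key = extract_secret_key(config_text)
    if key is None:
        return ["SECRET_KEY not set: the shipped default applies"]
    findings = []
    if key in KNOWN_WEAK_KEYS:
        findings.append("SECRET_KEY is a known placeholder/default")
    if len(key) < 32:
        findings.append("SECRET_KEY shorter than 32 characters")
    return findings

def sign_session(payload, key):
    """Simplified signed cookie: base64(json).hex(HMAC-SHA256 over body)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_session(cookie, key):
    """Return the payload if the cookie was signed under `key`, else None."""
    body, _, sig = cookie.rpartition(".")
    expected = hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

if __name__ == "__main__":
    weak_cfg = 'SECRET_KEY = "thisismysecretkey"\n'   # constructed config
    print(audit_secret_key(weak_cfg))
    cookie = sign_session({"user_id": 1}, "thisismysecretkey")
    print(verify_session(cookie, "thisismysecretkey"))  # accepted under old key
    print(verify_session(cookie, "rotated-key-example-0123456789abcdef"))  # None
```

Anyone who knows the shared default can produce a cookie that `verify_session` accepts, which is exactly why the fix is a unique random key per deployment; rotating it logs every existing session out, so plan for that.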
Secalerts: receive vulnerability alerts specific to your software stack by e-mail
SecAlerts matches vulnerabilities to your software. Choose the frequency and severity of the vulnerability alerts you wish to receive, even get news matched to your software, and it's all sent in one easy-to-understand email. (Sponsored)
New DDoS amplification vector found with factor 2,200x in SLP protocol
Service Location Protocol (SLP) is an old protocol meant for LAN communication, but many places expose it to the public internet. In an amplification attack, a small amount of traffic gets amplified by such an exposed service and sent towards the DDoS target. This new method has an amplification factor of 2200x, which can transform a tiny 29-byte request into a massive 65,000-byte response directed at the target. It's serious enough that CISA is reaching out proactively to the operators of exposed SLP services to warn them of the potential misuse.
VirusTotal now has an AI-powered malware analysis feature
I've always been extremely sceptical of "AI" in security products, mostly because it's usually been blatant marketing with nothing behind it. With the recent advances though, I'm starting to be intrigued. I still don't think it can ever triage incidents by itself, but it can sure help provide context. This is the latest example, where VirusTotal announced the launch of a new artificial intelligence-based code analysis feature named Code Insight. Will be interesting to see how this evolves.
Europe spins up algorithm research and investigation hub
The European Union has established the European Centre for Algorithmic Transparency (ECAT), a new agency that will investigate how large tech companies use algorithms on their platforms. Good.
Google report on App Store security measures taken in 2022
Google released a report on App Store security measures taken, which is always an interesting read. They blocked 1.43 million apps, banned 173,000 developer accounts, and halted $2 billion in fraudulent transactions. Must be quite the effort to stay on top of all of that.
Brief overview of SANS panel answer on top attack techniques to watch out for in 2023
Interesting and quick read. The list, in short, was SEO-aided attacks, developer targeting, and malicious use of AI to craft exploits and social engineering communication.
Knowledge base of incident response techniques
I came across this project last week and instantly bookmarked it. It gives a great overview of what kind of incident response techniques you want to have in your toolbox; think ATT&CK framework, but for IR. Great to map what capabilities you already have and which you might still want to develop. Just to give some examples: you want to be able to isolate an instance, block domains, analyse a URL, block a process by hash, and so forth.
Push, pull, and sign your Git commits with SSH keys in 1Password
You probably use SSH to push code to GitHub, access servers, and more. So why is it such a pain to set up new keys? Well, fret no longer. You can now easily generate, store, and use SSH Keys directly from 1Password 8 and the built-in SSH agent. Securely sync your keys across devices, authenticate SSH workflows, and even sign code commits. (Sponsored)