News
Hi folks,
I hope you're either still having a wonderful time off, or have been successful in slowly getting back up to speed :-) Maybe this issue will help you make sure you didn't miss out on anything big.
I'm very happy to share that 1Password has decided to sponsor the newsletter for another whole year! Their support has been amazing, and has made it possible for me to spend time on this newsletter for many years now. Thank you, 1Password!
Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts
A while back there was an article detailing how some malware groups claimed to have the ability to revive Google session cookies. There's now confirmation that this actually works, and more detail on how.
The short version is that it uses an undocumented "MultiLogin" endpoint that Google uses to sync authenticated sessions in Chrome across different services like YouTube, Gmail, etc. The article itself goes into more technical detail.
Google is aware of the issue, and some effort to mitigate the exploit has been rolled out, but malware groups are already working around that. Google says that these kinds of attacks are not new, and clearly states that, despite news saying otherwise, the stolen session tokens can definitely be revoked by signing out of the affected browser or by remotely revoking tokens through the user's device page.
'everything' npm package blocks devs from removing their own packages
This was an interesting "prank". Over the holidays, the npm package registry was flooded with more than 3,000 packages, including one called "everything". If you were to install the "everything" package, it would gradually start downloading -all- npm packages until your hard drive ran out of space. It did this by requiring all existing packages, albeit in "chunks" (those were the other 3,000 packages).
The thing is, it also meant that no one could remove a package from the registry as long as the "everything" package existed. Once an npm package is mentioned as a dependency somewhere, you can't just pull it. This is a security measure implemented after the "left pad" incident in 2016 where a developer pulled their much-used package, breaking a huge set of dependencies. What a world.
23andMe blames "negligent" breach victims, says it’s their own fault
My favorite genetics company is still at it, digging that hole just a little deeper. 23andMe has responded in a letter to data breach victims that they were to blame for re-using passwords.
But, as 23andMe well knows, only a fraction of the impacted users were compromised through credential re-use; the rest were exposed through the company's own app functionality.
More importantly to me, and I'll repeat this again: credential re-use is a big mistake, yes. But you can actually mitigate that risk by proactively preventing the use of known-leaked passwords, enforcing 2FA, and much more. And I'd argue that it's your responsibility to do so if you hold freakin' genetics data. Although, to be fair, I'm sure 23andMe's security team knows all about this; it's much more likely that this is a matter of the resources made available to them.
In case you're curious about preventing credential stuffing, I'll link to the relevant OWASP page. Worth reading up on!
Discover what scanning +1.5k endpoints reveals about GraphQL security
GraphQL’s becoming a go-to choice for modern API design. Explore key vulnerabilities, trends, and security best practices identified by Escape through scanning over 1.5k endpoints. (Sponsored)
Russian agents hack webcams to guide missile attacks on Kyiv
That's definitely something I hadn't thought of before. The incident prompted Ukraine's security service to ask webcam operators in the country to stop live broadcasts, and to block the operation of around 10,000 IP cameras.
LastPass now requires 12-character master passwords for better security
Good. They will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.
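Both the 23andMe item above (proactively rejecting known-leaked passwords) and the LastPass change (a 12-character minimum plus a check against previously leaked credentials) come down to the same two checks at password-set time. The block below is an added example, not code from the newsletter, 23andMe or LastPass. It assumes the k-anonymity range lookup used by the Pwned Passwords API (query by the first five hex characters of the password's SHA-1, receive `suffix:count` lines, compare locally so the full hash never leaves the server doing the check); the range response here is constructed inline so the example runs offline, and the counts in it are made up.

```python
"""Password acceptance check: minimum length plus a k-anonymity lookup
against a breached-password corpus.

Added example. The range-response format (one "SHA1_SUFFIX:COUNT" line per
candidate, queried by the 5-hex-char SHA-1 prefix) follows the Pwned
Passwords API; that is an assumption, not something the newsletter states.
The responses below are constructed so the check runs offline."""

import hashlib

MIN_LENGTH = 12  # the minimum LastPass now enforces for master passwords

# Constructed range responses, keyed by SHA-1 prefix. Each line is the
# remaining 35 hex chars of a breached password's SHA-1 plus a made-up count.
# "5BAA6" holds SHA-1("password"); "2FD4E" holds SHA-1 of the classic
# "The quick brown fox jumps over the lazy dog" test vector.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365",  # "password"
    ]),
    "2FD4E": "\n".join([
        "1C67A2D28FCED849EE1BB76E7391B93EB12:42",  # the quick brown fox sentence
    ]),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the corpus is keyed on SHA-1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix: str) -> str:
    """Return the range response for a 5-char prefix.

    In a deployment this is an HTTPS GET against the range endpoint; here it
    reads the constructed table so the example has no network dependency."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str) -> int:
    """Number of times the password appears in the corpus (0 if absent).

    Only the 5-char prefix is sent; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def evaluate_password(password: str) -> tuple[bool, list[str]]:
    """Apply both checks and report every failing reason, not just the first,
    so the user can fix all of them in one go."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    seen = breach_count(password)
    if seen:
        reasons.append(f"appears in breached-password corpus ({seen} times)")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password",
                      "The quick brown fox jumps over the lazy dog",
                      "correct-horse-battery-staple"):
        ok, why = evaluate_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

The length check and the corpus check are independent: a long passphrase that has appeared in a breach is still rejected, which is exactly the gap a minimum-length rule on its own leaves open.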
FTC soliciting contest submissions to help tackle voice cloning technology
The challenge is an effort by the FTC to monitor and stop scammers from exploiting voice cloning technology. Rightfully so; I don't think we're ready for what voice (and video) cloning is going to do to us. Submissions are due January 12, and the winner will receive $25,000.
Breaches and leaks
- Cyberattack on Massachusetts hospital disrupted records system, emergency services: link.
- Data breach at healthcare tech firm impacts 4.5 million patients: link.
- Hacker hijacks Orange Spain RIPE account to cause BGP havoc: link.
- Mandiant’s account on X hacked to push cryptocurrency scam: link.
- First American Financial confirms threat actors stole and encrypted data: link.
- Xerox discloses a subsidiary’s breach following ransomware claim of data theft: link.
- ‘Large-scale’ cyberattack hits French township, all local services down: link.
- Online museum collections down after cyberattack on service provider: link.
- Korean National Police Agency investigating $81 million crypto theft from Orbit Chain: link.
- Hackers breach Australian court hearing database: link.
- Swedish supermarket chain Coop responds to cyberattack: link.
Issues and fixes
- CISA warns of actively exploited bugs in Chrome and Excel parsing library: link.
- Nearly 11 million SSH servers vulnerable to new Terrapin attacks: link.
- Google patches six vulnerabilities with first Chrome update of 2024: link.
- Ivanti warns critical EPM bug lets hackers hijack enrolled devices: link.
Implement passwordless logins into your app in seconds
Solid security shouldn't have to come at the expense of a great user experience. That's why Passage by 1Password is building a passwordless auth service that allows you to implement passkey logins in your app or website with just a few lines of code. (Sponsored)