News
Hi folks!
Here we are with another overview of what happened in the world of cybersecurity this week, and what I personally found the most interesting :-) Enjoy!
“Unprecedented” Google Cloud event wipes out pension fund account and its backups
"Ouch" doesn't even begin to cover this. UniSuper, a $135 billion Australian pension fund, saw all of its data in its Google Cloud account deleted because of an error on Google's side. All of it, including geo-replicated assets and backups. Imagine losing all track of who owns what in your pension fund: the impact would be devastating. It's not like they still hold paper records, I'm sure.
Their saving grace was that they had a backup of their data stored at a different cloud provider as well. Massive kudos to the admin(s) who were paranoid and persistent enough to make that happen.
When privacy expires: how I got access to tons of sensitive citizen data after buying cheap domains
I'm not including this just because it's about Belgium, I swear :-) It's a great write-up where the author, Inti, bought hundreds of expired domains that were previously used by institutions and municipalities. With those he was able to (re)create email addresses that were still actively sent to, and reset passwords on cloud services, giving him access to a host of sensitive information.
A great reminder of the importance of domains. It's obvious when you think about it, but they really are the keys to our kingdoms and they are way too often forgotten. Fortunately they are pretty cheap and easy to secure. Maybe this helps remind a few people to check the settings on their registrar's accounts, and make sure all domains are on auto-renew :-)
New 'Siren' mailing list aims to share threat intelligence for open source projects
This is an initiative of the Open Source Security Foundation (OpenSSF) to fill the communication gap on information sharing around threats and attacks on open source projects. The list is open for viewing to all; you only have to register to post. You can check it out here.
A root-server at the Internet’s core lost touch with its peers. We still don’t know why.
Interesting article on how, for 4 days, the DNS(SEC) c-root server maintained by Cogent lost touch with its 12 peers. It's not something we think a lot about, but it's interesting to be reminded of how some of the base layers of the Internet operate.
Cyber Security: a pre-war reality check
I loved this talk (or transcript of a talk, in this case) on how fragile and interconnected our communications and infrastructure have become. For example, on how we (in The Netherlands) replaced an emergency communication system based on very simple technology with a complicated "modern" mess that doesn't work when it should. Or that our telecom isn't actually operated by anyone in our country, and what that means when shit hits the fan. Also our dependence on cloud services, even in emergency networks. The talk is quite NL and EU centric, but the lessons are worth a read for everyone.
How I upgraded my water heater and discovered how bad smart home security can be
Fun read on how the author tried to get warm water out of the tap quicker, and ended up going down a rabbit hole of appliance cybersecurity. "Could you really control someone's hot water with just an email address?" Apparently, in this case, yes.
Quick links
- Microsoft to start killing off VBScript in second half of 2024: link.
- Microsoft to start enforcing Azure multi-factor authentication in July: link.
- Financial institutions have 30 days to disclose breaches under new rules: link.
- NIST quantum-resistant algorithms to be published within weeks: link.
- US Cyber Command conducted first ‘hunt forward’ mission in Zambia last year: link.
- HHS offering $50 million for proposals to improve hospital cybersecurity: link.
Breaches and leaks
- OmniVision discloses data breach after 2023 ransomware attack: link.
- Western Sydney University data breach exposed student data: link.
- Northern Ireland police faces £750k fine after exposing staff info: link.
- SEC slaps $10 million penalty on owner of NY Stock Exchange over 2021 cyber intrusion: link.
- WebTPA data breach impacts 2.4 million insurance policyholders: link.
- American Radio Relay League cyberattack takes Logbook of the World offline: link.
Issues and fixes
- Veeam warns of critical Backup Enterprise Manager auth bypass bug: link.
- Critical Fluent Bit flaw impacts all major cloud providers: link.
- High-severity GitLab flaw lets attackers take over accounts: link.
- GitHub warns of SAML auth bypass flaw in Enterprise Server: link.
- QNAP QTS zero-day in Share feature gets public RCE exploit: link.
- Bitbucket artifact files can leak plaintext authentication secrets: link.
- Rockwell Automation warns admins to take ICS devices offline: link.
- JAVS courtroom recording software backdoored in supply chain attack: link.
- GE HealthCare issues guidance for mitigating 11 security bugs in ultrasound devices: link.
1Password for developers: secrets, SSH keys, and more
I think most developers don't realise how valuable 1Password can be. It doesn't just hold passwords, it also holds your SSH keys, signs your Git commits, injects tokens and other secrets in CLI scripts when you want, and much more. (Sponsored)