News
Hi folks,
Thanks for the feedback that was given after last week's question on the format. It wasn't unanimous but most people seem to prefer the shorter version, and so do I, so for now I'm going with that. I'll aim for about 10 items each week.
Thanks!
Subaru Starlink flaw let hackers hijack cars in US and Canada
Sigh. The vulnerability, which didn't seem all that complex to exploit, allowed you to start, stop and unlock any Subaru, see in detail where it has been for the last year, access PII, and more. It reads like an application that has never been properly pentested before these researchers came along. One would expect more from a system that remotely controls cars.
Backdoor found in two healthcare patient monitors, linked to IP in China
Good Lord. CISA warns that, when starting up, the device connects to an IP in China and starts sending through patient records. It also allows the software to be changed remotely. The manufacturer sent several "fixed" firmware versions, but none of them actually fixed the issue. More fuel on the fire for the "do we allow Chinese electronics and software" debate. Which, in case anyone cares, I'm more and more leaning towards a definite "no".
DeepSeek database left open, exposing sensitive info
Making a competent AI apparently doesn't mean the company is solid at the basics. Researchers found the online database to be completely open, with no authentication at all, which means all conversations with the online DeepSeek chatbot were accessible from the Internet with no password required.
Apple chips can be hacked to leak secrets from Gmail, iCloud, and more
It's both a speculative attack and a side channel attack, yet it sounds more practical to exploit than most. I'm still not sure how much of a real-world threat it is though, and Apple seems to indicate that it isn't. Still, a good write-up of a complex topic.
Semgrep SAST tool forks into Opengrep
Semgrep, a popular static application security testing (SAST) tool, changed its license to keep rival SaaS platforms from using the tool in their own services. Which makes sense if you're a for-profit company, really; I can't be too mad at them for that. Still, lots of companies depend on the tool now, and over 10 of them have banded together to create the fork Opengrep, which should remain open source and will one day transition to its own non-profit to keep it that way.
Quick links
- Data breach hitting PowerSchool looks very, very bad: link.
- UnitedHealth now says 190 million impacted by 2024 data breach: link.
- FBI seizes Cracked.io, Nulled.to hacking forums in Operation Talent: link.
- Trump pauses on grants and aid leaves federal cyber programs in state of confusion: link.
- Laravel admin package Voyager vulnerable to one-click RCE flaw: link.
1Password for developers: secrets, SSH keys, and more
I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords; it also holds your SSH keys, signs your Git commits, injects tokens and other secrets into CLI scripts when you want, and much more. (Sponsored)