Issue 29

Looking at the malware that took down Ukraine's power grid

Researchers show that the malware, dubbed "Industroyer" or "Crash Override" (someone likes their Hacker movies), actually causes physical damage to energy plants. That is something that only happened once before, with Stuxnet.

wired.com

Microsoft's latest Patch Tuesday is a big one

If you haven't yet, it's time to patch those Windows computers. The latest Patch Tuesday fixes no fewer than 95 vulnerabilities, including 27 remote code execution flaws and two vulnerabilities that are currently being exploited in the wild.

threatpost.com

Estonia establishes world's first data embassy in Luxembourg

Estonia will essentially set up an 'offsite' backup facility of all their country-critical data, under similar protections as a regular embassy. The idea would be that in case of a massive cyberattack, military strike or natural disaster, the country doesn't lose all its records and can keep functioning digitally.

dw.com

Google game teaches kids about online safety

Google launched a program called "Be Internet Awesome". It's a game meant to teach kids about several aspects of online safety, such as which information to share, how to deal with online bullies, and how to pick passwords.
You can check out the project here.

helpnetsecurity.com

Malware uses Instagram comments to find its C&C servers

Quite original: this malware looks at the comments on an Instagram picture of Britney Spears. It locates a specific comment by matching a hash and decodes it into a bit.ly URL that leads to its command & control server.

arstechnica.com

Microsoft’s radical idea for dishing out cyberblame

Microsoft proposes to create a neutral party in the form of an NGO whose sole job it is to look at a cyber incident and say who did it. The chances of making this work are small, but hey, at least it's an original idea.

sophos.com

How to make $80,000 per month on the Apple App Store

Apparently there are quite a few scam apps abusing Apple's new ad program for the App Store. One app described here charges a $99.99 per -week- subscription. And it's right there in the list of top-grossing productivity apps.

medium.com

XSS attacks: the next wave

Interesting article looking at XSS trends and seeing a resurgence of this attack vector, even though many of us feel it's a pretty 'old-school' thing.

snyk.io

The Common Sense Security Framework

I have to say this appeals to me: a pragmatic, straightforward set of questions around seven topics to determine your security posture.

helpnetsecurity.com

The junior dev who deleted the production database

A nice cautionary tale. This junior developer was setting up his local dev environment on his first day. Using the credentials that were in the documentation, he accidentally wiped the production database, after which he was fired on the spot.
Everyone reading this probably knows that's insane, but it's a good wake-up call to separate dev and prod, keep working backups, and keep passwords out of documentation.

thenewstack.io

When sysadmins attack: how to delete an entire company

Another cautionary tale, this time about having a solid off-boarding process. A Dutch hosting company had an ex-IT admin come in, delete all customer data and wipe all servers.

sophos.com

Sponsorship

Full Stack Fest 2017: Barcelona, 4-8 Sept.

A week-long conference in the amazing city of Barcelona that peeks into the web of tomorrow: serverless, blockchain, WebVR, the distributed web, progressive web apps, and more. Use the code SECNEWS for a 10% discount.

fullstackfest.com