News
Hi folks,
Another week, another wrap-up. I know, the week isn't quite over yet, but the timing works out better for me right now to do this on a Thursday :-) Enjoy the read, and have a good end of the week!
Cheers,
New OpenSSH flaws expose SSH servers to MiTM and DoS attacks
The MitM vulnerability was introduced in 2014 and depends on a setting that is usually not enabled by default (except on FreeBSD systems between 2013 and 2023); the DoS issue can be triggered before authentication. Both are probably serious enough to warrant a patch cycle.
Phishing attack hides JavaScript using invisible Unicode trick
Just a few months back, in October, a researcher showed a method of making JavaScript code essentially invisible by hiding binary values in certain Unicode characters that are rendered as whitespace. It's now already being used in the wild, and will probably be used more often in the near future.
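The defender's side of this trick is simple: if a script contains long runs of characters that render as nothing, something is being smuggled. The scanner below is an added example written for this newsletter, not code from the research referenced above or from any product; the list of code points it treats as "invisible" (Hangul fillers plus the common zero-width characters) and the run-length threshold are this example's own assumptions.

```javascript
// Added example: flag text whose invisible Unicode characters suggest a hidden
// payload. Code points to treat as "invisible" are an assumption of this example:
// Hangul fillers and common zero-width characters.
const INVISIBLE_CODEPOINTS = new Set([
  0x3164, // HANGUL FILLER
  0xffa0, // HALFWIDTH HANGUL FILLER
  0x200b, // ZERO WIDTH SPACE
  0x200c, // ZERO WIDTH NON-JOINER
  0x200d, // ZERO WIDTH JOINER
  0x2060, // WORD JOINER
  0xfeff, // ZERO WIDTH NO-BREAK SPACE (BOM)
]);

// Format a code point as U+XXXX for readable reports.
function fmtCodepoint(cp) {
  return "U+" + cp.toString(16).toUpperCase().padStart(4, "0");
}

// Scan a string and report how many invisible characters it contains, the
// longest consecutive run, and whether that run exceeds a threshold (minRun).
// A single stray zero-width joiner is normal in some text; a run of dozens is not.
function scanInvisible(text, { minRun = 8 } = {}) {
  const counts = new Map();
  let total = 0, run = 0, longestRun = 0;
  for (const ch of text) { // for..of iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (INVISIBLE_CODEPOINTS.has(cp)) {
      total++;
      run++;
      counts.set(cp, (counts.get(cp) || 0) + 1);
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }
  const byCodepoint = {};
  for (const [cp, n] of counts) byCodepoint[fmtCodepoint(cp)] = n;
  return { total, longestRun, suspicious: longestRun >= minRun, byCodepoint };
}

// Remove the invisible characters so a reviewer can diff what they actually see
// against what the interpreter receives.
function stripInvisible(text) {
  let out = "";
  for (const ch of text) {
    if (!INVISIBLE_CODEPOINTS.has(ch.codePointAt(0))) out += ch;
  }
  return out;
}

// Constructed samples (not real phishing payloads): a clean two-line script, and
// the same script with a run of 16 Hangul fillers that an editor shows as blank.
const SAMPLE_CLEAN = "const x = 1;\nconsole.log(x);\n";
const SAMPLE_SUSPECT = "const x = 1;" + "\u3164".repeat(16) + "\nconsole.log(x);\n";

console.log("clean:  ", JSON.stringify(scanInvisible(SAMPLE_CLEAN)));
console.log("suspect:", JSON.stringify(scanInvisible(SAMPLE_SUSPECT)));
console.log("stripped equals clean:", stripInvisible(SAMPLE_SUSPECT) === SAMPLE_CLEAN);
```

Run it over any script that arrives by mail or from a pastebin before it is opened in a browser; a `suspicious: true` result is a cheap signal worth a closer look, and `stripInvisible` shows what the visible part of the file actually was.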
Fintech giant Finastra notifies victims of October data breach
The breach itself is nothing to scoff at, since Finastra writes software applications for more than 8,100 financial institutions, including 45 of the world's top 50 banks. But I'm including it to show how not to respond to a breach, and how that response tells you a lot about the company.
In this case, an SFTP server was breached, accessed several times and had files stolen. Finastra's response, and I quote: "Finastra has no indication the unauthorized third party further copied, retained, or shared any of the data. We have no reason to suspect your information has or will be misused. As a result, we believe the risk to individuals whose personal data was involved is low."
In other words "we don't see them doing anything out in the open with your data, so it's probably fine", which is worthy of a facepalm emoji if I had one. If you ever have to deal with a breach yourself, please don't communicate about it in this manner.
Notes from the Munich Cyber Security conferences 2025
Nice short summaries of various talks at the conference, interesting to read through.
Quick links
- PostgreSQL flaw exploited as zero-day in BeyondTrust breach: link.
- PirateFi game on Steam caught installing password-stealing malware: link.
- Australian fertility services giant Genea hit by security breach: link.
- What is device code phishing, and why are Russian spies so successful at it: link.
- Microsoft warns that the powerful XCSSET macOS malware is back with new tricks: link.
1Password: the password manager with (to me) the best UX
I'm not going to write a long marketing-heavy paragraph on this one. I just love using 1Password. The UX, the support, the integrations, it all works wonderfully. Highly recommended. (Sponsored)