Issue 41

Hackers stole contact info of 6 million Instagram users and are selling it online

Due to a bug in the Instagram API, the attackers were able to obtain the phone numbers and e-mail addresses of many high-profile accounts. They are now selling that information for $10 per account.

helpnetsecurity.com

 

Dragonfly 2.0: Western energy sector targeted by sophisticated attack group

Dragonfly is a group that has previously been seen hacking energy companies. Symantec discusses a second wave of attacks, which started in late 2015. Europe and North America seem to be the primary targets.

symantec.com

 

465k patients told to visit doctor to patch critical pacemaker vulnerability

There has been quite some commotion in the last year surrounding pacemaker security. Now the FDA has 'recalled' 465k patients to get their pacemakers patched.

arstechnica.com

 

China's cybersecurity law grants government right to vendors' source code

It gives the government the power to request the source code or other IP of any vendor that does business in China. It's either that or lose access to a huge market. One of many worries around this is that it gives China the ability to find exploitable vulnerabilities, which its own intelligence services can then use.

theregister.co.uk

 

Breaches and leaks

Grouped together to save space :-/

  • The personal information of 2 million customers of electronics retailer CeX has been stolen. (link)
  • The resumes of 9,400 job applicants for a private security firm were out in the open in an unsecured S3 bucket. (link)
  • Records of 4 million customers of Time Warner Cable were found in a publicly accessible 600Gb S3 bucket. (link)

Dieter Van der Stock

 

Google posts information on its Titan chip for hardware security

The chip is designed to secure Google's servers at the hardware level. It checks for any tampering with the hardware and will prevent the server from booting if anything out of the ordinary is detected. Hackernews discussion here.

googleblog.com

 

Google Cloud Platform introduces App Engine firewall

It's not a full-blown WAF (Web Application Firewall); instead it's more akin to AWS security groups, i.e. allow or block access based on IP address. Seems clean and easy to use.

googleblog.com

 

WikiLeaks official website hacked by OurMine hacking group

They defaced the WikiLeaks website, apparently settling some feud they had in the past. It was later made clear that no servers were hacked; instead, OurMine took control of WikiLeaks' DNS records.

hackread.com

 

Session hijacking bug exposed private tokens of GitLab users

The issue has since been patched. More information in the researcher's blog post.

threatpost.com

 

Apache Struts serialisation vulnerability

If you use Apache Struts, especially if you have the Struts REST plugin installed, you'll want to update. A remote code execution vulnerability was found in the way the plugin handles XML for data exchange. The article explains the problem nicely.

sophos.com

 

Multiple vulnerabilities in RubyGems

You'll probably want to update RubyGems. Although, as the Hackernews thread points out, malicious gems will always be possible. Still, worth a look.

ruby-lang.org

 

Ask HN: How did you get started in Network Security/Penetration Testing?

For those interested, a nice thread on Hackernews with some good information.

ycombinator.com

 

How the GDPR will disrupt Google and Facebook

This isn't directly related to security per se, but I found it one of the more clarifying reads on GDPR so far. Its potential impact on companies like Facebook and Google is interesting, to say the least.

pagefair.com