Issue 44

SEC admits data breach of its filing system in 2016

The target was EDGAR, the SEC's filing system where publicly traded companies upload their information. Insider trading seems a very reasonable motive.

zdnet.com

 

Deloitte internal systems breached

The breach happened in the fall of 2016 and affected all company email and internal admin accounts.

krebsonsecurity.com

 

The CCleaner malware targeted at least 18 specific tech firms

On further investigation of the CCleaner infection it was discovered that the actual goal was to infect a range of tech companies, like Google, Intel, Microsoft, Cisco and more, presumably for the purpose of industrial espionage.

wired.com

 

FedEx attributes $300 million loss to NotPetya ransomware attack

Facts like these are always useful when you're talking to your managers about the security budget ;-)

cyberscoop.com

 

How I hacked hundreds of companies through their helpdesk

This one is very much worth a read. You know how, for certain features, you get an @company.com address assigned, like for support tickets or thread replies? You can in turn use that address to sign in to services like Slack, which can have an option to allow anyone with an @company.com address to join their workspace. It gets even cleverer further down.

freecodecamp.org

 

Leaks (aka the golden goose that is unsecured S3):

  • Viacom, owner of Comedy Central, MTV and more, had an unsecured S3 bucket containing over a gig of credentials and configuration settings, apparently used for a Puppet deployment.
  • SVR, a company that sells vehicle tracking products, had an unsecured S3 bucket with over 500,000 customer records with passwords and vehicle information.
  • Verizon had an unsecured S3 bucket, which was reportedly privately owned by a Verizon engineer, with internal credentials.

Dieter Van der Stock

 

High Sierra automatically checks EFI firmware each week

Interesting new feature where the OS checks the firmware for changes that shouldn't be there. You can't do much about it yet besides reporting, but it might be a first step towards better firmware integrity.

eclecticlight.co

 

Using security cameras and infrared light to extract data from air-gapped networks

Fun bit of research where the infrared LEDs of security cameras are used to send out data, assuming you were able to compromise the air-gapped network in the first place.

helpnetsecurity.com

 

High-level approaches for finding vulnerabilities

Great article where a security researcher explains his process for finding vulnerabilities in web and desktop applications.

thuraisamy.me