Issue 46

Disqus data breach - 17.5 million accounts leaked

The breach happened in 2012. Disqus did not know about it until Troy Hunt found out and notified them this week. About a third of the accounts also include SHA1-hashed passwords (with a salt).
Credit where it's due: they are getting a lot of kudos for handling this breach in an exemplary way, as Troy describes in this post.
disqus.com

 

Latest macOS exposes actual password instead of password hint for disk encryption

Quite a 'whoops' moment for Apple. The linked article has a video demonstrating it. An update that fixes this has been pushed out to High Sierra.
appleworld.today

 

October Patch Tuesday: 61 bugs and one zero-day fixed

Time to run them Windows updates. The zero-day vulnerability affects Office and is being exploited in the wild. Other fixes include a DNS vulnerability that can lead to remote code execution.
helpnetsecurity.com

 

New NIST and DHS standards aim to tackle BGP hijacks

The Border Gateway Protocol is how large networks tell each other where traffic for a given set of addresses should be sent. It is often 'hijacked': a rogue network announces that it should receive traffic for address ranges that don't belong to it. It's a serious problem, and NIST and DHS are finally working to prevent it with an effort called Secure Inter-Domain Routing (SIDR).
bleepingcomputer.com
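To make the hijack scenario concrete from the defender's side, here is an added example (not from the linked article or from NIST/DHS) of the basic check that SIDR-style origin validation performs: every announcement is compared against a list of which network (by AS number) is authorized to originate which prefix, and announcements from the wrong origin, or for a more-specific prefix than was authorized, are flagged. The authorization table and the announcements are constructed sample data; the ASNs and prefixes are documentation-reserved values, not real networks.

```python
import ipaddress

# Constructed sample: (prefix, longest allowed prefix length, authorized origin ASN).
# Shaped like a route origin authorization; hypothetical data, not real routing policy.
AUTHORIZATIONS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix, origin_asn, authorizations=AUTHORIZATIONS):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'.

    'valid'   - some authorization covers the prefix, names this origin, and
                the announced prefix is not more specific than allowed.
    'invalid' - the prefix is covered by an authorization, but no covering
                authorization matches origin and length (hijack signature).
    'unknown' - nothing in the table covers this prefix at all.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for auth_prefix, max_len, asn in authorizations:
        auth_net = ipaddress.ip_network(auth_prefix)
        # subnet_of() only compares same-family networks, so check that first.
        if net.version != auth_net.version or not net.subnet_of(auth_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def flag_hijacks(announcements, authorizations=AUTHORIZATIONS):
    """Return the (prefix, origin_asn) pairs that fail origin validation."""
    return [
        (prefix, asn)
        for prefix, asn in announcements
        if validate_origin(prefix, asn, authorizations) == "invalid"
    ]


if __name__ == "__main__":
    # Constructed announcements: one legitimate, one from a rogue origin,
    # one more-specific "leak" of an authorized prefix, one uncovered prefix.
    sample = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/24", 64666),
        ("203.0.113.0/25", 64500),
        ("192.0.2.0/24", 64500),
    ]
    for prefix, asn in sample:
        print(prefix, asn, validate_origin(prefix, asn))
    print("flagged:", flag_hijacks(sample))
```

The more-specific case matters because routers prefer the longest matching prefix, so an announcement of a /25 inside someone's /24 wins regardless of who originates it; that is why the authorization carries a maximum length rather than just the prefix.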

 

Apple ID password prompt can be too easily faked

Great post by Felix Krause on how much too easy it is to trick iOS users into handing over their Apple ID credentials, since all of us are so well trained to enter them at random times anyway. The only way to know whether a prompt is fake is to press the home button and see if it stays up. He argues these prompts should only be presented in the Settings screen.
krausefx.com

 

Accenture exposed public S3 buckets with customer passwords and internal systems credentials

According to Accenture, the logs indicate that the buckets weren't accessed by anyone apart from the researcher who found them.
helpnetsecurity.com

 

A look at Formbook malware, hitting aerospace firms and defence contractors in the United States and South Korea

It's run as malware-as-a-service. This article looks at how it works and what the malware authors charge.
threatpost.com

 

Inside the CCleaner backdoor attack

Avast researchers are still learning more about the malware campaign surrounding CCleaner (which is owned by Avast). It's a good deep dive for those interested.
threatpost.com

 

The absurdly underestimated dangers of CSV injection

A very interesting article on how a CSV file can be abused. The author shows examples of launching calc.exe from a CSV imported into Excel, and of pulling data from other spreadsheets or external sources in Google Sheets.
georgemauer.net