All Dell machines ship with a backup & recovery application that uses a separate domain. Dell failed to renew that domain and it was snatched up by a typosquatter. Fortunately it doesn't appear to have been used for malware delivery during the month it took to get the domain back.
A researcher found a flaw in Google's bug tracking database that gave him access to all still-unpatched vulnerabilities. This would be horrible in the wrong hands. Google fixed it fast and awarded the researcher a total of $15.000 in bug bounties. This is similar to the Microsoft incident reported on a few weeks back. Keep those bug trackers safe, everyone.
It allowed past users of Slack, who were no longer permitted to access a workspace, to log in anyway. The bug mostly affected enterprise customers, all of whom have been notified and patched. The researcher received a $3000 bounty.
The data on there was unencrypted, and held information on CCTV locations, security patrol schedules, maps, etc.
HTTP Public Key Pinning (HPKP) is a mechanism to block misused or fraudulent certificates, but it causes more trouble than good. It will be replaced with Expect-CT, which lets you monitor misuse without breaking your site if you misconfigure it. It's discussed further on Hackernews.
Researchers exploited the LG smart home platform and were able to take over all managed devices, such as dishwashers and microwaves, as well as a robot vacuum cleaner whose onboard camera they could use to spy inside the house. Jeej IoT. Patches have been made available.
Update all the things
I'll try to group the noteworthy updates; there are quite a few this week:
- Apple released iOS 11.1 and updates for other platforms, which include fixes for the KRACK vulnerability: link
- A critical fix has been released for WordPress. If you're not on 4.8.3 yet you're urged to update fast: link
- Oracle released an emergency update for a very critical flaw in Identity Manager, allowing an attacker to take it over remotely without authentication: link
- Apache OpenOffice patches four flaws, three of which allow for remote code execution: link
Interesting post that walks through the usual suspects of security problems and looks at how they affect serverless setups.
It allows for the distribution of password cracking tasks over multiple machines, managed from a web interface.
Good post by Cloudflare where they explain, starting from the basics, how SSL stripping works and how HSTS tries to prevent it.
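As an added example tying the HPKP/Expect-CT item above and this HSTS post together (not code from the newsletter or from Cloudflare): a small Python audit of the three headers that flags the configurations these posts warn about. The one-year HSTS floor and both sample header sets are assumptions constructed for the demo.

```python
import re
from typing import Dict, List

HSTS_MIN_MAX_AGE = 31536000  # one year, the usual recommended floor (assumption)

# Constructed sample responses for the demo, not captured from any real site.
RISKY_HEADERS = {
    "Public-Key-Pins": 'pin-sha256="AAAA"; pin-sha256="BBBB"; max-age=5184000',
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Expect-CT": 'max-age=86400, report-uri="https://ct-reports.example.invalid/r"',
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

def parse_directives(value: str) -> Dict[str, str]:
    """Split on ';' (HSTS/HPKP) or ',' (Expect-CT) into a lower-cased name -> value dict."""
    out: Dict[str, str] = {}
    for part in re.split(r"[;,]", value):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out

def max_age(directives: Dict[str, str]) -> int:
    """max-age as an int; missing or malformed counts as 0, i.e. the policy is not cached."""
    age = directives.get("max-age", "")
    return int(age) if age.isdigit() else 0

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "public-key-pins" in h:  # one wrong pin locks clients out for the whole max-age
        findings.append("HPKP enforced: a bad pin makes the site unreachable; prefer Expect-CT")
    ect = h.get("expect-ct")
    if ect is None:
        findings.append("Expect-CT missing: certificate misuse is not being monitored")
    elif "report-uri" not in parse_directives(ect):
        findings.append("Expect-CT without report-uri: violations are never reported")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the first plaintext request can be SSL-stripped")
    else:
        d = parse_directives(hsts)
        if max_age(d) < HSTS_MIN_MAX_AGE:
            findings.append("HSTS max-age below one year: policy expires too quickly")
        if "includesubdomains" not in d:
            findings.append("HSTS without includeSubDomains: subdomains can still be stripped")
    return findings
```

Feed it the headers from a real response (e.g. `dict(requests.head(url).headers)`) to get the same findings for your own site.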
Personal note: crossed the 1000 subscribers threshold \o/
Less than one year into this we're at 1,248 subscribers at the time of writing, which is awesome :-)
I hope you continue to get value from the newsletter. If you have any feedback, just hit reply and let me know. Thanks!
Dieter Van der Stock
Use the dead accurate Netsparker web application security scanner to do the work for you, including eliminating false positives.