Issue 49


Dell domain used for PC backups temporarily controlled by third party

All Dell machines ship with a backup & recovery application that uses a separate domain. Dell failed to renew that domain and it got snatched up by a typosquatter. Fortunately it does not appear to have been used for malware delivery during the month it took to get the domain back.


Flaw in Google bug tracker found and fixed

A researcher found a flaw in Google's bug tracking database, which gave him access to every vulnerability that had been reported but not yet patched. This would be horrible in the wrong hands. Google fixed it fast and rewarded the researcher with a total of $15.000 in bug bounties. This is similar to the Microsoft incident reported on a few weeks back. Keep those bug trackers safe, everyone.


Slack plugs severe SAML authentication hole

It allowed past users of Slack, who were no longer permitted to access a workspace, to log in anyway. The bug affected mostly enterprise customers, all of which have been notified and patched. The researcher was rewarded a $3000 bounty.


USB stick with security information on Heathrow airport found in the street

The data on there was unencrypted, and held information on CCTV locations, security patrol schedules, maps, etc.


Google to ditch public key pinning in Chrome

HTTP Public Key Pinning (HPKP) is a mechanism to block misused or fraudulent certificates, but in practice it causes more trouble than it does good: a wrong or stale pin locks visitors out of your own site. It will be replaced with Expect-CT, which lets you monitor misuse without breaking your site if you misconfigure it. It's discussed further on Hacker News.
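As an added illustration (not code from the linked article, from Chrome or from Hacker News), the snippet below models the failure behaviour of the two policies: an HPKP pin set that no longer matches the served key hard-fails the connection, while an Expect-CT policy without the `enforce` directive only produces a report. The SPKI byte strings are constructed stand-ins for real DER-encoded SubjectPublicKeyInfo blobs, and the header values are constructed as well.

```python
"""HPKP hard-fail versus Expect-CT report-only, modelled in a few functions.
Added illustration; the policy header values and SPKI bytes are constructed."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_directives(header: str, sep: str) -> dict:
    """Split a directive list into a dict. HPKP separates directives with ';',
    Expect-CT with ','. Repeated pin-sha256 directives are collected in a list;
    a directive without a value (e.g. enforce, includeSubDomains) maps to True."""
    out = {"pin-sha256": []}
    for part in header.split(sep):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if not name:
            continue
        if name == "pin-sha256":
            out["pin-sha256"].append(value)
        else:
            out[name] = value if value else True
    return out


def evaluate_hpkp(header: str, chain_spkis, report_only: bool = False) -> str:
    """What a client does for a host with a remembered Public-Key-Pins policy.
    report_only=True models the Public-Key-Pins-Report-Only header instead.
    'block' is the hard failure that made HPKP dangerous to misconfigure."""
    policy = parse_directives(header, ";")
    observed = {spki_pin(spki) for spki in chain_spkis}
    if observed & set(policy["pin-sha256"]):
        return "allow"
    return "report" if report_only else "block"


def evaluate_expect_ct(header: str, cert_is_ct_compliant: bool) -> str:
    """Expect-CT: a certificate without valid SCTs is blocked only when the
    policy says 'enforce'; otherwise the client sends a report and continues."""
    policy = parse_directives(header, ",")
    if cert_is_ct_compliant:
        return "allow"
    return "block" if policy.get("enforce") is True else "report"


if __name__ == "__main__":
    # Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
    old_key = b"constructed SPKI: key pinned last year"
    new_key = b"constructed SPKI: key after an unplanned rotation"
    pins = 'pin-sha256="%s"; max-age=5184000; includeSubDomains' % spki_pin(old_key)
    # Key rotated without a backup pin: every returning visitor is locked out.
    print("HPKP after rotation:", evaluate_hpkp(pins, [new_key]))
    # The same mistake under Expect-CT without 'enforce' only yields a report.
    print("Expect-CT, report-only:",
          evaluate_expect_ct('max-age=86400, report-uri="https://ct-reports.example/"', False))
```

The point to take from the model is the asymmetry: HPKP's only safe deployment needs a backup pin for a key you have not yet put into service, whereas Expect-CT can be rolled out with `report-uri` first and `enforce` added once the reports are clean.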


Researchers turn LG's vacuum cleaner into a real-time spying device

Researchers exploited the LG smart home platform and were able to take over all managed devices, such as dishwashers and microwaves, as well as a robot vacuum cleaner whose onboard camera they could use to spy inside the house. Yay, IoT. Patches have been made available.


Update all the things

I'll try to group the noteworthy updates; there are quite a few this week:

  • A high-level vulnerability was found in Chrome's V8 JavaScript engine. Google recommends you urgently update to the latest version if you haven't yet: link
  • Apple released iOS 11.1 and updates for other platforms, which include fixes for the KRACK vulnerability: link
  • A critical fix has been released for WordPress. If you're not on 4.8.3 yet you're urged to update fast: link
  • Oracle released an emergency update for a very critical flaw in Identity Manager, allowing an attacker to take it over remotely without authentication: link
  • Apache OpenOffice patches four flaws, three of which allow for remote code execution: link


Many-faced threats to serverless security

Interesting post that goes through the usual suspects of security problems and looks at how each of them impacts serverless setups.


FireEye releases open source managed password cracking tool

It allows for the distribution of password cracking tasks over multiple machines, managed from a web interface.


Performing & preventing SSL stripping: a plain-English primer

Good post by Cloudflare explaining, starting from the basics, how SSL stripping works (a man in the middle keeps the victim on plain HTTP while talking HTTPS to the real site) and how HSTS tries to prevent it.
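To make the HSTS side concrete, here is an added example (not code from the Cloudflare post) of the client-side store a browser keeps: a toy `HstsStore` that records `Strict-Transport-Security` headers seen over HTTPS and upgrades later `http://` URLs for those hosts before any request leaves. It shows the gap HSTS cannot close on its own, namely the very first plain-HTTP visit, and how a preload list closes it. Host names and header values are constructed.

```python
"""Toy HSTS client store: how Strict-Transport-Security shrinks the SSL-stripping
window to the first visit, and how preloading removes even that.
Added example, not from the Cloudflare post; hosts and headers are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Remembers hosts that asserted HSTS, like a browser's known-HSTS list."""

    def __init__(self, preloaded=()):
        # host -> (expiry_timestamp, include_subdomains)
        self._hosts = {}
        for host in preloaded:  # preload-list entries never expire in this toy
            self._hosts[host.lower()] = (float("inf"), True)

    def observe(self, host, header_value, now=None):
        """Record a Strict-Transport-Security header received over HTTPS.
        RFC 6797 requires the header to be ignored when it arrives over plain
        HTTP (an attacker could inject one), so callers pass TLS responses only.
        Returns True when the header was well-formed and applied."""
        now = time.time() if now is None else now
        max_age = None
        include_subdomains = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False  # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return False  # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # the site is opting out
            return True
        self._hosts[host] = (now + max_age, include_subdomains)
        return True

    def is_known(self, host, now=None):
        """True if host, or a superdomain with includeSubDomains, is unexpired."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// for known hosts before the request leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            netloc = parts.netloc
            if netloc.endswith(":80"):
                netloc = netloc[:-3]
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    T0 = 1_700_000_000
    # First visit: nothing is known yet, so the plain-HTTP URL goes out as-is.
    # This is the window an SSL-stripping attacker needs.
    print(store.rewrite("http://example.com/login", now=T0))
    # The HTTPS response carried HSTS (constructed header value).
    store.observe("example.com", "max-age=31536000; includeSubDomains", now=T0)
    # Every later plain-HTTP URL for the host or its subdomains is upgraded locally.
    print(store.rewrite("http://www.example.com/login", now=T0 + 60))
    # A preloaded host never has an unprotected first visit.
    print(HstsStore(preloaded=["preloaded.test"]).rewrite("http://preloaded.test/", now=T0))
```

Two details matter operationally: the header only counts when received over HTTPS, and entries expire after `max-age`, so a site that stops sending the header eventually reopens the window for returning visitors as well.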


Personal note: crossed the 1000 subscribers threshold \o/

Less than one year into this we're at 1,248 subscribers at the time of writing, which is awesome :-)
I hope you continue to get value from the newsletter. If you have any feedback, just hit reply and let me know. Thanks!

Dieter Van der Stock



Is your website hackable?

Use the dead accurate Netsparker web application security scanner to do the work for you, including eliminating false positives.