Issue 51

Nearly 700 apps found to hardcode their Twilio API tokens

These tokens can easily be found and extracted from the app. That gives an attacker access to the underlying Twilio account, and with it to conversations, text messages and metadata.
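The usual mitigation is to keep such credentials out of the shipped app entirely and to catch them before they are committed. As an added example (not from the article or from Twilio), a small pre-commit/CI check that flags hardcoded Twilio credentials in a source tree: the SID and auth token formats are Twilio's documented ones, while the context heuristic, the file suffix list and the sample Java file are this example's own assumptions.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Public Twilio credential formats: an Account SID is "AC" followed by 32 hex
# characters; an auth token is a bare 32-character hex string.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# A bare 32-hex string is only reported on a credential-looking line, so MD5
# checksums in fixtures do not bury real findings (this example's own heuristic).
CONTEXT_RE = re.compile(r"(?i)twilio|auth[_-]?token|api[_-]?(key|secret)")

Finding = Tuple[str, int, str, str]  # (file, line number, kind, redacted value)

def redact(value: str) -> str:
    """Keep a short prefix so a finding can be identified without copying
    the whole secret into CI logs."""
    return value[:6] + "*" * (len(value) - 6)

def scan_text(name: str, text: str) -> List[Finding]:
    """Report suspected Twilio credentials in one file's contents."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append((name, no, "account_sid", redact(m.group(0))))
        if CONTEXT_RE.search(line):
            for m in HEX32_RE.finditer(line):
                findings.append((name, no, "auth_token", redact(m.group(0))))
    return findings

def scan_tree(root: Path, suffixes=(".java", ".kt", ".swift", ".xml", ".json")) -> List[Finding]:
    """Walk an app's source tree, e.g. from a pre-commit hook or CI job, and
    return every finding; a non-empty result should fail the build."""
    findings: List[Finding] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
    return findings

# Constructed sample source, not from any real app; the values are made-up
# strings in the documented formats.
SAMPLE = """\
public final class TwilioConfig {
    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";
    static final String ASSET_MD5 = "d41d8cd98f00b204e9800998ecf8427e";
    static final String SAFE = System.getenv("TWILIO_AUTH_TOKEN");
}
"""
print(scan_text("TwilioConfig.java", SAMPLE))  # two findings: lines 2 and 3
```

The MD5 line and the environment-variable lookup are deliberately not reported; only the two embedded credentials are, and the scanner never writes them out in full.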


Apple’s Face ID security fooled by simple face mask

FaceID is under some scrutiny after a research firm created a mask to fool it.
The article also mentions a YouTube video in which a son unlocks his mom's phone with his own face, although Apple does warn that siblings have a better chance of defeating the lock.


GitHub introduces security alerts for your dependencies

It looks at your project's dependencies, warns of known vulnerabilities and suggests updates. They currently support JavaScript and Ruby.


Cookie consent script drops in-browser cryptocurrency miner

One library that helps to show those cookie warnings was found to host an in-browser Monero miner. It was discovered first on the site of Albert Heijn, the biggest Dutch supermarket chain.


Google study shows users get hacked more as a result of phishing than of data breaches or keyloggers

In large part because most standard phishing kits gather the same data that Gmail uses to verify logins, like geolocation and phone numbers, which can then be spoofed. The original paper can be read here.
One fun fact to also come out of the study: 47% of studied phishing kits came from Nigeria, with 11% from the US as runner-up.


MongoDB 3.6 will bind to localhost by default

This is to stop the massive rounds of ransomware attacks on unsecured MongoDB instances. Any new installation will listen on localhost only. When you enable access from the Internet, you will still have to enable authentication. They hope that having to take this conscious step will push more engineers to do the right thing.


Update all the things

  • Adobe released patches for Flash and Reader, fixing 56 vulnerabilities, most of which allow remote code execution. One wonders if there is any original code left in those applications. link
  • Microsoft releases 53 fixes, 25 of them for remote code execution bugs: link
    This includes a fix for a 17-year-old bug found in an old Office tool that was left in for backwards compatibility. More info on that here.
  • CouchDB has released updates containing critical fixes: link.


The truth about Intel's hidden Minix OS and security concerns

There is a lot of security concern around Intel's Management Engine and Minix, the mini OS that apparently ships with Intel chipsets. I haven't been able to figure out the implications completely, but this article does a decent job of writing up what we know so far.


Bruce Schneier calls for government to regulate IoT security

He makes the all-too-true point that IoT is in essentially everything these days, even cars, yet most manufacturers have neither the means nor the urgency to handle security properly.


Security breach and spilled secrets have shaken the N.S.A. to its core

Long but interesting read in which the NY Times digs into the effect the Shadow Brokers had on the NSA. In short: they still don't know whether it was a hack or an inside job, morale is seriously hurting, and ongoing operations have been severely impacted.


Bypassing web application firewalls

WAFs are a good security measure, but the security of your web applications should not depend solely on them. Watch this demo on Paul's Security Weekly in which a researcher from Netsparker explains and demonstrates how modern web application firewalls can be bypassed.