News
Nearly 700 apps found to hardcode their Twilio API tokens
These tokens can be easily found and retrieved. That gives an attacker access to the underlying Twilio account, and with it to the account's conversations, text messages and metadata.
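The defensive counterpart to this finding is a secrets scan of your own app sources before they ship. The following is an added example, not code from the article or from Twilio: a small scanner that flags Twilio Account SIDs (assumed here to be "AC" followed by 32 hex characters, Twilio's documented format) and 32-hex auth tokens that appear on a line mentioning Twilio or an auth token, and reports them redacted. The sample source it scans is constructed for the example.

```python
import re
from pathlib import Path

# Identifier formats assumed for this example: a Twilio Account SID is "AC" plus
# 32 hex characters; an auth token is 32 hex characters. A bare 32-hex run is
# only reported when the line also mentions Twilio or an auth token, so that
# MD5 sums and similar values are not flagged.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
CONTEXT_RE = re.compile(r"twilio|auth[_ ]?token", re.IGNORECASE)

# Constructed sample: an Android client that embeds its Twilio credentials.
SAMPLE_SOURCE = """\
// client that talks to Twilio directly instead of going through our backend
private static final String TWILIO_SID = "ACdeadbeefdeadbeefdeadbeefdeadbeef";
private static final String TWILIO_AUTH_TOKEN = "0123456789abcdef0123456789abcdef";
private static final String BUILD_HASH = "d41d8cd98f00b204e9800998ecf8427e"; // md5, not a secret
"""


def redact(secret: str) -> str:
    """Keep only the first and last four characters so reports can be shared safely."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str, name: str = "<input>") -> list[dict]:
    """Return one finding per hardcoded Twilio credential found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "twilio_account_sid", "value": redact(m.group())})
        if CONTEXT_RE.search(line):
            # A 34-hex SID never matches HEX32_RE because \b needs a boundary
            # exactly 32 characters in, so SIDs are not double-reported here.
            for m in HEX32_RE.finditer(line):
                findings.append({"file": name, "line": lineno,
                                 "kind": "twilio_auth_token", "value": redact(m.group())})
    return findings


def scan_tree(root: str, suffixes=(".java", ".kt", ".swift", ".m", ".js", ".xml", ".plist")) -> list[dict]:
    """Walk a source tree (e.g. an unpacked app) and scan every file with a matching suffix."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue  # unreadable file; skip rather than abort the whole scan
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "Client.java"):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}")
```

Run it over an unpacked app bundle with `scan_tree("path/to/sources")`; anything it reports should be moved behind your own backend, which holds the Twilio credentials and issues short-lived tokens to the client instead.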
Apple’s Face ID security fooled by simple face mask
Face ID is under some scrutiny after a research firm created a mask to fool it.
The article also mentions a YouTube video in which a son unlocks his mother's phone with his own face, although Apple does warn that close relatives such as siblings have a better chance of defeating the lock.
Github introduces security alerts for your dependencies
It looks at your project's dependencies, warns of known vulnerabilities and suggests updates. They currently support JavaScript and Ruby.
Cookie consent script drops in-browser cryptocurrency miner
One library that helps to show those cookie warnings was found to host an in-browser Monero miner. It was discovered first on the site of Albert Heijn, the biggest Dutch supermarket chain.
Google study shows users get hacked more as result of phishing than data breaches or key loggers
This is in large part because most standard phishing kits gather the same data Gmail uses to verify logins, such as geolocation and phone numbers, which can then be spoofed. The original paper can be read here.
One fun fact to also come out of the study: 47% of studied phishing kits came from Nigeria, with 11% from the US as runner-up.
MongoDB 3.6 will listen on localhost only by default
This is to stop the massive rounds of ransomware attacks on unsecured MongoDB instances. Any new installation will bind to localhost only. If you open it up to the network, you will still have to enable authentication yourself. They hope that this deliberate step helps more engineers to do the right thing.
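To make the two settings concrete, here is an added example (not from the article or from MongoDB): a pre-3.6-style mongod.conf that listens on every interface without authentication, next to one that matches the 3.6 default and also turns authentication on, with a small audit function that tells them apart. Both configs are constructed for the example; the audit parses only the two-level `section:` / `key: value` shape shown (an assumption, not a full YAML parser), and treats a missing `bindIp` as loopback, the 3.6 default the article describes.

```python
# Constructed example config in the pre-3.6 style: every interface, no auth.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example matching the 3.6 default (loopback only) plus authentication.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse the two-level 'section:' / '  key: value' subset used by mongod.conf.

    Assumption for this example: no nesting deeper than two levels, no lists.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):               # top-level section header
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None:                  # key: value under the section
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> list[str]:
    """Return a list of exposure problems; an empty list means the config is safe by this check."""
    conf = parse_flat_yaml(text)
    net, security = conf.get("net", {}), conf.get("security", {})

    # Missing bindIp is treated as loopback (the 3.6 default); bindIpAll overrides it.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    exposed = net.get("bindIpAll", "false").lower() == "true" or any(a not in LOOPBACK for a in addrs)
    auth_on = security.get("authorization", "disabled").lower() == "enabled"

    issues = []
    if exposed:
        issues.append("net.bindIp exposes the server beyond loopback: " + ", ".join(addrs))
    if not auth_on:
        issues.append("security.authorization is not 'enabled'")
    if exposed and not auth_on:
        issues.append("CRITICAL: reachable from the network without authentication")
    return issues


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["ok"])
```

The check is deliberately conservative: a server that is network-reachable but has `authorization: enabled` still gets one finding, because the exposed listener is worth a look even when logins are required.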
Update all the things
- Adobe released patches for Flash and Reader, fixing 56 vulnerabilities, most of which are remote code execution flaws. One wonders if there is any original code left in those applications. link
- Microsoft releases 53 fixes, 25 of them for remote code execution bugs: link. It includes a fix for a 17-year-old bug that was found in an old Office tool, left in for backwards compatibility. More info on that here.
- CouchDB has released updates containing critical fixes: link.
The truth about the Intel’s hidden Minix OS and security concerns
There is a lot of security concern about Intel's Management Engine and Minix, the mini-OS that apparently ships inside Intel chipsets. I haven't been able to figure out the implications completely, but this article does a decent job of writing up what we know so far.
Bruce Schneier calls for government to regulate IoT security
He makes the all too true point that IoT is essentially in everything these days, even cars, yet most manufacturers have neither the means nor the urgency to handle security properly.
Security breach and spilled secrets have shaken the N.S.A. to its core
Long but interesting read in which the NY Times digs into the effect the Shadow Brokers had on the NSA. In short: they still don't know whether it was a hack or an inside job, morale is seriously hurting, and ongoing operations have been severely impacted.
Sponsorships
Bypassing web application firewalls
WAFs are a good security measure, but the security of your web applications should not depend on them alone. Watch this demo on Paul's Security Weekly, during which a researcher from Netsparker explains and demonstrates how modern web application firewalls can be bypassed.