Issue 52

Uber covered up data breach containing personal information on 57 million people

Two hackers got into a GitHub account, found AWS credentials in a repo (big no-no), logged into AWS and found an archive with e-mail addresses, names and phone numbers of 57 million customers and drivers, plus 600,000 driver's license numbers. The hackers wanted money from Uber, who paid them $100,000. However, Uber is obligated to disclose such breaches and didn't.
bloomberg.com

 

Intel releases firmware updates fixing several vulnerabilities in its Management Engine

To reiterate from last week: Intel's ME is a sort of CPU within the CPU, running its own OS, Minix.
Once its existence became known, several vulnerabilities were discovered. The security of this component is hugely important, because if you compromise the ME you completely bypass the operating system, malware scanners, etc. You essentially have an undetectable foothold. And the ME can be reached even when the computer appears to the user to be turned off, because it draws its own power.
bleepingcomputer.com

 

Amazon Key flaw disables camera image so re-entry is undetected

Amazon Key allows a delivery driver to unlock your door and deliver a package, with a camera recording every movement. However, researchers showed that when you knock the camera off the network (with a Wi-Fi de-auth attack), it freezes on the last frame, so someone could re-enter and the home-owner wouldn't know. The video explains it well. Amazon is sending out a firmware patch soon.
wired.com

 

Company leaks AWS private keys on GitHub, costing them $64,000

Once those credentials were accidentally published on GitHub, someone spun up 244 rogue VMs, costing the company a total of $64,000. Good reminder to never put credentials in your version control system.
theregister.co.uk
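Both the Uber story above and this one start with AWS keys sitting in a repository. One cheap safeguard is a pre-commit hook that refuses commits containing key-shaped strings; the following is an added example written for this issue, not code from either article, and it assumes the documented AWS key formats (a 4-letter AKIA/ASIA prefix plus 16 upper-case alphanumerics for the access key ID, 40 base64-style characters for the secret key).

```python
import re
import subprocess
import sys

# Access key IDs: AKIA (long-lived IAM key) or ASIA (temporary STS key) + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A bare 40-char base64 string is too noisy on its own, so the secret key is
# only flagged when the same line names it (aws_secret_access_key = ...).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file, never enough to use it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text: str):
    """Return a list of (line_number, kind, redacted_value) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", redact(m.group(1))))
    return hits


def scan_staged_files() -> int:
    """Pre-commit entry point: scan the staged blobs, return 1 to block the commit."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.split()
    bad = 0
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"],
                              capture_output=True, check=True).stdout
        for lineno, kind, shown in find_aws_credentials(blob.decode("utf-8", "replace")):
            print(f"{name}:{lineno}: {kind} {shown}")
            bad += 1
    return 1 if bad else 0


# Constructed sample: a credentials file of the kind that gets committed by mistake.
SAMPLE = """[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
# similar shape but not a key (no word boundary after 16 chars): AKIAMISSINGUPPERCASEletters
"""

if __name__ == "__main__":
    sys.exit(scan_staged_files())
```

Save it as `.git/hooks/pre-commit` (executable) and the commit is refused whenever a staged file contains a hit; the two sample lines above are caught, the decoy on the last line is not.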

 

Oracle issues emergency patches for 'JoltandBleed' vulnerabilities

The name was chosen because of the similarity to Heartbleed. Essentially you can trigger the affected Oracle products to return a large chunk of memory, possibly containing sensitive data. Oracle urges everyone affected to update fast.
threatpost.com

 

Android flaw lets any app record your screen and audio

You're vulnerable if you run an Android version that's not the latest one (Oreo). Apparently any app can request the 'MediaProjection' service, which can record your screen and audio. A pop-up is shown when recording starts, but attackers can hide it behind another pop-up. There will be an icon in the notification bar, though. Google doesn't seem to be patching this for older Android versions.
bleepingcomputer.com

 

Chromebook exploit earns researcher second $100k bounty

The same researcher was awarded another $100,000 a year ago. Lucrative work :-)
This time it was for an impressive chain of exploits that together allowed an attacker to remotely take over the system through a web page.
sophos.com

 

10 layers of Linux container security

For the devops peeps among us, this is a great overview of security considerations in a container-driven environment.
opensource.com

 

Firefox will warn users when visiting sites that suffered a data breach

It's currently being developed as a prototype in the form of an add-on, to be brought into Firefox later. It will use data from Troy Hunt's HaveIBeenPwned service.
bleepingcomputer.com

 

Troy Hunt: I'm testifying in front of Congress about data breaches - What should I say

Speaking of Troy Hunt, he has been asked to testify in front of the US Congress (even though he's Australian ^^) about data breaches and how they relate to identity verification. He's openly asking for input on what to discuss. Hacker News thread here.
troyhunt.com

 

Sinking container ships by hacking load plan software

Under the category of "things you never really think about", here's a post explaining how one could cause all kinds of mischief with container ships by tampering with how they balance their cargo weight. No exploits or anything, just a thought-provoking thought experiment.
And yes, it's perfectly ok to now be replaying the "Row, row, row your boat" scene from Hackers in your head.
pentestpartners.com

 

Join the battle for Net Neutrality

It's not quite security, but so important that I include it anyway. If you are in the US, you have three weeks left to dig in your heels (again) in the battle for Net Neutrality.
battleforthenet.com

 

Sponsorship

Exploiting blind XSS and second order SQL injection vulnerabilities

Watch this technical demo by Netsparker's CEO Ferruh Mavituna, in which he explains blind XSS and second-order SQL injection vulnerabilities and shows how attackers can exploit them.
netsparker.com