Two hackers got into a GitHub account, found AWS credentials in a repo (a big no-no), logged into AWS and found an archive with the e-mail addresses, names and phone numbers of 57 million customers and drivers, plus 600,000 driver's license numbers. The hackers wanted money from Uber, who paid them $100,000. Uber is legally obligated to disclose such breaches, but didn't.
To reiterate from last week: Intel's ME is a sort of CPU inside the CPU, running its own OS, Minix.
Once its existence became known, several vulnerabilities were discovered. The security of this component is hugely important: if you compromise the ME you completely bypass the operating system, malware scanners, etc. You essentially have an undetectable foothold. And a compromised machine can be reached even when it appears to be turned off to the user, because the ME draws its own power.
Amazon Key allows a delivery driver to unlock your door and deliver a package, with a camera recording every movement. However, researchers showed that when the camera is knocked off the Wi-Fi network (with a deauthentication attack), its feed freezes on the last frame, so a driver could re-enter without the homeowner knowing. The video explains it well. Amazon is sending out a firmware patch soon.
Once those credentials were accidentally published on GitHub, someone spun up 244 rogue VMs, costing the company a total of $64,000. A good reminder to never put credentials in your version control system.
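Both the Uber breach above and this incident started with AWS keys sitting in a repository. One defensive control is to scan every commit for key-shaped strings before it is pushed. The scanner below is an added example for this newsletter, not code from any of the projects or companies mentioned. It uses the publicly documented shape of AWS access key IDs (`AKIA`/`ASIA` plus 16 uppercase alphanumerics) and 40-character secret access keys, with a Shannon-entropy filter to ignore obvious placeholders. It only looks at lines a diff adds, since removed lines never land in the repository. The sample diff, the entropy threshold and the `redact` helper are constructed for the example; the key values are the well-known AWS documentation examples, not live credentials.

```python
import math
import re

# Documented formats: long-lived (AKIA...) and temporary (ASIA...) access key IDs,
# and the 40-character secret access key drawn from the base64-style alphabet.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

# Constructed, tunable threshold in bits per character: a real secret scores well
# above this, a placeholder like forty X's scores 0.0 and is ignored.
MIN_SECRET_ENTROPY = 3.0


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Keep only the first and last four characters so findings can be logged safely."""
    return token[:4] + "..." + token[-4:]


def scan_line(line):
    """Return (kind, redacted_snippet) tuples for every key-shaped token on one line."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(line):
        findings.append(("aws_access_key_id", redact(m.group(0))))
    for m in SECRET_KEY_RE.finditer(line):
        token = m.group(0)
        if shannon_entropy(token) >= MIN_SECRET_ENTROPY:
            findings.append(("aws_secret_access_key", redact(token)))
    return findings


def scan_diff(diff_text):
    """Scan only the lines a unified diff adds, reporting new-file line numbers."""
    results = []
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": new-file numbering restarts at c.
            m = re.search(r"\+(\d+)", raw)
            new_lineno = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue  # file headers, not content
        if raw.startswith("-"):
            continue  # removed lines never reach the repository
        new_lineno += 1  # context and added lines both advance new-file numbering
        if raw.startswith("+"):
            for kind, snippet in scan_line(raw[1:]):
                results.append({"line": new_lineno, "kind": kind, "snippet": snippet})
    return results


# Constructed sample: a commit that replaces an environment-variable reference with
# hardcoded keys. The values are the AWS documentation example keys.
SAMPLE_DIFF = """\
diff --git a/deploy/config.ini b/deploy/config.ini
--- a/deploy/config.ini
+++ b/deploy/config.ini
@@ -1,3 +1,6 @@
 [default]
 region = eu-west-1
-aws_access_key_id = ${AWS_ACCESS_KEY_ID}
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+placeholder = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+comment = this is fine
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['kind']} {f['snippet']}")
```

Wired into a pre-commit or pre-receive hook, `scan_diff` is fed `git diff --cached` and the commit is rejected when the result is non-empty; the redacted snippet is what gets logged, never the full token.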
The name was given because of the similarity with Heartbleed. Essentially, you can trigger the affected Oracle products to leak a large chunk of memory, possibly containing sensitive data. Oracle urges everyone affected to update fast.
You're vulnerable if you run any Android version other than the latest one (Oreo). Apparently any app can request the 'MediaProjection' service, which can record your screen and audio. A pop-up is shown when recording starts, but attackers can hide it behind another pop-up. There will be an icon in the notification bar, though. Google doesn't seem to be patching it for older Android versions.
The same researcher was awarded another $100,000 a year ago. Lucrative work :-)
This time it was for an impressive chain of exploits that together allowed an attacker to remotely take over the system through a web page.
For the DevOps peeps among us, this is a great overview of security considerations in a container-driven environment.
Speaking of Troy Hunt, he has been asked to testify before the US Congress (even though he's Australian ^^) about data breaches and how they relate to identity verification. He's openly asking for input on what to discuss. Hacker News thread here.
Under the category of "things you never really think about", here's a post explaining how one could cause all kinds of mischief with container ships by tampering with how they balance their load. No exploits or anything, just a thought-provoking experiment.
And yes, it's perfectly ok to now be replaying the "Row, row, row your boat" scene from Hackers in your head.
It's not quite security, but it's so important that I include it anyway. If you are in the US, you have three weeks left to dig in your heels (again) for the battle over Net Neutrality.
Watch this technical demo by Netsparker's CEO Ferruh Mavituna, in which he explains blind XSS and second-order vulnerabilities and shows how attackers can exploit them.