News
MacOS bug lets you bypass password pop-up with 'root' and an empty password
In case you somehow missed this, yes, it's as insane as it sounds. Fortunately, Apple has released an update. If you're on High Sierra, install it ASAP.
Imgur 2014 breach of 1.7 million e-mails and passwords
They found out just now through security researcher Troy Hunt, who received the data dump. He says he's impressed with how Imgur is handling this.
The leaked passwords are hashed with SHA-256, which isn't great for password storage (although they have since upgraded to bcrypt). No other personal information was included because Imgur never asked for any. Imgur's announcement can be read here.
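To show why the newsletter calls unsalted SHA-256 "not great" for passwords, here is a small added example (not Imgur's code, nor bcrypt itself). It contrasts an unsalted fast hash with a salted, deliberately slow one; it assumes the standard-library PBKDF2 as a stand-in for bcrypt, and the user records are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional


def fast_hash_record(password: str) -> str:
    """Unsalted SHA-256, the scheme behind the leaked Imgur hashes.
    The same password always yields the same digest, so a leak reveals
    which users share a password, and one precomputed table of guesses
    matches every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash_record(password: str, salt: Optional[bytes] = None,
                     iterations: int = 200_000) -> str:
    """Salted, slow hash. PBKDF2-HMAC-SHA256 from the standard library stands
    in for bcrypt here (assumption: avoids a third-party dependency); the
    per-user salt and the iteration count are what make it bcrypt-like."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow_hash(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and parameters and compare in
    constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def records_for_users(users: Dict[str, str], scheme: Callable[[str], str]) -> Dict[str, str]:
    """Hash every user's password with the given scheme."""
    return {user: scheme(pw) for user, pw in users.items()}


def users_with_shared_record(records: Dict[str, str]) -> int:
    """How many users can be grouped by identical stored value. With an
    unsalted hash this leaks shared passwords directly; with a salted one
    it should be zero."""
    seen: Dict[str, int] = {}
    for value in records.values():
        seen[value] = seen.get(value, 0) + 1
    return sum(count for count in seen.values() if count > 1)


# Constructed sample: two users who happen to share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

if __name__ == "__main__":
    fast = records_for_users(SAMPLE_USERS, fast_hash_record)
    slow = records_for_users(SAMPLE_USERS, slow_hash_record)
    print("unsalted SHA-256: users sharing a record:", users_with_shared_record(fast))
    print("salted PBKDF2:    users sharing a record:", users_with_shared_record(slow))
    print("login check:", verify_slow_hash("hunter2", slow["alice"]))
```

The visible difference is the salt: with SHA-256 alice and bob get byte-identical entries, so one guess cracks both, while the slow scheme gives each user a distinct record and makes every guess cost 200,000 HMAC rounds.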
Leaky s3 bucket with military data (again)
Sigh. This particular lootbox holds about 100GB of data marked 'Top Secret' relating to a military cloud initiative called Red Disk, a virtual drive, some private keys, and hashed passwords.
Researcher finds way to delete any image on Facebook
When creating a poll, adding an image and then deleting the poll, the image was also removed. After disclosing it, the researcher received a $10,000 bug bounty.
Two critical exploits in Exim mail transfer agent
Nothing most of us mortals have to worry about directly. But it does affect half of the globe's e-mail servers. So if you run an Exim mail server, better patch up.
FBI identifies and charges HBO hacker
We don't know how he was identified, but the FBI seems pretty sure, having added the Iranian man to its Most Wanted list. However, considering he lives in Iran, there's no real chance of getting him in front of a US court any time soon.
US indicts three Chinese nationals for alleged cyberattacks
The three people are part of a security firm believed to have strong ties with the Chinese government. They broke into Siemens, Moody's and Trimble. Given the geopolitics, however, not much is going to happen now. Presumably it's mostly a warning of sorts.
Bitsquatting NPM packages
Fascinating post on bitsquatting, a technique where attackers register names that differ from a popular one by a single bit, counting on the fact that computer hardware occasionally flips a bit at random. In the case of NPM packages, such a flip during a package request happens an estimated 500 times per day. One package was found that might have counted on this, installing a Coinhive miner instance.
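An added example, written for this summary and not taken from the post or from npm, of what "one bit different" means for a package name and how a maintainer or CI pipeline can use the same enumeration defensively: it lists the single-bit-flip neighbours of a name so they can be watched or pre-registered, and it flags a dependency that sits one bit away from a well-known package. The npm name rules it applies (lowercase letters, digits, '-', '.', '_', no leading '.' or '_') are an assumption of the example, and the dependency names checked at the end are constructed.

```python
import string
from typing import List, Optional

# Assumption: the character set npm accepts in an unscoped package name,
# and the rule that a name may not start with '.' or '_'.
ALLOWED = set(string.ascii_lowercase + string.digits + "-._")
BAD_LEADING = set("._")


def bit_flip_variants(name: str) -> List[str]:
    """Every string that differs from `name` in exactly one bit of one
    character and is still a plausible package name. These are the names a
    bitsquatter would register, and therefore the names worth monitoring."""
    variants = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in ALLOWED:
                continue  # uppercase, punctuation or non-ASCII: not a valid name
            if i == 0 and flipped in BAD_LEADING:
                continue
            variants.add(name[:i] + flipped + name[i + 1:])
    return sorted(variants)


def differs_by_one_bit(a: str, b: str) -> bool:
    """True when `a` and `b` have the same length and differ in exactly one
    bit overall (one character, one bit position)."""
    if len(a) != len(b):
        return False
    total = 0
    for x, y in zip(a, b):
        total += bin(ord(x) ^ ord(y)).count("1")
        if total > 1:
            return False
    return total == 1


def flag_suspicious(candidate: str, known_packages: List[str]) -> Optional[str]:
    """Return the well-known package `candidate` is one bit away from, or
    None. Meant as an install-time or lockfile check."""
    for known in known_packages:
        if candidate != known and differs_by_one_bit(candidate, known):
            return known
    return None


if __name__ == "__main__":
    # Constructed sample: two popular names and a few dependencies to vet.
    popular = ["lodash", "request"]
    print("one-bit neighbours of 'lodash':", bit_flip_variants("lodash"))
    for dep in ["lodash", "modash", "request", "reqtest"]:
        hit = flag_suspicious(dep, popular)
        print(f"{dep:10s} -> {'one bit from ' + hit if hit else 'ok'}")
```

Most flips land on uppercase or punctuation and are filtered out, which is why the neighbour list for a six-letter name is a few dozen entries rather than 48: the set is small enough that a project can register or watch all of them.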
Golden SAML: newly discovered attack technique forges authentication to cloud apps
This is a very technical one, but my attempt at a TL;DR: if an attacker has access to an Active Directory Federation Services account, they can elevate themselves to get SSO access to any cloud application in its federation. There is no fix; one can only monitor and try to rotate keys often. If you rely heavily on SAML, check it out.
5-year-old boy hacks dad's Xbox account
It doesn't always have to be serious. This five-year-old figured out that he could log into his dad's account by spamming the spacebar on the password screen (hey, kinda like Apple). He got a "bug bounty" from Microsoft of $50, four games and a year's subscription to Xbox Live :)
This newsletter is one year old \o/
Well, it will be Saturday. The first issue of this newsletter was published on December 2nd, 2016. Over the first year we've gained just under 1600 subscribers, and had only about 40 people unsubscribe. Which makes me quite happy :-) Thanks everyone!
Sponsorships
Discover security flaws in your website before attackers exploit them
Attackers only need to find and exploit one vulnerability in your web application to create havoc.