News
Fitness tracking app Strava gives away the locations of secret US army bases
This is a fun one. Strava published a worldwide heatmap of its fitness tracking data, thereby revealing the locations of various secret military bases.
YouTube ran ads containing a Coinhive cryptominer
An unfortunate reminder of why ad blockers are a security feature these days, as not even Google has a 100% success rate in detecting malicious ads.
Windows Defender to start removing “optimizer” scareware
Starting in March, Microsoft will remove all utility software that scares or tricks users into upgrading (like the 'PC cleaners' that our parents somehow end up with on their PCs).
All kinds of security issues fixed
It's been a busy week, it seems. I could write a full issue on these items alone, but I figured I'd sum them up here so as to leave room for some other stuff too.
- A serious vulnerability was fixed in Firefox that allowed a malicious website to run code on your device at will. Make sure to update. link
- Cisco released a patch for one of its VPN components, rated dangerous enough to get a 10/10 severity score. link
- Lenovo issued a fix for its fingerprint reader software on Windows 7 and 8, which used weak encryption and a hardcoded password. link
- Several issues were fixed in Zoho's ManageEngine, an IT helpdesk SaaS. link
- A critical patch was issued for Oracle's POS system Micros, used by 300,000 companies. link
How Dutch intelligence spied on the Russian hackers attacking the DNC
The Dutch intelligence service AIVD managed years ago to hack a security camera in the hallway leading to the offices of Cozy Bear (the Russian hacking group), and shared the footage with the US.
IOTA cryptocurrency users lose $4 million in clever attack set up six months ago
The attacker created a flawed seed generator that users could use to create a private key, and advertised it. He 'open sourced' it, but the version running on the live site differed from the one published on GitHub. Six months later he started transferring all the coins to his own wallet, while a suspiciously timed DDoS attack kept the IOTA team too busy to notice. More technical detail in this blogpost.
Official phpBB download links were compromised temporarily
The issue was noticed quickly, and 'only' 500 downloads occurred in that window. Just make sure you weren't one of them.
Maersk reinstalled 45,000 PCs and 4,000 servers to recover from NotPetya attack
They essentially had to rebuild their entire infrastructure from scratch in only ten days. From the article: "Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT."
Most threatening DNS security risks and how to avoid them
A short overview of four DNS-related attacks: DDoS, typo-squatting, registrar hacking and cache poisoning.
Researchers warn of potential problems with attacks on sensor hardware
Called 'transduction attacks', these use electromagnetic, acoustic and electrical signals to spoof hardware sensors for temperature, movement and more.
The effects of the Spectre and Meltdown vulnerabilities
A short essay by Bruce Schneier on the current and future impact of hardware-related security problems.
Sponsorships
Exploiting blind XSS and second order SQL injection vulnerabilities
Watch this technical demo by Netsparker's CEO Ferruh Mavituna, in which he explains blind XSS and second order SQL injection vulnerabilities and shows how attackers can exploit them.
Securing your company's Macs
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.