This is a fun one. Strava published a world-wide map of its fitness tracking data, thereby showing the locations of various secret military bases.
An unfortunate reminder of why ad blockers are a security feature these days, as not even Google has a 100% success rate in detecting malicious ads.
Starting in March Microsoft will remove all utility software that scares or tricks users into upgrading (like the 'PC cleaners' that our parents somehow end up with on their PC's).
All kinds of security issues fixed
It's been a busy week it seems. I could write a full issue on these items alone, but I figured I'd sum them up here as to leave room for some other stuff too.
- A serious vulnerability was fixed in Firefox, allowing for a malicious website to run code on your device at will. Make sure to update. link
- Cisco released a patch for a VPN component of theirs, rated dangerous enough to get a 10/10 severity score. link
- Lenovo issued a fix for its fingerprint readers on Windows 7 and 8, which was weakly encrypted and has a hardcoded password. link
- Several issues were fixed in Zoho's ManageEngine, an IT helpdesk Saas. link
- A critical patch is issued for Oracle's POS system Micros, used by 300,000 companies. link
The Dutch intelligence service AIVD managed to hack a security camera in the hallway leading to Cozy Bear's (the Russian hacking group's) offices years ago, and shared the data with the US.
The attacker created a flawed seed generator that users can use to create a private key, and advertised it. He 'open sourced' it, but used a different version on the live site than seen on Github. Six months later he started transferring all the coins to his wallet, while a suspiciously timed DDoS attack was keeping the IOTA team too busy to notice. More technical detail in this blogpost.
The issue was noticed quickly, and 'only' 500 downloads occurred in that time. Just make sure you weren't one of them.
They essentially had to rebuild their entire infrastructure from scratch in only ten days. From the artcile: "Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT.
An short overview of four DNS related attacks: DDoS, typo-squatting, registrar hacking and cache poisoning.
Called 'transduction attacks', these attacks use signals like EM, sound and electric to spoof hardware sensors for temperature, movement, and others.
A short essay by Bruce Schneier on the impact, current and future, of hardware related security problems.
Watch this technical demo by Netsparker's CEO Ferruh Mavituna, during which he explains the blind XSS and second order vulnerabilities and also shows how attackers can exploit them.
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.