Issue 62

Fitness tracking app Strava gives away location of secret US army bases

This is a fun one. Strava published a worldwide heatmap of its users' fitness tracking data, and the running routes of service members revealed the locations of otherwise undisclosed military bases.
theguardian.com

 

YouTube ran ads containing a Coinhive cryptominer

An unfortunate reminder of why ad blockers are a security feature these days: not even Google catches 100% of malicious ads.
arstechnica.com

 

Windows Defender to start removing “optimizer” scareware

Starting in March, Microsoft will remove utility software that uses alarming or misleading messages to pressure users into paying for a 'premium' version (like the 'PC cleaners' our parents somehow end up with on their PCs).
arstechnica.com

 

All kinds of security issues fixed

It's been a busy week, it seems. I could write a full issue on these items alone, but I figured I'd sum them up here so as to leave room for some other stuff too.

  • A serious vulnerability was fixed in Firefox that allowed a malicious website to run code on your device. Make sure to update. link
  • Cisco released a patch for a vulnerability in the VPN component of its ASA firewall software, rated a maximum 10/10 CVSS severity. link
  • Lenovo issued a fix for its Fingerprint Manager software on Windows 7 and 8, which stored credentials with weak encryption and contained a hard-coded password. link
  • Several issues were fixed in Zoho's ManageEngine, an IT helpdesk SaaS. link
  • A critical patch was issued for Oracle's MICROS POS system, used by 300,000 companies. link

 

How Dutch intelligence spied on the Russian hackers attacking the DNC

The Dutch intelligence service AIVD managed to hack a security camera in the hallway leading to the offices of Cozy Bear (the Russian hacking group) years ago, and shared the footage with the US.
grahamcluley.com

 

IOTA cryptocurrency users lose $4 million in clever attack set up six months ago

The attacker built a flawed online seed generator, which IOTA users use to create the seed that serves as their private key, and advertised it. He 'open sourced' it, but the version running on the live site differed from the one on GitHub. Six months later he started transferring the victims' coins to his own wallet, while a suspiciously timed DDoS attack kept the IOTA team too busy to notice. More technical detail in this blogpost.
bleepingcomputer.com

 

Official phpBB download links were compromised temporarily

The issue was noticed quickly, and 'only' around 500 downloads happened in that window. Just make sure you weren't one of them: if you downloaded phpBB at the time, check your copy against the official checksums.
bleepingcomputer.com

 

Maersk reinstalled 45,000 PCs and 4,000 servers to recover from NotPetya attack

They essentially had to rebuild their entire infrastructure from scratch in only ten days. From the article: "Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT."
bleepingcomputer.com

 

Most threatening DNS security risks and how to avoid them

A short overview of four DNS-related attacks: DDoS, typo-squatting, registrar hacking and cache poisoning.
hackread.com

 

Researchers warn of potential problems with attacks on sensor hardware

Called 'transduction attacks', these use electromagnetic, acoustic and electrical signals to spoof hardware sensors such as temperature and motion sensors, so the software relying on them acts on false readings.
bleepingcomputer.com

 

The effects of the Spectre and Meltdown vulnerabilities

A short essay by Bruce Schneier on the current and future impact of hardware-related security problems.
schneier.com

 

Sponsorship

Exploiting blind XSS and second order SQL injection vulnerabilities

Watch this technical demo by Netsparker's CEO Ferruh Mavituna, in which he explains blind XSS and second-order SQL injection vulnerabilities and shows how attackers exploit them.
netsparker.com

 

Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it for free with up to 10 devices for as long as you need.
fleetsmith.com