Issue 64

Winter Olympics was hit by cyber-attack

The games experienced various issues as a result, from Internet and television services going down to the website being unreachable. The organisers don't want to comment on who did it, although Russia and North Korea are prime candidates. The attacks work through a piece of malware dubbed 'Olympic Destroyer'. Here's an overview of what it does.
theguardian.com

 

Cryptomining script poisons government websites

Several government sites were compromised with a Coinhive mining script this week. The attack happened through a piece of JavaScript they all shared called 'Browsealoud', an accessibility service that converts the website's text to speech.
sophos.com
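The standard defence against a shared third-party script being swapped out underneath you is Subresource Integrity: pin the script tag to a hash of the copy you reviewed, and the browser refuses any other version. The helper below is an added example, not code from the Sophos article or from the Browsealoud service; the script bodies, the CDN URL and the function names are constructed for illustration.

```python
"""Generate and check Subresource Integrity (SRI) hashes for a third-party script.
The two script bodies below are constructed stand-ins: a reviewed copy, and the
same file after extra code was appended to it."""
import base64
import hashlib
import re

# Constructed: the third-party accessibility script as it was when reviewed.
GOOD_SCRIPT = b"(function(){window.readAloud=function(t){console.log(t);};})();\n"
# Constructed: the same file with an unexpected addition at the end.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"var s=document.createElement('script');\n"

ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for a script body, e.g. 'sha384-...'."""
    digest = ALGOS[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Build a <script> tag pinned to the exact content that was reviewed.
    crossorigin is required so the browser can check a cross-origin response."""
    return (f'<script src="{src}" integrity="{sri_hash(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Approximate the browser's check: accept the body if one of the listed
    hashes matches. (The spec only considers the strongest algorithm listed;
    this simplified check treats every listed token as acceptable.)"""
    for token in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", token)
        if m and sri_hash(body, m.group(1)) == token:
            return True
    return False


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/readaloud.js", GOOD_SCRIPT)
    print(tag)
    integrity = re.search(r'integrity="([^"]+)"', tag).group(1)
    print("reviewed copy accepted:", verify_sri(GOOD_SCRIPT, integrity))
    print("modified copy accepted:", verify_sri(TAMPERED_SCRIPT, integrity))
```

When the pinned script legitimately changes, the page breaks until the hash is updated, which is exactly the review step this attack skipped.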

 

New iOS bug can crash iPhones and disable access to apps and iMessages

A new bug was discovered where sending a certain sequence of characters from Telugu, an Indian language, crashes the phone. Apple will release a fix. For a much deeper dive on why this might happen, check out this Hacker News post and its comments.
theverge.com

 

Microsoft Patch Tuesday happened - time to run them updates

The update fixes 50 vulnerabilities, of which 14 are rated critical. A particularly bad one is an Outlook flaw where merely previewing a malicious email can compromise your system.
threatpost.com

 

Breaches

Time to group them up again so there's a bit more room for other news.

  • a legacy FedEx service still had an unsecured bucket with the personal details of thousands of customers, including ID cards and driver's licenses: link
  • data on 800,000 Swisscom customers leaked through an external partner: link
  • a few weeks old but still: a French marketing agency had an unsecured S3 bucket with personal details on 12,000 'influencers': link

 

Researcher uses macOS app screenshot feature to steal sensitive data

A researcher points out that there is nothing blocking any app on macOS from using the built-in screenshot API. It's available to all and doesn't require any permission. Add some phone-home code and OCR and you can sneak out pretty much anything.
bleepingcomputer.com

 

Chrome's new ad blocker functionality and settings

Since ad blockers are related to security, I figure it's useful to show clearly what Chrome's built-in ad blocker does, starting February 15th.
In short, it blocks obnoxious ads and sites, but is no substitute for the likes of uBlock Origin from a security point of view.
bleepingcomputer.com

 

Common approaches to securing Linux servers and what runs on them

Fantastic overview of various security measures to take and suggested tools to implement them.
medium.com

 

Application security in a DevOps environment

Very interesting read on how Lyft tries to work security in the development cycle with a high degree of respect for the engineers' time and responsibilities.
lyft.com

 

Part 2: How to stop me harvesting credit card numbers and passwords from your site

A few issues back we saw a thought-provoking article on how to steal credit card information through third-party packages. I can certainly recommend it if you haven't read it yet.
This article is part 2, where the author explores what you can do about it. None of the options are an easy fix, but worth a read for sure.
hackernoon.com

 

ReelPhish: a real-time two-factor phishing tool

Real-time phishing, while difficult to pull off, can defeat 2FA protection by proxying the two-factor response to the attacker. These researchers released a tool on GitHub, based on Selenium and Python, that relays between the phishing site and the attacker's session.
fireeye.com

 

Would you have spotted this skimmer?

Cool little video showing a skimmer sliding a keypad over a payment terminal in an Aldi store. It only takes him about a second.
krebsonsecurity.com

 

Sponsorship

 

Is your website hackable?

Use the dead accurate Netsparker web application security scanner to do the work for you, including eliminating false positives.
netsparker.com

 

Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.
fleetsmith.com