News
Winter Olympics was hit by cyber-attack
The games experienced various issues as a result, from Internet and television services going down to the website being unreachable. The organizers don't want to comment on who did it, although Russia and North Korea are prime candidates. The attacks work through a piece of malware dubbed 'Olympic Destroyer'. Here's an overview of what it does.
Cryptomining script poisons government websites
Several government sites were compromised with a Coinhive mining script this week. The attack happened through a piece of JavaScript they all shared called 'Browsealoud', an accessibility service that converts the website's text to speech.
New iOS bug can crash iPhones and disable access to apps and iMessages
A new bug was discovered where if you send a certain sequence of characters in Telugu, an Indian language, you crash your phone. Apple will release a fix. For a much deeper dive on why this might happen, check out this Hacker News post and comments.
Microsoft Patch Tuesday happened - time to run them updates
The update fixes 50 vulnerabilities, of which 14 are rated critical. A particularly bad one is a fix for Outlook where just previewing a malicious email can compromise your system.
Breaches
Time to group them up again so there's a bit more room for other news.
- a legacy FedEx service still had an unsecured bucket with the personal details of thousands of customers, including ID cards and driver's licenses: link
- data on 800.000 Swisscom customers leaked through an external partner: link
- a few weeks old but still: a French marketing agency had an unsecured S3 bucket with personal details on 12.000 'influencers': link
Researcher uses macOS app screenshot feature to steal sensitive data
A researcher points out that there is nothing blocking any app on macOS from using the built-in screenshot API. It's available to all and doesn't require any permission. Add some phone-home code and OCR and you can sneak out pretty much anything.
Chrome's new ad blocker functionality and settings
Since ad blockers are related to security, I figure it's useful to show clearly what Chrome's built-in ad blocker does, starting February 15th.
In short, it blocks obnoxious ads and sites, but is no substitute for the likes of uBlock Origin from a security point of view.
Common approaches to securing Linux servers and what runs on them
Fantastic overview of various security measures to take and suggested tools to implement them.
Application security in a DevOps environment
Very interesting read on how Lyft tries to work security into the development cycle with a high degree of respect for the engineers' time and responsibilities.
Part 2: How to stop me harvesting credit card numbers and passwords from your site
A few issues back we saw a thought-provoking article on how to steal credit card information through third-party packages. I can certainly recommend it if you haven't read it yet.
This article is part 2, where the author explores what you can do about it. None of the options is an easy fix, but it's worth a read for sure.
ReelPhish: a real-time two-factor phishing tool
Real-time phishing, while difficult to pull off, can defeat 2FA protection by proxying the two-factor response to the attacker. These researchers released a tool on GitHub based on Selenium and Python that communicates between the phishing site and the attacker's session.
Would you have spotted this skimmer?
Cool little video showing a skimmer sliding a keypad over a payment terminal in an Aldi store. It only takes him about a second.