Issue 69

50 million Facebook profiles harvested by Cambridge Analytica

Easily the headline for this week. In bullet points:

  • Cambridge Analytica had an app called "thisisyourdigitallife". It was installed by about 300.000 people who gave it access to their data.
  • At the time any Facebook app could also access data from friends of their users. As such they gathered info on 50 million people, mostly US citizens.
  • Later, after that data-from-friends policy was changed, Facebook got wind of the data harvesting that occurred. They 'made' the people responsible delete the data, but apparently they didn't comply.
  • Facebook never disclosed that it knew of the breach/leak, and apparently even lied about it in hearings related to the Russia election meddling investigation.

The above article by the Guardian gives a very good overview.

Mark Zuckerberg wrote a post outlining the story from his point of view here. He also says they will look for similar instances of data harvesting and implement stricter app controls.
theguardian.com

 

AMD confirms vulnerabilities

Patches will be made available in the coming weeks. It's now clear that the vulnerabilities aren't on the same level as Spectre/Meltdown, since one needs admin rights to exploit them. But once exploited the machines are very hard to clean up.
This article explains in plain(er) English what the flaws mean.
bleepingcomputer.com

 

880,000 credit cards leaked in travel company data breach

The company, called Orbitz, disclosed the breach after investigating a legacy system. The breach included payment card information, dates of birth, phone numbers, addresses and more.
sophos.com

 

Hackers target PostgreSQL with coinminer hidden in Scarlett Johansson image

It sure makes for fun headlines, but it's still interesting. Once inside a compromised database, they append the coinminer binary to a legitimate image and have the server download that image, fooling most antivirus software.
Imperva has a good deep dive on the attack.
bleepingcomputer.com
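The trick above works because the file is still a valid image, so a cheap defensive check is to walk the image's own structure to its end-of-image marker and see how many bytes come after it. This is an added example, not code from the article or from Imperva's write-up; the JPEG/PNG skeletons it tests against are constructed fixtures, not real files.

```python
# Added example (not the article's or Imperva's code): walk an image's own
# structure to its end-of-image marker and report how many bytes follow it.
# Searching for the last FF D9 is not enough: an appended binary may contain it.

def jpeg_end(data):
    """Offset just past EOI, or None if the JPEG is malformed."""
    if not data.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:                            # EOI: image ends here
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone, no length field
            i += 2
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")  # skip this segment
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while i + 1 < len(data) and not (
                data[i] == 0xFF and data[i + 1] != 0 and not 0xD0 <= data[i + 1] <= 0xD7
            ):
                i += 1
    return None

def png_end(data):
    """Offset just past the IEND chunk's CRC, or None if the PNG is malformed."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    i = 8
    while i + 12 <= len(data):                  # length(4) + type(4) + crc(4)
        length = int.from_bytes(data[i:i + 4], "big")
        ctype = data[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i
    return None

def trailing_bytes(data):
    """Bytes after the end marker; -1 if the format is unknown or malformed."""
    end = jpeg_end(data) if data[:2] == b"\xff\xd8" else png_end(data)
    return -1 if end is None else len(data) - end

# Constructed fixtures, not real files: minimal JPEG and PNG skeletons.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9           # SOI + APP0
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"               # SOS header
              + b"\x12\x34\xff\x00\x56\xff\xd9")                          # scan data + EOI
TROJANED_JPEG = CLEAN_JPEG + b"\x7fELF\xff\xd9" + b"\x00" * 200  # payload containing FF D9
CLEAN_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
TROJANED_PNG = CLEAN_PNG + b"MZ" + b"\x90" * 300
```

A few bytes of padding after the marker are common in the wild; a trailer the size of a binary is what to alert on, so pick a threshold rather than flagging any non-zero count.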

 

G Suite releases improvements on proactive phishing protections

This sounds like a very nice update, with features such as expanding short URLs to detect malicious links, flagging emails with encrypted attachments and embedded scripts, and more. They also improved mobile device management (MDM).
googleblog.com

 

Microsoft launches bug bounty program for Spectre/Meltdown-like attacks

They think there might be more issues out there, and want to stimulate research with bug bounties up to $250.000. The program will run until the end of 2018.
threatpost.com

 

Pwn2Own 2018 has wrapped up

A total of $267.000 was paid out, of which $127.000 went to a single researcher :-)
hackread.com

 

Netflix opens public bug bounty program

Their bug bounty program was previously private. They've now opened it up, widened the scope and set the maximum payout per bug to $15.000.
threatpost.com

 

Security checklist for SaaS companies (and others)

Pretty great list of security measures to take, divided into sections of 'seed', 'series A' and 'post series A', although the divisions are very debatable. Lots of inspiration to be had though. Good discussion on Hacker News too.
sqreen.io

 

Marcus Hutchins, the gray hat hacker

Nice piece on Marcus Hutchins aka 'MalwareTech', who stopped WannaCry but was also arrested for his alleged role in the Kronos malware.
nymag.com

 

Sponsorship

Is your website hackable?

Use the dead accurate Netsparker web application security scanner to do the work for you, including eliminating false positives.
netsparker.com

Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.
fleetsmith.com