Issue 7

MongoDB attacks jump from hundreds to 28,000 in just days

In the last issue of this newsletter the count was at 3,000 compromised MongoDB installations. In this article, published on the 9th, the count is 28,000. A total of 46,000 databases are thought to be vulnerable, according to Shodan scans.
Edit: we're up to 33,000 on Jan 11th (link)


Hello Kitty database leaked to the web, 3.3 million fans affected

Sanrio, the company behind Hello Kitty, has had a data breach. Its MongoDB database held over 3.3 million user accounts, of which 186,000 belong to children. The passwords were hashed with unsalted SHA-1.


ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt

E-Sports Entertainment Association (ESEA) also had a data breach, exposing the user data of 1.5 million people. The hacker demanded a $100,000 ransom not to go public, but ESEA chose to disclose the breach themselves before the hacker could. The user passwords were hashed with bcrypt, which makes them quite secure. Unfortunately, a lot of other personal data was leaked as well.
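The two breaches above show the practical difference between unsalted SHA-1 and bcrypt. As an added illustration (not code from the article or from either company), the Python below computes both styles of hash over a constructed sample of accounts. PBKDF2-HMAC from the standard library stands in for bcrypt, an assumption made so the example runs without third-party packages; the properties shown hold for either. In the unsalted store every account that reused a password shares one digest, so one lookup covers them all and a precomputed table of a banned-password list matches by dictionary lookup; with a per-account salt and a slow derivation, identical passwords produce different hashes and no table can be prepared in advance.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample dump: (username, password). Reused weak passwords are
# deliberate so the duplicate-hash effect is visible.
SAMPLE_USERS = [
    ("alice", "kitty123"),
    ("bob", "kitty123"),
    ("carol", "password1"),
    ("dave", "kitty123"),
]

# Constructed banned-password list, as an auditor might run against a dump.
BANNED_PASSWORDS = ["123456", "password1", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """One fast, unsalted SHA-1 digest per password (the scheme in the Sanrio dump)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-account salt plus a deliberately slow derivation.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption made so the example
    needs only the standard library); the properties demonstrated hold for both.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_unsalted_store(users):
    return {name: sha1_unsalted(pw) for name, pw in users}


def build_salted_store(users):
    store = {}
    for name, pw in users:
        salt = os.urandom(16)  # fresh random salt for every account
        store[name] = (salt, salted_slow_hash(pw, salt))
    return store


def duplicate_hash_groups(unsalted_store) -> dict:
    """Digests shared by more than one account. In an unsalted dump each group
    is a set of users with the same password: one guess unlocks all of them."""
    counts = Counter(unsalted_store.values())
    return {digest: n for digest, n in counts.items() if n > 1}


def duplicate_salted_groups(salted_store) -> dict:
    counts = Counter(digest for _salt, digest in salted_store.values())
    return {digest: n for digest, n in counts.items() if n > 1}


def accounts_using_banned_password(unsalted_store, banned) -> dict:
    """Without a salt, one precomputed table of the banned list is checked against
    every account by dictionary lookup, with no per-account work at all."""
    table = {sha1_unsalted(pw): pw for pw in banned}
    return {name: table[d] for name, d in unsalted_store.items() if d in table}


def verify_salted(salted_store, name: str, attempt: str) -> bool:
    """Login check against the salted store, using a constant-time comparison."""
    salt, expected = salted_store[name]
    return hmac.compare_digest(salted_slow_hash(attempt, salt), expected)


if __name__ == "__main__":
    unsalted = build_unsalted_store(SAMPLE_USERS)
    print("shared unsalted digests:", duplicate_hash_groups(unsalted))
    print("accounts on banned list:", accounts_using_banned_password(unsalted, BANNED_PASSWORDS))
    salted = build_salted_store(SAMPLE_USERS)
    print("shared salted digests:", duplicate_salted_groups(salted))
    print("alice logs in:", verify_salted(salted, "alice", "kitty123"))
```

The duplicate-group check is a quick first triage step on any leaked unsalted dump: the size of the largest group tells you how many accounts fall to a single correct guess.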


FTC files complaint against D-Link over router and camera security

The FTC seems to be on a crusade for IoT security. After announcing an IoT security challenge last week, they are now suing D-Link for neglecting its security, citing: "The company included hard-coded credentials in some of its IP cameras’ software, didn’t address known vulnerabilities in its routers, left the login credentials for the D-Link mobile app in plaintext on users’ mobile devices, and the private key used to sign software for some of D-Link’s devices was left exposed on a public website for several months".


Pacemakers patched against potentially life-threatening hacks

St. Jude Medical, a company that makes pacemakers and other medical devices, has released patches to fix security vulnerabilities that could have let an attacker essentially kill someone with a pacemaker remotely. The patches only fix the remote management software, though, while the firmware of the device itself remains vulnerable because of very poor authentication (24-bit RSA, no typo). Which raises the question: how does one update the firmware in a pacemaker?
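To put "24-bit RSA" in perspective, here is an added Python illustration (not code from the article or from any St. Jude product, and built on constructed primes) that creates a toy RSA key with a 24-bit modulus, factors the public modulus by plain trial division, recovers the private exponent from the public key alone and produces a signature that verifies under it. The same loop against a 2048-bit modulus would never finish; against 24 bits it needs at most a few thousand divisions, which is why authentication backed by such a key provides no protection at all.

```python
from math import isqrt

# Constructed toy primes: two 12-bit primes give a 24-bit modulus, the size the
# article reports for the pacemaker firmware. Real RSA uses 2048 bits or more.
P, Q = 3001, 3511
E = 65537  # the customary public exponent


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return False
    return True


def make_toy_key(p: int, q: int, e: int = E):
    """Return (n, e, d) for a textbook RSA key built from primes p and q."""
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def factor_by_trial_division(n: int):
    """Recover (p, q) from n alone. Also returns the number of divisions it took,
    so the cost of breaking a key this small is visible."""
    if n % 2 == 0:
        return (2, n // 2), 1
    steps = 0
    for f in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % f == 0:
            return (f, n // f), steps
    raise ValueError("n is prime, not an RSA modulus")


def recover_private_exponent(n: int, e: int) -> int:
    """Everything needed here is the public key (n, e); the private key falls out
    of the factorisation."""
    (p, q), _ = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def sign(message: int, d: int, n: int) -> int:
    # Textbook RSA without padding is enough to show the key-size problem.
    return pow(message, d, n)


def verify_signature(message: int, signature: int, e: int, n: int) -> bool:
    return pow(signature, e, n) == message % n


if __name__ == "__main__":
    n, e, d = make_toy_key(P, Q)
    (p, q), steps = factor_by_trial_division(n)
    print(f"n has {n.bit_length()} bits; factored as {p} * {q} after {steps} divisions")
    d_recovered = recover_private_exponent(n, e)
    forged = sign(0xCAFE, d_recovered, n)
    print("signature made from the recovered key verifies:",
          verify_signature(0xCAFE, forged, e, n))
```

For this modulus the loop stops after 1,500 divisions. The lesson for a device that cannot easily be re-flashed is that the key size has to be chosen for the device's whole service life, since the factoring cost is the only thing standing between the public key and a valid update signature.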


Command execution vulnerability in Ansible

The Dutch company Computest found a critical vulnerability in Ansible, the IT automation platform. The exploit can be used to compromise the Ansible controller and, from there, gain access to the machines it manages. Ansible released a patch on Monday.


Hacker siblings arrested for targeting Italian elite, infecting 20k emails

Two siblings were arrested after developing malware and infecting e-mail accounts, mostly those of well-known personalities. Around 20,000 e-mail accounts were infected and 2,000 passwords compromised.


Beware phishing scams in Amazon listings

You see a heavily discounted item and try to add it to your cart and check out, but it is no longer available. Then the merchant contacts you by e-mail, saying it is still available elsewhere, and gives you a very Amazon-like link.


Onion Browser goes free for privacy-conscious iOS users

Mike Tigas is making his Tor browser free to use, feeling that in current times it is more important than ever to protect one's privacy. He invites people to support the project through Patreon or make an anonymous Bitcoin donation.


Ransomware offers free decryption if you learn about cybersecurity

This ransomware will decrypt your files if you read two links it sends along. One is a Google blog post on how to stay secure online, and the other is a post describing the hacker's more evil "alter ego".


Security conferences list

A useful list of security and hacking conferences all over the world, maintained by @cryptax on GitHub.