In the last issue of this newsletter the count was at 3.000 compromised MongoDB installations. In this article, published on the 9th, the count is 28.000. It is thought that a total of 46.000 databases are vulnerable, according to scans with Shodan.
Edit: we're up to 33.000 on Jan 11th (link)
Sanrio, the company behind Hello Kitty, has had a data breach. Its MongoDB database holding over 3.3 million user accounts, of which 186.000 belong to children. The passwords were hashed with unsalted SHA-1.
E-Sports Entertainment Association (ESEA) also had a data breach, exposing the user data of 1.5 million people. The hacker in question demanded $100.000 ransom to not go public, but instead they choose to go public themselves before the hacker could.
The user passwords were hashed with bcrypt, which makes them quite secure. Unfortunately, a lot of other personal data was leaked as well.
The FTC seems to be on a crusade for IoT security. After their announcement of a IoT security challenge last week, they are now suing D-link for neglecting its security, citing "The company included hard-coded credentials in some of its IP cameras’ software, didn’t address known vulnerabilities in its routers, left the login credentials for the D-Link mobile app in plaintext on users’ mobile devices, and the private key used to sign software for some of D-Link’s devices was left exposed on a public website for several months".
St. Jude Medical, a company that makes pacemakers and other medical devices, has released patches to fix security vulnerabilities that could have an attacker essentially kill someone with a pacemaker remotely. The patches only fix the remote management software though, while the firmware of the device itself remains vulnerable because of very poor authentication (24-bit RSA, no typo). Which begs the question: how does one update the firmware in a pacemaker?
The Dutch company Computest has found a critical vulnerability in Ansible, the IT automation platform. The exploit can be used to compromise the Ansible controller, and through there gain access to its connected machines. Ansible has released a patch on Monday.
Two siblings were arrested after developing malware and infecting e-mail accounts, targeting mostly famous personalities. Around 20.000 e-mail accounts were infected, and 2.000 passwords compromised.
You'll see a super-discounted item, try to add it to your cart and check out, but it won't be available anymore. Then the merchant contacts you by e-mail, saying it's still available somewhere else and give you a very Amazon-like link.
Mike Tigas is making his Tor browser free to use, feeling that in current times it is more important than ever to protect ones privacy. He invites people to support the project through Patreon or make an anonymous Bitcoin donation.
This ransomware will decrypt your files if you read two links that it sends along. One is a Google blogpost on how to be secure online, and the other is a post describing the hacker's more evil "alter ego".
A useful list of security and hacking conferences all over the world, maintained by @cryptax on Github.