Issue 70

 

Critical vulnerability in Drupal

I'll echo the sentiment across the webs - if you have a Drupal setup: update now.
An attacker need only visit a specific URL to get full access. The vulnerability seems related to (the lack of) input validation, as this diff shows.
ttias.be

 

IETF approves TLS 1.3 standard

A new TLS (formerly known as SSL) version has been formally approved. Harder, better, faster, stronger.
bleepingcomputer.com

 

Several Google related security improvements

Google has been busy, so I'm grouping it all here:

  • Gsuite admins can now set how long a session can stay active before having to authenticate, and determine if a user has to redo his 2fa at every login or not: link
  • They announced several new security features for the Google Cloud Platform (GCP). Among which a 'cloud security command center', new audit capabilities, a data-loss prevention API and more: link
  • The above announcement also included 'Google Cloud Armor', providing protection against DOS and web app attacks. The product page is here, an explanation blogpost here and a Hackernews discussion (mostly on how it compares to Cloudflare) here.
  • Gsuite will block 'uncertified' Android devices from accessing Gsuite during setup, although custom roms will still have access by registering their device: link

 

City of Atlanta hit by ransomware

They have been experiencing problems for a few days now. They haven't decided yet if they'll pay the $51.000 ransom.
gizmodo.com

 

Flaw found in Ledger crypto wallet

It makes it possible for third-party suppliers to tamper with the device before you get it. A firmware patch has been released. Big kudos to the 15-year old Saleem Rachid who discovered the flaw and wrote an impressive report and proof-of-concept code.
krebsonsecurity.com

 

Head of Cobalt cybercrime gang arrested

The gang stole millions from bank ATM's in over 40 countries by letting them spit out money at predetermined times, all initiated through phishing e-mails to bank employees.
welivesecurity.com

 

Microsoft Meltdown patch made some windows systems less secure

If you haven't installed the March patches yet on your Windows 7 and Server 2008 R2 machines, you might want to get on that. On those systems the January Meltdown patch accidentally allowed any process to read and write memory at will.
threatpost.com

 

Encrypting Apple APFS disks might expose encryption password in logs

This made some headlines, although it's not as bad (luckily) as some previous Apple security problems.
sophos.com

 

Types of firewalls

A nice refresher on the various types of firewalls, like web app firewalls, 'next gen' firewalls and 'Unified Threat Management' firewalls.
esecurityplanet.com

 

Who and what Is Coinhive?

Interesting research from Brian Krebs on who might be behind the Coinhive service. There doesn't seem to be a definitive answer yet though.
krebsonsecurity.com

 

Sponsorship

Automated vulnerability scans of web applications in the SDLC

Integration of web application security in the SDLC has become really important. Businesses are pushing new code to production multiple times in a day, so it is vital that security flaws are identified at source. Listen to Paul’s Security Weekly podcast discussing this, scaling up web application security, time management for penetration testers and more.
netsparker.com

Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.
fleetsmith.com