News
Leaks and breaches
There were a few, so I'm grouping them here:
- 150 million MyFitnessPal accounts have been compromised. Most passwords were hashed with bcrypt, but unfortunately some with SHA-1. The company does get kudos for a quick and clear disclosure process: link
- Panera Bread, a food chain with over 2000 stores, gets less kudos for having all their customer names, physical addresses and four digits of their credit cards exposed on their website for eight months before fixing it: link
- The US retail stores Saks and Lord & Taylor reported that 5 million credit card records were stolen: link
Cloudflare announced privacy-first DNS service 1.1.1.1
Similar to Google's 8.8.8.8 and IBM's Quad9, but with the explicit promise of privacy, audited by KPMG. Kudos to Cloudflare, it's a really cool project.
Critical vulnerability opens Cisco switches to remote attack
You'll want to update fast. It's a remote code execution vulnerability in the Smart Install system, with a severity rating (CVSS) of 9.8/10. It seems to boil down to: if you have a Cisco device that is listening on port 4786, you're a target. At least 250,000 vulnerable devices have already been found to be publicly accessible.
Vulnerability in iOS built-in QR code scanner
The built-in QR code scanner can make it seem like you're about to open one page, but actually take you to another, because of incorrect URL parsing. Apple hasn't provided a fix yet.
Over 1000 Magento stores compromised in targeted campaign
There's a campaign underway to brute-force Magento stores, with at least 1000 stores already compromised. If you run one, make sure to check up on it.
Italian football club tricked into wiring €2 million to wrong account
Or how lucrative a single targeted phishing attack can be. The attackers claimed they represented Feyenoord and asked for release of funds related to a player transfer.
U.S. Department of Defense opens up new bug bounty program
The program will run through the month of April, and targets the Defense Travel Systems responsible for all travel-related logistics in the DoD.
Apple security and privacy updates
Apple released updates across their products, fixing a number of security issues. For example: fixing a problem where a thief could disable your Find My iPhone feature without needing an iCloud password. They also include privacy-related features explaining what data is collected and why.
Invisibly inserting usernames into text with zero-width characters
Interesting concept: fingerprinting documents with invisible characters so you can identify data leaks. There's also a Chrome extension that detects when this happens.
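To make the fingerprinting idea concrete, here is an added Python sketch (not code from the linked article or the extension) that hides a username in zero-width characters, then detects, decodes and strips it. The bit encoding (U+200B for 0, U+200C for 1) and the function names are assumptions chosen for illustration.

```python
# Added illustration; the bit encoding below is an assumption, not the article's scheme.
ZERO, ONE = "\u200b", "\u200c"   # ZERO WIDTH SPACE = bit 0, ZERO WIDTH NON-JOINER = bit 1
# Other invisible code points a detector should also flag.
INVISIBLE = {ZERO, ONE, "\u200d", "\u2060", "\ufeff"}


def embed(text: str, username: str) -> str:
    """Hide username as zero-width bits after the first word of text."""
    bits = "".join(f"{b:08b}" for b in username.encode("utf-8"))
    mark = "".join(ONE if bit == "1" else ZERO for bit in bits)
    head, sep, tail = text.partition(" ")
    return head + mark + sep + tail


def detect(text: str) -> list[tuple[int, str]]:
    """Return (offset, 'U+XXXX') for every invisible character found."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text) if c in INVISIBLE]


def recover(text: str) -> str:
    """Decode the hidden username, ignoring characters outside the bit alphabet."""
    bits = "".join("1" if c == ONE else "0" for c in text if c in (ZERO, ONE))
    usable = len(bits) - len(bits) % 8   # drop a truncated trailing byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def strip_invisible(text: str) -> str:
    """Remove all invisible characters, e.g. before pasting text elsewhere."""
    return "".join(c for c in text if c not in INVISIBLE)


if __name__ == "__main__":
    original = "Quarterly numbers are attached."   # constructed sample text
    marked = embed(original, "alice")              # constructed username
    print(len(original), len(marked), detect(marked)[:3])
    print(recover(marked), strip_invisible(marked) == original)
```

The marked string renders identically to the original, so a length or code point check like `detect` is the practical way to spot it.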
The 30 cybersecurity stats that matter most
I usually try to shield you guys from 'stats articles', i.e. "x% of companies have had a ransomware attack", because they're neither very actionable nor very educational. But this is a pretty impressive roundup of various statistics that's easy to read. So have at it :-)
Have I Been Pwned is now partnering with 1Password
When you have indeed been pwned, 1Password will be shown as a recommendation on what to do next. Troy explains his reasoning for the partnership very well in the article. Pros and cons are discussed on Hacker News here.
Sponsorships
Bypassing web application firewalls
WAFs are a good security measure, but the security of your web applications should not depend solely on them. Watch this demo on Paul’s Security Weekly, in which a researcher from Netsparker explains and demos how modern web application firewalls can be bypassed.
Securing your company Macs
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.