Issue 72

Sears, Delta Airlines and Best Buy suffer card breach through chatbot provider

All three use [24]7.ai, a chatbot provider, which suffered a malware infection in October last year.
bleepingcomputer.com


New web authentication API accepted by W3C and FIDO Alliance

The WebAuthn API will allow websites to easily provide password-less authentication. Google, Microsoft and Mozilla are working on an implementation.
bleepingcomputer.com


Update all the things \o/

A non-exhaustive list of updates I came across:

  • Microsoft released an out-of-band update to fix a very serious vulnerability in Defender, where visiting a malicious site could trigger remote code execution: link
  • Microsoft also had its Patch Tuesday, fixing 65 other security issues, 23 of which are rated critical: link
  • The Spring framework has an update fixing another remote code execution issue: link


Exploit found that could heavily influence Google search results

This researcher found a fascinating exploit: he could submit a sitemap for a domain that was not his own, and with it rank his own site in the top 10 in a matter of days.
He received a bounty of $1337. As this discussion on Hacker News makes clear, he probably should have gotten much more.
tomanthony.co.uk


WannaCry ransomware sinkhole data now available to organizations

WannaCry infections are apparently still going strong. The company that runs the kill-switch domain that stops WannaCry from spreading now offers a free service that tells you whether an IP in your company tried to phone home to it, which means you have an infection somewhere.
bleepingcomputer.com


CloudFront CDN vulnerability: hijacking another domain

When some of your subdomains aren't explicitly listed in CloudFront's alternate domain names, someone else can create a CloudFront endpoint for them and your traffic will be served from there. Worth a read.
disloops.com


The dots do matter: how to scam a Gmail user

Interesting post on how the author was logged into someone else's Netflix account because Google makes john.doe@gmail.com and johndoe@gmail.com go to the same inbox.
jameshfisher.com
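The defensive takeaway from that post is that a service which keys accounts on the raw e-mail string will treat the two spellings as different users. Below is an added example (my own code, not from the linked post) of a canonicalisation helper that folds Gmail's dot-insensitive and plus-suffix variants into one form so duplicate inboxes can be flagged at sign-up; the sample addresses are constructed, and folding `googlemail.com` onto `gmail.com` is my assumption about the alias.

```python
# Added example: canonicalise e-mail addresses so that Gmail variants of the
# same inbox (dots in the local part, "+tag" suffixes, googlemail.com alias)
# compare equal. Not from the linked post; googlemail.com aliasing is assumed.

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form of `address`.

    All domains: strip whitespace and lowercase the domain (DNS is
    case-insensitive). The local part is left alone for unknown providers,
    since RFC 5321 allows it to be case-sensitive.
    Gmail only: lowercase the local part, drop every '.' and anything from
    '+' on, because Google delivers all of those to the same inbox.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # assumption: googlemail.com is an alias
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True if both addresses are believed to reach the same mailbox."""
    return canonical_email(a) == canonical_email(b)


def find_colliding_accounts(addresses):
    """Group sign-up addresses that resolve to the same canonical inbox.

    Returns {canonical: [original spellings]} for groups larger than one,
    i.e. the cases a registration flow should treat as an existing account.
    """
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_email(addr), []).append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample sign-ups: three spellings of one Gmail inbox, and two
# example.org addresses that must NOT be merged (dots matter there).
SAMPLE_SIGNUPS = [
    "john.doe@gmail.com",
    "johndoe@gmail.com",
    "John.Doe+netflix@googlemail.com",
    "jane@example.org",
    "j.ane@example.org",
]
```

Running `find_colliding_accounts(SAMPLE_SIGNUPS)` returns a single group under `johndoe@gmail.com` containing the three Gmail spellings, while the two `example.org` addresses stay separate.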


Kubernetes security best practices

For those using Kubernetes, here's a sensible list of security measures to take.
github.com


Sponsorship

Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.
fleetsmith.com


Is your website hackable?

Automatically identify cross-site scripting, SQL injection and other vulnerabilities in your web applications before malicious attackers find and exploit them. Use the dead accurate Netsparker web application security scanner to generate accurate reports so you do not have to manually check if the reported issues are real or false positives, and you can concentrate on your job.
netsparker.com