News
Europol takes down world's largest DDoS-for-hire market
The service had over 136,000 registered users and carried out over 4 million DDoS attacks. DDoS attacks went down by 60% afterwards, at least for now.
Researchers find way to create hotel masterkey by scanning any other keycard of the hotel
An update is available for the vulnerable version, but it requires a physical firmware update of each individual lock. The researchers didn't open-source the exploit, and it doesn't seem to have been an easy feat to pull off.
Researchers turned Amazon's Echo into eavesdropping device
They essentially found a way to keep a listening session open for longer than usual, without the usual re-prompt that would tip off the user. Whatever was said during the session was transcribed and sent to the attacker. Amazon has released a patch for the issue.
Volkswagen and Audi cars vulnerable to remote hacking
Researchers used the car's Wi-Fi connection to gain access to the infotainment system. They got root access, which gave them control over navigation, the microphone of the car kit, and potentially more. Volkswagen fixed the issue for new cars, but it's unclear how existing cars are handled, since there is no over-the-air update mechanism.
Trivial exploit on widely used IoT camera brand
The camera in question is sold as a white-label product by many companies, so it's hard to give a single name. If you access the admin panel with the cookie value 'uid=admin', you get full control. Over 50,000 such cameras are publicly reachable.
Triggering an instant blue-screen-of-death (BSOD) on all recent Windows versions
It might not be a security issue in the strictest sense, as Microsoft argues, but the 'prank' or DoS potential seems evident. It requires physical access to the machine to plug in the USB drive, but it also works on locked machines, which the researcher argues really shouldn't happen.
Starting today Chrome will show warnings for non-logged SSL certificates
Certificate issuers must publicly log every certificate they issue (Certificate Transparency), so that mis-issued certs can be detected. Chrome will now show a full-page warning if it comes across a cert that isn't in the logs. Other browsers will follow.
Introducing .app, a more secure home for apps on the web
Google introduced the .app top-level domain, where HTTPS is mandatory. It's all a bit weird to me but hey, it's news. Hacker News discussion here.
So you want to be a security engineer?
Pretty great outline and resource list for anyone who wants to dive into (webapp) security engineering but doesn't know where to start.
G Suite security - personal project
This is a personal one. I'm building a product that gives you a security rundown of your G Suite account, with items like:
- accounts without 2FA enabled
- recently failed or suspicious logins
- publicly readable groups and documents
- recent OAuth approvals
You run it to make sure everything is peachy inside your organisation, and to see where there's work left to be done.
It will probably be self-hosted, so only you have access to your data. Although I'm eager for your feedback on that. If you're interested, let me know right here.
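As an added example (not part of the newsletter or of the project described above), here is how two of those checks can be written as rules over Admin SDK-shaped records. The field names follow the Directory API User resource (isEnrolledIn2Sv, isEnforcedIn2Sv, suspended) and Reports API login events (actor.email, id.time, events[].name) as I know them; all sample users and events are constructed.

```python
# Audit rules for a G Suite security rundown, run over constructed sample records. Field
# names mirror the Admin SDK Directory API User resource and the Reports API login activity
# shape; every record below is constructed, not real data.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

USERS = [  # constructed users.list()-style records
    {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "old@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]

def _login(ts, actor, name):
    """Constructed activities.list(applicationName="login") event."""
    return {"id": {"time": ts}, "actor": {"email": actor}, "events": [{"name": name}]}

LOGIN_EVENTS = [  # bob: three failures in 12 minutes; alice: two failures 3.5 hours apart
    _login("2018-05-01T10:00:00.000Z", "bob@example.com", "login_failure"),
    _login("2018-05-01T10:05:00.000Z", "bob@example.com", "login_failure"),
    _login("2018-05-01T10:12:00.000Z", "bob@example.com", "login_failure"),
    _login("2018-05-01T10:30:00.000Z", "bob@example.com", "login_success"),
    _login("2018-05-01T09:00:00.000Z", "alice@example.com", "login_failure"),
    _login("2018-05-01T12:30:00.000Z", "alice@example.com", "login_failure"),
]

def users_without_2sv(users):
    """Active users not enrolled in 2-Step Verification, rated by whether it is enforced."""
    findings = []
    for u in users:
        if u.get("suspended") or u.get("isEnrolledIn2Sv"):
            continue  # suspended accounts cannot log in; enrolled users are fine
        # Without enforcement nothing will ever push the user to enroll, so rate it higher.
        findings.append((u["primaryEmail"], "medium" if u.get("isEnforcedIn2Sv") else "high"))
    return findings

def suspicious_logins(events, threshold=3, window=timedelta(hours=1)):
    """Actors with at least `threshold` login_failure events inside one sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if any(e.get("name") == "login_failure" for e in ev.get("events", [])):
            ts = datetime.strptime(ev["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            failures[ev["actor"]["email"]].append(ts.replace(tzinfo=timezone.utc))
    flagged = {}
    for actor, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that have fallen out of the window
            if end - start + 1 >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), end - start + 1)
    return flagged
```

In a real run the two lists would be fed from paginated users.list() and activities.list() responses; the rules themselves stay the same.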
Sponsorships
GDPR Article 32: Security of data processing
Article 32 lays out a few legally binding requirements for handling customer data in a secure manner, many of which have long been considered best practice. If you are not yet familiar with Article 32, or you are in the process of achieving GDPR compliance, read this article which breaks down some of the most important aspects.
Manage and secure 10 Macs for free
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure. If you sign up today you can manage 10 devices for free, and Fleetsmith's new zero-touch deployment allows you to ship devices without needing IT to set up Wi-Fi and other apps.