Issue 75

Plaintext passwords in internal logs at Twitter and GitHub

Two very related items this week:

  • GitHub notified a small subset of users that their passwords had been visible in internal logs: link
  • Twitter asks for a password reset after discovering a similar issue: link


Europol takes down world's largest DDoS-for-hire market

The service had over 136,000 registered users and carried out over 4 million DDoS attacks. DDoS attacks went down by 60% afterwards, at least for now.
threatpost.com


Researchers find way to create hotel masterkey by scanning any other keycard of the hotel

An update is available for the vulnerable version, but it requires a physical firmware update of each individual lock. They didn't open-source the exploit, though, and it doesn't seem to have been an easy feat to pull off.
wired.com


Researchers turned Amazon's Echo into eavesdropping device

They essentially found a way to keep a listening session open for longer than usual, without the usual reprompt that would tip off the user. Whatever was said during the session was transcribed and sent to the attacker. Amazon has released a patch for the issue.
threatpost.com


Volkswagen and Audi cars vulnerable to remote hacking

Researchers used the car's Wi-Fi connection to gain access to the infotainment system. They obtained root access, which gave them control over navigation, the microphone of the car kit, and potentially more. Volkswagen fixed the issue for new cars, but it's unclear how existing cars are handled, since there is no over-the-air update possibility.
bleepingcomputer.com


Trivial exploit on widely used IoT camera brand

The camera in question is sold as a white-label product by many companies, so it's hard to give a single name. If you access the admin panel with the cookie value 'uid=admin', you get full control. Over 50,000 such cameras are publicly reachable.
bleepingcomputer.com


Triggering an instant blue-screen-of-death (BSOD) on all recent Windows versions

It might not be a security issue in the strictest sense, as Microsoft argues, but the 'prank' or DoS potential seems evident. It requires physical access to plug in a USB drive, but it also works on locked machines, which the researcher argues really shouldn't happen.
bleepingcomputer.com


Starting today Chrome will show warnings for non-logged SSL certificates

Certificate issuers need to publicly log every certificate they issue, so that mis-issued certs can be detected. Chrome will now show a page-wide warning if it comes across a cert that isn't in a log. Other browsers will follow.
bleepingcomputer.com
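To make that check concrete: a CT log returns a signed certificate timestamp (SCT) for each certificate it accepts, the SCTs are embedded in the certificate, and the browser decodes them and only credits those from logs it trusts. The parser below is an added example, not code from the newsletter or from Chrome; the log IDs, timestamps and signature bytes are constructed, and it takes the raw SCT list bytes rather than a full certificate.

```python
# Parse a Certificate Transparency SCT list (RFC 6962 section 3.3), the value a
# browser inspects to decide whether a certificate has been publicly logged.
import struct
from datetime import datetime, timezone

def _u16_vector(buf, pos):
    # TLS opaque<0..2^16-1>: two-byte big-endian length, then that many bytes.
    (length,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_sct(raw):
    # v1 SCT layout: version(1) log_id(32) timestamp_ms(8) extensions<>
    #                hash_alg(1) sig_alg(1) signature<>
    if raw[0] != 0:
        raise ValueError("unsupported SCT version %d" % raw[0])
    (ts_ms,) = struct.unpack_from(">Q", raw, 33)
    extensions, pos = _u16_vector(raw, 41)
    signature, _ = _u16_vector(raw, pos + 2)
    return {"log_id": raw[1:33].hex(),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "extensions": extensions, "signature": signature,
            "hash_alg": raw[pos], "sig_alg": raw[pos + 1]}  # 4/3 = sha256/ecdsa

def parse_sct_list(blob):
    # SignedCertificateTimestampList: an outer <> vector of per-SCT <> vectors.
    body, end = _u16_vector(blob, 0)
    if end != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        entry, pos = _u16_vector(body, pos)
        scts.append(parse_sct(entry))
    return scts

def scts_from_trusted_logs(blob, trusted_log_ids):
    # A browser only credits SCTs issued by logs on its trusted-log list.
    return [s for s in parse_sct_list(blob) if s["log_id"] in trusted_log_ids]

def build_sct(log_id, ts_ms, signature):
    # Encode a v1 SCT as a length-prefixed list entry (builds the sample input).
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
    body += b"\x04\x03" + struct.pack(">H", len(signature)) + signature
    return struct.pack(">H", len(body)) + body

LOG_A, LOG_B = b"\xaa" * 32, b"\xbb" * 32  # constructed, not real log IDs
SAMPLE = build_sct(LOG_A, 1525392000000, b"\x30\x03\x02\x01\x01") \
    + build_sct(LOG_B, 1525478400000, b"\x30\x03\x02\x01\x02")
SAMPLE_LIST = struct.pack(">H", len(SAMPLE)) + SAMPLE  # constructed sample
TRUSTED_LOGS = {LOG_A.hex()}  # pretend only log A is on the browser's list
```

A real check also verifies each SCT signature against the log's public key; the example stops at decoding and log-ID filtering.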


Introducing .app, a more secure home for apps on the web

Google introduced the .app domain, where HTTPS is mandatory. It's all a bit weird to me, but hey, it's news. Hacker News discussion here.
blog.google


So you want to be a security engineer?

Pretty great outline and resource list for anyone who wants to dive into (webapp) security engineering but doesn't know where to start.
medium.com


G Suite security - personal project

This is a personal one. I'm building a product that gives you a security rundown of your G Suite account, with items like:

  • accounts without 2FA enabled
  • recently failed or suspicious logins
  • publicly readable groups and documents
  • recent OAuth approvals

You run it to make sure everything is peachy inside your organisation, and to see where there's work left to be done.

It will probably be self-hosted, so only you have access to your data, although I'm eager for your feedback on that. If you're interested, let me know right here.



Sponsorship

GDPR Article 32: Security of data processing

Article 32 lays out a few legally binding requirements for handling customer data in a secure manner, many of which have long been considered best practice. If you are not yet familiar with Article 32, or you are in the process of achieving GDPR compliance, read this article which breaks down some of the most important aspects.
netsparker.com


Manage and secure 10 Macs for free

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure. If you sign up today you can manage 10 devices for free, and Fleetsmith's new zero-touch deployment allows you to ship devices without needing IT to set up Wi-Fi and other apps.
fleetsmith.com