Two closely related items this week:
- GitHub notified a small subset of users that their passwords had been visible in plaintext in internal logs: link
- Twitter asked users to reset their passwords after discovering a similar issue: link
A fix is available for the vulnerable firmware version, but it has to be applied physically to each individual lock. The researchers didn't publish the exploit, and it doesn't seem to have been an easy feat to pull off.
The researchers essentially found a way to keep a skill's listening session open longer than normal, without the usual re-prompt that would tip off the user. Whatever was said during the session was transcribed and sent to the attacker. Amazon has released a patch for the issue.
Researchers used the car's Wi-Fi connection to gain access to the infotainment system. They got root access, which gave them control over navigation, the microphone of the hands-free car kit, and potentially more. Volkswagen fixed the issue for new cars, but it's unclear how existing cars are handled, since there is no over-the-air update mechanism.
The camera in question is sold as a white-label product by many companies, so it's hard to give a single name. If you send requests to the admin panel with the cookie 'uid=admin', you get full control: the device trusts a client-supplied cookie as proof of login. Over 50,000 such cameras are publicly reachable.
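To make the flaw concrete, here is an added example (not the camera's firmware, nor code from the original post) of the broken pattern next to a hardened one. The vulnerable check accepts whatever `uid` the client puts in its cookie; the hardened version only accepts a `session` value the server itself minted, bound to the uid by an HMAC. The secret, cookie names and helper functions are assumptions for illustration.

```python
import hmac
import hashlib

# Hypothetical server-side secret. On a real device it must be generated per
# device (e.g. at first boot), never a constant baked into the firmware image.
SERVER_SECRET = b"example-secret-not-for-production"


def parse_cookies(cookie_header: str) -> dict:
    """Turn a raw 'Cookie:' header value into a name -> value dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The pattern described above: whoever sends uid=admin is admin.

    The cookie is entirely client-controlled, so this is not authentication.
    """
    return parse_cookies(cookie_header).get("uid") == "admin"


def issue_session_cookie(uid: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a session value after a real login: '<uid>.<hmac-sha256(uid)>'."""
    tag = hmac.new(secret, uid.encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{tag}"


def is_admin_hardened(cookie_header: str, secret: bytes = SERVER_SECRET) -> bool:
    """Accept the uid only if the server-side HMAC over it verifies."""
    session = parse_cookies(cookie_header).get("session", "")
    uid, sep, tag = session.rpartition(".")
    if not sep or not uid:
        return False
    expected = hmac.new(secret, uid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return False
    return uid == "admin"


if __name__ == "__main__":
    print("vulnerable accepts forged cookie:", is_admin_vulnerable("uid=admin"))
    print("hardened accepts forged cookie:", is_admin_hardened("session=admin.deadbeef"))
    real = "session=" + issue_session_cookie("admin")
    print("hardened accepts issued cookie:", is_admin_hardened(real))
```

A signed cookie is the minimum; a random server-side session ID looked up in a store is the more common choice, since it also lets you revoke sessions. Either way the rule is the same: the client may carry the token, but the server decides what it means.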
Microsoft argues it is not a security issue in the strictest sense, but the prank or denial-of-service potential seems evident. It requires physically plugging in the USB drive, yet it also works on locked machines, which the researcher argues really shouldn't happen.
Certificate authorities are expected to record every certificate they issue in public Certificate Transparency logs, so that mis-issued certs can be detected. For certificates issued after April 30, 2018, Chrome now shows a full-page warning if the cert doesn't carry proof of logging (Signed Certificate Timestamps from trusted logs). Other browsers will follow.
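The "proof of logging" is a list of Signed Certificate Timestamps (SCTs) embedded in the certificate. As an added example, not code from the original post or from any browser, here is a parser for that list in the TLS-style encoding RFC 6962 defines (the inner OCTET STRING of the SCT extension), plus a simplified policy check. The sample input is constructed with placeholder log IDs and signatures; extracting the extension from a real certificate and verifying each signature against the log's public key are assumed to happen elsewhere and are not shown.

```python
import struct
from datetime import datetime, timezone


def _read_u16_prefixed(buf: bytes, pos: int):
    """Read a TLS 'opaque<0..2^16-1>' vector: 2-byte big-endian length, then body."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("vector body runs past end of buffer")
    return buf[pos:pos + length], pos + length


def parse_sct(raw: bytes) -> dict:
    """Parse one SerializedSCT (RFC 6962 section 3.2, version 1 only)."""
    if len(raw) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = raw[0]
    if version != 0:  # v1 is encoded as 0; nothing else is defined
        raise ValueError(f"unknown SCT version {version}")
    log_id = raw[1:33]                       # SHA-256 of the log's public key
    (timestamp_ms,) = struct.unpack_from(">Q", raw, 33)
    extensions, pos = _read_u16_prefixed(raw, 41)
    # DigitallySigned: hash alg (1), sig alg (1), length-prefixed signature
    if pos + 2 > len(raw):
        raise ValueError("missing signature algorithm bytes")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    signature, pos = _read_u16_prefixed(raw, pos + 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    return {
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def parse_sct_list(blob: bytes) -> list:
    """Parse a SignedCertificateTimestampList: a u16-prefixed list of u16-prefixed SCTs."""
    outer, end = _read_u16_prefixed(blob, 0)
    if end != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(outer):
        sct_bytes, pos = _read_u16_prefixed(outer, pos)
        scts.append(parse_sct(sct_bytes))
    return scts


def meets_policy(scts: list, min_logs: int = 2) -> bool:
    """Simplified stand-in for a browser CT policy: enough SCTs from distinct logs.

    Chrome's real policy also depends on certificate lifetime and on which
    operators run the logs, and each SCT's signature must verify against a
    trusted log key. None of that is modelled here.
    """
    return len({s["log_id"] for s in scts}) >= min_logs


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialize a v1 SCT; used to construct sample input (and as a round-trip check)."""
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                       # no extensions
            + bytes([4, 3])                              # sha256 (4), ecdsa (3)
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample: two SCTs from two made-up logs with placeholder signatures.
SAMPLE_LIST = build_sct_list([
    build_sct(b"\x01" * 32, 1525132800000, b"\xaa" * 70),  # 2018-05-01 00:00:00 UTC
    build_sct(b"\x02" * 32, 1525136400000, b"\xbb" * 71),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LIST):
        print(sct["log_id"][:16], sct["timestamp"].isoformat())
    print("meets policy:", meets_policy(parse_sct_list(SAMPLE_LIST)))
```

The length checks matter: the same structure also appears in the TLS handshake extension and in OCSP responses, where the bytes come straight from the network, so a parser that trusts the length prefixes is an easy way to read past a buffer.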
Pretty great outline and resource list for anyone who wants to dive into (webapp) security engineering but doesn't know where to start.
This is a personal one. I'm building a product that gives you a security rundown of your G Suite account, with items like:
- accounts without 2FA enabled
- recently failed or suspicious logins
- publicly readable groups and documents
- recent OAuth approvals
You run it to make sure everything is peachy inside your organisation, and to see where there's work left to be done.
It will probably be self-hosted, so only you have access to your data. Although I'm eager for your feedback on that. If you're interested, let me know right here.
Article 32 lays out a few legally binding requirements for handling customer data in a secure manner, many of which have long been considered best practice. If you are not yet familiar with Article 32, or you are in the process of achieving GDPR compliance, read this article which breaks down some of the most important aspects.
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure. If you sign up today you can manage 10 devices for free, and Fleetsmith's new zero-touch deployment allows you to ship devices without needing IT to set up Wi-Fi and other apps.