Issue 79

May it be the week of lists

I usually don't like to group items too much, because it cheats the "don't put too many items in one issue" rule I have. But there was just a lot of related news this week to group. So, sorry ^^ There are a few regular items in here too, though.

Git security vulnerability allows for remote code execution

The vulnerability can be triggered by cloning a submodule from a malicious parent repository. Both clients and servers need updates.

GDPR, GDPR everywhere

I meant to include some of these last week, on the 25th (because duh), but pressed submit too early :-/ So here we go:

  • GDPR hall of fame: a long, long list of companies screwing up on GDPR. Worth a look and a laugh: link
  • Google and Facebook sued within hours for not adhering to the GDPR: link
  • ICANN has filed a lawsuit against a German registrar who declined to collect WHOIS info, out of fear of breaching the GDPR. ICANN hopes to use the suit to get clarity on the future of WHOIS: link

Data breaches, leaks and such

Data being stolen, leaked or just managed irresponsibly:

  • Two Canadian banks have had the personal information of about 90,000 people stolen, with the attackers demanding a ransom or they'll leak it online: link
  • An Apache Airflow instance belonging to Universal Music Group was found unprotected online, exposing FTP, AWS and SQL credentials: link
  • A social services hotline in LA County had an unsecured S3 bucket with 3.5 million logged phone calls, 200,000 call notes containing sensitive information and 33,000 social security numbers: link
  • Honda Car India had two public S3 buckets containing private information and passwords of the 50,000 users of its Honda Connect app: link
  • Coca-Cola reported a data breach affecting 8,000 employees, caused by an ex-employee being in possession of a corporate hard drive: link

Remote code execution vulnerability in Windows JScript component

JScript is Microsoft's JavaScript implementation for Windows. All that is needed to trigger the vulnerability is to visit a malicious site, although an attacker would still have to escape the sandbox. Details are being withheld until a fix is available.

Oracle plans to drop Java serialization support

It has been the source of too many security problems. Oracle will provide a plugin system for the cases where you explicitly need serialization.

Update all the things \o/

Updates I came across:

  • Google released version 67 of Chrome. It fixes a number of security issues, introduces the WebAuthn API, deprecates HTTP public key pinning, and includes Site Isolation as part of Spectre mitigations: link
  • Apple released a set of security updates in iOS 11.4, watchOS and iTunes, although it's unclear what they fix: link
  • Huawei patches several vulnerabilities in its servers, smartphones and apps: link
  • If you are running an old Jira server, you might want to check if this vulnerability affects you: link
  • Valve patched a remote code execution vulnerability in its Steam client a few months back, and the researcher who discovered it has now published his report: link

Arrests and court rulings

Going black hat doesn't (always) pay off:

  • Two French citizens were arrested for the Vevo YouTube hack: link
  • The hacker involved in the 500 million-account breach at Yahoo has been sentenced to five years and fined over $2 million: link
  • Grant West, who performed phishing attacks against a host of large companies, has been sentenced to 10 years: link
  • Not a new arrest, but related: even though Cobalt's leader was arrested a while back, the group is still active: link

Breach detection with Linux filesystem forensics

Very cool blog post walking the reader through an example forensic examination of a compromised Linux server.

GDPR Article 32: Security of data processing

Article 32 lays out a few legally binding requirements for handling customer data in a secure manner, many of which have long been considered best practice. If you are not yet familiar with Article 32, or you are in the process of achieving GDPR compliance, read this article, which breaks down some of the most important aspects of Article 32.

New security features to manage your company Macs

Fleetsmith just launched new security features: remote lock and wipe of employees' devices, and kernel extension whitelisting. You can also escrow each Mac's FileVault recovery key and enforce a company policy for password and screen saver settings. I use Fleetsmith every day; highly recommended :)