Git remote code execution vulnerability found and fixed. Quite a few items on GDPR, data breaches and more.  1st June 2018

May it be the week of lists

I usually don't like to group items too much, because it cheats the "don't put too many items in one issue" rule I have. But there was just a lot of related news this week to group. So, sorry ^^ There's a few regular items in here too though.

GDPR, GDPR everywhere

I meant to include some of these last week, on the 25th (because duh), but pressed submit too early :-/ So here we go:

• GDPR hall of fame: a long, long list of companies screwing up on GDPR. Worth a look and laugh: link
• Google and Facebook sued within hours for not adhering to the GDPR: link
• ICANN has filed a law suit against a German registrar who declined to collect WHOIS info, out of fear of breaching the GDPR. ICANN hopes to use the suit to get clarity on the future of WHOIS: link

Data breaches, leaks and such

Data being stolen, leaked or just managed irresponsibly:

• Two Canadian banks have had personal information stolen of about 90.000 people, with the attackers demanding ransom or they'll leak it online: link
• An Apache Airflow instance belonging to Universal Music Group was found unprotected online, showing credentials for FTP, AWS and SQL passwords: link
• A social services hotline in LA County had an unsecured s3 bucket with 3.5 million logged phone calls, 200.000 call notes with sensitive information and 33.000 social security numbers: link
• Honda Car India had two public S3 buckets, containing private information and passwords on the 50.000 users of its Honda Connect app: link
• Coca-Cola reported a data breach of 8.000 employees, which was due to an ex-employee being in possession of a corporate hard drive: link

Update all the things \o/

Updates I came across:

• Google released version 67 of Chrome. It fixes a number of security issues, introduces the WebAuthn API, deprecates HTTP public key pinning, and includes Site Isolation as part of Spectre mitigations: link
• Apple released a set of security updates in iOS 11.4, WatchOS and iTunes, although it's unclear what they fix: link
• Huawei patches several vulnerabilities in its servers, smartphones and apps: link
• If you are running an old Jira server, you might want to check if this vulnerability affects you: link
• Valve patched a remote code execution vulnerability in its Steam clients a few months back, and the researcher who discovered it has now released his report: link

Arrests and court rulings

Going black hat doesn't (always) pay off:

• Two French citizens were arrested for the Vevo Youtube hack: link
• The hacker involved in the 500 million accounts-breach at Yahoo is sentenced to five years and a fine of over $2mil: link
• Grant West, who performed phishing attacks against a host of large companies, is sentenced to 10 years: link
• Not a new arrest but related: even though Cobalt's leader was arrested a while back, the group is still active: link