I usually don't like to group items too much, because it cheats the "don't put too many items in one issue" rule I have. But there was just a lot of related news this week to group. So, sorry ^^ There's a few regular items in here too though.
The vulnerability can be triggered by cloning a submodule from a malicious parent repository. Both clients and server-side need updates.
I meant to include some of these last week, on the 25th (because duh), but pressed submit too early :-/ So here we go:
- GDPR hall of fame: a long, long list of companies screwing up on GDPR. Worth a look and laugh: link
- Google and Facebook sued within hours for not adhering to the GDPR: link
- ICANN has filed a law suit against a German registrar who declined to collect WHOIS info, out of fear of breaching the GDPR. ICANN hopes to use the suit to get clarity on the future of WHOIS: link
Data being stolen, leaked or just managed irresponsibly:
- Two Canadian banks have had personal information stolen of about 90.000 people, with the attackers demanding ransom or they'll leak it online: link
- An Apache Airflow instance belonging to Universal Music Group was found unprotected online, showing credentials for FTP, AWS and SQL passwords: link
- A social services hotline in LA County had an unsecured s3 bucket with 3.5 million logged phone calls, 200.000 call notes with sensitive information and 33.000 social security numbers: link
- Honda Car India had two public S3 buckets, containing private information and passwords on the 50.000 users of its Honda Connect app: link
- Coca-Cola reported a data breach of 8.000 employees, which was due to an ex-employee being in possession of a corporate hard drive: link
It's been a source of too many security problems. They'll provide a plugin system for when you explicitly need it.
Updates I came across:
- Google released version 67 of Chrome. It fixes a number of security issues, introduces the WebAuthn API, deprecates HTTP public key pinning, and includes Site Isolation as part of Spectre mitigations: link
- Apple released a set of security updates in iOS 11.4, WatchOS and iTunes, although it's unclear what they fix: link
- Huawei patches several vulnerabilities in its servers, smartphones and apps: link
- If you are running an old Jira server, you might want to check if this vulnerability affects you: link
- Valve patched a remote code execution vulnerability in its Steam clients a few months back, and the researcher who discovered it has now released his report: link
Going black hat doesn't (always) pay off:
- Two French citizens were arrested for the Vevo Youtube hack: link
- The hacker involved in the 500 million accounts-breach at Yahoo is sentenced to five years and a fine of over $2mil: link
- Grant West, who performed phishing attacks against a host of large companies, is sentenced to 10 years: link
- Not a new arrest but related: even though Cobalt's leader was arrested a while back, the group is still active: link
Very cool blogpost walking the reader through an example forensic test against a compromised Linux server.
Article 32 lays out a few legally binding requirements for handling customer data in a secure manner, many of which have long been considered best practice. If you are not yet familiar with Article 32, or you are in the process of achieving GDPR compliance read this article which breaks down some of the most important aspects of Article 32.
Fleetsmith just launched new security features: remote lock and wipe of employees' devices and kernel extension whitelisting. You can also escrow each Mac's FileVault recovery key, and enforce a company policy for password and screen saver settings. I use Fleetsmith every day, much recommended :)