Issue 80

To my RSS peeps out there: I forgot to publish last week's issue, apparently. My apologies!

MyHeritage hacked, 92 million user accounts exposed

MyHeritage is a DNA testing and family genealogy site. The breach was discovered by a researcher who found the data dump on a third party server. Fortunately only usernames and hashed passwords were in the breach, no DNA results or payment data.
bleepingcomputer.com


Ticketfly website hacked, personal data of 26 million people exposed

Ticketfly, a ticket/event service, had its website hacked and defaced. The hacker tried to ransom the data he got, but after being rejected he put all personal data online, including home addresses and phone numbers.
vice.com


Zip Slip vulnerability - unzipping files that place themselves elsewhere

When an archive contains an entry whose name includes directory traversal sequences (../..), unzipping it can place that file elsewhere in the filesystem and have it execute. The issue by itself is known already, but researchers from Snyk point out that it is very widespread in various open source tools and code examples where the filenames inside archives aren't validated.
snyk.io
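
The missing filename validation, sketched as an added example (not code from Snyk or from any affected project): each entry name is resolved against the destination directory and refused if it lands outside it. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: one normal entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "should never be written")
    return buf.getvalue()


def is_within(dest_dir: str, entry_name: str) -> bool:
    """True if entry_name, joined to dest_dir, still resolves inside dest_dir."""
    root = os.path.realpath(dest_dir)
    # realpath collapses ".." and follows symlinks; an absolute entry name
    # replaces root entirely in os.path.join and therefore fails the check.
    target = os.path.realpath(os.path.join(root, entry_name))
    return os.path.commonpath([root, target]) == root


def safe_extract(archive: bytes, dest_dir: str):
    """Write only entries that stay inside dest_dir; return (written, rejected)."""
    root = os.path.realpath(dest_dir)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_within(root, info.filename):
                rejected.append(info.filename)  # log and skip, never write
                continue
            if info.is_dir():
                continue
            target = os.path.join(root, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(info.filename)
    return written, rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(safe_extract(build_sample_archive(), os.path.join(tmp, "out")))
```

Python's own `ZipFile.extract()` and `extractall()` already strip `..` components and leading slashes; the check matters for code that builds the output path from the entry name itself, which is the pattern the research describes.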


Making sure your Google Groups aren't publicly accessible

It's been in the news before, but it has resurfaced after a security company found over 9000 organisations that had group discussions set to public. Google released a post explaining how to watch for this.
krebsonsecurity.com


Over 100,000 Drupal websites still vulnerable to Drupalgeddon 2

Great post by researcher Troy Mursch on how over 115.000 Drupal sites are still vulnerable to Drupalgeddon 2, with some examples of compromised sites (including the website of a police department in my homeland of Belgium).
badpackets.net


Around 75% of open Redis servers are infected with malware

Not a super surprise, but better make sure yours is neither open nor infected. About 10.000 Redis servers were found open, and most of those were compromised. They could tell by trying to connect with SSH keys known to be used by botnets. Imperva's blogpost digs a little deeper: link.
bleepingcomputer.com


Office 365 announces threat intelligence reporting

They could have made the post a bit easier to read, but this might be important for those of us running Office 365. It includes metrics like malware stopped, spam received, etc. And quite a few other added security features.
microsoft.com


Update all the things \o/

  • iOS 12 and MacOS 10.14 (Mojave) were announced, with quite a few privacy and security related additions: link
  • Google released patches for Android, fixing 57 vulnerabilities of which 11 are rated critical: link


Mozilla shares Project Fusion: merge Tor browser with standard Firefox

It's an experiment, but it would be an interesting privacy/security development for sure. More information on their wiki here, and a discussion on Hacker News here.
torproject.org


Pwned Passwords in practice: real world examples

Nice light article where Troy Hunt shows some examples of how the HaveIBeenPwned API is being used to detect known passwords.
troyhunt.com


Fall asleep in seconds by listening to the GDPR legislation

Couldn't help but laugh out loud when I read this. The meditation app Calm included a reading of GDPR excerpts to help people fall asleep. Well played Calm, well played.
theverge.com


Sponsorship

Is your website hackable?

Automatically identify cross-site scripting, SQL injection and other vulnerabilities in your web applications before malicious attackers find and exploit them. Use the dead accurate Netsparker web application security scanner to generate accurate reports.
netsparker.com


Remote lock & wipe your company's devices

Fleetsmith just released a new feature that allows you to remote lock and wipe your employees' devices if they get lost or stolen. They also let you manage your first 10 devices free, it integrates fully with G Suite, and is used by yours truly every day.
fleetsmith.com