To my RSS peeps out there: I forgot to publish last week's issue, apparently. My apologies!
MyHeritage is a DNA testing and family genealogy site. The breach was discovered by a researcher who found the data dump on a third-party server. Fortunately only usernames and hashed passwords were exposed; no DNA results or payment data were included.
Ticketfly, a ticket/event service, had its website hacked and defaced. The hacker tried to ransom the stolen data, but after being rejected he published all of the personal data online, including home addresses and phone numbers.
When an archive entry's filename contains directory traversal sequences (../..), extracting it can write that file anywhere on the filesystem, including locations from which it will later be executed. The issue itself is not new, but researchers from Snyk point out that it is very widespread in open source tools and code examples that extract archives without validating the entry filenames.
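The defensive side of this, as an added example (not code from the newsletter or from Snyk's research): a ZIP extractor that resolves every entry name against the destination directory before writing anything, so traversal sequences and absolute paths are rejected instead of silently landing elsewhere. The archives, the `safe_extract` helper and the `ZipSlipError` type are all constructed here for illustration.

```python
import io
import os
import tempfile
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the target directory."""


def is_within_directory(base_dir: str, candidate: str) -> bool:
    """True if `candidate`, after resolving '..' and symlinks, lies inside `base_dir`."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract a ZIP into dest_dir, refusing any entry that would escape it.

    All entries are validated before the first write, so a single bad
    entry aborts extraction rather than leaving a partial result behind.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # os.path.join discards dest_dir when the entry is an absolute path,
            # and '..' segments climb out of it; realpath exposes both cases.
            if not is_within_directory(dest_dir, os.path.join(dest_dir, info.filename)):
                raise ZipSlipError(f"refusing to extract {info.filename!r}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_dir))
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: a benign one and one carrying a traversal entry.
BENIGN = build_archive({"docs/readme.txt": "hello"})
TRAVERSAL = build_archive({"../../outside.txt": "should never be written"})


def demo() -> tuple:
    """Return (entries written from BENIGN, whether TRAVERSAL was rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        written = safe_extract(BENIGN, tmp)
        try:
            safe_extract(TRAVERSAL, tmp)
            rejected = False
        except ZipSlipError:
            rejected = True
    return written, rejected
```

The same check applies to tar and other archive formats; the point is that the entry name is untrusted input and must be resolved against the destination before any write.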
It's been in the news before, but it has resurfaced after a security company found over 9,000 organisations that had group discussions set to public. Google released a post explaining how to check for this.
Great post by researcher Troy Mursch on how over 115,000 Drupal sites are still vulnerable to Drupalgeddon 2, with some examples of compromised sites (including the website of a police department in my homeland of Belgium).
Not a super surprise, but better make sure yours is neither open nor infected. About 10,000 Redis servers were found exposed, and most of those were already compromised. The researchers could tell by attempting to connect with SSH keys known to be used by botnets. Imperva's blog post digs a little deeper: link.
They could have made the post a bit easier to read, but this might be important for those of us running Office 365. It includes metrics like malware stopped, spam received, etc., and quite a few other added security features.
- iOS 12 and macOS 10.14 (Mojave) were announced, with quite a few privacy and security related additions: link
- Google released patches for Android, fixing 57 vulnerabilities of which 11 are rated critical: link
Nice light article where Troy Hunt shows some examples of how the HaveIBeenPwned API is being used to detect passwords that are already known from breaches.
Couldn't help but laugh out loud when I read this. The meditation app Calm included a reading of GDPR excerpts to help people fall asleep. Well played Calm, well played.
Automatically identify cross-site scripting, SQL injection and other vulnerabilities in your web applications before malicious attackers find and exploit them. Use the dead accurate Netsparker web application security scanner to generate accurate reports.
Fleetsmith just released a new feature that allows you to remotely lock and wipe your employees' devices if they get lost or stolen. They also let you manage your first 10 devices for free, it integrates fully with G Suite, and it is used by yours truly every day.