News
MyHeritage hacked, 92 million user accounts exposed
MyHeritage is a DNA testing and family genealogy site. The breach was discovered by a researcher who found the data dump on a third party server. Fortunately only usernames and hashed passwords were in the breach, no DNA results or payment data.
Ticketfly website hacked, personal data of 26 million people exposed
Ticketfly, a ticket/event service, had its website hacked and defaced. The hacker tried to ransom the data he got, but after being rejected he put all personal data online, including home addresses and phone numbers.
Zip Slip vulnerability - unzipping files that place themselves elsewhere
When unzipping an archive whose entry names contain directory traversal sequences (../..), an attacker-supplied archive can write a file elsewhere in the filesystem, for example overwriting an existing script or executable so that their code gets run. The issue by itself has been known for a long time, but researchers from Snyk point out that it is very widespread in various open source libraries, tools and code examples where archive entry names aren't validated before extraction.
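As an added example (not code from the article or from Snyk's write-up), the check an archive extractor needs: resolve every entry name against the destination directory and refuse anything that lands outside it. Python's own zipfile already strips such components on extract, so the explicit check is shown here as what a library lacking it must do; the sample archive and its paths are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample: one benign entry and one Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../../../tmp/evil.sh", "echo pwned")
    return buf.getvalue()


def is_within(dest_dir: str, entry_name: str) -> bool:
    """True if entry_name, joined onto dest_dir, resolves inside dest_dir."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    # The os.sep guard stops "../out2" from passing when dest is ".../out".
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only entries that stay inside dest_dir; return rejected names."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Normalise backslashes so "..\\" written by Windows tools is caught.
            name = info.filename.replace("\\", "/")
            if os.path.isabs(name) or not is_within(dest_dir, name):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_dir)
    return rejected


def demo() -> tuple:
    """Extract the sample into a fresh temp dir; return (rejected, kept)."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_sample_zip(), dest)
    kept = sorted(os.path.relpath(os.path.join(root, f), dest)
                  for root, _, files in os.walk(dest) for f in files)
    return rejected, kept


if __name__ == "__main__":
    print(demo())  # (['../../../../tmp/evil.sh'], ['docs/readme.txt'])
```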
Making sure your Google Groups aren't publicly accessible
It's been in the news before, but it has resurfaced after a security company found over 9000 organisations that had group discussions set to public. Google released a post explaining how to check for this.
Over 100,000 Drupal websites still vulnerable to Drupalgeddon 2
Great post by researcher Troy Mursch on how over 115,000 Drupal sites are still vulnerable to Drupalgeddon 2, with some examples of compromised sites (including the website of a police department in my homeland of Belgium).
Around 75% of open Redis servers are infected with malware
Not a super surprise, but better make sure yours is neither open nor infected. About 10,000 Redis servers were found open to the internet, and most of those were compromised. The researchers could tell by checking the servers for SSH keys known to be used by botnets. Imperva's blogpost digs a little deeper: link.
Office 365 announces threat intelligence reporting
They could have made the post a bit easier to read, but this might be important for those of us running Office 365. It includes metrics like malware stopped, spam received, etc. And quite a few other added security features.
Mozilla shares Project Fusion: merge Tor browser with standard Firefox
It's an experiment, but it would be an interesting privacy/security development for sure. More information on their wiki here, and a discussion on Hackernews here.
Pwned Passwords in practice: real world examples
Nice light article where Troy Hunt shows some examples of how the HaveIBeenPwned API is being used to detect known passwords.
Fall asleep in seconds by listening to the GDPR legislation
Couldn't help but laugh out loud when I read this. The meditation app Calm included a reading of GDPR excerpts to help people fall asleep. Well played, Calm, well played.
Sponsorships
Is your website hackable?
Automatically identify cross-site scripting, SQL injection and other vulnerabilities in your web applications before malicious attackers find and exploit them. Use the dead accurate Netsparker web application security scanner to generate accurate reports.
Remote lock & wipe your company's devices
Fleetsmith just released a new feature that allows you to remotely lock and wipe your employees' devices if they get lost or stolen. They also let you manage your first 10 devices for free, it integrates fully with G Suite, and it is used by yours truly every day.