Issue 83

WPA3 WiFi standard officially released

There are quite a few improvements included:

  • It's resistant to offline brute-force attacks.
  • It uses forward secrecy so that old traffic can't be decrypted even if you learn the password later.
  • There's 'Wi-Fi Easy Connect' to connect IoT devices that don't have a screen.
  • It uses 'Opportunistic Wireless Encryption' (OWE) to secure connections on public Wi-Fi.

GitHub repository of Gentoo Linux hacked, malicious code inserted

The attacker apparently introduced malware aimed at deleting files. The GitHub repo is only a mirror of the 'real' source code, but if you used any code from the GitHub version, you had better rebuild.

EFF announces STARTTLS Everywhere: securing email delivery

STARTTLS is an addition to SMTP, used by e-mail servers to transmit e-mails over an encrypted connection. The STARTTLS Everywhere software configures e-mail servers to use STARTTLS and provisions certificates using Let's Encrypt.
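A quick way to see where your own server stands is to speak the protocol to it: send EHLO, look for STARTTLS in the extension list, and then upgrade with a context that actually verifies the certificate. The script below is an added example written for this item, not part of the EFF's STARTTLS Everywhere tooling; the host name `mail.example.invalid` and the two EHLO replies are constructed placeholders. The offline parser also shows the opportunistic nature of STARTTLS: the second sample reply is what the client sees when the STARTTLS line is missing, whether because the server never offered it or because something on the path removed it.

```python
"""Check whether an SMTP server advertises STARTTLS and whether the upgrade
verifies. Added example for this newsletter item, not the EFF project's code.
"""
import smtplib
import ssl
import sys


def parse_ehlo_reply(raw: str) -> set:
    """Return the ESMTP extension keywords from a raw multi-line EHLO reply.

    Per RFC 5321 every line starts with '250-' (more lines follow) or '250 '
    (final line). The first line carries the server's name, every later line
    is one extension, optionally followed by parameters (e.g. 'SIZE 10240000').
    """
    extensions = set()
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    for index, line in enumerate(lines):
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index == 0:
            continue  # greeting line, e.g. '250-mail.example.invalid Hello'
        parts = line[4:].split()
        if parts:
            extensions.add(parts[0].upper())
    return extensions


def advertises_starttls(raw: str) -> bool:
    """True when the EHLO reply lists STARTTLS as an extension."""
    return "STARTTLS" in parse_ehlo_reply(raw)


# Constructed sample replies (not captured from a real server).
REPLY_WITH_STARTTLS = (
    "250-mail.example.invalid Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Same server as seen when the STARTTLS line is absent: this is what a client
# gets if the server is misconfigured or an on-path party stripped the line.
REPLY_STRIPPED = (
    "250-mail.example.invalid Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: connect, EHLO, then upgrade using a verifying TLS context.

    ssl.create_default_context() validates the chain against the system trust
    store and checks the host name, so a self-signed or mismatched certificate
    shows up as an error rather than a silently 'encrypted' session.
    """
    result = {"host": host, "starttls": False, "tls_ok": False, "error": None}
    context = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as server:
            server.ehlo()
            result["starttls"] = server.has_extn("starttls")
            if result["starttls"]:
                server.starttls(context=context)
                result["tls_ok"] = True
                result["tls_version"] = server.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    print(check_starttls(target))
```

Run it as `python check_starttls.py mx.yourdomain.example` from a host that is allowed to reach port 25. A result with `starttls` true but `tls_ok` false and a certificate error is exactly the case Let's Encrypt provisioning is meant to fix; a result with `starttls` false means the server (or the path to it) offers no encryption at all.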

Marketing firm Exactis leaked a personal info database with 340 million records

It was stored on an unsecured Elasticsearch instance, which a researcher found using Shodan, meaning it was just as easy to find for any malicious actor. It includes detailed data on about 230 million consumers and 110 million businesses.

Flight tracker service Flightradar24 suffers data breach

The attacker got access to 230.000 e-mails with hashed passwords, although they don't specify which hashing algorithm was used.

Hotel booking software provider suffers data breach

FastBooking, a vendor of hotel management software, had a data breach in which personal and payment data was exposed. It's unclear how much exactly, but they manage over 4.000 hotels in 100 countries, so we might see a flurry of data breach notifications from the individual hotels.

Unpatched flaw disclosed in WordPress CMS Core

It's not super bad, because one needs Author privileges to exploit it. But once they do, they can change or hijack the entire website, locking everyone else out. WordPress themselves have no fix yet, but the people from RIPS released their own hotfix.

Microsoft enables multi-factor authentication by default on Azure AD admin accounts

You can opt out if you really want. Good move though. They also introduced the ability to check the passwords of AD users against a list of known passwords, and to lock out bad actors who are trying to brute-force accounts. More info on that here.

Europol arrests 95 criminals involved in fraudulent webshops

They created webshops with heavily discounted prices to lure customers, but paid for the inventory with stolen credit cards and sold the card details of their buyers on the black market. Quite a setup.

Firefox announces Firefox Monitor, a breach notification tool

It uses Troy Hunt's HaveIBeenPwned service under the hood, with the added advantage of (hopefully) reaching a much wider audience. They're testing it out with 250.000 users next week, and will roll it out further if successful.

Reverse shell from an OpenVPN configuration file

Interesting bit of research showing that you shouldn't just use any OpenVPN config file you come across, since it can contain arbitrary commands that OpenVPN will run for you.
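The practical takeaway is to look at a profile before importing it. OpenVPN only runs user-supplied scripts when `script-security` is set to 2 or higher (the default is 1, which limits it to built-in executables such as ifconfig, ip and route), and the directives that hand it a program to run are a short, known list: `up`, `down`, `route-up`, `route-pre-down`, `ipchange`, `tls-verify`, `auth-user-pass-verify`, `client-connect`, `client-disconnect`, `learn-address` and `plugin`. The script below is an added example written for this item, not code from the linked research; it lists every such line in a `.ovpn` file, reports the script-security level in effect, and skips inline `<ca>`, `<cert>` and `<key>` blocks so that PEM data is not mistaken for directives. The sample profile, its host name and the script path are constructed placeholders.

```python
"""Pre-flight check for OpenVPN configuration files: list every directive that
makes OpenVPN execute an external program or load a plugin.

Added example for this newsletter item; not code from the research it links.
"""
import re
import sys

# Directives whose argument is a program or plugin that OpenVPN runs with its
# own privileges (often root).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}

# Constructed sample: a plausible client profile carrying the two lines this
# check is meant to surface. Host name and script path are placeholders.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
; constructed: the next two lines turn a config file into a command runner
script-security 2
up /tmp/constructed-example.sh
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, constructed; no real certificate)
-----END CERTIFICATE-----
</ca>
verb 3
"""


def parse_config(text):
    """Yield (line_no, directive, args) for each directive line.

    Lines inside inline <tag>...</tag> blocks (<ca>, <cert>, <key>, ...) hold
    PEM data rather than directives and are skipped, as are comments and blanks.
    """
    inline_block = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline_block is not None:
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":
            continue
        match = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if match:
            inline_block = match.group(1)
            continue
        parts = line.split(None, 1)
        directive = parts[0].lstrip("-")  # tolerate a stray leading '--'
        args = parts[1] if len(parts) > 1 else ""
        yield line_no, directive, args


def find_script_directives(text):
    """Return (findings, script_security_level).

    findings is a list of (line_no, directive, args) for every line that can
    trigger command execution, plus the script-security line itself if present.
    """
    findings = []
    level = 1  # OpenVPN's default when script-security is not set
    for line_no, directive, args in parse_config(text):
        if directive == "script-security":
            try:
                level = int(args.split()[0])
            except (IndexError, ValueError):
                level = -1  # malformed value; treat as suspicious
            findings.append((line_no, directive, args))
        elif directive in SCRIPT_DIRECTIVES:
            findings.append((line_no, directive, args))
    return findings, level


def is_safe_to_import(text):
    """True when the profile contains no command-executing directives at all."""
    findings, _ = find_script_directives(text)
    return not findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    findings, level = find_script_directives(text)
    print(f"script-security level in effect: {level}")
    for line_no, directive, args in findings:
        print(f"line {line_no}: {directive} {args}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python ovpn_check.py downloaded.ovpn`; a non-zero exit means the profile contains at least one line worth reading before you connect. Legitimate profiles from a VPN provider do sometimes use `up`/`down` for DNS helpers, so the check is a prompt to inspect the named script, not an automatic verdict.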

Twitter starts supporting hardware security keys

I.e. YubiKey and similar U2F devices. Good news!

Vulnerable web applications allow hackers to bypass corporate firewalls

A detailed technical article which explains how malicious attackers can target vulnerable web applications running on developers' workstations to bypass corporate firewalls. This might sound far-fetched, but it is very typical for developers to run vulnerable (still being developed) web applications on their computers.

Remote lock & wipe your company's devices

Fleetsmith just released a new feature that allows you to remotely lock and wipe your employees' devices if they get lost or stolen. They also let you manage your first 10 devices for free, it integrates fully with G Suite, and it is used by yours truly every day.