Issue 85

Breaches

Enough breach-related news to warrant a long list:

  • Timehop: a social media app that surfaces old tweets/posts from the same day but from several years ago. 21 million user accounts compromised.
  • DomainFactory: a large German webhosting company. All user data was compromised.
  • Macy's: the department store noticed unauthorised logins into several customer accounts. It's not clear to me whether they were breached, or if the hacker is using known credentials from other breaches. Some Bloomingdale's accounts also affected.
  • Thomas Cook: not a confirmed breach per se, but leaky data nonetheless. All booking reservations used incremental numbers. You could change the URL easily and see someone else's booking information. Easy to automate and harvest.
  • VSDC: a company that provides free audio and video conversion software. Several download links were replaced by links leading to malicious downloads.
  • The previously reported Ticketmaster breach was actually part of a much wider campaign compromising over 800 e-commerce sites, executed by a hacker group called Magecart: link
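
The Thomas Cook item above is a textbook insecure direct object reference: the booking number in the URL is the only key. The following is an added example (not code from the newsletter or from Thomas Cook) that puts the leaky lookup beside one that checks ownership and issues unguessable references, plus a small log check for sequential probing; the in-memory store and the log line format are constructed assumptions.

```python
import secrets

# Constructed in-memory store standing in for the booking database (assumption).
BOOKINGS = {
    "1001": {"owner": "alice@example.com", "trip": "LGW-PMI"},
    "1002": {"owner": "bob@example.com", "trip": "MAN-TFS"},
}

class NotAuthorized(Exception):
    pass

def get_booking_vulnerable(booking_id: str) -> dict:
    """The leaky pattern: the booking number from the URL is the only key,
    so any caller can read any record just by changing the number."""
    return BOOKINGS[booking_id]

def get_booking_hardened(booking_id: str, current_user: str) -> dict:
    """Object-level authorization: the record must belong to the caller.
    'Missing' and 'not yours' raise the same error so the ID space
    cannot be probed for valid bookings."""
    record = BOOKINGS.get(booking_id)
    if record is None or record["owner"] != current_user:
        raise NotAuthorized("booking not found")
    return record

def new_booking_reference() -> str:
    """Unguessable reference: defence in depth on top of the ownership
    check, never a replacement for it."""
    return secrets.token_urlsafe(16)

def flag_enumeration(log_lines, min_run: int = 5) -> list:
    """Detection side: flag client IPs that fetched a run of consecutive
    booking numbers. Expects constructed lines like '10.0.0.1 GET /booking/1001'."""
    ids_by_ip = {}
    for line in log_lines:
        ip, _method, path = line.split()
        ids_by_ip.setdefault(ip, set()).add(int(path.rsplit("/", 1)[1]))
    flagged = []
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        run = longest = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged.append(ip)
    return flagged
```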


Fitness app Polar exposed locations of military personnel

Similar to the Strava incident of a few months ago, the app made it possible to find secret bases, identify individuals and find out where users lived.
zdnet.com


Malware found in Arch Linux package repository

The implicated packages are acroread, balz and minergate. They were found in the Arch User Repository (AUR), where anyone can adopt packages that have been abandoned by their creators, which is what happened here.
sophos.com


Hacker breaches Hola VPN Chrome extension to phish MyEtherWallet users

Users who visited MEW on July 9th while using Hola could have been compromised.
This event is similar to a hack from earlier this year, where someone hijacked BGP routes to get MEW users to a phishing site. Such juicy cryptos.
bleepingcomputer.com


Several Internet transit providers start excluding "BGP Hijack Factory"

The nickname refers to a Portuguese ISP called Bitcanal that keeps hijacking BGP routes, which siphons off Internet traffic for malicious reasons. Several high-level Internet providers and exchange points basically agreed to put Bitcanal in their ignore list.
bleepingcomputer.com


You can bypass authentication on HPE iLO4 servers with 29 "A" characters

Yes, apparently doing curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" got you in.
The issue was patched earlier this year. If you haven't updated yet, you might want to hurry up.
bleepingcomputer.com


Hacker selling classified information on MQ-9 Reaper Drone on dark web

Apparently he retrieved the information from a military base where a Netgear router was installed with a default FTP password.
hackread.com


Update all the things \o/

  • Google: fixed 44 vulnerabilities in Android, 11 of which were critical. Five remote code execution (RCE) bugs fixed.
  • Microsoft had its Patch Tuesday, fixing 53 issues, 17 of which were rated critical.
  • Apple released security updates for several components, and included USB Restricted Mode in the iOS update.
  • Adobe fixed 112 security flaws across its product line. Two of them in Flash, and a whopping 104 in Acrobat and Reader.


Firefox Lockbox: Firefox password manager for iOS

A new experiment from Firefox, adding to the password manager market. You can download an iOS app to access and use the credentials that are stored in your Firefox account, if you have one.
firefox.com


A brief history of iOS mobile device management (MDM)

Just a nice read on how MDM has been rolled out in iOS.
securityintelligence.com


Ballerina: security aware programming language

Interesting post on how Ballerina, a new programming language targeted at HTTP integrations and microservices, builds in security by default. You can, for example, mark incoming data as untrusted (or 'tainted'), and the compiler will return an error if that data hasn't been explicitly sanitized before being used in sensitive places.
medium.com


Sponsorship

Is your website hackable?

Automatically identify cross-site scripting, SQL injection and other vulnerabilities in your web applications before malicious attackers find and exploit them. Use the dead accurate Netsparker web application security scanner to generate accurate reports.
netsparker.com


New security features to manage your company Macs

Fleetsmith just launched new security features: remote lock and wipe of employees' devices and kernel extension whitelisting. You can also escrow each Mac's FileVault recovery key, and enforce a company policy for password and screen saver settings. I use Fleetsmith every day, much recommended :)
fleetsmith.com