Enough breach-related news to warrant a long list:
- Timehop: a social media app that surfaces old tweets/posts from the same day but from several years ago. 21 million user accounts compromised.
- DomainFactory: a large German web hosting company. All user data was compromised.
- Macy's: the department store noticed unauthorised logins into several customer accounts. It's not clear to me whether they were breached, or if the hacker is using known credentials from other breaches. Some Bloomingdale's accounts were also affected.
- Thomas Cook: not a confirmed breach per se, but leaky data nonetheless. All booking reservations used incremental numbers. You could change the URL easily and see someone else's booking information. Easy to automate and harvest.
- VSDC: a company that provides free audio and video conversion software. Several download links were replaced by links leading to malicious downloads.
- The previously reported Ticketmaster breach was actually part of a much wider campaign compromising over 800 e-commerce sites, executed by a hacker group called Magecart.
Similar to the Strava incident of a few months ago, the app made it possible to find secret bases, identify individuals and find out where users lived.
The implicated packages are acroread, balz and minergate. They were found in the User Repository, where anyone can adopt packages that have been abandoned by their creators, which is what happened here.
Users who visited MEW on July 9th while using Hola could have been compromised.
This event is similar to a hack from earlier this year, where someone hijacked BGP routes to get MEW users to a phishing site. Such juicy crypto's.
The nickname refers to a Portuguese ISP called Bitcanal that keeps hijacking BGP routes, which siphons off Internet traffic for malicious reasons. Several high-level Internet providers and exchange points basically agreed to put Bitcanal in their ignore list.
Yes, apparently doing 'curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"' got you inside.
The issue was patched earlier this year. If you haven't updated yet, you might want to hurry up.
Apparently he retrieved the information from a military base where a Netgear router was installed with a default FTP password.
Update all the things \o/
- Google: fixed 44 vulnerabilities in Android, 11 of which were critical. Five remote code execution (RCE) bugs fixed.
- Microsoft had its Patch Tuesday, fixing 53 issues, 17 of which were rated critical.
- Apple released security updates for several components, and included USB restricted mode in the iOS update.
- Adobe fixed 112 security flaws across its product line. Two of them in Flash, and a whopping 104 in Acrobat and Reader.
A new experiment from Firefox, adding to the password manager market. You can download an iOS app to access and use the credentials that are stored in your Firefox account, if you have one.
Just a nice read on how MDM has been rolled out in iOS.
Interesting post on how Ballerina, a new programming language targeted at HTTP integrations and microservices, builds in security by default. You can, for example, mark incoming data points as untrusted (or 'tainted'), whereby the compiler will return an error if these haven't been explicitly sanitized before being used in sensitive places.