Issue 86

Breaches, breaches everywhere

.. No -you- are being cynical.

  • Telefonica: a Spanish telecom operator exposed the data of millions of customers. One could simply change a number in the URL to view other customers' information, a textbook insecure direct object reference.
  • Robocall: a political robocall service. It exposed the personal information of hundreds of thousands of US voters in a public AWS bucket.
  • Venmo: the p2p payment app. It turns out that all transactions on Venmo are public by default, and visible through its API.
  • LabCorp: it's the biggest US blood-testing network. Its systems were shut down following a breach, which turned out to be a SamSam ransomware infection.
  • Sunspire Health: a network of addiction treatment facilities. Several employees fell for a phishing attack and their accounts were compromised. The full size of the attack isn't yet known.

Compromised JavaScript package stealing npm credentials

This seems to be a trend now. The npm account of the maintainer of eslint-scope, a package published by the ESLint team, was hijacked. A new version was pushed whose install script harvested the npm credentials (the auth token in ~/.npmrc) of anyone who installed it.
As a precaution, npm has revoked all tokens created before the malicious version was taken down. The ESLint team's post-mortem can be found here, and the Hacker News discussion here.

Road navigation systems can be spoofed using $223 equipment

In a paper aptly named "All your GPS are belong to us", a group of researchers show that with cheap hardware they could spoof GPS signals, and with them the navigation directions shown on cars and smartphones, without the driver noticing.

FBI releases updated report on Business E-mail Compromise attacks

It's the kind of attack where someone pretends to be your CEO and asks for an urgent wire transfer. Estimated losses are now up to 12 billion dollars worldwide. That's billion, with a B. The real estate sector seems to be targeted the most.

GitHub security alerts now support Python

It's their built-in service that scans your project's dependencies and warns of vulnerable packages. It's on by default for public projects. JavaScript and Ruby were already supported.

Adult site blackmail spammers include victim's password

Quite nifty in its simplicity: regular sextortion, where the scammer (falsely) claims to have webcam video of the victim browsing porn sites, combined with quoting a real password of the victim, taken from one of the many known breaches, to make the claim credible.

Malware author builds 18,000-strong botnet in a day

Quite remarkable how 'easy' it seems to be. No zero-day was involved, as one might think; just a well-known router vulnerability that has been exploited before.

Luminosity RAT author pleads guilty to creating & selling hacking tool

In February this year a host of international law enforcement agencies banded together to stop the use of Luminosity, a widely used RAT (Remote Access Trojan). Its author has now pleaded guilty.

26,000 devices are lost per year in London subway and buses

Just a nice reminder for us all to have a protocol for when a colleague loses his or her device :-)

George Gerchow, CSO at Sumo Logic: our DevSecOps strategy

The transcript is just a nice quick read on some key topics in DevSecOps, like employee education, vulnerability management, code analysis, etc.


Bypassing web application firewalls

WAFs are a good security measure, but the security of your web applications should not depend solely on them, because they can be bypassed. Watch this demo on Paul’s Security Weekly, during which a researcher from Netsparker explains and demos how modern web application firewalls can be defeated.

1Password for Teams and Business

I use 1Password to securely share passwords and notes with colleagues myself. Can't recommend them enough and I'm super honoured to have them as a sponsor.