.. No -you- are being cynical.
- Telefonica: a Spanish telecom operator exposed data of millions of customers. One could simply change a number in the URL to view all other people's information.
- Robocall: a political robocall service. It exposed the personal information of hundreds of thousands of US voters in a public AWS bucket.
- Venmo: the p2p payment app. It turns out that all transactions on Venmo are public by default, and visible through its API.
- LabCorp: it's the biggest US blood-testing network. Its systems were shut down following a breach, which turned out to be a SamSam ransomware infection.
- Sunspire Health: a network of addiction treatment facilities. Several employees were compromised in a phishing attack. The full size of the attack isn't yet known.
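The Telefonica item above is a textbook insecure direct object reference: the server trusts the customer number in the URL and never asks whether it belongs to the caller. As an added illustration (not code from any of the companies mentioned), the lookup below is shown in its vulnerable and hardened forms, followed by a small log check that spots the sequential-id walk such a bug invites; the record store and log lines are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records: customer id -> (owning account, record)
CUSTOMERS = {
    1001: ("alice", {"name": "Alice", "phone": "+34 600 000 001"}),
    1002: ("bob",   {"name": "Bob",   "phone": "+34 600 000 002"}),
    1003: ("carol", {"name": "Carol", "phone": "+34 600 000 003"}),
}

def get_customer_vulnerable(customer_id):
    """Looks up the record by the id taken from the URL alone: any
    logged-in user can walk the whole id space (the IDOR)."""
    return CUSTOMERS[customer_id][1]

def get_customer(requesting_account, customer_id):
    """Hardened lookup: the id from the URL is only honoured when the
    record belongs to the authenticated account. Unknown and foreign
    ids give the same answer (None), so the id space cannot be probed."""
    entry = CUSTOMERS.get(customer_id)
    if entry is None or entry[0] != requesting_account:
        return None
    return entry[1]

# Constructed access log lines: "<client> <method> <path>"
ACCESS_LOG = """\
10.0.0.5 GET /api/customers/1001
10.0.0.5 GET /api/customers/1002
10.0.0.5 GET /api/customers/1003
10.0.0.5 GET /api/customers/1004
10.0.0.9 GET /api/customers/1002
"""

def find_enumerators(log_text, threshold=3):
    """Flag clients requesting a run of consecutive customer ids, the
    pattern an id walk leaves even when each request looks legitimate.
    Returns {client: number of distinct ids requested}."""
    ids_by_client = defaultdict(set)
    prefix = "/api/customers/"
    for line in log_text.splitlines():
        client, _method, path = line.split()
        if path.startswith(prefix) and path[len(prefix):].isdigit():
            ids_by_client[client].add(int(path[len(prefix):]))
    flagged = {}
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b == a + 1)
        if steps + 1 >= threshold:  # length of the consecutive run
            flagged[client] = len(ordered)
    return flagged
```

The same ownership check belongs on every endpoint that accepts an object id, and the log check is cheap enough to run over the access log of any such API.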
This seems to be a trend now. The npm account of the developer of eslint-scope, a submodule of ESLint, was hacked. A new version was pushed that aimed to gather other npm credentials.
As a precaution, all tokens created during the vulnerable window have been revoked. A post-mortem by the ESLint team can be found here; Hackernews discussion here.
In a paper, aptly named "All your GPS are belong to us", a set of researchers show that using cheap hardware, they could spoof GPS signals and navigation directions on cars and smartphones, without being detected.
It's the kind of attack where someone pretends to be your CEO, asking for an urgent wire transfer. Estimated damages are up to 12 billion dollars now world-wide. That's billion, with a B. The real estate sector seems to be targeted the most.
Quite nifty in its simplicity. Regular sextortion, where a hacker (falsely) claims they have webcam video of the victim browsing porn sites, combined with showing them their password, which was taken from one of the many known breaches.
Quite remarkable how 'easy' it seems to be. There was no zero-day involved, as one might think, just a well known router vulnerability that's been exploited before.
In February this year a host of international law enforcement agencies banded together to stop the usage of Luminosity, which was a widely used RAT (Remote Access Trojan). Its author has now pleaded guilty.
Just a nice reminder for us all to have a protocol for when a colleague loses his or her device :-)
The transcript is just a nice quick read on some key topics in DevSecOps, like employee education, vulnerability management, code analysis, etc.
WAFs are a good security measure but the security of your web applications should not solely depend on it, because they can be bypassed. Watch this demo on Paul’s Security Weekly during which a researcher from Netsparker explains and demos how modern web application firewalls can be defeated.
I use 1Password to securely share passwords and notes with colleagues myself. Can't recommend them enough and I'm super honoured to have them as a sponsor.