News
Breaches, breaches everywhere
.. No -you- are being cynical.
- Telefonica: a Spanish telecom operator exposed the data of millions of customers. Changing a number in the URL was enough to view other customers' information.
- Robocall: a political robocall service. It exposed the personal information of hundreds of thousands of US voters in a public AWS bucket.
- Venmo: the p2p payment app. It turns out that all transactions on Venmo are public by default, and visible through its API.
- LabCorp: the biggest US blood-testing network. Its systems were shut down following a breach, which turned out to be a SamSam ransomware infection.
- Sunspire Health: a network of addiction treatment facilities. Several employees were compromised in a phishing attack. The full size of the attack isn't yet known.
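The Telefonica item above is a textbook insecure direct object reference: the server trusts the id in the URL and never asks whether the caller owns that record. As an added illustration (not code from the incident or from any of the companies listed; all records and names are constructed), here is the bug next to its fix, plus a small detection hook that flags a client walking through other people's ids:

```python
"""Ownership check against an insecure direct object reference (IDOR).

Added illustration, not code from the Telefonica incident: the bug described
above (change a number in the URL, see another customer's record) is modelled
with constructed in-memory records and two lookup functions.
"""
from collections import defaultdict

# Constructed sample data: customer records keyed by a sequential, guessable id.
RECORDS = {
    1001: {"owner": "alice", "phone": "+34 600 000 001", "address": "Calle A 1"},
    1002: {"owner": "bob",   "phone": "+34 600 000 002", "address": "Calle B 2"},
    1003: {"owner": "carol", "phone": "+34 600 000 003", "address": "Calle C 3"},
    1004: {"owner": "dave",  "phone": "+34 600 000 004", "address": "Calle D 4"},
}


def lookup_vulnerable(requester, record_id):
    """Returns whatever record the id points at; the caller's identity is ignored."""
    return RECORDS.get(record_id)


# Denied cross-account lookups per requester, kept as a detection signal.
DENIED = defaultdict(int)
ENUMERATION_THRESHOLD = 3


def lookup_hardened(requester, record_id):
    """Returns the record only if it belongs to the requester.

    Non-owned and non-existent ids both return None, so the response does not
    reveal which ids exist (no oracle for enumeration).
    """
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != requester:
        if record is not None:
            DENIED[requester] += 1  # an existing record that is not yours
        return None
    return record


def enumeration_suspects():
    """Requesters whose denied cross-account lookups reached the threshold."""
    return sorted(r for r, n in DENIED.items() if n >= ENUMERATION_THRESHOLD)


def sweep(lookup, requester, ids):
    """Simulates a client walking a range of ids; returns the owners of what came back."""
    return [r["owner"] for r in (lookup(requester, i) for i in ids) if r is not None]


if __name__ == "__main__":
    ids = range(1000, 1006)
    print("vulnerable:", sweep(lookup_vulnerable, "alice", ids))  # everyone's data
    print("hardened:  ", sweep(lookup_hardened, "alice", ids))    # only alice
    print("flagged:   ", enumeration_suspects())                  # ['alice']
```

The two design points worth copying: the ownership check lives in the lookup itself rather than in the route handler, so every code path gets it, and a denied lookup is indistinguishable from a missing record. Counting denials per principal is a cheap signal to alert on in your application logs; using random, non-sequential ids would further reduce the payoff of guessing.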
Compromised JavaScript package stealing npm credentials
This seems to be a trend now. The npm account of the developer of eslint-scope, a submodule of ESLint, was hacked. A new version was pushed that attempted to steal other developers' npm credentials.
As a precaution, all tokens created during the vulnerable window have been revoked. A post-mortem by the ESLint team can be found here, and the Hacker News discussion here.
Road navigation systems can be spoofed using $223 equipment
In a paper, aptly named "All your GPS are belong to us", a group of researchers show that using cheap hardware they could spoof GPS signals and navigation directions on cars and smartphones, without being detected.
FBI releases updated report on Business E-mail Compromise attacks
This is the kind of attack where someone pretends to be your CEO, asking for an urgent wire transfer. Estimated damages are now up to 12 billion dollars worldwide. That's billion, with a B. The real estate sector seems to be targeted the most.
GitHub security alerts now support Python
It's their built-in service that scans your project's dependencies and warns of vulnerable packages. It's on by default for public projects. JavaScript and Ruby were already supported.
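For those who want to see what such a scan does under the hood, here is an added example (not GitHub's code; the advisory entries and the requirements file are constructed for the demo, and no real package is claimed vulnerable). It parses pinned requirements, compares them against an advisory list, and reports pins that are below the fixed version, along with unpinned dependencies it cannot assess:

```python
"""Dependency scan of a requirements.txt against a small advisory list.

Added example of how a dependency-alert service like the one described above
works in principle. Not GitHub's code; the advisories below are constructed
placeholders, not real vulnerabilities.
"""
import re

# Constructed advisory database: package -> list of (first_fixed_version, advisory id).
# A pinned version below first_fixed_version counts as affected.
ADVISORIES = {
    "examplelib": [("2.4.1", "DEMO-ADV-0001")],
    "othertool": [("1.0.3", "DEMO-ADV-0002"), ("1.2.0", "DEMO-ADV-0003")],
}

# Constructed requirements file content.
REQUIREMENTS = """\
# comment line
examplelib==2.3.0
othertool==1.1.0
safething==0.9.0
loosepkg>=3.0
"""

# Matches "name==1.2.3" with an optional trailing comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(v):
    """Dotted numeric version into a comparable tuple (a simplification of PEP 440)."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Returns (pinned {name: version}, unpinned [names]); comments and blanks are skipped."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            # Anything not pinned with == (ranges, extras, markers) cannot be assessed.
            name = re.split(r"[<>=!~;\[\s]", line, maxsplit=1)[0].lower()
            unpinned.append(name)
    return pinned, unpinned


def scan(text, advisories=ADVISORIES):
    """Returns (sorted findings as (package, pinned, fixed_in, advisory), unpinned names)."""
    pinned, unpinned = parse_requirements(text)
    findings = []
    for name, version in pinned.items():
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, fixed_in, adv_id))
    return sorted(findings), unpinned


if __name__ == "__main__":
    findings, unpinned = scan(REQUIREMENTS)
    for name, version, fixed_in, adv_id in findings:
        print(f"{adv_id}: {name}=={version} is affected, upgrade to >= {fixed_in}")
    for name in unpinned:
        print(f"cannot assess {name}: no exact pin, use a lock file")
```

Note that the unpinned case is the interesting one: a range such as `loosepkg>=3.0` tells the scanner nothing about what actually gets installed, which is why these services work best on lock files with exact versions.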
Adult site blackmail spammers include victim's password
Quite nifty in its simplicity. Regular sextortion, where a scammer (falsely) claims to have webcam video of the victim browsing porn sites, combined with showing them their password, which was taken from one of the many known breaches.
Malware author builds 18,000-strong botnet in a day
Quite remarkable how 'easy' it seems to be. There was no zero-day involved, as one might think, just a well known router vulnerability that's been exploited before.
Luminosity RAT author pleads guilty to creating & selling hacking tool
In February this year a host of international law enforcement agencies banded together to stop the usage of Luminosity, which was a widely used RAT (Remote Access Trojan). Its author has now pleaded guilty.
26,000 devices are lost per year in London subway and buses
Just a nice reminder for us all to have a protocol for when a colleague loses his or her device :-)
George Gerchow, CSO at Sumo Logic: our DevSecOps strategy
The transcript is just a nice quick read on some key topics in DevSecOps, like employee education, vulnerability management, code analysis, etc.
Sponsorships
Bypassing web application firewalls
WAFs are a good security measure, but the security of your web applications should not depend on them alone, because they can be bypassed. Watch this demo on Paul’s Security Weekly, during which a researcher from Netsparker explains and demos how modern web application firewalls can be defeated.
1Password for Teams and Business
I use 1Password to securely share passwords and notes with colleagues myself. Can't recommend them enough and I'm super honoured to have them as a sponsor.