Issue 87

Breaches and leaks

  • SingHealth: Singapore's healthcare system. 1.5 million people had their personal information stolen. The attackers also specifically targeted the country's Prime Minister's records.
  • Level One Robotics: an engineering service provider for the automotive industry. A whopping 157 gigabytes of information was exposed from top companies such as GM, Tesla, Ford and many more. The data was exposed through an unsecured rsync server.
  • ComplyRight: an HR and tax service company. It had a data breach exposing customer information of over 600,000 people.

New Bluetooth flaw lets attackers monitor traffic

It exploits a problem with the initial key exchange between Bluetooth devices. If successfully exploited, it lets an attacker intercept traffic or perform a man-in-the-middle attack. All major vendors have pushed out updates, so bring yourself up to date if you haven't yet.

Chrome now shows 'Not Secure' on HTTP pages

It's been talked about for ages, and we've had plenty of warning. Chrome 68, released this week, also has some other cool security features: not allowing iframes to redirect you to another page, and blocking the 'tab-under' behavior. The latter is when you click a link and a new tab opens, but the old tab remains and redirects to ads.

Microsoft, Google, Facebook, Twitter Announce "Data Transfer Project"

A very cool open-source project meant to enable service-to-service data transfer when a customer wants to move out of one company and into another. The prototype currently supports photos, e-mail, contacts, calendar and tasks.

Google starts selling its own 2FA hardware key

They've had great success using Yubikeys for their own employees, and have now started rolling out their own alternative, dubbed the "Titan Security Key".

Senator asks US government to remove Flash from federal sites and computers

Well that's nice. He wants all departments to stop deploying Flash-based content within 60 days, and remove Flash completely from all sites and government devices by August 1st 2019.

GSuite security center adds investigation tool

GSuite has announced a very cool looking "investigation tool", where you can query for public documents, delete malicious e-mail, monitor file sharing, and more. It's available under the Early Adopter Program.

GSuite update: choose the regions where your data is stored

GSuite Business and Enterprise users can now choose where, geographically, their data should be stored: globally distributed, the US, or the EU.

Kubernetes security journey slide

Probably the shortest 'read' I have linked to yet: a single slide that shows how to mature your Kubernetes security in a few common sense steps. More informative than most blogs I've read on the subject ^^

Ask HN: What are the best resources for learning security and pen testing?

Great thread on Hacker News with links to books, tools, training and CTF (Capture The Flag) games.


Vulnerable web applications allow hackers to bypass corporate firewalls

A detailed technical article which explains how malicious attackers can target vulnerable web applications running on developers' workstations to bypass corporate firewalls. This might sound far-fetched, but it is very typical for developers to run vulnerable (still being developed) web applications on their computers.

1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.