Issue 88

Reddit had a security breach

An attacker compromised employee accounts on Reddit's cloud provider and source code hosting.
The accounts had 2FA enabled, but it was SMS-based and the text messages were intercepted. A solid reminder that SMS 2FA is -not- good enough anymore if you have other options, such as an authenticator app or a hardware token.
From a customer point of view the impact is mostly limited to an old database backup from May 2007 and to digest emails sent in June. It seems like it could have been a lot worse.

Some other breaches/leaks this week

  • Cosco: one of the world's largest shipping companies, suffered a ransomware attack.
  • Clarkson: another shipping company. It disclosed a breach last year and has now released more information on what data was taken.
  • Dixons Carphone: electronics retailer. It disclosed a breach two months ago but has now announced that it wasn't 1.2 million customers that were affected, but 10 million.
  • Fashion Nexus: an e-commerce company, had an unsecured database with personal details of 1.3 million customers. The passwords in it were stored as salted MD5 and SHA-1 hashes. Both are fast general-purpose hashes: a salt defeats precomputed tables, but it does little against offline guessing, which is why a deliberately slow password hash (bcrypt, scrypt or Argon2) is the norm.
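To make the last point concrete, here is an added example (not code from the newsletter or from any of the companies above) that runs the same small offline dictionary attack against salted MD5 records and against records protected by a slow KDF (PBKDF2-HMAC-SHA256, chosen because it is in Python's standard library). The accounts, salts and wordlist are constructed for the demo; nothing here is real breach data.

```python
import hashlib
import hmac
import os
import time


def salted_md5(salt: bytes, password: str) -> str:
    """The weak scheme: a single fast MD5 over salt || password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def salted_pbkdf2(salt: bytes, password: str, iterations: int = 200_000) -> str:
    """A purpose-built password KDF (PBKDF2-HMAC-SHA256). Each guess now costs
    `iterations` HMAC calls instead of one hash. bcrypt/scrypt/Argon2 are better
    still (memory-hard); PBKDF2 is used here because it needs no extra package."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_records(passwords: dict, hash_fn) -> dict:
    """Store passwords the way a site using salted hashes would:
    {user: (random per-user salt, hash_fn(salt, password))}."""
    records = {}
    for user, pw in passwords.items():
        salt = os.urandom(8)
        records[user] = (salt, hash_fn(salt, pw))
    return records


def crack(records: dict, wordlist: list, hash_fn) -> dict:
    """Offline dictionary attack against leaked records. The per-user salt rules
    out precomputed tables, but the attacker simply recomputes hash_fn(salt, guess)
    for each user, so the cost is one hash_fn call per (user, guess) pair and the
    only defence is how slow hash_fn is."""
    found = {}
    for user, (salt, digest) in records.items():
        found[user] = None
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(salt, guess), digest):
                found[user] = guess
                break
    return found


# Constructed sample accounts and wordlist (not data from any real breach).
SAMPLE_PASSWORDS = {
    "alice": "summer2018",
    "bob": "password1",
    "carol": "7&Hx!q9zLm#2pWv",  # not in the wordlist: survives either scheme
}
WORDLIST = ["123456", "password", "password1", "qwerty", "summer2018", "letmein"]


def demo() -> dict:
    """Crack the same accounts under both schemes and time each attack."""
    result = {}
    for name, hash_fn in (("md5", salted_md5), ("pbkdf2", salted_pbkdf2)):
        records = make_records(SAMPLE_PASSWORDS, hash_fn)
        t0 = time.perf_counter()
        result[name] = crack(records, WORDLIST, hash_fn)
        result[name + "_seconds"] = time.perf_counter() - t0
    return result


if __name__ == "__main__":
    r = demo()
    for name in ("md5", "pbkdf2"):
        print(f"{name:7s} recovered {r[name]} in {r[name + '_seconds']:.3f}s")
    slowdown = r["pbkdf2_seconds"] / max(r["md5_seconds"], 1e-9)
    print(f"slowdown factor for the attacker: {slowdown:.0f}x")
```

Both schemes give up the two weak passwords; the difference is that the PBKDF2 run takes orders of magnitude longer for the same handful of guesses, and that factor is exactly what a real cracking rig has to pay per guess across the whole dump.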

NetSpectre: new variant of Spectre can be used remotely

It sounds very scary, but the attack is hard to execute: it needs a suitable gadget in network-reachable code, and extraction is limited to roughly 15-60 bits per hour. The researchers say it might be used against high-profile targets, but the average Joe should be safe. The same mitigations that protect against Spectre variant 1 should work here too.

Massive Coinhive cryptojacking campaign on over 200,000 MikroTik routers

Using a vulnerability that was discovered (and patched by MikroTik) in April of this year, the attackers change the configuration of routers that never got that update to inject a Coinhive cryptomining script into users' web traffic.

Flaw in Swann smart security cameras allows access to other people's streams

Another day, another crappy IoT camera service. This one lets you walk through serial numbers, using nothing but an HTTP proxy, to view other people's streams: a classic insecure direct object reference, where the backend trusts the serial number the client sends instead of checking that the logged-in account actually owns that camera.

GSuite can alert when it detects a government-backed attack

It's an option you can turn on for your organisation. If Google suspects you are being targeted by a nation-backed attack, it will alert you.

How to not get hacked -

Another pretty good overview of things to do to secure your Kubernetes cluster.

Diffy: A triage tool for cloud-centric incident response

Released by Netflix's Security Intelligence and Response Team (SIRT), it takes a baseline host on AWS, compares it to a similar host involved in an incident, and shows security-relevant differences such as an unexpected listening port or a strange crontab entry.
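The idea behind that kind of triage, as an added example that is not Diffy's own code (Diffy collects its data differently, via its own collectors): snapshot a few categories of state on both hosts, normalise away the noise, and report what only the incident host has. The `ss -tlnp` and crontab output below is constructed for the demo; the interesting detail is that PIDs are stripped before comparing, otherwise every process would show up as a difference.

```python
import re

# Process name inside an `ss -tlnp` "users:(("name",pid=N,fd=M))" column.
SS_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_listen(output: str) -> set:
    """Normalise `ss -tlnp` output to a set of (local address:port, process name).
    PIDs and fds are dropped on purpose: they differ between any two hosts and
    would drown the real differences in noise."""
    entries = set()
    for line in output.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = SS_PROC_RE.search(line)
        entries.add((fields[3], m.group(1) if m else "?"))
    return entries


def parse_crontab(output: str) -> set:
    """Crontab entries as a set of normalised lines; comments and blanks ignored."""
    return {line.strip() for line in output.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def diff_snapshots(baseline: dict, incident: dict) -> dict:
    """Per category, what the incident host has that the baseline does not
    (the interesting direction) and what it lacks that the baseline has."""
    report = {}
    for category in sorted(baseline.keys() | incident.keys()):
        base = baseline.get(category, set())
        inc = incident.get(category, set())
        report[category] = {
            "only_on_incident": sorted(inc - base),
            "missing_on_incident": sorted(base - inc),
        }
    return report


# Constructed command output for a clean baseline host and a suspect host.
BASELINE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1190,fd=6))
"""
INCIDENT_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=799,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=20331,fd=3))
"""
BASELINE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/rotate-logs.sh
"""
INCIDENT_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/rotate-logs.sh
*/5 * * * * /tmp/.cache/update >/dev/null 2>&1
"""


def triage() -> dict:
    """Build both snapshots from the constructed output and diff them."""
    baseline = {"listening": parse_ss_listen(BASELINE_SS),
                "crontab": parse_crontab(BASELINE_CRON)}
    incident = {"listening": parse_ss_listen(INCIDENT_SS),
                "crontab": parse_crontab(INCIDENT_CRON)}
    return diff_snapshots(baseline, incident)


if __name__ == "__main__":
    for category, delta in triage().items():
        for item in delta["only_on_incident"]:
            print(f"[{category}] only on incident host: {item}")
        for item in delta["missing_on_incident"]:
            print(f"[{category}] missing on incident host: {item}")
```

Run as-is it reports only the netcat listener on port 4444 and the extra crontab line, while sshd and nginx (which have different PIDs on the two hosts) stay quiet. Adding more categories (installed packages, users, systemd units) is just another parser feeding the same diff.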

Personal note - security officer subscription?

I'm playing with the idea of opening up a "security officer subscription", aimed at companies who can't justify the cost of a full-time security person. For x amount of money you'd get y hours of security work done each month.

Think employee education on 2FA and passwords, taking anti-phishing measures, securing document and e-mail accounts, having backups, working on GDPR, whatever makes sense for the company.

I'm putting out feelers to see if there is any interest in such a thing. If it sounds useful to you or someone you know, please reply to this e-mail :-) Thanks!


A comprehensive guide to application-level denial of service

The availability of web applications is more critical now than ever, but it is also at risk from increasingly complex application-level denial of service attacks. This guide highlights the different DoS techniques in use so you know what to look for.

1Password for Teams and Business

I use 1Password to securely share passwords and notes with colleagues myself. Can't recommend them enough and I'm super honoured to have them as a sponsor.