Issue 89

Breaches and leaks

  • HovaHealth: a Mexican healthcare service company. An unprotected MongoDB instance they managed was found exposing detailed personal data of 2 million people.
  • Yale University: personal data was breached back in 2008, but they only found out recently while testing their servers for vulnerabilities.
  • TCM Bank: a company that provides white-labeled credit cards to small banks. Between March 2017 and July 2018 their website exposed personal information of card applicants.
  • Salesforce: their marketing API, under certain circumstances, allowed one customer to read data belonging to other companies, or to write to and corrupt it.


New method simplifies cracking WPA/WPA2 passwords

It only works when roaming is enabled (being able to switch between access points without losing connection). With the new technique an attacker no longer needs to wait for a user to log in. It yields the password in hashed form, which still needs cracking; how long that takes depends on the strength of the password.
bleepingcomputer.com


U.S. payment processing services targeted by BGP hijacking attacks

IP ranges belonging to several payment processors were redirected three times in July, according to Oracle: once briefly, once for 30 minutes and once for 3 hours. More detail here.
bleepingcomputer.com


Cisco plans to acquire cybersecurity firm Duo Security for $2.35 billion

Nice and juicy price tag, good for them! I know Duo mostly for their 2fa solutions, but they do a range of other things too.
cnbc.com


Amnesty International staff targeted with malicious spyware

Amnesty International shared that one of their staff received a link meant to install the Pegasus malware. It's a sophisticated surveillance tool made by the Israeli NSO Group and sold to governments, although exclusively to "combat terrorism and crime", according to NSO.
amnesty.org


HP reports critical vulnerabilities in several product lines

Two vulnerabilities were reported through their recently opened bug bounty program. Both can be used for remote code execution, so update if you're running an affected product.
bitdefender.com


Let's Encrypt root trusted by all major root programs

Meaning they no longer need an intermediary to be trusted by all major vendors. They will keep using one for the next few years though, because of legacy software and devices.
letsencrypt.org


G Suite updates: New user account security alerts

You can now report and alert on new event types for user accounts: password changes, 2fa being turned on or off, and changes to account recovery information. Useful to keep an eye on.
googleblog.com


Pentagon bans soldiers from using GPS apps and devices

Cue the slow, cynical clap.
threatpost.com


DNA analysis companies working together on privacy guidelines

It's more privacy than security, but it's interesting enough to share anyway. There's still a lot of work to be done on this.
sophos.com


CloudGoat: The ‘Vulnerable-by-Design’ AWS environment

This is pretty awesome. It's named after WebGoat, an intentionally vulnerable web application, except that this one sets up a vulnerable AWS environment for you to try and exploit. Worth reading through the article to understand the setup.
rhinosecuritylabs.com


Inside the bootcamp reforming teenage hackers

Nice read on how the UK government is "punishing" teenage hackers with coaching sessions on how to turn their technical skills into well-paying, and legal, jobs.
cnet.com


Sponsorship

Is your website hackable?

Automatically identify cross-site scripting, SQL injection and other vulnerabilities in your web applications before malicious attackers find and exploit them. Use the dead accurate Netsparker web application security scanner to generate accurate reports.
netsparker.com


1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.
1password.com