Breaches and leaks
- HovaHealth: a Mexican healthcare service company. An unprotected MongoDB instance managed by them was found, containing detailed personal data of 2 million people.
- Yale University: their personal data was breached in 2008, but they only just found out while testing their servers for vulnerabilities.
- TCM Bank: a company that provides white-labeled credit cards to small banks. Between March 2017 and July 2018 their website exposed personal information of card applicants.
- Salesforce: they have a marketing API where under certain circumstances one could get information from other companies, or write/corrupt the information of others.
It only works when roaming is enabled (being able to switch between access points without losing connection). The new technique means an attacker doesn't need to wait for a user to log in. It gets the attacker the password in hashed form, which would still need cracking; how long that takes depends on the strength of the password.
A number of IP ranges of certain payment processors were redirected a total of three times in July, according to Oracle: one briefly, one for 30 minutes and one for 3 hours. More detail here.
Nice and juicy price tag, good for them! I know Duo mostly for their 2fa solutions, but they do a range of other things too.
Amnesty International shared that one of their staff received a link meant to install the Pegasus malware. It's a sophisticated surveillance tool made by the Israeli NSO Group that is sold to governments. (Although exclusively to "combat terrorism and crime", according to NSO).
Two vulnerabilities were reported through their recently opened bug bounty program. They can be used for remote code execution, so best to update if you're vulnerable.
Meaning they don't need an intermediary anymore to be trusted by all major vendors. They will still use one for the next few years though, because of legacy software and devices.
You can report and alert on new event types for user accounts: password changes, 2fa on or off, and account recovery information changes. Useful to keep an eye on.
Cue the slow, cynical clap.
It's more privacy than security, but it's interesting enough to share anyway. There's still a lot of work to be done on this.
This is pretty awesome. It's named after WebGoat, an intentionally vulnerable web application, except this one sets up a vulnerable AWS environment for you to try and exploit. Worth reading through the article to understand the setup.
Nice read on how the UK government is "punishing" teenage hackers with coaching sessions on how to turn their technical skills into well-paying, and legal, jobs.