Issue 91

Breaches and leaks

  • Twitch: the streaming service had an issue where the message archives that users could request contained messages belonging to other users.
  • UK government: they had a number of public Trello boards exposing sensitive information.
  • GOMO: a Chinese mobile app developer, exposed data of over 50 million users, many of whom are children.
  • Augusta University Health: a phishing attack, which happened in 2017, is now known to have exposed information of over 400.000 students and patients.
  • Sitter: a babysitting app. They had an unsecured MongoDB server exposing user data and messages.
  • SuperProf: facepalm time on this one. The tutoring site migrated users from a recently acquired company, resetting all passwords to 'super' + their first name, making it pretty damn easy to guess everyone's new password.


L1TF aka Foreshadow: new Intel speculative execution flaws

One variant gives the ability to read data from Intel's SGX enclave memory, and another allows a malicious VM to read memory from other VMs on the same machine. Some deeper explanations here.
threatpost.com


New major vulnerability in Ghostscript/ImageMagick

By our beloved Tavis Ormandy. Ghostscript handles PDF-based documents in various software tools, of which ImageMagick is the best known. The vulnerability allows for remote code execution just by uploading a malicious PDF. No update is available yet, but there are ways to mitigate the problem.
bleepingcomputer.com


Microsoft ADFS flaw allows for multi-factor authentication bypass

It's a pretty serious flaw in Microsoft’s Active Directory Federation Services (ADFS), where one valid second factor could be used for all accounts in the enterprise. A patch has been released.
threatpost.com


JavaScript web apps and servers vulnerable to ReDoS attacks

I hadn't heard of ReDoS before, it's pretty interesting. It's where input to an app is crafted to make the regex-based validation take so long as to slow down or crash the whole system.
bleepingcomputer.com


Apple hacked by 16-year-old who “dreamed” of working for firm

The teenager apparently exfiltrated 90GB worth of files, and had access to Apple's systems for over a year. He hid his access well, but it seems they were able to determine the serial number of the machine he used and found him that way.
bitdefender.com


Microsoft disrupts APT28 hacking campaign aimed at US midterm elections

Microsoft announced that they took control of six domains that were made to look like legitimate sites related to the elections.
bleepingcomputer.com


Unprotected Traefik dashboards can show TLS private keys

Traefik is a load balancer / reverse proxy. In the same trend as unauthenticated Kubernetes clusters and the like, there are apparently a few thousand of them open to the public. Their API can be queried to retrieve the private keys of your certificates. Check yours if you run one.
bleepingcomputer.com


Update all the things \o/

  • Linux kernel: two vulnerabilities that could trigger DoS attacks, dubbed "SegmentSmack" and "FragmentSmack", were fixed.
  • Microsoft has its Patch Tuesday, fixing 60 vulnerabilities, including 2 zero-days.
  • Adobe fixes things in Flash, Acrobat and Reader.
  • Airmail 3 for Mac: A vulnerability where files and e-mail could be exfiltrated just by sending a malicious e-mail. The article says otherwise, but looking at the site a fix seems to have been pushed out.


The security changes you can expect in iOS 12

Automatic iOS updates, credential auto-fill support for third-party password managers, improvements to the built-in password manager, a convenience feature to copy-paste 2FA SMS codes, and blocking of social network trackers.
sophos.com


Georgia Tech creates cybersecurity Master’s degree online for less than $10,000

Nice initiative for an online Master's degree in cybersecurity, in collaboration with edX.
gatech.edu


Password and credential management in 2018

Very nice article about how to handle passwords that goes beyond just "use bcrypt or something similar". It includes interesting things I hadn't considered before, like hashing the password client-side first, and AES-encrypting your Argon2/bcrypt hash before storing it.
medium.com


Sponsorship

Vulnerable web applications allow hackers to bypass corporate firewalls

A detailed technical article which explains how malicious attackers can target vulnerable web applications running on developers' workstations.
netsparker.com


1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.
1password.com