Issue 94

Minimal mode

Unfortunately I couldn't spend as much time on this issue as usual, because my wife and daughter fell ill this week. It's all hands on deck here, family comes first :-)

I included the most interesting links, but with less filtering and summarizing than usual. I hope you still get value out of it!

Breaches and leaks

  • British Airways: personal and payment information of 380.000 customers was stolen. Likely executed by the Magecart group, through a malicious Javascript include. More details here.
  • Feedify: customer engagement service. It seems that the Javascript they ask their customers to include was infected with credit card stealing code, again by the Magecart group.
  • Veeam: data management and disaster recovery firm (ow, the irony). Exposed more than 440 million names and e-mails of a marketing database.
  • US government site that deals with data transparency requests. After a site upgrade it started showing sensitive personal data, like social security numbers, that were previously masked.
  • mSpy: another spyware maker, leaking millions of call logs, screenshots, location information and what have you.
  • Schneider Electric: shipped USB's infected with malware with some of its products.
  • NPower: energy company, sent personal and payment information of 5.000 customers to the wrong people.

No. 1 paid utility in Mac App Store steals browser history, sends it to Chinese server

Researcher finds open .git directories on 390.000 sites

Apple's Safari falls for new address bar spoofing trick

Malicious Kodi add-ons install Windows & Linux coin mining trojans


  • Microsoft had its Patch Tuesday, fixing 61 vulnerabilities, 17 of which are critical remote-code execution bugs.
  • Cisco released a host of fixes for critical vulnerabilities.
  • Adobe pushed security updates for Flash and Coldfusion.
  • Mozilla patched nine security issues in Firefox 62, including one arbitrary code execution bug.

Hackers can steal a Tesla Model S in seconds by cloning its key fob

Businesses can now pay to extend Windows 7 security updates beyond 2020

Thousands of unsecured 3D printers discovered online

I am Bruce Schneier, AMA


Bypassing web application firewalls

WAFs are a good security measure but the security of your web applications should not solely depend on it, because they can be bypassed. Watch this demo on Paul’s Security Weekly during which a researcher from Netsparker explains and demos how modern web application firewalls can be defeated.

1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.