Breaches and leaks
- Aadhaar: India's biometric database, holding records on over a billion people, seems to be trivially spoofable and accessible.
- Newegg, a large online technology retailer, had credit card information skimmed, again by Magecart. It's unknown at this point how many people were affected.
- GovPayNow: an online payment service of the US government, where things like traffic tickets and even bail can be paid, exposed all receipts. You could simply change the ID in the URL (yes, this again, ffs) and see the other receipts.
- US State Department: its "unclassified e-mail system" was breached, exposing personal information of a "small number" of employees.
- Bristol Airport had a ransomware infection and had to resort to writing flight schedules on whiteboards for a bit before recovering.
- Medcall Healthcare Advisors: a healthcare provider that had 7 GB of medical information sitting in an exposed S3 bucket.
- Unknown: an unprotected MongoDB database was found with just under 11 million personal records. The researcher is not certain who it belongs to, although there are suspicions.
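The GovPayNow item above is the textbook insecure direct object reference: the receipt ID in the URL is the only thing the handler checks. The added example below (not code from the page or from GovPayNow; the route shape, receipt table and user names are constructed) shows the vulnerable lookup next to the fixed one, which scopes the lookup to the logged-in user and returns the same 404 for "not yours" and "does not exist":

```python
from __future__ import annotations
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    owner: str
    amount_cents: int


# Constructed sample data standing in for a payment service's receipt table.
RECEIPTS = {
    "1001": Receipt("1001", "alice", 12500),
    "1002": Receipt("1002", "bob", 40000),
}

# Assumed route shape: /receipts/<id>
PATH_RE = re.compile(r"^/receipts/([A-Za-z0-9_-]+)$")


def handle_vulnerable(path: str, session_user: str) -> tuple[int, dict | None]:
    """IDOR pattern: the ID from the URL is the only input to the lookup.
    session_user is accepted but never consulted, so /receipts/1002 works for anyone."""
    m = PATH_RE.match(path)
    if not m:
        return 404, None
    r = RECEIPTS.get(m.group(1))
    return (200, r.__dict__) if r else (404, None)


def handle_hardened(path: str, session_user: str) -> tuple[int, dict | None]:
    """Fixed handler: the lookup is scoped to the authenticated caller.
    A foreign ID and a nonexistent ID get the same 404, so a client walking
    the ID space cannot even learn which receipt numbers exist."""
    m = PATH_RE.match(path)
    if not m:
        return 404, None
    r = RECEIPTS.get(m.group(1))
    if r is None or r.owner != session_user:
        return 404, None
    return 200, r.__dict__


def new_receipt_id() -> str:
    """Defence in depth (an assumption, not a fix the page describes):
    random, unguessable IDs so sequential probing turns up nothing."""
    return secrets.token_urlsafe(16)
```

Calling both handlers with `("/receipts/1002", "alice")` shows the difference: the vulnerable one returns Bob's receipt with a 200, the hardened one returns 404.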
It doesn't seem capable of exploiting anything, but there's also no real way yet of stopping it. The code, which is safe to view, is here. Hackernews discussion here. The researcher has another attack ready that puts macOS into a crash loop, but won't release that one yet.
Similar to Linux a few months back (link), a number of Windows versions can be rendered unresponsive by it. A fix was included in this month's Patch Tuesday.
We all know that once an attacker has physical access to your device it's much harder to defend yourself. This one bypasses disk encryption though, and even firmware passwords if the device is in sleep mode. It's a bit hard to make out if anything can be done, but how I understand it is that one can only make it as hard as possible by using disk encryption and a firmware password, and by always shutting down or hibernating your device.
There's a vulnerability in apk, Alpine's default package manager. It can be exploited through a malicious package or a man-in-the-middle (MITM) attack. Lots of Docker images are based on Alpine, so check your own.
Automatic updates, USB restricted mode and password management improvements.
This seems to have missed the window of their regular patch cycle last week. It fixes seven vulnerabilities, one of which can trigger remote code execution.
Article on the internal process after the Equifax hack. Not exactly heartwarming. Hackernews discussion here.
Nice project from Templarbit, gathering all information on high-profile breaches.
Very cool project. It provides an environment to learn about how the OWASP Top 10 security risks apply to Node.js applications and teaches how to mitigate them.
It's a sad fact that many companies only seem to change their insecure practices when they are publicly shamed about them. Troy Hunt makes his position on this very clear with a bunch of examples.
Another one of Troy's. I must admit that I don't know how CAs are going to stay alive with Let's Encrypt being a pretty awesome thing.