Issue 95

Breaches and leaks

  • Aadhaar: India's biometric database, holding records on over a billion people, seems to be trivially spoofable/accessible.
  • Newegg, a large online technology retailer, had credit card information leeched, again by Magecart. It's unknown at this point how many people were affected.
  • GovPayNow: an online payment service of the US government, where things like traffic tickets and even bail can be paid, exposed all receipts. You could simply change the ID in the URL (yes, this again, ffs) and see the other receipts.
  • US State Department: its "unclassified e-mail system" was breached, exposing personal information of a "small number" of employees.
  • Bristol Airport had a ransomware infection and had to resort to writing flight schedules on whiteboards for a bit before recovering.
  • Medcall Healthcare Advisors: a healthcare provider that had 7 gigs of medical information in an exposed S3 bucket.
  • Unknown: an unprotected MongoDB database was found with just under 11 million personal records. The researcher is not certain who it belongs to, although there are suspicions.
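The GovPayNow item above is the classic insecure direct object reference: the server trusts the ID in the URL and never asks whether the logged-in user owns that record. The following is an added example, not code from GovPayNow or any of the linked articles, showing the vulnerable lookup next to the fixed one and a small log check that flags the ID-walking behaviour. The receipt data, user names and the request log are constructed for the example.

```javascript
// Constructed in-memory receipt store; stands in for a real database table.
const receipts = new Map([
  [1001, { id: 1001, owner: "alice", amount: 120.0, purpose: "traffic ticket" }],
  [1002, { id: 1002, owner: "bob", amount: 5000.0, purpose: "bail" }],
  [1003, { id: 1003, owner: "carol", amount: 45.0, purpose: "parking fine" }],
]);

// Vulnerable: the only input is the ID taken from the URL. Whoever can count
// can read every receipt in the system.
function getReceiptVulnerable(receiptId) {
  return receipts.get(Number(receiptId)) || null;
}

// Fixed: the lookup is scoped to the authenticated principal from the server-side
// session. The URL ID is still used, but only to pick among the caller's own rows.
function getReceiptForUser(receiptId, sessionUser) {
  const receipt = receipts.get(Number(receiptId));
  if (!receipt || receipt.owner !== sessionUser) {
    // Same result for "does not exist" and "not yours", so the response does not
    // tell the caller which IDs are valid.
    return null;
  }
  return receipt;
}

// Simulated HTTP request: the handler reports 200 on a hit and 404 otherwise.
function simulateRequest(handler, pathId, sessionUser) {
  const result = handler(pathId, sessionUser);
  return { user: sessionUser, id: Number(pathId), status: result ? 200 : 404 };
}

// Detection side: a session that requests many distinct receipt IDs and mostly
// gets 404 back is walking the ID space. Returns the users over the threshold.
function findEnumeratingSessions(log, minDistinctIds, minMissRatio) {
  const perUser = new Map();
  for (const entry of log) {
    const stats = perUser.get(entry.user) || { ids: new Set(), misses: 0, total: 0 };
    stats.ids.add(entry.id);
    stats.total += 1;
    if (entry.status === 404) stats.misses += 1;
    perUser.set(entry.user, stats);
  }
  const flagged = [];
  for (const [user, s] of perUser) {
    if (s.ids.size >= minDistinctIds && s.misses / s.total >= minMissRatio) {
      flagged.push(user);
    }
  }
  return flagged.sort();
}

// Bob edits the ID in the URL from 1002 to 1001 and onward. Against the fixed
// handler this produces a run of 404s, which the detector picks up.
function demo() {
  const log = [];
  for (let id = 1000; id <= 1004; id++) {
    log.push(simulateRequest(getReceiptForUser, id, "bob"));
  }
  log.push(simulateRequest(getReceiptForUser, 1001, "alice"));
  return findEnumeratingSessions(log, 4, 0.5);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", getReceiptVulnerable("1001"));
  console.log("fixed:", getReceiptForUser("1001", "bob"));
  console.log("flagged sessions:", demo());
}
```

Note that making the IDs long and random only hides the problem; the ownership check in getReceiptForUser is the actual fix, and the 404-ratio check is a cheap way to spot the pattern in access logs even before the fix ships.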


A new CSS-based web attack will crash and restart your iPhone

It doesn't seem capable of exploiting anything, but there's also no real way yet of stopping it. The code, which is safe to view, is here. Hackernews discussion here. The researcher has another attack ready that takes MacOS into a crash loop, but won't release that one yet.
bleepingcomputer.com


Windows systems vulnerable to FragmentSmack DoS bug

Similar to Linux a few months back (link), a number of Windows versions can be rendered unresponsive by the same bug. A fix was included in this month's Patch Tuesday.
bleepingcomputer.com


Researchers describe cold-boot attack that works on all laptops

We all know that once an attacker gets physical access to your device it's much harder to defend yourself. This bypasses disk encryption though, and even firmware passwords if the device is in sleep mode. It's a bit hard to make out if anything can be done, but as I understand it one can only make it as hard as possible by using disk encryption, a firmware password, and always shutting down or hibernating the device instead of putting it to sleep.
threatpost.com


Remote code execution in Alpine Linux

There's a vulnerability in apk, the default package manager. It can be exploited through a malicious package or a man-in-the-middle (MITM) attack. Lots of Docker images are based on Alpine, so check your own.
justi.cz


iOS 12 is here: these are the security features you need to know about

Automatic updates, USB restricted mode and password management improvements.
sophos.com


Critical out-of-band patch for Adobe Acrobat Reader

This seems to have missed the window of their regular patch cycle last week. It fixes seven vulnerabilities, one of which can trigger remote code execution.
threatpost.com


Equifax IT staff had to rerun hackers' database queries to work out what was nicked

Article on the internal process after the Equifax hack. Not exactly heartwarming. Hackernews discussion here.
theregister.co.uk


Breachroom: A collection of recent cyber attacks and data breaches

Nice project from Templarbit, gathering all information on high-level breaches.
templarbit.com


GitHub - OWASP/NodeGoat

Very cool project. It provides an environment to learn about how the OWASP Top 10 security risks apply to Node.js applications and teaches how to mitigate them.
github.com


The effectiveness of publicly shaming bad security

It's a sad fact that many companies only seem to change their insecure practices when they are publicly shamed about them. Troy Hunt makes his position on this very clear with a bunch of examples.
troyhunt.com


Extended Validation certificates are dead

Another one of Troy's. I must admit that I don't know how CAs are going to stay alive with Let's Encrypt being a pretty awesome thing.
troyhunt.com


Sponsorship

Vulnerable web applications allow hackers to bypass corporate firewalls

A detailed technical article which explains how malicious attackers can target vulnerable web applications running on developers' workstations.
netsparker.com


1Password for Teams and Business

I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.
1password.com