Issue 97

Brucon - minimal mode

This week I'm at the Brucon security conference (and recovering from a 9-hour timezone difference), so we're in minimal mode again. This means I select news and articles that look interesting, but with less stringent filtering and summarising than usual. Regular service should resume next week.

Breaches and leaks

  • Facebook: well, this was a big one. By abusing the "View as" function, the attackers were able to access the accounts of 50 million users.
  • Chegg: not exactly small either. Chegg, a textbook rental service, had a data breach affecting over 40 million customers.

How China used a tiny chip to infiltrate U.S. companies

This bit of news reads like a spy novel. I'm not entirely sure what to make of it. All involved companies released statements completely rejecting everything that was said in the original article. Will no doubt be continued.

New Linux kernel bug affects Red Hat, CentOS, and Debian Distributions

Security vulnerability in Apple's Device Enrollment Program could allow full access to corporate networks

Google adds new rules to end malicious Chrome extensions


  • Adobe fixes 47 critical vulnerabilities in Acrobat and Reader: link
  • Foxit fixed more than 100(!) vulnerabilities in their PDF reader: link
  • Mozilla patched seven vulnerabilities in Thunderbird, one of them being critical: link

Lock screen bypass already discovered for Apple’s iOS 12

Uber to pay $148 million in data breach settlement

Do You Really Know CORS?

Hardening macOS

Troy Hunt on using a Pi-hole to block ads


1Password for Teams and Business

I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.

Application layer security for modern teams

Incredible organisations from startups to some of the world's largest enterprises trust Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.