Issue 97

Brucon - minimal mode

This week I'm at the Brucon security conference (and recovering from a 9-hour timezone difference), so we're in minimal mode again. This means I select news and articles that look interesting, but with less stringent filtering and summarising than usual. Regular service should resume next week.



Breaches and leaks

  • Facebook: well, this was a big one. By abusing the "View as" function, the attackers were able to access the accounts of 50 million users.
  • Chegg: not exactly small either. Chegg, a textbook rental service, had a data breach affecting over 40 million customers.


How China used a tiny chip to infiltrate U.S. companies

This bit of news reads like a spy novel. I'm not entirely sure what to make of it. All involved companies released statements completely rejecting everything that was said in the original article. Will no doubt be continued.
bloomberg.com


New Linux kernel bug affects Red Hat, CentOS, and Debian Distributions


thehackernews.com


Security vulnerability in Apple's Device Enrollment Program could allow full access to corporate networks


9to5mac.com


Google adds new rules to end malicious Chrome extensions


bleepingcomputer.com


Updates

  • Adobe fixes 47 critical vulnerabilities in Acrobat and Reader: link
  • Foxit fixed more than 100 (!) vulnerabilities in their PDF reader: link
  • Mozilla patched seven vulnerabilities in Thunderbird, one of them being critical: link


Lock screen bypass already discovered for Apple’s iOS 12


sophos.com


Uber to pay $148 million in data breach settlement


techcrunch.com


Do You Really Know CORS?


performantcode.com


Hardening macOS


bejarano.io


Troy Hunt on using a Pi-hole to block ads


troyhunt.com


Sponsorship

1Password for Teams and Business

I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.
1password.com


Application layer security for modern teams

Incredible organisations from startups to some of the world's largest enterprises trust Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.
templarbit.com