Issue 102

Breaches and leaks

It's not so bad this week!
Or maybe I missed some? I was lying sick in bed most of the week. But still, yay, positive thoughts \o/

  • HSBC Bank: roughly 1% of its US customers had their online accounts accessed, exposing account details, transaction history and more. It looks like a credential stuffing attack, using username/password pairs obtained from other breaches.
  • FIFA: hacked again, and it is bracing for another round of confidential documents to leak and raise scandals.


PortSmash: side-channel attack on Intel CPUs

Interesting kind of attack, where one thread can extract information about another thread running on the same physical core via SMT (Hyper-Threading): the two threads compete for the core's execution ports, and the timing of that contention leaks what the other thread is doing. The proof of concept stole an OpenSSL private key from a TLS server running on the sibling hyper-thread. Shared hosting and other multi-tenant environments, where an attacker can run code next to a victim, are the most exposed. It's unclear right now if AMD is affected too; the obvious mitigations are to disable SMT or to avoid sharing cores between trust domains, and to pick up the OpenSSL fix.
sophos.com


Cisco security appliances under attack, still no patch available

There's a vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco ASA and Firepower Threat Defense devices that lets a remote attacker trigger a denial of service (crash or high CPU). It's being exploited in the wild, but no patch is available yet. If you run these devices, check Cisco's advisory for the workarounds: disabling SIP inspection if you don't need it, blocking the offending source hosts, or rate-limiting SIP traffic.
helpnetsecurity.com


Many CMS plugins and PHP libraries are disabling TLS certificate validation

Many plugins use cURL to talk to payment gateways and similar services, but turn off certificate validation (CURLOPT_SSL_VERIFYPEER set to false, or CURLOPT_SSL_VERIFYHOST set to 0) because validation fails with scary-looking errors. Without validation, anyone on the network path can impersonate the gateway and read or alter the traffic, among other problems.
The errors happen because cURL can't find a list of trusted Certificate Authorities on the system. Check your own codebase to see if you're affected, and instead of disabling validation, give cURL the CA bundle it is missing (CURLOPT_CAINFO); the researcher has released a library that does exactly that.
zdnet.com
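As an added example (not code from the article or from the researcher's library), here is a small shell script that scans a PHP code base for the exact pattern described above: cURL calls that set CURLOPT_SSL_VERIFYPEER to false/0 or CURLOPT_SSL_VERIFYHOST to anything other than 2. The grep patterns are an assumption about how such code is usually written, and the sample plugin tree it builds is constructed for the demonstration; the CA bundle path in the "good" sample is also an assumption.

```sh
#!/bin/sh
# Added example: find cURL calls in PHP code that switch off TLS certificate
# validation. Not part of the article or of the researcher's library; the
# regexes are an assumption about typical curl_setopt()/option-array usage.

# List every line that sets CURLOPT_SSL_VERIFYPEER to false/0, or
# CURLOPT_SSL_VERIFYHOST to false/0/1 (only the value 2 checks the hostname).
# Output format: path:line:matching text. /dev/null forces the filename prefix.
find_insecure_curl() {
    find "$1" -type f -name '*.php' -exec grep -niE \
        -e 'CURLOPT_SSL_VERIFYPEER[[:space:]]*(,|=>)[[:space:]]*(false|0)([^0-9]|$)' \
        -e 'CURLOPT_SSL_VERIFYHOST[[:space:]]*(,|=>)[[:space:]]*(false|0|1)([^0-9]|$)' \
        /dev/null {} + || true   # grep exits 1 when nothing matches; fine here
}

# Number of offending lines, handy as a CI gate.
count_insecure_curl() {
    find_insecure_curl "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample tree: one plugin that disables validation, one that does
# it right by pointing cURL at a CA bundle instead. Paths are made up.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/bad-gateway" "$dir/plugins/good-gateway"
    cat > "$dir/plugins/bad-gateway/client.php" <<'EOF'
<?php
$ch = curl_init('https://gateway.example/charge');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // "fixes" the CA error, breaks TLS
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYHOST => 0, CURLOPT_RETURNTRANSFER => true]);
EOF
    cat > "$dir/plugins/good-gateway/client.php" <<'EOF'
<?php
$ch = curl_init('https://gateway.example/charge');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// Give cURL the CA list it is missing instead of turning validation off.
// Bundle path is an assumption; use your distro's bundle or one you ship.
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
EOF
    printf '%s\n' "$dir"
}

# Usage: sh curl-tls-scan.sh /path/to/wp-content/plugins
# Prints the findings and exits non-zero if there are any.
if [ -n "$1" ]; then
    find_insecure_curl "$1"
    [ "$(count_insecure_curl "$1")" -eq 0 ] || exit 1
fi
```

Run against the constructed tree, the scan reports the two offending lines in bad-gateway/client.php and nothing in good-gateway/client.php. The check is deliberately textual: it will miss validation disabled through a variable or a wrapper, so treat zero findings as "nothing obvious", not as a clean bill of health.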


30 spies dead after Iran cracked CIA comms network with Google search

This is about as bad as opsec gets. A double agent showed Iran a website the CIA used to communicate with its agents. Using Google, Iran found similar sites and used them to intercept communications and identify agents.
theregister.co.uk


VirtualBox zero-day vulnerability and exploit published

The vulnerability, in VirtualBox's emulated Intel E1000 network adapter, lets an attacker break out of the guest OS into the host OS, although only as an unprivileged host process. Coupled with a privilege escalation exploit it could do real damage. The researcher published the zero-day and a working exploit out of frustration with Oracle's "responsible disclosure" process. Until a fix lands, switching guests to a different virtual NIC (PCnet or the paravirtualized adapter) avoids the affected code.
bleepingcomputer.com


iOS 12.1 passcode bypass hack discovered

It only took a few hours after the release, and it was found by the same researcher who found the last few. With physical access to a locked phone, it exposes the contact list and contact details. No patch is available yet.
hackread.com


Vulnerabilities' CVSS scores soon to be assigned by AI

The workload for the NIST researchers who assign CVSS scores has become too much. They've teamed up with IBM Watson, and the results look promising: it scores common, well-understood vulnerability types well, but struggles with novel or complex ones, which still need a human.
helpnetsecurity.com


Microsoft is porting Sysinternals tools to Linux

I haven't done any Windows work in my career, but even I know of Sysinternals. Although, maybe that's because Mark Russinovich, its creator, also became a great fiction writer whom I've read :)
Anyway, Microsoft has started porting Sysinternals to Linux, beginning with the ProcDump utility, which writes core dumps of a running process when criteria you specify are met, such as a CPU usage threshold, a memory usage threshold or a fixed time interval.
bleepingcomputer.com


Netflix releases desktop versions of device security app Stethoscope

Stethoscope checks your device for things like firewall settings, disk encryption and more. The desktop version works as a standalone checklist and doesn't even need an Internet connection. Pretty useful for letting employees self-check their device security.
helpnetsecurity.com


API Security newsletter

It's a newsletter kind of like this one, but focused specifically on API security. Check it out! (But also please stay subscribed to this one.)
apisecurity.io


Gophish - open source phishing framework

Very cool project that aims to make it free and easy to test your employees' resilience against phishing attacks: you build a campaign with templates and landing pages, and it tracks who opened, who clicked and who submitted credentials.
getgophish.com


Sponsorship

1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.
1password.com


TLDR newsletter: daily e-mail with technology news

I've been reading this one ever since I found out about it. The news is interesting, and the summaries are very well written.
tldrnewsletter.com