Issue 144

Personal note

Back from vacation!
Getting right back to work, catching up on all the things :-) Enjoy!



Breaches and leaks

  • Hosting provider Hostinger breached, affecting 14 million customers: link.
  • Company behind Foxit PDF Reader announces security breach: link.
  • Mastercard reports data breach to German and Belgian DPA's: link.
  • New York school district infected by ransomware, paid $100.000: link.


Google fixes high-severity browser engine flaw

It could lead to remote code execution. No exploit has been seen yet though, and I think you'd still have to get through the sandbox? But still, better make sure you have the latest.
threatpost.com


Cisco IOS XE routers vulnerable to rare 10/10-severity security flaw

It allows anyone on the internet to bypass the login for an IOS XE device without the correct password. Patch em if you got em.
zdnet.com


Protocol used by 630,000 devices can be abused for devastating DDoS attacks

Researchers warn that the WS-Discovery protocol can readily be abused for DDoS attacks, which are in fact already a weekly occurrence. It seems it has the potential for an amplification factor of over 300.
zdnet.com


Avast and French police take over malware botnet and disinfect 850,000 computers

They took control of the command & control servers of the Retadup botnet, ordering the malware to delete itself from over 850.000 Windows systems. Kudos.
zdnet.com


Google Chrome to warn if logins are found in a data breach

They couldn't let Firefox have all the glory right? :-)
bleepingcomputer.com


Windows 7 end of life: months from patch cut-off, millions still haven't upgraded

The deadline is January 14, 2020. Better start looking into this if you're still on Windows 7.
zdnet.com


Python 2 scheduled to be end-of-life soon, update to Python 3

More EOL news! The deadline here is January 1st, 2020. Good to keep on your radar.
zdnet.com


Starbucks left subdomain open to hijacking

Good reminder to check your records for orphaned entries.
bleepingcomputer.com


Blocking newly-registered domains as a security measure?

I mean, it obviously has issues. But depending on the company I can see it making sense. Simple and rather effective.
tripwire.com


Employees connect nuclear plant to the internet to mine cryptocurrency

facepalm
zdnet.com


Sponsorships

1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always found them to be the best option. Especially because of their UX and support,
1password.com