Related to, but not the same as, "Drupalgeddon2". Make sure you patch ASAP: only five hours after the announcement the first exploit attempts were already seen. Meanwhile, several botnets are racing to attack as many Drupal sites as possible with the Drupalgeddon2 exploit.
It's quite a hefty attack: they hijacked BGP routes to redirect DNS traffic destined for Amazon's Route 53. They then man-in-the-middled all traffic for MyEtherWallet, sending users to their own phishing site to trick them into handing over their private keys. Cloudflare explains more on the BGP leak here.
They're a bit odd in my eyes, but there you go. You've got self-destruction emails, password-lockable emails, and the ability to restrict forwarding, downloading or printing.
One of the fixes tackles the QR code spoofing bug that made some news over the last few weeks.
AutoFill is a feature that third-party websites can integrate to let users fill in forms with a single click. This researcher discovered, however, that any site could trigger that feature and thereby receive personal information from its visitors. It was disclosed to LinkedIn and fixed.
A lot of people found e-mails sent by them, to them, in their Gmail folders, leading them to think their account had been hacked. It turns out to be a nifty but 'regular' spam trick; no accounts were compromised.
Altaba, the part of Yahoo that Verizon didn't buy, was charged with failing to disclose the massive 2014 cybersecurity breach and has agreed to pay up. At the same time, one of the four hackers arrested for that breach might receive eight years in prison.
It allows a website to mark its cookies so that the browser never attaches them to requests initiated by another site, essentially stopping CSRF attacks. Chrome has this feature too; others are still to follow. This post from Scott Helme explains it well.
Yet another tale from the glorious world of electronic health implants. Belgian researchers showed the possibility of hacking neurostimulators, which are used to treat Parkinson's symptoms.
Very good read on how the author handles internal security training at PagerDuty for non-engineering teams.
From the creator of other Mac security tools, like OverSight and RansomWhere?, comes Do Not Disturb: an interesting app that notifies you when the lid of your MacBook is opened. You can find it here.
WAFs are a good security measure, but the security of your web applications should not depend on them alone, because they can be bypassed. Watch this demo on Paul's Security Weekly, in which a researcher from Netsparker explains and demonstrates how modern web application firewalls can be defeated.
Fleetsmith just released a new feature that allows you to remotely lock and wipe your employees' devices if they get lost or stolen. They also let you manage your first 10 devices for free, the product integrates fully with G Suite, and it is used by yours truly every day.