Issue 74

Drupal releases patch for another high-level vulnerability

Related to but not the same as "Drupalgeddon2". Make sure you patch ASAP, since the first exploit attempts were already seen only five hours after the announcement. Meanwhile there are several botnets racing to attack as many Drupal sites as possible with the Drupalgeddon2 exploit.
bleepingcomputer.com


Hacker hijacks DNS traffic of MyEtherWallet to steal $160,000

It's quite a hefty attack: they hijacked BGP routes to redirect DNS traffic going to Amazon's Route53. Then they man-in-the-middled all traffic for MyEtherWallet to their own phishing site to trick users into giving up their private keys. Cloudflare explains more on the BGP leak here.
helpnetsecurity.com


Gmail releases new data protection features

They're a bit odd in my eyes, but there you go. You've got self-destructing emails, password-lockable emails, and the ability to restrict forwarding, downloading or printing.
helpnetsecurity.com


Apple releases several security fixes

One of the fixes tackles the QR code spoofing bug that made some news over the last few weeks.
helpnetsecurity.com


LinkedIn AutoFill exposed visitor name and email to third-party websites

AutoFill is a feature that third-party websites can integrate to allow users to quickly fill in forms with a single click. This researcher discovered, however, that any site can trick that feature into activating and so receive personal information from those visitors. It was disclosed to LinkedIn and fixed.
lightningsecurity.io


NIST releases Cybersecurity Framework 1.1

Their framework gets used quite a lot as a blueprint for securing critical infrastructure, and also serves as inspiration for large and small enterprises. Direct link here.
helpnetsecurity.com


Google spam messages in your Sent folder

A lot of people found e-mails sent by them, to them, in their Gmail folders, making them think their account was hacked. It turns out it's a nifty, but 'regular' spam trick; no accounts were compromised.
techrepublic.com


Altaba, formerly known as Yahoo, to pay $35 million for 2014 data breach

Altaba, the parts of Yahoo that Verizon didn't buy, was charged with failing to disclose the massive 2014 cybersecurity breach and has agreed to pay up. At the same time, one of the four hackers arrested for that breach might receive eight years in prison.
sec.gov


Firefox starts supporting same-site cookies

It allows a website to enable a setting where its cookies are never sent along with requests initiated by another site, essentially stopping CSRF attacks. Chrome has this feature too; others are still to follow. This post from Scott Helme explains it well.
mozilla.org


Hacking brain implants

Yet another tale of the glorious world of electronic health implants. Belgian researchers showed the possibility of hacking neurostimulators, which are used to treat Parkinson's symptoms.
hackread.com


Our approach to employee security training

Very good read on how the author handles internal security training at PagerDuty for non-engineering teams.
pagerduty.com


The 'Do Not Disturb' app protects your Mac from evil maid attacks

From the creator of other Mac security tools, like OverSight and Ransomwhere, comes Do Not Disturb, an interesting app that notifies you when the lid of your MacBook is opened. You can find it here.
wired.com


Sponsorship

Bypassing web application firewalls

WAFs are a good security measure, but the security of your web applications should not depend solely on them, because they can be bypassed. Watch this demo on Paul’s Security Weekly during which a researcher from Netsparker explains and demos how modern web application firewalls can be defeated.
netsparker.com


Remote lock & wipe your company's devices

Fleetsmith just released a new feature that allows you to remotely lock and wipe your employees' devices if they get lost or stolen. Fleetsmith also lets you manage your first 10 devices for free, integrates fully with G Suite, and is used by yours truly every day.
fleetsmith.com