Issue 98

Breaches and leaks

  • Apollo: analytics service, leaked aggregated data on 200 million people and 10 million companies. The leak also included data "of opportunity" that Apollo's customers uploaded and linked, originating from Salesforce and similar services.
  • Google+: 500.000 user profiles had their data exposed to third-party developers who should not have had access to it.
  • Burgerville: credit card data was stolen by the Fin7 group; it's uncertain how many customers are affected.
  • Navionics: an Italian navigation company, recently acquired by Garmin, exposed a 19GB product and customer database in an open MongoDB instance.


US advanced weaponry is easy to hack, even by low-skilled attackers

Looking over the results of DOD audits, it seems there's a lot of work left to do. It includes such gems as "systems failed just by being port scanned", "admin password guessed within 9 seconds", and the Red Team having fun by showing a pop-up to the pilot reading "insert two quarters to continue operating". The full PDF report can be found here.
bleepingcomputer.com


WikiLeaks releases Amazon Atlas: locations of AWS datacenters

The exact location of most AWS datacenters was a closely guarded secret. Until, apparently, now :-/ No idea how accurate it is at this point, but it seems newsworthy.
wikileaks.org


Weak default passwords banned in California legislation

The law mandates that each IoT device should come with a unique password (instead of admin/admin, as is often the case now), and that the user is prompted to set a new password upon first access. It's very commendable, in my opinion, but it does come with some criticism, for example the fear that most users will just use the same password everywhere. But hey, step by step.
scmagazine.com


Malicious Chrome extension devs' workaround for the inline install ban

You used to be able to prompt a visitor to install a Chrome extension from your own website, until Google banned that possibility. Now one always has to go through the Chrome Web Store. However, this article shows a neat trick that malicious actors now use: showing the Web Store page, but minimised so that only the "Add to Chrome" button is visible.
bleepingcomputer.com


Flatpak - a security nightmare

Flatpak is a technology for distributing desktop applications on Linux. You can learn more about it here. I don't like the scathing tone of this article, but it does point to some serious security issues with Flatpak that seem worth mentioning. Hacker News discussion here.
flatkill.org


The U.S. Marine Corps bug bounty program resolves nearly 150 vulnerabilities

The "Hack the Marine Corps" event is the sixth in the DoD's "Hack the Pentagon" program. It was a success, with over 100 hackers participating, nearly 150 vulnerabilities found and over $150.000 awarded in bounties.
hackerone.com


US government rolls out 2-step verification for .gov domain owners

In the "how was this not a thing yet" department.
zdnet.com


Millions at risk from default webcam passwords

A nice overview of how bad the security is for IoT webcams by Xiongmai, the company that makes most of those cameras and then white-labels them to other companies.
sophos.com


PoC attack escalates MikroTik router vulnerability to 'as bad as it gets'

A previously known medium-severity bug is now being elevated to 'critical' because of its discovered use as a remote code execution vector. MikroTik has been in the news quite a bit in the last few months :/ If you have one, make sure it's up to date.
threatpost.com


Update all the things \o/

  • Git fixed a remote code execution vulnerability in the Git client, GitHub Desktop and Atom.
  • Microsoft patched 50 vulnerabilities, 12 of them being marked as critical.
  • Adobe fixed 11 vulnerabilities, two being critical. None for Flash, surprisingly.
  • Apple fixed two passcode bypasses in iOS 12.0.1, and several critical vulnerabilities in iCloud for Windows.


TLDR Newsletter: daily digest of tech news

The writer of TLDR was kind enough to mention me in a recent issue, so I'd like to return the favour :-) If you're looking for a curated newsletter on tech news, I can recommend it!
tldrnewsletter.com


Sponsorship

1Password for Teams and Business

Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.
1password.com


Application layer security for modern teams

Incredible organisations, from startups to some of the world's largest enterprises, trust Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.
templarbit.com