- Apollo: analytics service, leaked aggregated data on 200 million people and 10 million companies. The leak also included data "of opportunity" that Apollo's customers uploaded and linked, originating from Salesforce and similar services.
- Google+: the profiles of 500.000 users were exposed to third-party apps that should not have had access to that information.
- Burgerville: credit card data was stolen by the Fin7 group; it's uncertain how many customers are affected.
- Navionics: an Italian navigation company, recently acquired by Garmin, exposed a 19GB product and customer database in an open MongoDB instance.
Looking over the results of the DoD audits, it seems there's a lot of work left to do. They include such gems as "systems failed just by being port scanned", "admin password guessed within 9 seconds", and the Red Team having fun by showing the pilot a pop-up reading "insert two quarters to continue operating". The full PDF report can be found here.
The exact location of most AWS datacenters was a closely guarded secret. Until, apparently, now :-/ No idea how accurate it is at this point, but it seems newsworthy.
The law mandates that each IoT device should come with a unique password (instead of admin/admin, as is often the case now), and that the user is prompted to set a new password upon first access. It's very commendable, in my opinion, but it does come with some criticism. For example, the fear that most users will just use the same password everywhere. But hey, step by step.
You used to be able to prompt a visitor to install a Chrome extension from your own website, until Google banned that possibility. Now one always has to go through the Chrome Web Store. However, this article shows a neat trick that malicious actors now use: they show the Web Store page, but shrunk so that only the "Add to Chrome" button is visible.
Flatpak is a technology for distributing desktop applications on Linux. You can learn more about it here. I don't like the scathing tone of this article, but it does point to some serious security issues with Flatpak that seem worth mentioning. Hacker News discussion here.
The "Hack the Marine Corps" event is the sixth in the DoD's "Hack the Pentagon" program. It was a success, with over 100 hackers participating, nearly 150 vulnerabilities found and over $150.000 awarded in bounties.
In the "how was this not a thing yet" department.
A nice overview of how bad the security is on IoT webcams made by Xiongmai, the company that manufactures most of those cameras and then white-labels them for other brands.
A previously known medium-severity bug has now been elevated to 'critical' because it was found being used as a remote code execution vector. MikroTik has been in the news quite a bit in the last few months :/ If you have one, make sure it's up to date.
- Git fixed a remote code execution vulnerability in the Git client, GitHub Desktop and Atom.
- Microsoft patched 50 vulnerabilities, 12 of them being marked as critical.
- Adobe fixed 11 vulnerabilities, two being critical. None for Flash, surprisingly.
- Apple fixed two passcode bypasses in iOS 12.0.1 and several critical vulnerabilities in iCloud for Windows.
The writer of TLDR was kind enough to mention me in a recent issue, so I'd like to return the favour :-) If you're looking for a curated newsletter on tech news, I can recommend it!
Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.
Incredible organisations, from startups to some of the world's largest enterprises, trust Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.