Issue 128

Personal note - over 5,000 subscribers!

\o/ This was a huge milestone for me. I'm over the moon about this, and also quite proud, if I'm honest. Thank you for reading this newsletter, and for your kindness when sharing feedback. I hope to provide this service to you for a long, long time.

Breaches and leaks

  • Citycomp: provides internet infrastructure to large brands such as Airbus, Volkswagen and Oracle. The attackers claim to hold over 500 GB of financial and private data, and are demanding a ransom from Citycomp.
  • Binance: the crypto exchange was breached, and the attackers got away with over $40 million in Bitcoin.
  • Freedom Mobile: the large Canadian telco left an unsecured database exposed containing personal information, credit card numbers and subscription details of (by their own estimate) 15,000 customers.
  • PrismWeb: the e-commerce platform was hijacked by Magecart credit-card-skimming malware, affecting over 200 college campus stores.
  • Burger King: left an unsecured Elasticsearch instance exposed containing personal information of 37,000 customers of its Kool King Shop, an online shop aimed at kids.

Alpine Linux Docker images ship a root account with no password

Well, that ain't good. Although from what I find it's not quite as horrible as it sounds. You can't just get into any Alpine container out of the box: the root entry in /etc/shadow (where Linux password hashes live) has an empty password field, which only matters when the container exposes a service that authenticates against the shadow file. Maybe SSH in certain configurations? Warrants a deeper dive if you run Alpine. Hackernews discussion here.
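If you want to check your own images rather than take anyone's word for it, here is an added example (my own, not code from the newsletter's sources or from Alpine). It parses a shadow-format file, reports whether root's password field is empty, locked or set, and shows what locking it looks like. The sample shadow file is constructed to mirror the shape of the affected image.

```sh
#!/bin/sh
# Added example, not from the newsletter or Alpine: audit a shadow-format
# file for an empty root password field, and show the fix.
# Field 2 of /etc/shadow is the password hash. An empty field is NOT a
# locked account: a mechanism that authenticates against the shadow file
# may accept an empty password for root. A locked account has "!" or "*".
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Print root's password state for the shadow file in $1:
#   empty | locked | set | missing
root_password_state() {
  awk -F: '
    $1 == "root" {
      found = 1
      if ($2 == "")          { print "empty" }
      else if ($2 ~ /^[!*]/) { print "locked" }
      else                   { print "set" }
      exit
    }
    END { if (!found) print "missing" }
  ' "$1"
}

# Write a copy of $1 to $2 with an empty root password field replaced by
# "!", which is what `passwd -l root` does to the real /etc/shadow.
lock_root_password() {
  awk -F: 'BEGIN { OFS = ":" } $1 == "root" && $2 == "" { $2 = "!" } { print }' \
    "$1" > "$2"
}

# Constructed sample: root with an empty password field (same shape as the
# affected Alpine image), plus a properly locked system account.
cat > "$WORK/shadow.before" <<'EOF'
root:::0:::::
bin:!::0:::::
nobody:!::0:::::
EOF

root_password_state "$WORK/shadow.before"                          # empty
lock_root_password "$WORK/shadow.before" "$WORK/shadow.after"
root_password_state "$WORK/shadow.after"                           # locked

# On a running container the same check is:
#   docker run --rm <image> awk -F: '$1=="root"{print ($2==""?"empty":"ok")}' /etc/shadow
# and the fix, short of pulling a rebuilt image, is `RUN passwd -l root`
# in your Dockerfile.
```

The state check is pure awk, so it runs inside the minimal Alpine image itself without installing anything.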

A hacker is wiping Git repositories and asking for a ransom

Several hundred repositories on GitHub, Bitbucket and GitLab were wiped and replaced with a ransom note. The attacker got in using credentials harvested from publicly exposed /.git/config files. However, since it's Git, I doubt anyone actually lost anything? For one, you probably have a copy somewhere locally. If not, this seems to be the way to roll back what the attacker did.
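To make the "nothing is really lost" point concrete, here is an added example of my own (not code from the newsletter's sources or from the linked write-up). It reproduces the wipe against a throwaway bare repository, then shows the server-side forensic check, the client-side recovery, and the .git/config check that would have caught the root cause. Everything here is constructed locally; the "hosted" repo is just a bare directory, and the leaky remote URL is fake.

```sh
#!/bin/sh
# Added example, not from the newsletter or the linked write-up: simulate the
# force-push wipe on a local bare repo, then recover and show the prevention.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid

# --- setup: a bare "hosted" repo and a developer clone with one real commit
git init -q --bare "$WORK/origin.git"
git -C "$WORK/origin.git" symbolic-ref HEAD refs/heads/main
git init -q "$WORK/dev"
git -C "$WORK/dev" symbolic-ref HEAD refs/heads/main
git -C "$WORK/dev" remote add origin "$WORK/origin.git"
echo 'print("real work")' > "$WORK/dev/app.py"
git -C "$WORK/dev" add app.py
git -C "$WORK/dev" commit -q -m 'Initial import'
git -C "$WORK/dev" push -q origin main
GOOD=$(git -C "$WORK/dev" rev-parse main)

# --- the attack: an unrelated one-commit history force-pushed over main
git init -q "$WORK/attacker"
git -C "$WORK/attacker" symbolic-ref HEAD refs/heads/main
# constructed ransom note, not the real one
echo 'Your code has been wiped. Contact us to get it back.' > "$WORK/attacker/WARNING"
git -C "$WORK/attacker" add WARNING
git -C "$WORK/attacker" commit -q -m 'WARNING'
git -C "$WORK/attacker" push -q --force "$WORK/origin.git" main
WIPED=$(git -C "$WORK/origin.git" rev-parse main)

# 1. Server side: a force-push moves a ref, it does not delete objects. Until
#    gc prunes them, the old commits are still there, just unreachable, and
#    `git fsck` lists them as dangling.
dangling_commits() {
  git -C "$1" fsck 2>/dev/null | awk '$1 == "dangling" && $2 == "commit" { print $3 }'
}

# 2. Client side: any clone that still has the branch force-pushes it back.
#    Prints the commit the remote branch points to afterwards.
recover_wiped_branch() {
  repo=$1; branch=$2
  git -C "$repo" push -q --force origin "$branch:$branch"
  git -C "$repo" ls-remote origin "refs/heads/$branch" | cut -f1
}

# 3. Prevention: report remotes whose URL embeds user:password. That is
#    exactly what a web-exposed .git/config hands to anyone who fetches it.
remote_urls_with_credentials() {
  git -C "$1" config --get-regexp '^remote\..*\.url$' \
    | awk '$2 ~ /^[a-z+]+:\/\/[^\/@]+:[^\/@]+@/ { print $1 }'
}

# Constructed leaky remote (fake host and credentials) so the check fires.
git -C "$WORK/dev" remote add deploy "https://deploy:hunter2@git.example.invalid/repo.git"

dangling_commits "$WORK/origin.git"          # the original commit, $GOOD
remote_urls_with_credentials "$WORK/dev"     # remote.deploy.url
RECOVERED=$(recover_wiped_branch "$WORK/dev" main)
```

The fsck step is what a hosting provider can do for you even if no clone exists anywhere; the force-push step is what you do yourself when one does. The config check is worth running over every checkout that sits under a web root, because the credentials in the URL are what made this attack possible in the first place.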

Firefox armagg-add-on: Lapsed security cert kills all browser extensions

This must have been painful for Mozilla engineers :-/ An intermediate certificate in the add-on signing chain expired, causing every Firefox add-on to stop working at once. More from Mozilla themselves in this blogpost.
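The lesson for anyone who runs a signing chain is to monitor the expiry of every certificate in it, not just the leaf. As an added example of my own (not Mozilla's code or anything from the page), the script below builds a throwaway root plus intermediate with openssl, where the intermediate is deliberately short-lived, and shows that the chain verifies fine today while a 30-day expiry check already flags it. The certificates and names are constructed locally.

```sh
#!/bin/sh
# Added example, not from the newsletter or Mozilla: flag certificates in a
# signing chain that expire within a warning window, using openssl only.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed chain: root CA valid for ten years, intermediate for ten days.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj /CN=Example-Root -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj /CN=Example-Intermediate -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -sha256 -days 10 -in "$WORK/int.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/int.pem" 2>/dev/null

# Print "ok" if the certificate in $1 stays valid for more than $2 days,
# "expiring" otherwise. `x509 -checkend` takes seconds and exits 1 when the
# certificate will have expired by then.
cert_expiry_status() {
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; then
    echo ok
  else
    echo expiring
  fi
}

# Exit 0 if the intermediate ($2) chains to the root ($1) right now.
chain_verifies_today() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# One line per certificate: status, then the file name.
chain_expiry_report() {
  days=$1; shift
  for cert in "$@"; do
    echo "$(cert_expiry_status "$cert" "$days") $cert"
  done
}

chain_verifies_today "$WORK/root.pem" "$WORK/int.pem" && echo "chain verifies today"
chain_expiry_report 30 "$WORK/root.pem" "$WORK/int.pem"
# ok       .../root.pem
# expiring .../int.pem
```

Point the report at the real PEM files of your signing chain and run it from cron or your monitoring system; a chain that passes `openssl verify` today says nothing about next week.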

Mozilla will disable Firefox add-ons that contain obfuscated code

There's also good news on the Firefox add-on front. Most malicious extensions contain obfuscated code, and such extensions will now be blocked. There will be a soft block and a hard block, with soft meaning that the user can override the sanction and use the extension anyway. Chrome has had this policy since October last year.

WordPress 5.2 update comes with several security enhancements

The most important of these are cryptographically signed updates, to prevent supply-chain attacks on the update mechanism, and a new cryptography library (sodium_compat).

Several security enhancements coming to new Android version

New Android versions will get several security improvements, including core modules that can be updated without rebooting the device, TLS 1.3 support, MAC address randomization and finer control over location data.

Your JavaScript can reveal your secrets

A short and sweet introduction to how JavaScript can leak information and credentials from your app if you're not careful.
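Anything in a client-side bundle is readable by every visitor, so the practical check is to scan your built JavaScript before it ships. Here is an added example of my own (not from the newsletter or the linked article) that greps a bundle for credential formats that should never reach the browser. The bundle is constructed; the AWS values in it are Amazon's documented placeholder keys, and the Stripe-style keys are made-up strings of the right shape.

```sh
#!/bin/sh
# Added example, not from the newsletter or the linked article: scan built
# JavaScript for credentials that must not ship to the browser.
# High confidence: AWS access key IDs (AKIA + 16 chars) and Stripe live
# secret keys (sk_live_...). Medium confidence: assignments to property
# names that only ever hold server-side secrets.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

HIGH='AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]{24,}'
MEDIUM="(secretAccessKey|client_secret|private_key)[[:space:]\"']*[:=]"

# Print one "<severity> <file>:<line>:<match>" per finding.
scan_js_for_secrets() {
  grep -H -n -o -E "$HIGH"   "$@" | sed 's/^/high   /' || true
  grep -H -n -o -E "$MEDIUM" "$@" | sed 's/^/medium /' || true
}

# Number of findings at severity $1 across the remaining file arguments.
count_findings() {
  sev=$1; shift
  scan_js_for_secrets "$@" | awk -v s="$sev" '$1 == s' | wc -l | tr -d ' '
}

# Constructed bundle: one publishable key that is fine to ship, an AWS key
# pair (Amazon's documented example values), and a live Stripe secret.
cat > "$WORK/app.bundle.js" <<'EOF'
const STRIPE_PUBLISHABLE = "pk_test_000000000000000000000000";
const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" });
const STRIPE_SECRET = "sk_live_000000000000000000000000";
fetch("/api/profile", { headers: { Authorization: "Bearer " + localStorage.token } });
EOF

scan_js_for_secrets "$WORK/app.bundle.js"
# high   .../app.bundle.js:2:AKIAIOSFODNN7EXAMPLE
# high   .../app.bundle.js:3:sk_live_000000000000000000000000
# medium .../app.bundle.js:2:secretAccessKey:
```

Run it over the output directory of your build (`scan_js_for_secrets dist/*.js`) as a CI step that fails on any high-confidence hit; a publishable key is designed to be public, a secret key in a bundle is already compromised.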

Google's Web Packaging standard arises as a new tool for privacy enthusiasts

It seems like a technology that bundles up a website for delivery, keeping things like the HTTPS origin guarantees intact, but lets the bundle be delivered by anyone rather than only by the origin server. Sounds promising for privacy and against censorship. It works only in Chrome Canary right now, and non-Chromium browsers seem to be against the idea. I can imagine there being quite a few implications in this that I'm not grasping yet.

A critical look on bug bounty programs

There's a lot to say on the subject, but this article focuses mostly on the EU's commitment of €1 million in bug bounties for open source software. The writers (quite rightly, in my view) lament that the money might be better spent supporting the actual maintainers of the software. Since most are already overworked, handing them a pile of security bugs to fix, while noble, might hurt them more than it helps.


1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always ended up with them. By far the best UX and support I've seen.