Issue 140

Personal note - jobs section

Alright, after some back and forth I've decided on accepting jobs into the newsletter. Pricing is always tricky, but I've settled on €100 per job posting per issue, and each job stays on the website for 60 days.

Responses are still sparse on the supply side, so we'll just take it as it comes. If your company is looking for security-minded people, then this is your chance to reach about ~6000 of them :-)



Breaches and leaks

  • Louisiana declared a state of emergency this week, because of a large wave of ransomware attacks on school systems: link.
  • Comodo leaked credentials of one of its employee accounts in a Github repo. A researcher was able to log into their Microsoft Cloud account, which didn't have 2fa enabled. A spammer was there before him: link.
  • A North Carolina county lost $1.7 million to phishers who posed as a construction contractor working on a new high school: link.
  • An electricity supplier from Johannesburg was infected with ransomware, affecting the electricity supply of an estimated 250.000 people: link.
  • Honda had an unsecured Elasticsearch database containing information on all of its internal devices: link.


Capital One data theft impacts 106 million people

This made a lot of headlines this week. A hacker, who has since been arrested, gained access to credit card applications of more than 100 million people. It's unclear if she just discovered an open s3 bucket, or if the hack was more sophisticated than that, I saw different articles saying different things. It also seems that she was caught because she uploaded the full archive to her Github account, which isn't exactly stealthy. More to come on this later I bet.
krebsonsecurity.com


‘Urgent/11’ flaws affect 200 million devices – from routers to elevators

Researchers have uncovered a number of critical flaws, including six remote code execution issues, in VxWorks. It's an OS that's used on an extremely wide range of devices, like routers, firewalls VoIP phones, but also SCADA systems, MRI machines and elevators. Patching against these is going to take forever. The article above is a good overview, this article takes a deeper dive.
sophos.com


Google researchers disclose vulnerabilities for 'interactionless' iOS attacks

If you haven't installed iOS 12.4 yet, you probably want to get on that. Google Zero researchers discovered issues in iMessage which can lead to remote code execution just by receiving a message. Kudos too for responsibly reporting them, because these are worth a lot on the "gray" market.
zdnet.com


Cisco to pay $8.6 million for selling vulnerable software to US government

Apparently, when you see a company sell something to the US government that has a critical security flaw, you can bring it to court. That's what a former Cisco contractor did, and they received $1.8 million for their troubles. It concerned a video surveillance system that had glaring flaws which went unfixed for too long.
zdnet.com


No More Ransom: $108+ million saved in ransomware payments

This week saw the third anniversary of the No More Ransom project, an initiative of law enforcement agencies and private parties to write decryptors for ransomware strains. It's hard to estimate, but a conservative count puts them at helping over 200.000 victims. Pretty freakin' awesome.
bleepingcomputer.com


Marcus Hutchins sentenced to supervised release, no jail

Good news for Marcus, aka 'MalwareTech', of WannaCry-stopping fame. He was arrested in 2017 for creating the Kronos and UPAS malware strains. The judge described him as a "youthful offender", and recognised that he has since used his talents to turn himself around and actually fight cybercrime.
techcrunch.com


Underscoring the “private” in private key

Apparently Amazon Music was caught in a similar situation as Zoom, where their app exposed a local webserver. It was reachable through a domain that mapped to localhost. One problem was that the private key for the TLS certificate was recoverable from the local binary. This post does a great job on explaining how you can do that.
koen.io


Sponsorships

1Password for Teams and Business

We use 1Password to share passwords and secure notes at my current job, same as at my last job. I've tried many alternatives, but always found them to be the best option. Especially because of their UX and support,
1password.com