Issue 148

Breaches and leaks

  • DoorDash confirmed that it was breached, impacting 4.9 million customers and employees: link.
  • Mattress company Verlo Mattress leaks data of 387,000 customers in an unsecured database: link.
  • Payment card details stolen from eight US cities through the Click2Gov software: link.
  • Lots of YouTube creators are falling victim to phishing, even with 2FA enabled: link.
  • CafePress has finally acknowledged that over 23 million emails and passwords were stolen from them: link.


Critical vBulletin zero-day is being actively exploited

Someone publicly shared a remote code execution exploit for the forum software vBulletin. It's being actively exploited, with over 10,000 servers found to be vulnerable.
arstechnica.com


Microsoft urges Windows users to install emergency security patch

There's a critical remote code execution vulnerability in Internet Explorer 9, 10 and 11, causing Microsoft to push this out-of-band patch. Make sure you have the latest updates on your Windows machines.
techcrunch.com


Facebook suspended tens of thousands of apps from 400 developers

It's a result of Facebook's promise to investigate apps that have access to large amounts of user data. Not all of those apps were in production, and some just didn't respond to the audit request. Some companies are being sued by Facebook as a result of what they found.
zdnet.com


DDoS attack takes down South African ISP for an entire day

DDoS attacks aren't unusual, unfortunately, but this article contained a bit of infosec jargon that I didn't know yet: "carpet-bombing DDoS", where amplified DDoS traffic is sent to random IPs in an ISP's network to circumvent regular DoS protection systems.
zdnet.com
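A small detection sketch of the point the article makes, added here and not taken from the ZDNet piece or from the ISP involved: a volumetric detector that thresholds bytes per destination address never trips when the attacker spreads amplified traffic across a whole prefix, while aggregating the same flow records per /24 recovers the signal. The flow records, the thresholds and the list of reflection source ports are constructed assumptions for the example.

```python
"""Per-prefix aggregation for spotting carpet-bombing DDoS traffic.

Added example, not from the article. A per-destination-IP threshold is
blind when amplified traffic is sprayed across many addresses of a
prefix; summing bytes per /24 (or per announced prefix) exposes it.
All flow data below is constructed, not captured traffic.
"""
from collections import defaultdict
import ipaddress

# UDP source ports typical of reflection/amplification responses
# (NTP, DNS, SSDP, memcached). Assumed list, used to characterise a flagged prefix.
REFLECTION_PORTS = {123, 53, 1900, 11211}


def build_sample_flows():
    """Constructed flow records (src_ip, src_port, dst_ip, dst_port, nbytes)
    for one 10-second window."""
    flows = []
    # Amplified NTP responses sprayed across 200 hosts of a customer /24,
    # three 60 kB bursts per host: 180 kB per address, 36 MB for the prefix.
    for host in range(1, 201):
        for k in range(3):
            flows.append((f"192.0.2.{(host + k) % 254 + 1}", 123,
                          f"203.0.113.{host}", 40000 + host, 60000))
    # Ordinary HTTPS traffic into a different /24, far below any threshold.
    for host in range(1, 21):
        flows.append(("192.0.2.250", 443, f"198.51.100.{host}", 50000 + host, 15000))
    return flows


def totals_by_ip(flows):
    """Bytes received per destination address in the window."""
    totals = defaultdict(int)
    for _src, _sport, dst, _dport, nbytes in flows:
        totals[dst] += nbytes
    return dict(totals)


def totals_by_prefix(flows, prefix_len=24):
    """Bytes received per destination prefix of the given length."""
    totals = defaultdict(int)
    for _src, _sport, dst, _dport, nbytes in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[str(net)] += nbytes
    return dict(totals)


def flag_per_ip(flows, threshold_bytes):
    """Classic per-target detector: addresses above the byte threshold."""
    return {ip for ip, b in totals_by_ip(flows).items() if b > threshold_bytes}


def flag_per_prefix(flows, threshold_bytes, prefix_len=24):
    """Prefix-level detector: prefixes whose summed inbound bytes exceed the threshold."""
    return {p for p, b in totals_by_prefix(flows, prefix_len).items() if b > threshold_bytes}


def reflection_share(flows, prefix):
    """Fraction of bytes into `prefix` coming from known reflection source ports.
    A value near 1.0 points at amplification rather than a legitimate traffic spike."""
    net = ipaddress.ip_network(prefix)
    total = refl = 0
    for _src, sport, dst, _dport, nbytes in flows:
        if ipaddress.ip_address(dst) in net:
            total += nbytes
            if sport in REFLECTION_PORTS:
                refl += nbytes
    return refl / total if total else 0.0


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-IP alerts (10 MB/10 s):", flag_per_ip(flows, 10_000_000))
    for prefix in flag_per_prefix(flows, 20_000_000):
        share = reflection_share(flows, prefix)
        print(f"prefix alert {prefix}: {totals_by_prefix(flows)[prefix]} bytes, "
              f"reflection share {share:.0%}")
```

The per-IP pass flags nothing, because every address only sees 180 kB, while the prefix pass flags 203.0.113.0/24 with a 100% reflection share; the mitigation side follows the same idea, applying rate limits or scrubbing to the prefix rather than to whichever single address happens to be busiest.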


Finnish government releases guide on securing Microsoft Office 365

I don't know much about Office 365, but it looks like a great guide of sensible security measures, which might be worth diving into. You can find the PDF itself here.
bleepingcomputer.com


Cleaning up bad bots (and the climate)

Cloudflare showing once again why I like them so much. (No, they aren't a sponsor; I wish.)
The blog post details a new "Bot fighter" feature, where they not only detect and block bots, but also try to "tarpit" them by challenging them with a CPU-intensive roadblock. And quite surprisingly, they'll then plant trees to compensate for the CO2 emissions of those extra CPU cycles.
cloudflare.com


Analysis of an exploited NPM package by Jarrod Overson

Really good and detailed talk about the hack involving the NPM package event-stream a few months back, which got hijacked to capture private keys from online Bitcoin wallets.
youtube.com


The untold story of NotPetya, the most devastating cyberattack in history

Long but great read on the NotPetya attack and its aftermath. It really brings home some of the real-world implications of a cyberattack of that scale, the massive costs, and the interconnectedness of our world. A single vulnerability in some Ukrainian accounting software affected worldwide shipping capabilities, supplies of medicine, and so much more, in a single day.
wired.com


Sponsorships

1Password adds Advanced Protection to business accounts

If you have a business account, you'll want to check this out. They've added the ability to manage company-wide master password rules and 2FA settings, and to prevent the usage of outdated 1Password versions. You can also block logins from certain countries or IPs, and get reports on failed login attempts.
1password.com