Application security

ImmuniWeb subjected the hundred largest airports in the world to several application security, compliance and privacy tests. The results are very worrying: 97% of them have security risks, often serious ones. Only Amsterdam, Helsinki and Dublin airport passed all the tests, and only a quarter of all tested websites are compliant with GDPR and PCI DSS. Read more

The Apple WebKit team published a proposal to standardize the format of one-time SMS codes. It looks promising from both a security and a user experience perspective. The SMS will contain both the login URL and the one-time code, so that browsers that support this new format can automatically fill the code for the specified URL and users no longer have to enter it manually. This also means that browsers are in control and can prevent users from being phished. Read more
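The binding between URL and code is what stops the phishing: a browser only fills the code on the host named in the message. Added example (not part of the newsletter or of the WebKit proposal's own code) showing that check; it assumes the message layout the proposal later standardized as origin-bound one-time codes, where the last line reads "@<host> #<code>":

```javascript
// Added example: parse an origin-bound one-time code SMS and release the code
// only when the host in the message matches the page the user is actually on.
// Assumed message format (from the WebKit/WICG proposal): the last line of the
// SMS is "@<host> #<code>", e.g. "@example.com #123456".
const OTP_LINE = /^@([A-Za-z0-9.-]+)\s+#([A-Za-z0-9]+)$/;

// Extract { host, code } from an SMS body, or null if it is not in the format.
function parseOriginBoundOtp(smsText) {
  const lines = smsText.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) return null;
  const m = OTP_LINE.exec(lines[lines.length - 1]);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide whether the code may be filled on pageUrl. The host in the SMS must
// exactly equal the page's host: no subdomain or look-alike matching, so a
// phishing page on another host never receives the code.
function codeForPage(smsText, pageUrl) {
  const otp = parseOriginBoundOtp(smsText);
  if (!otp) return null;
  let host;
  try {
    host = new URL(pageUrl).hostname.toLowerCase();
  } catch (e) {
    return null; // not a valid URL, so there is no origin to bind to
  }
  return host === otp.host ? otp.code : null;
}

// Constructed sample messages (not real traffic).
const LEGIT_SMS = "Your login code is 123456.\n\n@Example.com #123456";
const OLD_STYLE_SMS = "Your login code is 123456.";
```

With LEGIT_SMS the code is released on https://example.com/login but not on https://example.com.evil.test/login, and OLD_STYLE_SMS yields nothing because it carries no host binding.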

All major browser vendors plan to disable TLS 1.0 and TLS 1.1, starting with Chrome and Firefox in March. SSL Labs has already anticipated this and now caps the grade for a website's TLS implementation at B when it has TLS 1.0 and 1.1 enabled. It's time to disable these two legacy versions of the TLS protocol on your servers. Read more
 
A security researcher has found serious security vulnerabilities in Social Captain, a website for getting more Instagram followers. The site requires users to enter their Instagram username and password. By inspecting the source code of the web page, users could see their own username and password in plain text. But because the site also had an Insecure Direct Object Reference risk, unauthorized users could see other people's credentials by simply incrementing a number in the URL. Social Captain might have even more problems, because Instagram said the site breached its terms of service by improperly storing login credentials. Read more

Privacy

Motherboard and PCMag found that Avast, an antivirus program used by 435+ million people, has been collecting users' internet browsing data and secretly selling it for millions of dollars to clients like Google, Microsoft, Pepsi and many others. Jumpshot, a subsidiary of Avast, repackaged the data collected by the Avast antivirus software and then sold it. Avast's CEO has responded to the scandal: Avast has stopped the data collection and wound down Jumpshot's operations, leaving hundreds of people unemployed. Read more

Hacks and data breaches

The United Nations has been hacked. The attack started in July 2019, but the news only became known this week because, believe it or not, the UN tried to keep the attack under wraps. The attackers managed to compromise a server via a Microsoft SharePoint vulnerability which Microsoft had patched 5 months earlier and which was subsequently exploited in the wild. The UN tries to downplay it, but the impact is massive: the attackers compromised core infrastructure components and could access sensitive data. The report has more details, and when you read it you'll understand that this was bound to happen. I hope they have learned their lesson now. Read more

Online crime

KPN researchers published interesting results from their research into the REvil/Sodinokibi ransomware. It gives insight into how the attackers operate and the scale of the attacks. The cheapest ransom demand the KPN researchers discovered is $777, the most expensive $3,000,000, and the average demand is $260,000. Also noteworthy: the average ransom demand for network-only attacks ($470,000) is almost tenfold that of computer-based attacks ($48,000). Read more

Three Indonesian men suspected of being part of a Magecart hacking gang have been arrested. Magecart is JavaScript malware that's injected into web shops to steal payment card information from online shoppers. It seems that not all gang members have been caught, as there has still been activity on the hacking group's servers since the three were arrested. Read more

Five years after Ashley Madison, a site for having extramarital affairs, was breached, some victims are being extorted by criminals. The extortion emails include a lot of personal and financial information about the victims, and even their sexual preferences, in a password-protected PDF attachment. This PDF also contains a QR code that can be scanned to pay the ransom; the criminals do this to avoid detection by URL scanning or sandboxing techniques. Read more

Network security

EFF published a good article about the real risk of connecting to public Wi-Fi. Until a few years ago the risk of man-in-the-middle attacks was quite high, because most web traffic went over the insecure HTTP protocol. Nowadays most pages are loaded over HTTPS and the risk has become very low. Read more

Updates

If you use FortiSIEM, it's time to install the latest patches. Fortinet released an update that removes two backdoors in its SIEM offering: an SSH backdoor which could give an unauthorized user access to a restricted shell, and a database backdoor through which attackers who already have access to a company's internal network could gain access to the device's database. Read more

Magento released updates to resolve critical remote code execution vulnerabilities in Magento Commerce, Magento Open Source, Magento Enterprise Edition and Magento Community Edition. If you're running one of the affected versions, update immediately. Read more

Mobile security

Since 1 February, WhatsApp no longer works on smartphones that run iOS 8 or earlier, or Android 2.3.7 Gingerbread or earlier. This is a logical move to protect WhatsApp users' security, but it might be inconvenient for people who can't upgrade the mobile OS because it's not supported on their dated smartphone. Read more

Security awareness

Lisa Forte sent me a tweet about a hilarious interview by John Oliver with Edward Snowden about password security. Although it's from 2015, it's still worth watching and good material to use in awareness sessions. Watch video

Tip of the week

I read a tweet this week from someone who couldn't access the iPhone of a deceased relative. It might not be the most pleasant task, but you should make sure that your loved ones can still access your phone(s) and accounts when you're no longer able to. This blog post has some useful tips. Read more
Copyright © 2020 John Opdenakker, All rights reserved.
