Hello and welcome to TSD, your regular blog post with top of mind security issues! TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Please reach out to us directly, via firstname.lastname@example.org or on Twitter at @dant24 if you have any questions, concerns, tips or anything else!
- If you have a Netgear router, you may want to patch it ASAP if and when patches do come out, as two researchers have found a flaw impacting 79 models and 758 firmware versions going back to 2007. The flaw is in the router’s web server, so first and foremost make sure the admin interface isn’t exposed to the Internet, both to mitigate this vulnerability and as a general best practice. Read more about the issue and see which models are affected at ZDNet.
- Zoom has reversed course and has announced on their blog that they will be offering end-to-end encryption (E2EE) “as an advanced add-on feature for all of our users around the globe – free and paid”. There are caveats though, as E2EE isn’t possible with standard phone lines or certain conference room systems. Hosts will have the ability to toggle the feature on a per-meeting basis.
- If you’re protesting, they may not need the facial surveillance we mentioned last week in TSD-13, as the FBI can run OSINT too. A woman has been charged in Philadelphia “based on an aerial video taken the day of the protests, an Instagram picture, photos taken by an amateur photographer, and—crucially—a forearm tattoo and an Etsy t-shirt”. More info at Vice.
- KrebsOnSecurity is reporting that a web services company responsible for hosting law enforcement related sites has been hacked, and the stolen data makes up a nearly 270GB collection known as “BlueLeaks”. Distributed Denial of Secrets, the site hosting the collection, announced on Twitter that it contains “Ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.” In an interview with Wired, DDOSecrets says the files came from Anonymous.
Owl fun and facts:
New research just published reports that “observations of nests show that elder barn owlets offer their food to their younger siblings in exchange for grooming…Such cooperative behavior has been reported in adult nonhuman primates and birds, but rarely among young”. More info at Science News.
A Shout Out:
Ajin Abraham has just released v4 of nodejsscan. v4 has 70+ Node.js specific rules and now uses Ajin’s standalone njsscan as the core engine. Start scanning your Node.js apps today!
That’s owl for now!