Hello and welcome to TSD, your regular blog post with top of mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Please reach out to us directly, via security@cyral.com or on Twitter at @dant24 if you have any questions, concerns, tips or anything else!
- In TSD-14, we highlighted a vulnerability that was reported in Netgear routers. However, as reported by The Register, if you have 1 of these 45 Netgear routers, you should replace it ASAP as they won’t be patching them.
- 3 have been charged in the Twitter hack and the alleged mastermind is a 17 year old from Florida. Twitter reported that the attack was from a “phone spear phishing” attack aka social engineering over the phone. Ars Technica has a shortened version of the research from Unit 221B, detailing how the attackers scraped LinkedIn for potential people that would have access. Besides all of the public information, the key piece of evidence was a data breach of a forum that the FBI had since April!
- Shiny Hunters, first mentioned in TSD-12, are now responsible for 18 different data breaches according to BleepingComputer. Dave.com, Havenly and Drizly are 3 of the highest profile releases in this latest round. TechCrunch found the Drizly database for sale and Drizly later confirmed that they had been breached and the data up for sale included “email addresses, date-of-birth, passwords… and, in some cases, delivery address”.
- And finally… Tick tock goes the clock until the President bans TikTok for national security reasons, or for inflating the Tulsa invite numbers and trolling the campaign, but maybe Microsoft will buy it before then and the US can get a 30% cut of the deal? TechCrunch transcribed the President’s remarks from yesterday morning. As to the “reason”, I think The Washington Post sums it up the best: “TikTok doesn’t appear to take any more of your data than Facebook. That’s not a compliment.” 2020 continues to be weird.
Owl fun and facts:
Researchers have recently finished describing an owl from 55 million years ago. They named it “Primoptynx poliotauros; Primoptynx means ‘first owl’ (‘primus’ is the Latin word for ‘first,’ and ‘ptynx’ is Greek for ‘owl’).” This owl is unique because, based on the bone structure of its feet, the researchers say it used its talons to kill prey as hawks do, whereas modern day owls use their beaks. Article via LiveScience, based on the original journal article published July 28 in the Journal of Vertebrate Paleontology.
A Shout Out:
Semgrep v0.17.0 was released last week and we would be remiss if we didn’t mention this awesome security as code tool.
“Semgrep is a command-line tool for offline static analysis. Use pre-built or custom rules to enforce code and security standards in your codebase. Semgrep combines the convenient and iterative style of grep with the powerful features of an AST matcher. Easily find function calls, class or method definitions, and more — without having to understand ASTs or wrestle with regexes.”
Semgrep is free and open source. If you’d like to explore an early access commercial version that allows you to “centrally define policy, enforce scans via CI/CD, and connect to systems like Slack and Jira” head on over to r2c to request access.
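To show what a custom rule looks like in practice, here is an added example (not from the TSD post, the Semgrep project, or its pre-built rulesets) written against the current Semgrep rule schema: it flags Python `yaml.load()` calls that do not select a safe loader, and it uses a hypothetical rule id and constructed sample code.

```yaml
# Added example rule; the id is hypothetical and the sample code in the
# comments is constructed for illustration.
#
# Constructed sample lines and how the rule treats them:
#   cfg = yaml.load(open("settings.yml"))              -> flagged
#   cfg = yaml.load(f.read(), Loader=yaml.Loader)      -> flagged (full loader)
#   cfg = yaml.load(f.read(), Loader=yaml.SafeLoader)  -> not flagged
#   cfg = yaml.safe_load(f.read())                     -> not flagged
#
# Run against a code tree with:  semgrep --config tsd-example.yaml path/to/code
rules:
  - id: tsd-example-pyyaml-unsafe-load
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() without a safe Loader can instantiate arbitrary Python
      objects from untrusted input. Use yaml.safe_load() or pass
      Loader=yaml.SafeLoader.
    patterns:
      # Match any yaml.load call: $DATA binds the document argument and
      # "..." absorbs any further positional or keyword arguments.
      - pattern: yaml.load($DATA, ...)
      # ...but exclude calls that already select a safe loader, whether
      # passed by keyword or positionally. Extend these exclusions if the
      # codebase imports the loader under an alias.
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, Loader=yaml.CSafeLoader)
      - pattern-not: yaml.load($DATA, yaml.CSafeLoader)
    # Suggested rewrite, applied only when semgrep is run with --autofix.
    fix: yaml.safe_load($DATA)
```

Because the rule matches on the parsed AST rather than on text, it still fires when the call is split across lines or the arguments are reordered, which is the point the quote above makes about not wrestling with regexes.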
That’s owl for now!