Bayerischer Rundfunk, together with ProPublica, has found millions of patient records on the Internet. Apparently medical examination reports and X-ray images, together with personal data, were sitting unprotected and discoverable on servers. Essentially this seems to concern US patients, but 13,000 affected people in Germany is still a considerable number.
If data is the new oil, then this is an oil slick.
Again, it’s Facebook that made news with a data breach. TechCrunch reported first at about midnight European time, but by noon today it is all over the news. It’s time to realize social media is a mistake.
Like so many Twitter attacks lately, it was a SIM swap.
@Jack was hacked. Wired has a story on how it happened. TL;DR: a SIM swap is an attack that allows intercepting the second authentication factor when it is delivered by SMS to a cellphone.
While a lot of people debate DNS-over-HTTPS (and its dependencies), the IETF has a specification for DNS-over-QUIC on its standards track.
This document describes the use of QUIC to provide transport privacy for DNS. The encryption provided by QUIC has similar properties to that provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient error corrections than UDP. DNS over QUIC (DNS/QUIC) has privacy properties similar to DNS over TLS specified in RFC7858, and performance similar to classic DNS over UDP.
Earlier this week, it became public that Capital One was the victim of a privacy leak affecting more than 100 million of its customers. News reports revealed details about the source of the attack, which apparently an individual conducted and then bragged about publicly.
Now, a few days later and with more facts known, the always excellent Krebs on Security blog offers some lessons learned from the incident. It has good statements from Netflix, Cloudflare, DisruptOps and AWS personnel, including citations about the involvement of IAM, EC2 and WAF. In particular, it points out mitigations that AWS recommends in response to Server Side Request Forgery (SSRF).
Interesting is the conclusion Rich Mogull comes to: that the industry is facing a major skills gap related to this kind of cloud security. Basic skill, and the availability thereof, has always been a major gap in the entire industry. With the arrival of cloud it only becomes scarcer, mostly because corporations maintain both their existing data centers and new cloud infrastructure, missing out on the opportunity to become more secure in the cloud.
Google’s Project Zero drops a handful of zero-day vulnerabilities for the iPhone at Black Hat 2019. Apparently one of them isn’t patched yet. “Interaction-less attack surface” in this context means it is wormable: code executes with no human interaction.
Today the European Court of Justice handed down a judgment in a case involving FashionID, the online shop of the fashion retailer Peek & Cloppenburg. It concerns how the transfer of user data when using third-party content must be handled. That the use of, for example, Facebook Like buttons
Among others, the Tagesschau tries to explain it. Because the judgment was handed down by the ECJ and will therefore have consequences beyond Germany, international outlets such as TechCrunch and Yahoo (Reuters) also report on it.
Simon Assion of #twobirds, a lawyer active on Twitter, summarizes some key points about the judgment in a thread there.
So what does today’s ruling in the #FashionID case mean for data protection practice under the GDPR?
The Internet was built with decentralized infrastructure in mind. To scale globally, network providers like Cloudflare have emerged to run decentralized infrastructure and offer it as a service. In general, keeping services independent of each other and maintaining heterogeneous networks has a proven track record of resilience, one that is not necessarily inherent to the architecture of these providers. Just like Akamai had a bad day in 2004, Cloudflare today suffered a global outage that left many obvious collateral problems visible all over the Internet. Bloomberg, among others, reports:
CloudFlare Inc., an internet service meant to protect websites from going down, faced its own network issues on Tuesday, leading to several prominent sites — like blogging platform Medium and video game chat provider Discord — being unavailable for some time.