Welcome back after a week’s hiatus to give people time to be thankful for all the good in their life. The best things in life: SIEM and log management, crowd-based threat intelligence, vulnerability assessment, asset discovery, and intrusion detection.
I am Root
Apple found itself in the headlines as it was revealed that anyone could log in with root credentials without a password. I’m sure employees Geniuses at Apple stores were delighted with customers trying out the hack on display units.
While many experts bemoaned the irresponsible disclosure of the vulnerability, it was apparently known on the Apple developer forums and thought of more as a bug.
Perhaps one of the most impressive aspects of this debacle was how quickly Apple turned it around and issued a patch within a day. I don’t know what they put in their coffee at Apple HQ, but I’ll have two!
Anyone can hack MacOS High Sierra just by typing “root”. | Wired
New security update fixes macOS root bug | ars Technica
Apple releases update to fix critical macOS High Sierra security issue | The Verge
Portable Faraday Cage
This story caught my attention because of its simplicity. A man in Australia was sacked from his job after it was discovered the 60-year old electrician blocked his whereabouts by storing his personal digital assistant, that has a GPS inside, in an empty foil packet of Twisties, a puffy cheese-based snack that is popular in Australia.
I can only imagine how the prosecution kept a straight face claiming the man was using an elaborate Faraday cage while holding up an empty packet of crisps (chips).
Employee used crisp packet as ‘Faraday cage’ to hide his whereabouts during work | Telegraph
Holiday Cybersecurity guide
The lovable reprobate Rob Graham posted a great guide for anyone visiting relatives during the holidays, and what you can do to help them become more secure.
It’s a very decent list that’s worth checking out.
Your holiday cybersecurity guide | Errata Security
Uber breach
Ride share company Uber can’t seem to find itself in a good story at all these days. After having 57 million users details breached, the company hid the fact for over a year.
The company allegedly paid $100k to the attackers as a form of hush money. It’s not confirmed whether the money was extorted from Uber, or if it was a bug bounty that went too far.
What it did remind everyone of is that many companies are still woefully poor at securing cloud infrastructure.
Of course, most companies get breached at some point or another – hiding from regulators and customers won’t make it any better.
Uber hid data breach that exposed info for 57 million users | engadget
Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data | NY Times
Three things you need to hear about Information security
It’s easy in any line of work to become a bit jaded after a while. The same challenges can feel like Groundhog Day. That turns to cynicism, and anger, and despair.
But it doesn’t need to be like that, as Stefan Friedli reminds us in Information Security: Three things you need to hear.
Random nugget
I can’t remember how I came across this insanely useful list by Ming Chow where he has a list of ransomware and who paid the ransom amongst other things.
References for Political Science, International Relations, and Law | Ming Chow Github
