This week’s Security Roundup brought to you by Or Rikon and Sean Smith.
Forms over HTTP to be considered insecure. Reminder that Google Chrome is planning to show pages as insecure if they contain forms that get posted over HTTP rather than HTTPS. Avoiding the warning essentially requires serving the page, and the endpoint its forms submit to, over HTTPS (TLS).
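A quick way to find such forms before the browser flags them is to resolve every form's action against the page URL and look at the resulting scheme. The following is an added example written for this roundup, not code from Google or from any site mentioned here; the page URL and HTML are constructed samples, and the only rule it implements is "does this form's submit target use plain http".

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the attributes of every <form> element on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # attrs is a list of (name, value) pairs; value is None for bare attributes
            self.forms.append({k.lower(): (v or "") for k, v in attrs})


def form_submit_targets(page_url, html):
    """Resolve each form's action against the page URL.

    A missing or empty action submits back to the page itself, and a
    scheme-relative action (//host/path) inherits the page's scheme, so the
    page's own scheme often decides whether credentials travel in clear text.
    """
    collector = FormCollector()
    collector.feed(html)
    return [urljoin(page_url, form.get("action", "")) for form in collector.forms]


def insecure_form_targets(page_url, html):
    """Return the submit URLs that would carry form data over plain HTTP."""
    return [u for u in form_submit_targets(page_url, html)
            if urlsplit(u).scheme == "http"]


# Constructed sample: an HTTP page with three forms (not taken from any real site).
SAMPLE_PAGE_URL = "http://www.example.com/account/login"
SAMPLE_HTML = """
<html><body>
  <form method="post">                                        <!-- no action: posts to the HTTP page itself -->
    <input name="user"><input name="pass" type="password">
  </form>
  <form method="post" action="https://www.example.com/login"> <!-- explicit HTTPS endpoint -->
    <input name="user"><input name="pass" type="password">
  </form>
  <form method="get" action="//cdn.example.com/search">       <!-- scheme-relative: inherits the page's http -->
    <input name="q">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for target in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits over plain HTTP:", target)
```

Run against a crawl of your own pages; note that moving the page itself to HTTPS fixes the first and third forms automatically, while a hard-coded `http://` action would still need to be edited.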
WikiLeaks website apparently hacked by OurMine using DNS poisoning. Recently, the WikiLeaks website, known for its high-profile leaks against big names like the CIA, was attacked by OurMine, a hacker group calling themselves white hats who try to point out bugs. On Thursday, users of the website were greeted by an announcement from OurMine taunting WikiLeaks and Anonymous for challenging them previously. The attack was based on DNS poisoning, directing users to an OurMine server instead of WikiLeaks' own, which means that the actual WikiLeaks servers were not compromised, even though visitors who trusted what they saw at the domain were still served attacker-controlled content.
Accessing Uber's internal chat system. For those of you interested in exploits, check out this security researcher's rundown of how they bypassed Uber's SSO for its internal chat app, which allowed them to impersonate users.
MongoPocalypse resumes. You may recall last winter, when various databases were being exploited and held for ransom, starting with MongoDB. Reports have it that this has resumed, with 45K MongoDB instances being hit. It is a tragedy that these databases are still exposed to the internet after the previous wake-up call; simply not listening on a public interface, and requiring authentication, would mitigate casual automated drive-bys.
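The two settings that decide whether an instance is a drive-by target live in mongod.conf: `net.bindIp` (which interfaces the listener is on) and `security.authorization`. Below is an added example, not anything from MongoDB or from the reports, that audits a config file for the exposed pattern; the two config fragments are constructed, and the parser deliberately handles only the flat two-level YAML subset mongod.conf uses rather than being a real YAML parser.

```python
# Constructed mongod.conf fragments (YAML). The weak one is the deployment shape the
# ransom campaigns swept up; the hardened one listens on localhost plus one internal
# address and requires accounts.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from anywhere that can route to the host
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_flat_conf(text):
    """Flatten the two-level 'section:\\n  key: value' layout into {"section.key": value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")   # split at the first colon only
        if not raw.startswith((" ", "\t")):
            section = key                             # top-level section name
        elif section:
            settings[f"{section}.{key}"] = value.strip()
    return settings


def audit_mongod_conf(text, legacy_default_binds_all=False):
    """Return the findings that make an instance a target for automated ransom scripts.

    legacy_default_binds_all: set True for mongod releases before 3.6, whose default
    with no bindIp at all was to listen on every interface.
    """
    s = parse_flat_conf(text)
    findings = []
    bind = s.get("net.bindIp")
    if bind is None:
        if legacy_default_binds_all:
            findings.append("no bindIp set: legacy default listens on all interfaces")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        if addrs & {"0.0.0.0", "::", "*"}:
            findings.append(f"bindIp {bind} exposes the listener on every interface")
    if s.get("net.bindIpAll", "false") == "true":
        findings.append("bindIpAll: true exposes the listener on every interface")
    if s.get("security.authorization", "disabled") != "enabled":
        findings.append("authorization not enabled: anyone who can connect can read, drop and ransom the data")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(conf) or ["no findings"])
```

Binding to an internal address is still only half the story: the host firewall or cloud security group should also drop inbound 27017 from the internet, and the audit above cannot see that, so treat it as a config check, not a proof of isolation.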
Popular file converter sites hacked. A server hosting a collection of popular file conversion sites such as pdf2jpg, used by thousands of people daily, has been discovered to have been repeatedly compromised during the past year. The breach, performed by exploiting a known issue in the ImageMagick library (ImageTragick), gave the attacker complete control of the server. Given that ImageTragick was disclosed last year, this is yet another unfortunate example of poor patching cadence.
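Patching is the fix, but a converter that hands user uploads straight to ImageMagick should also refuse files whose bytes do not match the format the filename claims, since ImageMagick decides which coder to use from the content, not the extension. Here is an added example of that check, written for this roundup and not code from any of the affected sites; the accepted formats, the magic-byte table and the sample uploads are all constructed for illustration.

```python
# Leading bytes of the raster formats this (hypothetical) converter accepts. Anything
# that does not start with one of these is refused before ImageMagick sees it, so a
# text-based format such as MVG or SVG cannot ride in under a .jpg name.
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_format(data):
    """Return the format whose magic bytes open `data`, or None if no accepted format matches."""
    for fmt, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def check_upload(filename, data):
    """Return (ok, detail): ok only if the extension is allowed AND the bytes agree with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = ALLOWED_EXT.get(ext)
    if declared is None:
        return False, f"extension .{ext or '(none)'} not allowed"
    actual = sniff_format(data)
    if actual is None:
        return False, "content is not a recognised raster image"
    if actual != declared:
        return False, f"extension says {declared} but content is {actual}"
    return True, actual


# Constructed sample uploads (no real image data, no exploit payload).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),         # genuine JPEG header
    ("photo.jpg", b"push graphic-context\nviewbox 0 0 10 10\n"),  # MVG text wearing a .jpg name
    ("photo.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 12),          # PNG bytes under a .jpg name
    ("drawing.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),  # extension not on the allow-list
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        ok, detail = check_upload(name, data)
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}: {detail}")
```

Two caveats: pass the validated format explicitly when invoking ImageMagick (for example `convert jpeg:upload.jpg out.png`) so it cannot re-sniff the content into a different coder, and pair this with the policy.xml restrictions published alongside the ImageTragick advisory, because a magic-byte check says nothing about what a correctly-formatted image does inside a vulnerable decoder.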
Abandoned domains should be treated as security problems. We've previously reported on stories involving expired domains that still receive potentially sensitive traffic, or that allow someone to do something malicious, such as defacing a website or serving malware. For those that missed them, this article recaps those cases and provides additional examples, including Flickr.
More IoT exploits. Security researchers have found three backdoor accounts in two Arris commercial modems, both of which currently appear to be discontinued. These backdoors would allow an attacker to take over the device, and, based on scan data from sources like Shodan.io, the researchers believe around 220K such modems are currently reachable on the internet. Being discontinued, they are unlikely to ever receive a fix, so the practical mitigation is replacement or keeping their management interfaces off the public internet.