Security Roundup - 2018-04-05

Panera bread data leak. The big news this week was Panera’s treatment of a security disclosure, where they did not address a security flaw that exposed user information for 8 months. Panera was driven to take action only after the security researcher reached out to Brian Krebs, who published a scathing article of the details. You can read the researcher’s story here.

Honeypot meat HoneyBot. In an ever increasingly connected world, there is increased concern about security surrounding connected devices, including robots. Now, one set of researchers have started experimenting with HoneyBots, taking the concept of a honeypot where researchers observe malicious users and applying the same concept to robots.

Chat Widgets leak PII. Security researchers discovered a number of live chat systems, used by companies including Google, Verizon and Disney, were leaking actual employee names and other identifying details. This could lead to tailored social engineering attacks, or even directed harrasment of employees.

Obfuscation through legitimate appearances. Analysts at Sucuri had fun analyzing what at first glance may look like an innocent file with proper code structure, but turned out to be obfuscated wordpress malware.

Privacy in DNS. While the push for TLS to provide secure communications continues, others have decided to look at other points of internet privacy. Now, while communications over TLS may be unknowable, someone still knows who you are calling due to DNS. There are now numerous researchers looking at this problem, from OpenDNS who has run DNSCrypt for several years, Cloudflare who is pushing DNS over TLS and just launched a new resolver, and even academic researchers in Princeton who are working on Oblivious DNS.

Written on April 5, 2018