SECURITY WARNINGS & Notices - Please post them here

[bob3160]

Garmin services and production go down after ransomware attack.
Details here

[Asyn]

FBI warns US companies about backdoors in Chinese tax software
https://www.zdnet.com/article/fbi-warns-us-companies-about-backdoors-in-chinese-tax-software/

[Asyn]

Source code from dozens of companies leaked online
https://www.bleepingcomputer.com/news/security/source-code-from-dozens-of-companies-leaked-online/

[polonus]

Additionally to what bob3160 wrote on Garmin's interruptions:
Update: https://status.inreach.garmin.com/

Garmin leaked internal memo on iThome.com [article in Taiwanese --> Google Translate]

-> https://archive.is/https://www.ithome.com.tw/news/139004

Alternative product to use: https://www.vernier.com/product/labquest-2/

polonus

[bob3160]

Weekly Security News Roundup w/e 7/24/2020

https://youtu.be/9SQ9Zdv0hgU

[Asyn]

Potential Legacy Risk from Malware Targeting QNAP NAS Devices
https://us-cert.cisa.gov/ncas/alerts/aa20-209a

[polonus]

Mobile banking-app Dave leaks data of 2.9 million users.
Here we can see who's "really lost" in this case: https://dave.com/.well-known/security.txt 

Read on this security.txt initiative for security policy standard researchers: https://securitytxt.org/
and spread the word.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[Asyn]

Hacker leaks 386 million user records from 18 companies for free
https://www.bleepingcomputer.com/news/security/hacker-leaks-386-million-user-records-from-18-companies-for-free/

[bob3160]

Hacker leaks 386 million user records from 18 companies for free
https://www.bleepingcomputer.com/news/security/hacker-leaks-386-million-user-records-from-18-companies-for-free/

If leaking this information is illegal, and apparently BleepingComputer is able to 'talk' to this hacker, I wonder if
BleepingComputer has an obligation to report this to the authorities? I wonder if they've done that?

[DavidR]

Hacker leaks 386 million user records from 18 companies for free
https://www.bleepingcomputer.com/news/security/hacker-leaks-386-million-user-records-from-18-companies-for-free/

If leaking this information is illegal, and apparently BleepingComputer is able to 'talk' to this hacker, I wonder if
BleepingComputer has an obligation to report this to the authorities? I wonder if they've done that?

Or be complicit ?

[Asyn]

Apple, Kanye, Gates, Bezos, more hacked in Twitter account crypto scam
https://www.bleepingcomputer.com/news/security/apple-kanye-gates-bezos-more-hacked-in-twitter-account-crypto-scam/

Scammers hacked Twitter and hijacked accounts using admin tool
https://www.bleepingcomputer.com/news/security/scammers-hacked-twitter-and-hijacked-accounts-using-admin-tool/

Florida Teenager Is Charged as ‘Mastermind’ of Twitter Hack
https://www.nytimes.com/2020/07/31/technology/twitter-hack-arrest.html

[Asyn]

Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites
https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites/

[Asyn]

Hacker leaks passwords for 900+ enterprise VPN servers
https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/

[polonus]

How to detect malcious webshop websites?

Read: https://www.ic3.gov/media/2020/200803.aspx

There are plenty of ways to check online whether a webshop is to be trusted, like scamadviser, UrlVoid, Trustpilot, etc.
Mozilla observatory. HTTP downgraded websites are suspicious. Also contructions like WW2 etc.
Brand new registrations , whois data through 3rd parties.

Misspellings and grammatical errors.
Often cybercrinimals give themselves away in such ways.

When something seems too good to be true, then that might really be the case.
Always use your common sense under all circumstances.

polonus

[Asyn]

Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder
https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/