Inside | Real news, curated by real humans
Inside Security

Inside Security (Nov 4th, 2016)

David’s Take

The Australian Red Cross blood donor database has been hacked; it is the country’s largest breach to date. Websites built in Wix can be vulnerable to a cross-site scripting attack. You can now legally hack your own connected devices without being sued by the devices’ manufacturer.

-- David Strom, editor of Inside Security

Threat of the Week, AU edition
More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date. The records go back to 2010 and were discovered by an anonymous source. The records contain personal details, email addresses, and dates of birth, along with medical information typical of a blood bank. – ITNEWS AU
Attacks and threats
Cloud-based web hosting provider is vulnerable to a cross-site scripting vulnerability that can give attackers control over any of the millions of websites hosted on the platform. All that needs to happen is to add a single parameter to any site created on Wix and the attacker can cause their JavaScript to be loaded and run as part of the target website. Security researchers from Contrast Security discovered the vulnerability and demonstrate how it is accomplished on that link. They contacted Wix last month, which has not yet responded. – THREATPOST

Last Friday, a new exemption to the decades-old Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans who now will be permitted to hack their own devices without fear that manufacturers could sue them.  Security researchers are also allowed limited leeway into testing devices in certain situations, such as in a test lab. Tractor manufacturer John Deere last year cited the law to argue that tractor owners couldn’t repair certain software components of their own vehicles.  These exemptions provide legal cover to reverse-engineers who otherwise may not explore critical subjects. -- WIRED
Methods and tools

Security researchers at Princeton University, Google, and elsewhere have developed a software tool designed to let domain name registration companies detect and block people attempting to register domains intended for malicious purposes. It is called Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration or PREDATOR. It allows registrars to assess reputations before the domain registration takes place. Early tests of the tool show a low false-positive rate. – DARK READING

Singapore’s government will collaborate with the National University of Singapore and local telco Singtel on a new cybersecurity research lab. The three will spend $30 M over the next five years to develop new ways, methods and tools, such as quantum cryptography, data analytics and machine learning. There are already 30 researchers housed at the lab, and work is already underway on using predictive analytics to thwart impending cyber threats using anonymized real-time telco data.  – STRAITS TIMES

If you are looking for a fast fuzzing tool, you might want to check out a new open source release of GRR. Fuzzing is the ability to automatically test your program’s tolerance for bad or misformed inputs. These security researchers developed GRR for DARPA’s Cyber Grand Challenge, and now are releasing it as an open-source project.  They claim it is fast and “can eat just-in-time compilers and self-modifying code for breakfast. It’s a lean, mean, bug-finding machine.” – TRAIL OF BITS

Law enforcement agencies across the globe staged a crackdown on darknet web sites last week, targeting merchants and thousands of customers who were looking to obtain illegal drugs and goods. In addition to the U.S., Europol and law enforcement agencies from Australia, Canada, New Zealand and the U.K. participated in the operation. One of the targets were customers of the AlphaBay Market. Among the items seized at a Los Angeles mail processing facility were live turtles sent from Las Vegas, a counterfeit bong made in China, and fake Ray-Ban sunglasses. -- ITWORLD

Microsoft this week is contributing the designs of its hyperscale Azure servers to the Open Compute Project. Called Project Olympus, the designs will showcase software-defined networking and other large-scale efforts to boost their servers’ speed and capacity. What is interesting is that the servers are not feature complete, and Microsoft would like to collaborate with other project members and the public to improve them. “By sharing designs that are actively in development, Project Olympus will allow the community to contribute to the ecosystem by downloading, modifying, and forking the hardware design just like open source software.” – MICROSOFT AZURE BLOG
Just for fun

The Obama White House communications staff is making plans for how to preserve the various social media accounts that have been used over the past eight years, including having archives of its Twitter, Facebook, and other accounts. Many of them will retain their followers but start with a fresh page after Inauguration Day. The story is an interesting look at the role that the National Archives will play in this process and how these accounts will transition to the next elected President. – WHITEHOUSE BLOG
How likely are you to recommend Inside Security to a friend or colleague?



Did we get anything wrong or miss a story? We realize that many of our readers are smarter and more informed than we are – so please hit reply and let us know when we miss something!

Also, don't forget to vote on which newsletter we launch next!

Did you know we're crowdfunding the cost of an investigative journalist for the Inside Daily Brief? Check out our Patreon campaign to see the perks at various levels. And, many thanks to the following patrons for being above the $75/month level, which includes a link in every issue of the IDB:

Love That Pet – Weedmaps – This Week in Startups – ReadThisThing

Support us on Patreon

Copyright © 2016 Inside, All rights reserved.

You're receiving this email because you are subscribed to Inside Security. If you don't want to receive it anymore, go ahead and unsubscribe – or just hit reply and tell us how to make it better.

Subscribe to Inside Security