1. The fashion and sneaker trading platform StockX was hit by hackers at the end of last week. It initially didn’t acknowledge the attack and first reset users’ passwords, then issued this statement. Reporters were able to verify that users’ account data was stolen from the site back in May. Financial data wasn’t involved. -- TECHCRUNCH
2. Funding and merger news of the week.
Apple device management company Jamf announced its acquisition of the startup MacOS security provider Digita Security. Digita was co-founded by Patrick Wardle, an ex-NSA hacker who is widely regarded as a top malware researcher. Terms weren’t disclosed, and all five employees of the startup will continue to work at Jamf.
Trinity Cyber closed on a $23M funding round from led by Intel Capital. The firm is an MSSP based in the D.C. area.
AppViewX raised $30M in an A funding round led by Brighton Park Capital. The firm is based in Seattle and does networking infrastructure protection.
Truework raised $12M in an A funding round led by Sequoia Capital. The firm is based in San Francisco and has a verified identity platform for consumers and professionals. Ryan Sandler is the CEO.
Confluera raised a $9M A funding round led by Ravi Mhatre. The firm is based in Silicon Valley and does real-time attack detection and response. Abhijit Ghosh is the CEO.
Cervello raised $4.5M in a seed funding round led by North First Ventures. The firm is based in Tel Aviv and does attack prevention. Roie Onn is the CEO.
Cymatic.io raised $4.5M in seed capital. Jason Hollander is the CEO of the endpoint security firm based in Raleigh.
Digital Hands received a $15M funding round led by Fulcrum Equity Partners. Charlotte Baker is the CEO of the SOC-as-a-Service company based in Tampa.
Validated ID received a $2.2M A funding round led by Randstad Innovation Fund. The firm is based in Barcelona and does eSignature services.
3. The researcher Avinash Jain who found the original vulnerability with misconfigured Jira servers with NASA and other customers is back with a new post. This time he provides details on how he found the issue. If you use this project management tool you should spend some time reviewing your own configuration. A carefully-constructed search query can locate hundreds of at-risk situations. This combined with the fact that projects on Jira Cloud can be set up for anonymous access can mean they can leak user data online.-- JAIN @ MEDIUM
4. The latest victim of a business email compromise attack is the North Carolina Cabarrus County School District. It discovered it sent a payment to a hacker’s bank account instead of its legit construction contractor thanks to a well-crafted phony email. The result was a $1.7M payment, only a part of which has been refunded by the bank. -- INDEPENDENT TRIBUNE
5. But this story is just one of many other successful phishing attacks. For example, Protonmail clarifies how the Bellingcat attack happened, with hackers setting up a copycat site to steal passwords among other techniques that have nothing to do with the integrity of their encryption. To help you better hone your defenses, read this post on Vade Secure which dissects typical spear phishing and shows you what to recognize. This note from PhishLabs describes five things to watch out for, including plausibility and attachments.
6. Details on 4M email accounts were recently leaked from Disney’s revamp of its Club Penguin website. It happened through a PHP vulnerability and had help from data obtained from another leak last year. There is a lot of confusing and contradictory information about what happened. -- NAKED SECURITY (SOPHOS)
7. A series of bugs in Nvidia’s GPU display driver were quashed with a recent security update. The bugs could allow remote code execution and privilege escalation attacks. None of the bugs can be exploited remotely, but users are urged to update by going to NVIDIA’s Driver Downloads webpage. -- BLEEPING COMPUTER
8. The researchers who found the original DragonBlood WPA3 bugs are back with new vulnerabilities. The bugs allow hackers to steal passwords transmitted across the wireless network by brute-forcing authentications, and had to do with the ways the original bugs were patched. The two have been assigned CVE-2019-13377 and CVE-2019-13456. -- ZDNET
9. If you are thinking of adding a cybersecurity certification credential, you might want to review this article which parses the utility and appropriateness of each one. It is a first-hand account from someone who has takn the exams and can describe what type of knowledge is tested and the costs involved. -- CSOONLINE
10. The U.S. Army Cyberschool in Fort Gordon has changed its pedagogical tactics over the past several years. This post describes how more nimble instruction has become the norm, and how exercises are constructed to encourage collaboration to solve infosec problems. Students also switch between blue and red team exercises to widen their perspective. -- FIFTH DOMAIN
This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).