Reddit, two months in
Reddit disclosed yesterday: an attacker bypassed the company's SMS-based two-factor authentication and accessed historical user data including a 2007 backup. The lesson is about SMS as a second factor.
Twitter disclosed yesterday that a bug had logged user passwords in plaintext to an internal log file. The disclosure is unusually clean and the lessons are about logging hygiene.
Ransomware using the EternalBlue exploit hit the NHS and tens of thousands of organisations across at least 150 countries on Friday. The patching window from March was four weeks. The cost will be much larger than the ransom takings.
Shadow Brokers dropped the Windows portion of their archive yesterday. EternalBlue, a remote SMB exploit against unpatched Windows. Microsoft patched in March. Many people did not.
CVE-2017-5638 in Apache Struts 2: a remote-code-execution flaw in Content-Type header parsing. Mass scanning began within hours of the patch.
Juniper has disclosed unauthorised code in ScreenOS: two distinct backdoors, one bypassing administrative authentication and one allowing VPN traffic decryption. Disclosed during the Christmas patch lull.
Lenovo shipped consumer laptops with Superfish, an ad-injection package that interposes a self-signed root certificate. The same private key on every machine. A predictable, terrible week.