Yet another high severity attack against the Intel CPUs. Unpatched systems can leak SIMD, FP register state between privilege levels. These registers are used for private keys nowadays.
The cost of a patch is more expensive context switches because the fix has to unload and reload all SIMD, FP state.
The team behind the CopperheadOS, hardened Google-free Android fork, has imploded. Guys, CEO and CTO (main and probably the only developer) are blaming each other.
Chromium devs are planning to enforce TLS protocol invariants by rolling new TLS 1.3 versions every six weeks.
According to the developers: "Every six weeks, we would randomly pick a new code point. These versions will otherwise be identical to TLS 1.3, save maybe minor details to separate keys and exercise allowed syntax changes. The goal is to pave the way for future versions of TLS by simulating them (“draft negative one”)."
The Kromtech Security Center found 17 malicious docker images stored on Docker Hub for an entire year. With more than 5 million pulls, containers were primarily used to mine cryptocurrency.
At least 74 persons, mostly Nigerians, were arrested due to crimes related to the business e-mail compromise schemes.
Good summary of the existing inter-service authentication schemes. Bearer, hmac based tokens etc.
There is an Ancient "su - hostile" vulnerability in Debian 8 & 9. Doing "su - hostile" may lead to the root privilege escalation. Default sudo -u probably is
There is a critical command injection vulnerability in the macaddress NPM package.
Blog about the crafting remote code execution via server-side spreadsheet injection.
An implementation flaw in multiple cryptographic libraries allows a side-channel based attacker to recover ECDSA or DSA private keys. Lots of libraries affected, like LibreSSL, Mozilla NSS, OpenSSL, etc.
Australian government drafts new laws, that will force technology giants like Facebook, Google to give government agencies access to encrypted data.
A security researcher at Telspace Systems, Dmitri Kaslov, discovered a vulnerability in the Microsoft Windows JScript component, that can be exploited by an attacker to execute malicious code on a target computer.
IBM X-Force Research has uncovered a new Brazilian, Delphi-based MnuBot malware active in the wild. It downloads it's functionality during the execution dynamically from the remote C&C server, so its functionality can be upgraded on the fly.
The US Department of Homeland Security and FBI issues alert over two new malware, Joanap remote access tool and Brambul SMB worm, linked to the Hidden Cobra hacker group.
A Toronto-based investment firm alleges that a rival company hired the Israeli companies tied to state intelligence agencies, to help sway a business dispute over a 2014 bid for a telecommunications company.
Google announced a project Capillary: End-to-end encryption for push messaging in Android. It should be available backward to API level 19 - KitKat.
Engineers from the University of Toronto have built a filter that slightly alters photos of people’s faces to keep facial recognition software from realizing what it's looking at. https://joeybose.github.io/assets/adversarial-attacks-face.pdf
Research paper about the business model of a botnet operation, even with a business model canvas!
New research takes on the problem of habituation to security warnings. They have used eye tracking and fMRI data to find out how people react to the security warnings in the software.
A new paper by Bonnetain and Schrottenloher giving improved quantum attack on a newly proposed Commutative Supersingular Isogeny Diffie–Hellman (CSIDH) key exchange. According to the paper, they show, that the 128-bit classical, 64-bit quantum security parameters proposed actually offer at most 37 bits of quantum security.
Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data.
It is not possible to upgrade the firmware that checks the user's password unless you present the correct user password.
Avast Threat Labs analyzed malware pre-installed on a thousands of Android devices. More than 18000 users of Avast already had this adware in a device. Cheap smartphones are primarily affected.
Great blog post about the USB reverse engineering tools and practices by the Glenn 'devalias' Grant.
FBI advice router users to reboot devices in order to remove VPNFilter malware infecting 500k devices.
If you didn't hear about the recent arbitrary code execution vulnerability in git software (CVE 2018-11234, CVE 2018-11235), there is a high level summary on the Microsoft DevOps blog.
The white hat hacker received $25000 bug bounty for getting root access on all Shopify instances by leveraging Server Side Request Forgery (SSRF) attack.
Attacking browsers by site-channel attacks using CSS3 features. The guys demonstrated how to deanonymize website visitors and more.
The Underhanded Crypto Contest for 2018 started, the topic has two categories: Backdooring messaging systems & Deceptive APIs. If you want to write some backdoor to the cryptographic implementation bud you do not harm anybody, this is a good opportunity.
Article about the new threat model and potential mitigations for the Chrome browser against the Spectre like vulnerabilities.
New article by the Intercept about the Google military drone AI contract. They want to make fortune on an image recognition.
Codechain - secure multiparty code reviews with signatures and hash chains.
According to the author, Codechain is not about making sure the code you execute is right, but making sure you execute the right code.
500,000 routers in more than 50 countries are infected with the malware targeting routers. Primarily home devices like Linksys, MikroTik, NETGEAR and TP-Link.
Cisco's Talos Security attributed malware to the future Russian cyber operations against the Ukraine. The US FBI agents seize control of the botnet.
The Internet Archive's Wayback Machine is deleting evidence on the malware sellers. They have removed from their archive a webpage of a Thailand-based firm FlexiSpy, which offers desktop and mobile malware.
According to the McAfee team, North Korean threat actor Sun Team is targeting defectors using the malicious Android applications on Google Play.
Don't use sha256crypt & sha512crypt primitives as shipped with GNU/Linux, they're leaking information about the password via time duration of a hashing operation.
Not critical vulnerability, but good to know.
The Intercept published an interesting article about the Japanese signals intelligence agency, based on Snowden's leaks.
The US FBI repeatedly overstated encryption threat figures to Congress and the public.
The US internet provider Comcast was leaking the usernames and passwords of customers’ wireless routers to anyone with the valid subscriber’s account number and street address number.
Amazon is pitching their facial recognition technology to law enforcement agencies, saying the program could aid criminal investigations by recognizing suspects in photos and videos.
Great blog about the SMS binary payloads and how SMS is weakening mobile security for years.
Researchers from the Eclypsium found a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode. They have even published Proof-of-concept.
Major (probably not only) US cell carriers are selling access to the real-time phone location data.
Because, you know the Electronic Communications Privacy Act only restricts telecommunication companies from disclosing data to the government, it doesn't restrict disclosure to other companies. Which can resell back to the gov. Hacker News discussion on a topic is quite informative.
Guardian wrote that according to the Oracle findings, Android devices send detailed information on searches, what is being viewed and also precise locations to the Google. Even if location services are turned off and the smartphone does not have a Sim card or application installed.
A new report details a widespread campaign targeting several Turkish activists and protesters by their government, using the government malware made by FinFisher.
A new set of vulnerabilities affecting users of PGP and S/MIME were published. The main problem lies in how email clients handle the output of the encryption tool, the protocol itself is not vulnerable, GnuPG should be fine.
Cryptocurrency mining malware was found in the Ubuntu Snap Store.
Essential reading on how spies are able to shape narrative of a journalistic pieces by document leaking.
The US media has learned the identity of the prime suspect in the Vault7 WikiLeaks CIA breach. Should be a 29-year-old former C.I.A. software engineer, government malware writer.
Great blog post about math behind and existing implementations of the homomorphic encryption.
There is an article about the common encryption workarounds in the criminal investigations written by Orin S. Kerr and Bruce Schneier.
Sunder is a new desktop application for dividing access to secret information between multiple participants using Shamir's secret sharing method.
DARKSURGEON is a Windows packer project to empower incident response, malware analysis, and network defense.
There is a first ransomware which is taking advantage of a new Process Doppelgänging fileless code injection technique. Working on all modern versions of Microsoft Windows, since Vista. This variant of a known SynAck ransomware is using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process.
Security researchers from the Dutch information security company Computes has found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit vehicle infotainment systems. The possible attackers could track car location as well as listen to the conversations in a car.
Twitter found a bug that stored user passwords unmasked in an internal log, there is no indication of a breach, but all Twitter users should change their passwords.
There is a breakthrough cryptographic attack on 5-round AES using only 2^22 (previous best was 2^32) presented at CRYPTO 2018. It is joint work of Nathan Keller, Achiya Bar On, Orr Dunkelman, Eyal Ronen and Adi Shamir. This kind of attack is good when evaluating the security of a cipher, it does not have any real world implication as the AES is using at least 10 rounds in production implementations.
Bug hunter which found multiple vulnerabilities in the 7-zip software used by anti-virus vendors wrote an blog on how to exploit one of such bugs. Interesting read.
The 360 Core Security Division response team detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability (CVE-2018-8174). It is a remote code execution vulnerability of Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability few days ago and credited Chinese researchers.
Source code of TreasureHunter Point-of-Sale malware leaks online.
The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP).
Luke Picciau wrote about his experience with Matrix and it's Riot messenger for one year.
There is a first official version 1.0 RC of Briar for Android.
Briar is an open-source End-to-end encrypted Bluetooth / WiFi / Tor based mesh-networking (decentralized) messaging application.
The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.
Multiple tech giants like Apple, Microsoft, Google and others formed an industry coalition and have joined security experts in criticizing encryption backdoors, after Ray Ozzie's CLEAR key escrow idea was widely derided. He basically proposed a scheme where the users have no control over their own devices, but the devices can be securely forensically analyzed by the government agencies.
There is an information leaking vulnerability via crafted user-supplied CDROM image.
"An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu device model process."
QubesOS operationg system is not affected due to the properly compartmentalized architecture.
Great in-depth blog about the reconstruction of the exploit created by the CIA's "Engineering Development Group" targeting MikroTik's RouterOS embedded operating system. This exploit was made public by the WikiLeaks last year.
Bypassing authentication and impersonating arbitrary users in Oracle Access Manager with padding oracle. The guy basically broke Oracles home grown cryptographic implementation.
There is a critical privilege escalation vulnerability affecting Apache Hadoop versions from 2.2.0 to 2.7.3.
According to the Arbor Networks' security researchers have claimed that the anti-theft software Absolute LoJack is serving as an espionage software modified by the Russia-based Fancy Bear group.
Wired wrote an article about the famous Nigerian 419 scammers, their culture and why they are still flourishing.
Matrix and Riot instant messenger applications are confirmed as the basis for the France’s government initiative to implement federated secure messenger.
Amazon threatens to suspend Signal's secure messenger AWS account over censorship circumvention. They are using different TLS Server Name Indication - "domain fronting" - when establishing connection to circumvent network censorship, but Amazon says it is against their terms of services.
Respected German CT-Magazine says that there are 8 new Spectre vulnerabilities found in the Intel processors.
A loud sound emitted by a gas-based fire suppression system deployed in the data center has destroyed the hard drives of a Swedish data center, downing NASDAQ operations across Northern Europe.
Signal for iOS, version 220.127.116.11 and prior, is vulnerable to the screen lock bypass (CVE-2018-9840).
The blog explains how the vulnerability can be exploited in practice.
Good summary about the integrated circuits Counterfeiting, detection and avoidance methods by hardware engineer Yahya Tawil.
A new python-based cryptocurrency mining malware PyRoMine (FortiGuard Labs) is using the ETERNALROMANCE exploit attributed to the NSA, to propagate Monero cryptocurrency miner.
The Australian Bureau of Statistics tracked people by their mobile device data to enrich their collection of data.
BGP hijack affected Amazon DNS and rerouted web traffic for more than two hours. Attackers used the hijack to serve fake MyEtherWallet.com cryptocurrency website.
Embedi researchers analyzed the security of a Huawei Secospace USG6330 firewall firmware. Good insight on how to analyze devices in general.
The ISO has rejected SIMON and SPECK symmetric encryption algorithms designed and proposed by the NSA. They are optimized for small and low-cost processors like IoT devices.
The Center for Information Technology Policy at Princeton Announced IoT Inspector - an ongoing initiative to study consumer IoT security and privacy.
There is a Proof of Concept for Fusée Gelée - a coldboot vulnerability that allows full, unauthenticated arbitrary code execution on NVIDIA's Tegra line of embedded processors. This vulnerability compromises the entire root-of-trust for each processor, leading to full compromise of on-device secrets where USB access is possible.
Google disables domain fronting capability in their App Engine, which was used to evade censorship. What a fortunate timing.
Bloomberg published article on how Palantir is using the War on Terror tools to track American citizens.
The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.
One of the people charged for the Reveton ransomware trojan was actually working as a Microsoft network engineer.
Intel processors now allow antivirus (mostly Microsoft right now) to Use built-in GPUs for in-memory malware scanning.
Avast shared CCleaner breach timeline. They were infiltrated via TeamViewer. More than 2.3 million users, 40 companies infected.
Nice blog post about the quantum resistant hash-based signature schemes. No public key cryptography.
New Android P enables users to change default DNS server, it will also support DNS over TLS.
There is a new web standard for authentication, designed to replace password login method with the public key cryptography and biometrics.
OpenSSL is vulnerable to a cache timing vulnerability in RSA Key Generation (CVE-2018-0737).
Could be theoretically exploited by some hypervisor, but they have decided not to release emergency fix.
The Endgame has released Ember (Endgame Malware BEnchmark for Research), an open source collection of 1.1 million portable executable file metadata & derived features from the PE files, hashes and a benchmark model trained on those features.
The U.S. Secret Service is warning about a new scam scheme where the crooks are intercepting new debit cards in the mail and replace the chips on the cards with chips from old cards. Once owners activate the cards, crooks will use stolen chips for their financial gain.
Russian state regulator Roskomnadzor have ordered to block the Telegram messaging application 48 hours after it missed a deadline to give up encryption keys to the online conversations of its users. I am not sure whether the Telegram protocol is actually blocked in Russia now.
A new Android P version will enforce applications to communicate over TLS secured connection by default.
Kudelski Security published a walk-through guide about Manger's attack against RSA OAEP. 1-bit leak from oraculum suffices to decrypt ciphertexts.
In depth article about stealing FUZE credit card content via Bluetooth.
Understanding Code Signing Abuse in Malware Campaigns. Pretty good statistics.
There is a vulnerability that results in a bypass of a tamper protection provided by the Sophos Endpoint Protection v10.7. Protection mechanism can be bypassed by deleting the unprotected registry key.
Several vulnerabilities have been found in the Apache HTTPD server. Update now.
Microsoft Windows tool certutil.exe for displaying certification authority information can be used to fetch data from the internet in the similar fashion like WGET or CURL.
There is a paper about breaking 256-bit security (NIST post-quantum candidate) WalnutDSA in under a minute.
Snallygaster - a Tool to Scan for Secrets on Web Servers
Nice map of the ongoing Linux kernel defenses. The map shows the relations between the vulnerability classes, current kernel defenses and bug detection mechanisms.