A 35-year-old vulnerability has been discovered in the SCP file transfer utility. According to the advisory's impact section, "Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output."
The SSL certificates of multiple U.S. government websites have expired, and some sites are inaccessible because they correctly use HTTP Strict Transport Security (HSTS).
There is nobody there to renew them because of the government shutdown.
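As an added example (not from the original digest), here is a small certificate expiry monitor in Python that a site operator could run against their own hosts, so that an HSTS-protected site does not lock visitors out when a renewal is missed during an outage like this one. The host list, the 14-day warning threshold and the function names are assumptions of this example:

```python
"""Certificate expiry monitor (added example).

Flags TLS certificates that are about to expire, or already have, so that a
site with HSTS does not lock its visitors out when a renewal is missed.
"""
import socket
import ssl
import time

# Warn this many days before the notAfter date (assumed threshold).
WARN_DAYS = 14


def days_until_expiry(not_after, now_ts=None):
    """Days (float) between `now_ts` (Unix time) and a certificate's notAfter
    field in the text form getpeercert() returns, e.g. 'Jan  5 12:00:00 2019 GMT'.
    A negative result means the certificate has already expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return (expiry_ts - now_ts) / 86400.0


def classify(not_after, now_ts=None, warn_days=WARN_DAYS):
    """Map a notAfter date to 'expired', 'warning' or 'ok'."""
    remaining = days_until_expiry(not_after, now_ts)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "warning"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect to `host` and return the leaf certificate's notAfter string.
    Chain verification stays on: a certificate the browser would reject
    (expired, wrong name) raises SSLCertVerificationError here too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts, now_ts=None):
    """Return {host: status} for every host in `hosts`."""
    report = {}
    for host in hosts:
        try:
            report[host] = classify(fetch_not_after(host), now_ts)
        except ssl.SSLCertVerificationError as exc:
            # Browsers would refuse this site; with HSTS there is no bypass.
            report[host] = f"verify-failed: {exc.verify_message}"
        except (OSError, ssl.SSLError) as exc:
            report[host] = f"error: {exc}"
    return report


if __name__ == "__main__":
    # Constructed host list for the demo; replace it with your own inventory.
    for host, status in check_hosts(["example.com"]).items():
        print(f"{host}: {status}")
```

Run it from cron with your own inventory; anything reported as "warning" or "expired" is a renewal that needs a human, which is exactly what was missing during the shutdown. The pure functions take an explicit timestamp so the thresholds can be tested offline without network access.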
Researchers found a new kind of Windows malware that uses the encrypted messaging app Telegram to receive "encrypted" instructions. There is nothing innovative about the sample itself; what is really interesting is that Telegram messages carry unique IDs, and malware analysts at Forcepoint Labs were able to retroactively scrape all the messages issued by the malware operator.
Not sure what kind of channel was used by the bot, but it looks really suspicious that old messages can be scraped.
Researchers at the CanSecWest Vancouver conference will be able to participate in the annual Pwn2Own challenge. This year it also includes car hacking, as a Tesla Model 3 will be available.
One of the last surviving Navajo code talkers, Alfred Newman, has passed away at 94. During World War II, Newman and many others developed an unbreakable code for military transmissions using the unwritten Navajo language.
Security researcher Troy Hunt updated his service Have I Been Pwned with 772,904,991 new email addresses and lots of passwords after finding 87GB of leaked passwords and email addresses on the MEGA cloud storage provider.
There was a massive data breach at the Oklahoma Securities Commission: millions of files containing decades' worth of confidential case file intelligence from the agency and sensitive FBI investigation source materials were leaked.
Hackers broke into an SEC database and made millions from inside info.
A malicious former employee installed a Raspberry Pi in the company network closet, and the Reddit crowd helped with the investigation.
Great blog post about the factors in authentication. The more factors used, the bigger the headache from the enrollment procedures.
The Noise Protocol Framework Explorer, created by Nadim Kobeissi, now supports generating secure implementations in Go for any arbitrary Noise handshake pattern.
CERT Poland (CERT Polska) opens access to its malware database (MWDB).
Personal information of many German politicians was published online. Police have since arrested a 20-year-old suspect.
Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. They already have two working exploits.
Samsung Phone Users Perturbed to Find They Can't Delete Facebook.
According to a Hacker News comment (2nd link), it should be possible to delete the application over a cable using ADB. I didn't try it.
The Australian government issued a warning regarding a WhatsApp hoax that promotes the installation of a ‘gold’ version of the application. Installation leads to a malware infection.
After Motherboard's article about US carriers selling customers' location data, senators called on the FCC to investigate T-Mobile, AT&T, and Sprint.
The trial of the Mexican drug lord Joaquín "El Chapo" Guzmán has started, and it looks like his IT security guy gave the encryption keys for a SIP communication service to investigators a long time ago.
El Chapo also spied on his wife and fiancées using FlexiSPY spyware; the provider was subpoenaed by the FBI.
Singapore's Ministry of Communications and Information published the "Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database".
If you are into incident response, this report is a really great source.
Back in 2015, Facebook filed a patent application describing how to track relations between users using the dust on camera lenses.
If your computer relies on BitLocker in TPM-only mode (boot without a PIN), it is possible to extract the cryptographic material from the machine and decrypt the hard drive.
The Zerodium platform wants to pay you $2,000,000 for remote iOS jailbreaks, $1,000,000 for WhatsApp / iMessage / SMS / MMS remote code execution exploits, and $500,000 for a Chrome remote exploit.
Security engineer Chris Palmer published a blog post about the state of software security in 2019.
The NSA has so far open-sourced 32 projects on GitHub as part of its Technology Transfer Program.
A research paper on a new hardware-agnostic side-channel attack targeting the operating system page cache was published.
An interesting paper from last October with a long-term secure storage proposal:
"ELSA: Efficient Long-Term Secure Storage of Large Datasets".
Let's Encrypt recapitulated the last year of operating their ACME-based certificate authority and summarized the challenges they will work on in 2019.
They intend to deploy multi-perspective validation, performing domain validation from multiple distinct Autonomous Systems to prevent BGP hijacks from passing validation. They also plan to run their own Certificate Transparency (CT) log.
According to consultant Nathan Ziehnert, "CenturyLink 50 hour outage at 15 datacenters across the US — impacting cloud, DSL, and 911 services was caused by a single network card sending bad packets."
Great blog post by Artem Dinaburg, who resurrects 30-year-old fuzzing techniques from the famous research papers and runs them on a current Linux distro. Successfully.
An article by Wired about fake murder-for-hire services on the dark web and the freelance security researcher who took them down. As it turned out, some clients killed their targets themselves.
Multiple newspaper publishers in the US were hit by a ransomware attack, delaying their operations.
The European Union has started running bug bounties on Free and Open Source Software.
A proof-of-concept exploit for the Foxit Reader use-after-free vulnerability (CVE-2018-14442) was published on GitHub.
An attacker launched multiple servers that return an error message to connected Electrum clients, which the clients then display as a fake update prompt linking to malware.
Adam Langley published a blog post about zero-knowledge attestation for FIDO-based authentication. It could prevent the single-vendor policies some sites have started to require.
Interesting blog post by Wouter Castryck on "CSIDH: post-quantum key exchange using isogeny-based group actions".
The security researcher Bruno Keith published a proof of concept for a remote code execution vulnerability in the Microsoft Edge browser (CVE-2018-8629).
If you are interested in older car hacking/tuning, check out this article about overcoming the speed limiter on an old Japanese Subaru Impreza STi.
Jonathan “smuggler” Logan published a study on the future of black markets and crypto-anarchy named "Dropgangs, or the future of darknet markets".
A Chinese battery expert is charged with stealing trade secrets from his US employer as he prepared to return home. Forensics found deleted research materials unrelated to his contract on a USB drive he voluntarily provided to a supervisor.
The New York Times published an article about the insecurity of the mobile networks' Signaling System 7 (SS7) and the unwillingness to address mobile network vulnerabilities in general.
The Iraqi government took down unlicensed towers used for an illegal internet bandwidth smuggling operation in the disputed province of Kirkuk.
India's Ministry of Home Affairs has issued a notification authorizing 10 agencies to tap, intercept and decrypt all personal data on computers and networks.
Yet another article from the NY Times, this time on how Facebook uses 7,500 moderators around the world to keep content "normal".
Hackers are infecting Linux servers with JungleSec ransomware via the IPMI remote console, manually running the encryption program and then asking for a ransom.
The beta version of the WireGuard next-gen VPN for iOS was released in the App Store.
Someone from France uploaded a new sample of the Shamoon wiper malware to VirusTotal. The sample is signed with a Baidu digital certificate that expired back in 2016.
Wired magazine published a list of the security articles they published in 2018. Some of them are really good.
Amazon sent 1,700 Alexa voice recordings to a random person.
Google Project Zero published a blog post about the FunctionSimSearch open-source library, which can find similar functions in assembly.
They are using it to statically detect vulnerable library functions linked into executables.
London's police are testing facial recognition technology in central London this week. Feel free to get your face scanned and processed for the bright future.
Facebook gave Spotify and Netflix access to users' private messages. It also shared user information with Microsoft, Amazon and Yahoo without explicit consent.
Researchers published the results of an investigation into Russian election interference, conducted on behalf of the US Senate Intelligence Committee. They analyzed data sets from Facebook, Twitter and Google.
Adam Langley wrote about Google's further Chrome TLS experiments with post-quantum lattice-based cryptography.
Matthew Green wrote his thoughts on GCHQ’s latest proposal for surveilling encrypted messaging and phone calls.
Tencent Blade Team discovered a remote code execution vulnerability in SQLite. It was already fixed in Chromium.
A good story about the investigation of Chinese industrial espionage.
University of California, Berkeley researchers are building an open-source secure enclave using RISC-V.
Timothy May, the well-known founder of the cypherpunk movement, passed away.
Microsoft introduced Windows Sandbox for applications.
Interesting paper on systematic parsing of X.509 certificates with strong termination guarantees: "Systematic Parsing of X.509: Eradicating Security Issues with a Parse Tree".
A dive into Cypherlock, a tool that could prevent forced decryption.
Instant, reusable, generic MD5 collisions across different file formats: https://github.com/corkami/pocs/blob/master/collisions/README.md
According to the New York Times' sources, Marriott customer data was breached by Chinese hackers.
Attribution is hard, especially when investigating government-related hacks. We have to wait for more information.
A Google+ API software update introduced in November caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
An excellent journalistic piece about the location data industry. It is impossible to anonymize this kind of dataset. Highly recommended!
Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Acrobat Pro using the WinAFL fuzzer.
The Cisco Talos team wrote about various practical side-channel attack scenarios against encrypted messaging apps like WhatsApp, Telegram and Signal.
A study finds that 5 out of 17 tested certificate authorities are vulnerable to spoofed domain validation using an IP fragmentation attack.
The team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through specially crafted URLs.
Microsoft took the first step in advocating for the regulation of facial recognition technology.
A recent variant of the Shamoon malware wiped around ten percent of the PCs of the Italian oil and gas company Saipem.
The Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
Researcher Natalie Silvanovich from Google Project Zero fuzzed the WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
Australians, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
Apple included support for the Web Authentication API in the latest Safari Technology Preview (Release 71).
As implemented, the new Web Authentication support works with USB-based CTAP2 devices.
A critical Kubernetes privilege escalation bug (CVE-2018-1002105) was found and patched this week. When exploited, the bug allows anonymous as well as authenticated users to gain admin privileges over the cluster API.
An exploit has already been published on GitHub.
BT will not use Huawei's 5G kit in the core of its network due to security concerns.
Security agencies in Australia will gain greater access to encrypted messages due to new legislation.
The US National Security Archive published a complete index of all 1,504 items in the declassified collection of the NSA's internal Cryptolog periodical.
Security researchers released attacks on 7 TLS implementations, making use of Bleichenbacher's and Manger's attacks.
The research, named "The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations", also includes a TLS 1.3 downgrade attack.
Ransomware infected 100k computers in China and then demanded payment via WeChat; it uses XOR as its "encryption". The author was probably identified because he registered a domain in his own name.
It looks like the 13-year-old Virut botnet has been resurrected in the wild.
Great blog post on how a guy scammed a scammer into sending him a photo of his ID.
Nearly 250 pages of internal Facebook documents, emails and statistics were posted online by the UK Parliament.
User data of the question-and-answer website Quora was compromised.
The records of 500 million customers of the Marriott International hotel group were compromised.
An interesting revisited paper: "From Keys to Databases -- Real-World Applications of Secure Multi-Party Computation."
GTRS is a tool that uses Google Translate as a proxy to send arbitrary commands to an infected machine.
Sennheiser's HeadSetup software installs a root certificate into the OS trusted CA certificate store.
They have also put the private key on the device, the same one for all users, which allows any user to perform man-in-the-middle attacks against SSL communication of everyone who installed it.
The German chat platform Knuddels.de (Cuddles) has been fined 20k€ for storing user passwords in plain text.
What is interesting is that the regional GDPR data protection authority wanted to avoid bankrupting the company: "The overall financial burden on the company was taken into account in addition to other circumstances".
Crooks are using a new attack vector to spread malware: they request maintainer access to widely used open source projects on GitHub, then push a compromised version to millions of people.
Two international cybercriminal rings were dismantled and eight defendants indicted for causing tens of millions of dollars in losses through digital advertising fraud.
They produced the Boaxxe/Miuref and Kovter malware.
Cisco Talos has discovered DNSpionage malware targeting governments and companies in the Middle East via phishing attacks.
The U.S. Treasury Department has sanctioned two Iranians allegedly involved in the SamSam Bitcoin ransomware scheme.
They have basically put Bitcoin addresses on the Office of Foreign Assets Control's (OFAC) sanctions list.
Scammers are changing the contact details for banks on Google Maps.
Almost all VPN browser extensions are in fact just proxies and are vulnerable to varying degrees of IP and DNS leaks.
Google and Mozilla are working on letting web apps edit local user files despite warnings that it could be really dangerous.
The German Federal Office for Information Security (BSI) published a Microsoft Windows 10 telemetry analysis.
BlackBerry purchased Cylance, the machine-learning-based anti-malware company, for $1.4 billion.
They plan to integrate Cylance's anti-malware solution into the BlackBerry Spark platform.
The Sequoia team introduced the first release of a new Rust implementation of OpenPGP, licensed under GPL 3.0.
The German government-issued identity card (nPA) SDK had a critical security vulnerability that allowed an attacker to impersonate arbitrary users against affected web applications.
One of the largest dark web hosting service providers was hacked using the PHP vulnerability we wrote about a week ago and taken offline by deleting the whole database.
More than 6500 dark web services were hosted there, which means that literally one third of the publicly facing dark web is gone.
For 30 months, internet traffic going to Australian Defence websites flowed through China Telecom's data centers due to BGP hijacking.
"How the strange routing occurred is known. But the reasons why it persisted for so long aren't, and many involved in the situation aren't eager to directly comment."
The Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service of Ukraine detected a new Pterodo Windows backdoor targeting computers at Ukrainian government agencies.
The US government is persuading wireless and internet providers in allied countries to avoid telecommunications equipment from the Chinese company Huawei.
Mozilla published a blog post about their concern regarding the EU Terrorist Content Regulation.
A TinkerSec security researcher published on Twitter a great story about his insider penetration testing assignment. Really good read; he got busted.
The VUSec security group published the ECCploit paper and an article demonstrating Rowhammer bit-flip exploits on Error-Correcting Code (ECC) enabled systems.
Cryptocat author and security researcher Nadim Kobeissi published a ProtonMail encryption paper, "An Analysis of the ProtonMail Cryptographic Architecture".
MiSafes' Kids Watcher child-tracking smartwatches can be compromised, and the children wearing them can be tracked.
Zydis is the ultimate open-source x86 & x86-64 decoder/disassembler library.
Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attack. After reverse engineering an Nvidia GPU, the researchers were able to steal a rendered password box from a browser, sniff other browser-related data and also recover settings from neural network computations on a GPU in the data center.
Cybersecurity firm Trend Micro has analyzed new cryptocurrency mining malware that targets Linux and is able to hide its processes using a rootkit component.
The rootkit replaces and hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library, so tools that list /proc through libc can no longer see the miner's worker processes.
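As an added example (neither Trend Micro's code nor the malware's), the following Python script shows the defender's counterpart to the readdir hook described above: it compares the PIDs that readdir() reports for /proc with the PIDs found by opening /proc/<pid>/status directly by number, which a userland hook on readdir/readdir64 does not intercept. The function names, the two-pass scan and the sample /proc/<pid>/status text in the test are assumptions of this example:

```python
"""Find processes hidden by a libc readdir/readdir64 hook (added example).

A userland rootkit that filters readdir() can hide /proc/<pid> entries from
ps, top and ls, but the directory itself is still reachable by name, so
opening /proc/<pid>/status for every candidate PID still succeeds.
Any PID reachable by direct probe but absent from the listing is suspect.
"""
import os


def listed_pids(proc="/proc"):
    """PIDs as reported by readdir() on /proc (the hookable path)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def tgid_from_status(text):
    """Extract the thread group id from the text of /proc/<pid>/status,
    or None if the field is missing."""
    for line in text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def probed_pids(max_pid, proc="/proc"):
    """PIDs found by opening /proc/<pid>/status directly, without readdir().

    /proc/<tid> also exists for every thread although readdir never lists
    threads, so only thread-group leaders (Tgid == pid) are kept; otherwise
    every thread of a multithreaded process would be reported as hidden."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as fh:
                if tgid_from_status(fh.read()) == pid:
                    found.add(pid)
        except OSError:
            continue  # no such process, or not readable
    return found


def hidden_pids(listed, probed):
    """PIDs reachable by direct probe but missing from the readdir listing.
    Pure set logic, so it can be tested on constructed inputs."""
    return sorted(set(probed) - set(listed))


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    with open(path) as fh:
        return int(fh.read().strip())


def scan(passes=2, proc="/proc"):
    """Run the comparison several times and keep only PIDs hidden in every
    pass, which filters out processes that started or exited mid-scan."""
    max_pid = read_pid_max()
    result = None
    for _ in range(passes):
        hidden = set(hidden_pids(listed_pids(proc), probed_pids(max_pid, proc)))
        result = hidden if result is None else result & hidden
    return sorted(result)


def describe(pid, proc="/proc"):
    """Best-effort process name for reporting."""
    try:
        with open(f"{proc}/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    for pid in scan():
        print(f"hidden pid {pid} ({describe(pid)})")
```

Probing every PID up to pid_max takes some seconds on a default 64-bit kernel, which is acceptable for an on-demand check. The comparison only defeats hooks at the libc layer (LD_PRELOAD or a patched libc); a kernel-level rootkit that filters the getdents system call or the /proc lookups themselves would hide from this script as well, so a statically linked tool or an inspection from a trusted boot medium is the next step when a hit is found.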
An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on continuous positive airway pressure (CPAP) machines to create a free tool that lets patients modify their treatment.
In 2016, Russia's Internet Research Agency used browser plugin malware called FaceMusic which "liked" Russian content and made it popular on social networks.
Now a Russian national living in Bulgaria has been detained on a US arrest warrant and is accused of online fraud and of maintaining a computer network with servers in Dallas between Sep 2014 and Dec 2016.
The European Commission has just announced trials in Hungary, Greece and Latvia of the iBorderCtrl project, which includes an AI-based lie detection system to spot when visitors to the EU give false information about themselves and their reasons for entering the area.
Troy Hunt analyzed 2FA and U2F authentication mechanisms and commented on the Google Advanced Protection enrollment procedure.
The Bitwarden open source password manager has completed a thorough security audit and cryptographic analysis by the security experts at Cure53.
According to the Censys online platform, over a million AT&T devices, probably cable modems, share the same TLS private key.
Researchers from Mozilla published a blog post on how they designed the privacy-aware Firefox Sync.
Two weeks ago we wrote about an attack against the OCB2 authenticated encryption scheme that breaks the integrity of OCB2.
Now there are two more papers: one breaks confidentiality and the other recovers plaintext.
There is a zero-day exploit, "PHP_imap_open_exploit", for PHP that allows bypassing disabled exec functions by calling imap_open.