InfoSec Week 49, 2018
Apple included support for the WebAuthentication API in the latest Safari Release 71 (Technology Preview). As implemented, WebAuthentication supports USB-based CTAP2 devices.
Posted
#Weekly-News
Sennheiser's HeadSetup software installs a root certificate into the OS Trusted CA Certificate store. They have also put a private key on a device, the same one for all users, which allows any user to perform man-in-the-middle attacks against SSL communication.
The German government-issued identity card (nPA) SDK had a critical security vulnerability allowing an attacker to impersonate arbitrary users against affected web applications.
Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attacks. After reverse engineering an Nvidia GPU, the researchers were able to steal a rendered password box from a browser, sniff other browser-related data, and also steal settings from neural network computations on a GPU in the data center.
A default VirtualBox virtual network device has a vulnerability allowing an attacker with root privileges to escape the guest OS and execute commands in ring 3 on the host. All operating systems are affected.
US federal prosecutors say that Chinese spies hacked a dozen firms to steal aviation engineering secrets for a Chinese aerospace company.
A zero-day vulnerability in the jQuery File Upload plugin has been actively exploited for at least three years. Patch now!
The Czech Security Intelligence Service (BIS) shut down Hezbollah servers used in a Hezbollah hacking operation. The hackers used female Facebook profiles to trick victims into installing spyware.
A memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation can screw you. Just answering a call from an attacker could completely compromise WhatsApp.
Estonia sues Gemalto for €152M over ID card flaws. According to an article, some keys were NOT generated on a smartcard due to a scaling issue. Well, looks like they are not affected by the ROCA vulnerability, just compromised by Gemalto :)
Linux has officially committed to implementing and obeying the Code of Conduct, which is immediately being misused to remove top Linux coders. Some of the Linux developers are now threatening to withdraw the license to all of their code.
The Purism project introduced its own security token called the Librem Key. They have partnered with the Nitrokey manufacturer, but the firmware provides additional functionality, like a challenge-response mode where the key informs you if the BIOS running on a PC has validated itself to the key.