Malgregator

InfoSec Week 50, 2018

According to the New York Times sources, Marriott customers' data were breached by Chinese hackers.
Attribution is hard, especially when investigating government related hacks. We have to wait for more information.
https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

A Google+ API software update introduced in November had caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
https://www.blog.google/technology/safety-security/expediting-changes-google-plus/

Excellent journalistic piece about the location data industry. It's impossible to anonymize this kind of datasets. Really recommended!
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Pro by using WinAFL fuzzer.
https://research.checkpoint.com/50-adobe-cves-in-50-days/

The Cisco Talos team wrote about the various practical side-channel attack scenarios against the encrypted messaging apps like WhatsApp, Telegram, and Signal.
https://blog.talosintelligence.com/2018/12/secureim.html

Study finds 5 out of 17 tested certification authorities are vulnerable to spoofing domain validation by using the IP fragmentation attack.
https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf

A team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through the use of specially-crafted URLs.
https://jenkins.io/security/advisory/2018-12-05/

Microsoft took the first step in advocacy for the regulation of a facial recognition technology.
https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

A recent variant of a Shamoon malware wiped around ten percent PCs of the Italian oil and gas company Saipem.
https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/

Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
https://informnapalm.org/en/seared-by-napalm-russian-state-duma-advances-legislation-banning-russian-servicemen-from-publishing-personal-information-online/

Researcher Natalie Silvanovich from the Google Project Zero fuzzed WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-3.html

Australian guys, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
https://github.com/alfiedotwtf/AABillFAQ

InfoSec Week 49, 2018

Apple included support for the WebAuthentication API in the latest Safari Release 71 (Technology Preview). The new WebAuthentication as implemented supports USB-based CTAP2 devices.
https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/

Critical Kubernetes privilege escalation bug (CVE-2018-1002105) was found and patched during this week. When exploited, the bug allows anonymous users as well a authenticated one to use admin privileges over the cluster API.
There is an exploit published on a GitHub already.
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/evict/poc_CVE-2018-1002105

British Telecom will not use Huawei's 5G kit within the core of the network due to security concerns.
https://www.bbc.com/news/technology-46453425

Security agencies in Australia will gain greater access to encrypted messages due to a new legislative.
https://mobile.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944

US National Security Archive published a complete index of all 1504 items in the declassified collection of NSA internal Cryptolog periodical.
https://nsarchive.gwu.edu/briefing-book/cyber-vault/2018-12-04/cyber-brief-cryptolog

Security researchers released attacks on 7 TLS implementations, making use of Bleichenbacher and Manger's attack.
The research with a name "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations" also includes a TLS 1.3 downgrade attack.
http://cat.eyalro.net/

Ransomware Infected 100k computers in China then demands WeChat Payment and is using XOR as an "encryption". Author was probably identified because he registered domain to his own name.
https://movaxbx.ru/2018/12/05/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/

It looks like 13 years old Virut botnet is resurrected in the wild.
https://chrisdietri.ch/post/virut-resurrects/

Great blog on how guy scammed the scammer to send him photo of his ID.
https://medium.com/@hackerfantastic/scamming-the-scammers-2fb934099ccc

Nearly 250 Pages of internal Facebook documents, emails and statistics were posted online by the UK Parliament.
https://motherboard.vice.com/en_us/article/59vwez/nearly-250-pages-of-devastating-internal-facebook-documents-posted-online-by-uk-parliament

A User Data of the question-and-answer website Quora were compromised.
https://help.quora.com/hc/en-us/articles/360020212652

The records of 500 million customers of the Marriott International hotel group were compromised.
https://www.bbc.com/news/technology-46401890

Interesting revisited paper: "From Keys to Databases -- Real-World Applications of Secure Multi-Party Computation."
https://eprint.iacr.org/2018/450

GTRS - is a tool that uses Google Translator as a proxy to send arbitrary commands to an infected machine.
https://github.com/mthbernardes/GTRS

InfoSec Week 48, 2018

Sennheiser's HeadSetup software is installing a root certificate into the OS Trusted CA Certificate store.
They have also put a private key on a device, the same one for all users, which allows any user to perform a man-in-the-middle SSL attacks against SSL communication.
https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/

German chat platform Knuddels.de (Cuddles) has been fined 20k€ for storing user passwords in plain text.
What is interesting is that the regional GDPR data watchdog wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances".
https://www.theregister.co.uk/2018/11/23/knuddels_fined_for_plain_text_passwords/

Crooks are using new attack vector to spread malware, they are requesting maintainer access to a widely-used open source projects on github, then pushing compromised version to millions of people.
https://github.com/dominictarr/event-stream/issues/116

Two international cybercriminal Rings dismantled and eight defendants indicted for causing tens of millions of dollars in losses in the digital advertising fraud.
They have produced Boaxxe/Miuref & Kovter malware.
https://www.us-cert.gov/ncas/alerts/TA18-331A

Cisco Talos has discovered DNSpionage malware targeting governments and companies in the Middle East using phishing attack.
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

The U.S. Treasury Department has sanctioned two Iranians allegedly involved in Bitcoin ransomware scheme SamSam.
They have basically put Bitcoin addresses on the Office of Foreign Assets Control’s (OFAC) sanctions list.
https://home.treasury.gov/news/press-releases/sm556

Scammers are changing the contact details for banks on Google Maps.
http://blog.abhijittomar.com/2018/10/19/google-business-claim-scam/

Almost all VPN browser extensions are in fact just a proxy and are vulnerable to a different level of IP leaks and DNS leaks.
https://blog.innerht.ml/vpn-extensions-are-not-for-privacy/

Google, Mozilla are working on letting web apps edit local user files despite warning it could be really dangerous.
https://www.techrepublic.com/article/google-mozilla-working-on-letting-web-apps-edit-files-despite-warning-it-could-be-abused-in-terrible/

The German Federal Office for Information Security, BSI, publishes Microsoft Windows 10 telemetry analysis.
https://www.ghacks.net/2018/11/23/german-federal-office-bsi-publishes-telemetry-analysis/

BlackBerry purchased Cylance, the machine-learning based anti-malware company for $1.4 billion dollars.
They plans to integrate Cylance's anti-malware solution into the BlackBerry Spark platform.
https://www.csoonline.com/article/3321746/security/blackberrys-acquisition-of-cylance-raises-eyebrows-in-the-security-community.html

The Sequoia team introduced the first release of a new Rust implementation of the OpenPGP licensed under GPL 3.0.
https://sequoia-pgp.org/blog/2018/11/26/initial-release/

InfoSec Week 47, 2018

The German government-issued identity card (nPA) SDK had a critical security vulnerability allowing an attacker to impersonate arbitrary users against affected web applications.
https://seclists.org/fulldisclosure/2018/Nov/56

One of the largest dark Web hosting service providers was hacked using the PHP vulnerability we wrote a week ago and taken offline by deleting the whole database.
More than 6500 Dark Web services were hosted there which means that literally one third of the publicly facing dark web is gone.
https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/

For 30 months, internet traffic going to Australian Defense websites flowed through the China Telecom's data centers due to BGP hijacking.
"How the strange routing occurred is known. But the reasons why it persisted for so long aren't, and many involved in the situation aren't eager to directly comment."
https://www.databreachtoday.com/did-china-spy-on-australian-defense-websites-a-11714

The Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service of Ukraine detected a new malware Pterodo Windows backdoor that was targeting computers at Ukrainian government agencies.
https://hackercombat.com/new-pterodo-backdoor-malware-detected-by-ukraine/

The US government is persuading wireless and internet providers in allied countries to avoid telecommunications equipment from Chinese company Huawei.
https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12165136

Mozilla published a blog post about their concern regarding the EU Terrorist Content Regulation.
https://blog.mozilla.org/netpolicy/2018/11/21/the-eu-terrorist-content-regulation-a-threat-to-the-ecosystem-and-our-users-rights/

TinkerSec security researchers published on a Twitter a great story about his insider penetration testing assignment. Really good read, he got busted.
https://threader.app/thread/1063423110513418240

The VUSec security group published ECCploit paper and an article demonstrating Rowhammer bitflip exploits on the Error-correcting Code (ECC) enabled systems.
https://www.vusec.net/projects/eccploit/

The Crypto.cat author, security researcher Nadim Kobeissi published ProtonMail encryption paper, "An Analysis of the ProtonMail Cryptographic Architecture".
https://eprint.iacr.org/2018/1121

MiSafes' Kids Watcher child-tracking smartwatches can be compromised, children can be tracked.
https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/

Zydis is the ultimate, open-source X86 & X86-64 decoder/disassembler library.
https://github.com/zyantific/zydis

InfoSec Week 46, 2018

Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attacks. After reverse engineering Nvidia GPU, researchers were able to steal rendered password box from a browser, sniffed other browser related data and also settings from the neural network computations on a GPU in the data center.
https://www.networkworld.com/article/3321036/data-center/gpus-are-vulnerable-to-side-channel-attacks.html

Cybersecurity firm Trend Micro has analyzed a new cryptocurrency mining malware that targets Linux OS and is able to hide its processes by implementing a rootkit component.
The rootkit will replace and hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library so the system is unable to monitor miner workers anymore.
https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth

An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on a continuous positive airway pressure (CPAP) machines to create a free tool that lets patients modify their treatment.
https://motherboard.vice.com/en_us/article/xwjd4w/im-possibly-alive-because-it-exists-why-sleep-apnea-patients-rely-on-a-cpap-machine-hacker

In 2016, Russia's Internet Research Agency used browser plugin malware called FaceMusic which "liked" Russian content and made their content popular on a social networks.
Now a Russian national living in Bulgaria has been detained on an US arrest warrant and is accused of online fraud & maintaining a computer network with servers in Dallas between Sep 2014 - Dec 2016.
https://edition.cnn.com/2018/11/10/world/russian-hacker-wanted-by-the-united-states-arrested-in-bulgaria/index.html

The European Commission has just announced trials in Hungary, Greece and Latvia of iBorderCtrl project that includes the use of an AI-based lie detection system to spot when visitors to the EU give false information about themselves and their reasons for entering the area.
https://www.privateinternetaccess.com/blog/2018/11/ai-based-lie-detection-system-at-eu-borders-will-screen-travellers-for-biomarkers-of-deceit

Troy Hunt analyzed 2FA, U2F authentication mechanisms and commented on the Google Advanced Protection enrollment procedure.
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/

Bitwarden open source password manager has completed a thorough security audit and cryptographic analysis from the security experts at Cure53.
https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

According to a Censys online platform, over a million AT&T devices, probably cable modems share the same TLS private key.
https://twitter.com/nikitab/status/1062161234173288449

Researchers from Mozilla published blog on how they have designed privacy-aware Firefox Sync.
https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

Two weeks ago we wrote about an attack against the OCB2 authenticated encryption scheme. It breaks integrity of OCB2.
Now there are two more papers, one breaks confidentiality and the other recovers plain text.
https://ia.cr/2018/1087
https://ia.cr/2018/1090

There is a zero day exploit "PHP_imap_open_exploit" in PHP that allows bypassing disabled exec functions by using call to imap_open.
https://github.com/Bo0oM/PHP_imap_open_exploit

InfoSec Week 45, 2018

A default VirtualBox virtual network device has a vulnerability allowing an attacker with root privilege to escape guest OS, execute commands in ring3 on a host.
All operating systems affected.
https://github.com/MorteNoir1/virtualbox_e1000_0day

Researchers at Radboud University in the Netherlands have revealed encryption vulnerabilities in the solid-state drives (SSD).
Samsung nor Crucial manufacturers are producing buggy firmware where anybody who steals your drive is able to decrypt it on their own.
https://www.ru.nl/publish/pages/909275/draft-paper_1.pdf

Police in the Netherlands were able to decrypt more than 258,000 messages sent using proprietary IronChat end-to-end (probably not) encrypted messaging application.
Lessons learned: do not use custom, proprietary, "exclusive" application nobody else except your gang members have...
https://www.politie.nl/en/news/2018/november/02-apeldoorn-police-have-achieved-a-breakthrough-in-the-interception-and-decryption-of-crypto-communication.html

The first release of 5G (3GPP Release 15) includes protection against an active IMSI catching.
"But in a typical case where 5G UE also supports LTE, it is still vulnerable to LTE IMSI catchers."
https://arxiv.org/abs/1811.02293

New "PortSmash" CPU side channel vulnerability impacts all CPUs that use a Simultaneous Multithreading (SMT).
The vulnerability has been discovered by researchers from the Tampere University of Technology in Finland and Technical University of Havana, Cuba.
https://github.com/bbbrumley/portsmash

Troy Hunt published blog on how passwords are superior to many alternative methods, primarily because "everyone understands how to use it".
https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/

US Cyber Command (USCYBERCOM) starts uploading unclassified foreign APT malware samples to VirusTotal.
https://www.cybercom.mil/Media/News/News-Display/Article/1681533/new-cnmf-initiative-shares-malware-samples-with-cybersecurity-industry/

Iran found CIA spies by Googling their online communication channels after double agent told them modus operandi.
https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html

Some explanation by Doug Madory of Oracle on how and when China Telecom hijacked BGP routing to send US-to-US traffic via mainland China.
https://internetintel.oracle.com/blog-single.html?id=China+Telecom%27s+Internet+Traffic+Misdirection

Early version of an open source, free WireGuard for iOS VPN tunneling implementation is in public testing.
https://lists.zx2c4.com/pipermail/wireguard/2018-November/003526.html

Microsoft releases a Linux version of their ProcDump Sysinternals Tool.
https://github.com/Microsoft/ProcDump-for-Linux

InfoSec Week 44, 2018

The US federal prosecutors say that Chinese spies hacked dozen firms to steal aviation engineering secrets for the Chinese aerospace company.
https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/

Apple's ICMP packet-handling code contains a heap buffer overflow vulnerability (CVE-2018-4407).
Exploit can DoS any Mac, iOS device on a network by sending a crafted packet. The ping of death is back.
https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407

Microsoft is sharing Indian bank customers' data with U.S. intelligence agencies.
Looks like the banks were aware of it, when they have signed the Office 365 license agreements.
https://www.neowin.net/news/microsoft-has-been-sharing-indian-bank-customers039-data-with-us-intelligence-agencies

Google announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges. It uses the score based on the user on-site interactions.
https://developers.google.com/recaptcha/docs/v3

The end-to-end encrypted instant messaging application Signal introduced a new "Sealed sender" privacy feature that is protecting the sender before traffic observation.
https://signal.org/blog/sealed-sender/

Multiple malicious python libraries found and removed from PyPI. Guys are typo-squatting popular repository names and deliver malware.
https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

Great list of lessons learned over 20 years of red teaming by security expert Matt Devost.
https://www.oodaloop.com/ooda-original/2015/10/22/10-red-teaming-lessons-learned-over-20-years/

Cisco Talos researchers found a code execution vulnerability in the anti-malware tool Sophos HitmanPro.Alert.
https://www.scmagazineuk.com/vulnerability-found-sophos-anti-malware-product/article/1497367

Researcher Jay Rosenberg documents clear connection between one of Lazarus Group's tools and an open source Chinese CasperPhpTrojan remote access trojan.
https://www.intezer.com/paleontology-the-unknown-origins-of-lazarus-malware/

Apple releases specification of T2 security chip.
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

Researchers announced a fast attack breaking OCB2, an ISO-standard authenticated encryption scheme.
https://eprint.iacr.org/2018/1040

InfoSec Week 43, 2018

A zero-day vulnerability in the jQuery File Upload plugin is actively exploited for at least three years. Patch now!
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206

A massive ad fraud scheme involving more than 125 Android apps and websites exploited Android Phones to steal millions.
Literally, almost everybody is doing this scheme against the smartphone users these days.
https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fraud-scheme-exploited-android-phones-to

Kaspersky Lab analyzed complex DarkPulsar backdoor administrative module for a malware leaked by the ShadowBrokers.
They have found around 50 victims located in Russia, Iran and Egypt, mostly companies working in the nuclear energy, telecommunications, IT, aerospace and R&D.
https://securelist.com/darkpulsar/88199/

Haaretz investigation reveals Israel has become a leading exporter of tools for spying on civilians.
Dictators around the world use them eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
https://www.haaretz.com/israel-news/.premium.MAGAZINE-israel-s-cyber-spy-industry-aids-dictators-hunt-dissidents-and-gays-1.6573027

The consultancy firm McKinsey helping Saudi Arabia identify influential Saudis who opposed the government's line on Twitter.
Some of those individuals were later imprisoned & targeted with sophisticated spyware.
https://www.nytimes.com/2018/10/20/us/politics/saudi-image-campaign-twitter.html

Companies building "Smart home" products refuse to say whether law enforcement is using their products to spy on citizens.
https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/

Mozilla announces experimental partnership with the ProtonVPN.
They will offer a virtual private network (VPN) service to a small group of Firefox users.
https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/

The UK grassroots internet provider is testing a data only SIM card that blocks any non-Tor traffic from leaving the phone.
https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-data-through-tor-brass-horn-communications

That feeling when you can steal a Tesla by relay attack (or key cloning?), but you have to Google how to unplug the charger.
https://gizmodo.com/hackers-allegedly-caught-on-video-stealing-tesla-model-1829905478

An insightful review of Android's secure backup practices published by NCC Group.
https://www.nccgroup.trust/us/our-research/android-cloud-backuprestore/?research=Public+Reports

Endpoint security pioneer Joanna Rutkowska leaves Qubes OS, joins the Golem project.
https://www.qubes-os.org/news/2018/10/25/the-next-chapter/

Matthew Green wrote a post on password-based authenticated key exchange (PAKE )and the new OPAQUE protocol.
Quite useful techniques more people should know about.
https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/

Signal Desktop leaves message decryption key in the plain text.
https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/

Trail of Bits published a useful guide to the post-quantum cryptography.
https://blog.trailofbits.com/2018/10/22/a-guide-to-post-quantum-cryptography/

InfoSec Week 42, 2018

The Czech Security Intelligence Service (BIS) shuts down Hezbollah servers in the Hezbollah hacking operation. Hackers used female Facebook profiles to trick victims into installing spyware.
https://www.zdnet.com/article/czech-intelligence-service-shuts-down-hezbollah-hacking-operation/

More than 420K compromised MikroTik routers can be found on the Internet with half of them mining cryptocurrencies, according to the results of Censys scanner.
Also, there is anonymous gray-hat researcher patching them remotely.
https://twitter.com/bad_packets/status/1050533001824595968
https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

Fake Adobe updates are circulating that will actually update the Windows version of a plugin on your computer, but also install cryptocurrency mining malware.
https://researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/

According to a new research, if you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. https://www.schneier.com/blog/archives/2018/10/how_dna_databas.html

The Pentagon travel system has been hacked. Personal information and credit card data of at least 30K U.S. military and civilian personnel are affected.
https://www.militarytimes.com/news/your-military/2018/10/12/pentagon-reveals-cyber-breach-of-travel-records/

A PoC exploit for a Windows (CVE-2018-8495) remote code execution vulnerability that can be exploited via Microsoft Edge has been published.
https://leucosite.com/Microsoft-Edge-RCE/

There is a serious SSH bug discovered in LibSSH library.
Basically a client can bypass the authentication process by telling the server to set the internal state machine maintained by the library to authenticated.
https://www.libssh.org/security/advisories/CVE-2018-10933.txt

Electron just merged fix enabling position independent executable build (PIE) on Linux, so all Electron-Apps on Linux can soon leverage Address space layout randomization (ASLR) protection.
https://github.com/electron/electron/pull/15148

On this site, you can find "every byte of a TLS connection explained and reproduced".
Really interesting project.
https://tls.ulfheim.net/

Researcher Lance R. Vick started a spreadsheet to compare relative security, privacy, compatibility, and features of various messenger systems.
https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHalWVztqZo7uxlCeKPQ-8uoFOU/edit

Recorded Future published analysis of a Russian and Chinese illegal hacking Communities.
https://www.recordedfuture.com/russian-chinese-hacking-communities/

Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on a network from learning users browsing history.
https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/

Swedish kids can read about the DNSSEC on a milk carton.
https://twitter.com/recollir/status/1051480941171003392/photo/1

InfoSec Week 41, 2018

Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation can screw you. Just answering a call from an attacker could completely compromise WhatsApp.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1654

Great story about the spear phishing scheme against the MacEwan University in Canada. Investigators were able to track stolen money to China and back to the Canadian real estate investments.
https://www.thestar.com/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it.html

Millions of Xiongmai video surveillance devices can be easily hacked. Devices can be discovered because of predictable cloud ID derived from the MAC address, then compromised by using malicious firmware images delivered by fake update server.
https://sec-consult.com/en/blog/2018/10/millions-of-xiongmai-video-surveillance-devices-can-be-hacked-via-cloud-feature-xmeye-p2p-cloud/

US Department of Defense published some findings from the weapons systems pentesting.
Weak passwords, port scans that caused the weapons system to fail, etc.
https://www.gao.gov/mobile/products/GAO-19-128

"Making sense of the alleged Supermicro motherboard attack" published by researchers at the University of Cambridge Computer Laboratory is explaining the possible technical aspects behind the recent Bloomberg story about the hardware backdoors shipped from China.
https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

US Police used victims' Fitbit data to charge 90-Year-Old man in stepdaughter’s killing.
They knew about the suspect, but the Fitbit data made the investigation easier.
https://www.nytimes.com/2018/10/03/us/fitbit-murder-arrest.html

New Zealand can now fine travelers who refuse to unlock their digital devices for a search.
http://www.abc.net.au/news/2018-10-04/nz-customs-can-force-travellers-to-unlock-digital-devices/10338662

Microsoft patches zero day vulnerability (CVE-2018-8453) in the win32k.sys discovered by Kaspersky Lab back in August.
The exploit is used to target victims in the Middle East.
https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/

There are multiple severe vulnerabilities reported in the Juniper network devices.
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES

Red Hat's Flatpak used for application distribution on Linux is implementing some questionable security practices.
https://flatkill.org/

Exploit for MikroTik router WinBox vulnerability gives full root access.
https://thehackernews.com/2018/10/router-hacking-exploit.html

Congratulations to ICANN for the first-ever DNSSEC root key signing key rollover that took place on 11 October 2018.
https://www.icann.org/resources/pages/ksk-rollover

Mozilla decided to delay distrust of the Symantec TLS certification authority from their browsers.
https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/

ADAPE-Script - Active Directory Assessment and Privilege Escalation Script can automate your AD recon and pentesting.
https://github.com/hausec/ADAPE-Script


Page 1 / 11