The US federal prosecutors say that Chinese spies hacked dozen firms to steal aviation engineering secrets for the Chinese aerospace company.
Apple's ICMP packet-handling code contains a heap buffer overflow vulnerability (CVE-2018-4407).
Exploit can DoS any Mac, iOS device on a network by sending a crafted packet. The ping of death is back.
Microsoft is sharing Indian bank customers' data with U.S. intelligence agencies.
Looks like the banks were aware of it, when they have signed the Office 365 license agreements.
Google announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges. It uses the score based on the user on-site interactions.
The end-to-end encrypted instant messaging application Signal introduced a new "Sealed sender" privacy feature that is protecting the sender before traffic observation.
Multiple malicious python libraries found and removed from PyPI. Guys are typo-squatting popular repository names and deliver malware.
Great list of lessons learned over 20 years of red teaming by security expert Matt Devost.
Cisco Talos researchers found a code execution vulnerability in the anti-malware tool Sophos HitmanPro.Alert.
Researcher Jay Rosenberg documents clear connection between one of Lazarus Group's tools and an open source Chinese CasperPhpTrojan remote access trojan.
Apple releases specification of T2 security chip.
Researchers announced a fast attack breaking OCB2, an ISO-standard authenticated encryption scheme.
A zero-day vulnerability in the jQuery File Upload plugin is actively exploited for at least three years. Patch now!
A massive ad fraud scheme involving more than 125 Android apps and websites exploited Android Phones to steal millions.
Literally, almost everybody is doing this scheme against the smartphone users these days.
Kaspersky Lab analyzed complex DarkPulsar backdoor administrative module for a malware leaked by the ShadowBrokers.
They have found around 50 victims located in Russia, Iran and Egypt, mostly companies working in the nuclear energy, telecommunications, IT, aerospace and R&D.
Haaretz investigation reveals Israel has become a leading exporter of tools for spying on civilians.
Dictators around the world use them eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
The consultancy firm McKinsey helping Saudi Arabia identify influential Saudis who opposed the government's line on Twitter.
Some of those individuals were later imprisoned & targeted with sophisticated spyware.
Companies building "Smart home" products refuse to say whether law enforcement is using their products to spy on citizens.
Mozilla announces experimental partnership with the ProtonVPN.
They will offer a virtual private network (VPN) service to a small group of Firefox users.
The UK grassroots internet provider is testing a data only SIM card that blocks any non-Tor traffic from leaving the phone.
That feeling when you can steal a Tesla by relay attack (or key cloning?), but you have to Google how to unplug the charger.
An insightful review of Android's secure backup practices published by NCC Group.
Endpoint security pioneer Joanna Rutkowska leaves Qubes OS, joins the Golem project.
Matthew Green wrote a post on password-based authenticated key exchange (PAKE )and the new OPAQUE protocol.
Quite useful techniques more people should know about.
Signal Desktop leaves message decryption key in the plain text.
Trail of Bits published a useful guide to the post-quantum cryptography.
The Czech Security Intelligence Service (BIS) shuts down Hezbollah servers in the Hezbollah hacking operation. Hackers used female Facebook profiles to trick victims into installing spyware.
More than 420K compromised MikroTik routers can be found on the Internet with half of them mining cryptocurrencies, according to the results of Censys scanner.
Also, there is anonymous gray-hat researcher patching them remotely.
Fake Adobe updates are circulating that will actually update the Windows version of a plugin on your computer, but also install cryptocurrency mining malware.
According to a new research, if you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. https://www.schneier.com/blog/archives/2018/10/how_dna_databas.html
The Pentagon travel system has been hacked. Personal information and credit card data of at least 30K U.S. military and civilian personnel are affected.
A PoC exploit for a Windows (CVE-2018-8495) remote code execution vulnerability that can be exploited via Microsoft Edge has been published.
There is a serious SSH bug discovered in LibSSH library.
Basically a client can bypass the authentication process by telling the server to set the internal state machine maintained by the library to authenticated.
Electron just merged fix enabling position independent executable build (PIE) on Linux, so all Electron-Apps on Linux can soon leverage Address space layout randomization (ASLR) protection.
On this site, you can find "every byte of a TLS connection explained and reproduced".
Really interesting project.
Researcher Lance R. Vick started a spreadsheet to compare relative security, privacy, compatibility, and features of various messenger systems.
Recorded Future published analysis of a Russian and Chinese illegal hacking Communities.
Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on a network from learning users browsing history.
Swedish kids can read about the DNSSEC on a milk carton.
Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation can screw you. Just answering a call from an attacker could completely compromise WhatsApp.
Great story about the spear phishing scheme against the MacEwan University in Canada. Investigators were able to track stolen money to China and back to the Canadian real estate investments.
Millions of Xiongmai video surveillance devices can be easily hacked. Devices can be discovered because of predictable cloud ID derived from the MAC address, then compromised by using malicious firmware images delivered by fake update server.
US Department of Defense published some findings from the weapons systems pentesting.
Weak passwords, port scans that caused the weapons system to fail, etc.
"Making sense of the alleged Supermicro motherboard attack" published by researchers at the University of Cambridge Computer Laboratory is explaining the possible technical aspects behind the recent Bloomberg story about the hardware backdoors shipped from China.
US Police used victims' Fitbit data to charge 90-Year-Old man in stepdaughter’s killing.
They knew about the suspect, but the Fitbit data made the investigation easier.
New Zealand can now fine travelers who refuse to unlock their digital devices for a search.
Microsoft patches zero day vulnerability (CVE-2018-8453) in the win32k.sys discovered by Kaspersky Lab back in August.
The exploit is used to target victims in the Middle East.
There are multiple severe vulnerabilities reported in the Juniper network devices.
Red Hat's Flatpak used for application distribution on Linux is implementing some questionable security practices.
Exploit for MikroTik router WinBox vulnerability gives full root access.
Congratulations to ICANN for the first-ever DNSSEC root key signing key rollover that took place on 11 October 2018.
Mozilla decided to delay distrust of the Symantec TLS certification authority from their browsers.
ADAPE-Script - Active Directory Assessment and Privilege Escalation Script can automate your AD recon and pentesting.
Estonia sues Gemalto for €152M over ID card flaws. According to an article, some keys were NOT generated on a smartcard due to a scaling issue.
Well, looks like they are not affected by ROCA vulnerability, just compromised by Gemalto:)
Apple laptops on Intel chipsets were running in the Intel Management Engine Manufacturing Mode. The vulnerability (CVE-2018-4251) was patched in macOS High Sierra update 10.13.5.
By exploiting the vulnerability, an attacker could write old versions of Intel ME without physical access to the computer, with the possibility of running arbitrary code in ME.
The FBI took down Phantom Secure, a Canadian (not only) encrypted communication service.
The company turned smartphones to a single use encrypted communication devices, mostly to be used by drug kingpins.
The service was sold only to a customers recommended by the existing one.
The US-CERT has released a technical alert warning about a new "FASTCash" ATM scheme being used by the North Korean APT hacking group.
The malware installed on the issuers' compromised switch application servers intercepts the transaction request and responds the fake responses, fooling ATMs to spit out a large amount of cash.
Brian Krebs wrote about the really clever phishing scam schemes executed over the phone. They are pretending to be a bank, and have lots of information about the victim before the scam occurs.
Some Reddit guy found tiny Linux PC hooked to to a router in his apartment. Investigation showed, that it is some kind of information stealing device and the info collectors are paying a "rent" to a roommate which implanted it on his own network. https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6nh61r/
Facebook published some technical details about the recent profile leaking vulnerability.
The attackers connected three bugs and basically automated the whole process of obtaining user access tokens.
ESET researchers documented the first UEFI rootkit found in the wild. Called LoJax, the rootkit is targeting central, eastern Europe and Balkan government organizations.
Conor Patrick recently launched Kickstarter campaign for Solo, the first open source FIDO2 USB, NFC security key. Support it!
A step-by-step Linux kernel exploitation for CVE-2017-11176 with the exploit code included.
Linux had officially committed to implementing and obeying the Code of Conduct — which is immediately misused to remove top Linux coders.
Some of the Linux developers are now threatening to withdraw the license to all of their code.
Bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts should be affected.
Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
Australian government pushes for the smartphone spyware implanted by Telco vendors, manufacturers.
At least the sixth backdoor account was removed from Cisco devices this year.
This time it's "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) Software.
ESET researchers discovered, that the Kodi Media Player add-ons are misused for the cryptocurrency mining malware distribution.
According to a stackexchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
Researchers proved that the security of PKCS #1 Digital Signatures is as secure as any of its successors like RSA-PSS and RSA Full-Domain.
There is a novel cache poisoning attack on WiFi by a remote off-path mitm attack vector.
Takes only 30 seconds and is using interesting multi-packet injection for timing side channel inference for injection. Works on Windows, OSX and Linux.
Purism project introduced their own security token called the Librem Key. They have partnered with the Nitrokey manufacturer, but the firmware provides additional functionality, like a challenge response mode where the key informs you if the bios running on a PC has validated itself to the key.
Google built a prototype of a censored search engine which should be used in China, that links users’ searches to their phone numbers.
According to a Swiss officials, two Russian spies caught in the Netherlands had been plotting a cyber attack on a Swiss defense lab analyzing the Novichok nerve agent used in the Salisbury poisoning.
Citizen Lab has published a new report about the Pegasus spyware created by Israeli cyber-security firm NSO Group.
The malware is operating on both Android and iOS devices, and the researchers identified 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations.
Hackers were running cryptocurrency mining malware on the Indian government sites.
Every day this week, Cloudflare is announcing support for a new technology that uses cryptography.
They have introduced Onion service, BGP PKI (RPKI), IPFS node. Essentially, we can call them an active global adversary now.
The Western Digital My Cloud was affected by an authentication bypass vulnerability.
An unauthenticated attacker could exploit this vulnerability to authenticate as an admin user without needing to provide a password.
NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO), because they found out that the "vendors have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission."
The new Necurs botnet spam campaign targets Banks with the malicious Wizard (.wiz) files used by Microsoft programs such as Word to guide users through complex or repetitive tasks.
Informative blog by the LineageOS engineers covering Qualcomm bootloader chain of trust to the point of Android OS being loaded.
GnuPG can now be used to perform notarial acts in the State of Washington.
A new CSS-based web attack will crash and restart your iPhone.
Interesting project - SlotBot: Hacking slot machines to win the jackpot with a buttonhole camera and brute-force search.
Tesla model S is using a 40bit challenge response scheme broken back in 2005. Researchers stole a car in ~6 seconds with precomputed tables.
This kind of bug is an law enforcement dream.
Very interesting read from Troy Hunt on the effectiveness of negative media coverage and shaming of bad security.
Researchers say that the developers of Adware Doctor, the fourth highest ranking paid app in the Mac App Store, have found a way to bypass Apple restrictions and sends the browsing history of its users to a server in China. Apple already removed the application from the Mac Store.
Apple has also removed most of the popular security applications offered by cyber-security vendor Trend Micro from its official Mac App Store after they were caught stealing users' sensitive data without their consent.
European Court of Human Rights rules that GCHQ Data collection violates the human rights charter.
The Iran government, at least since 2016, is is spying on its citizens, Kurdish and Turkish natives, and ISIS supporters, using mobile applications with a malware.
The operation has been named Domestic Kitten.
Researchers introduced previously overlooked side-channel attack vector called Nemesis that abuses the CPU’s interrupt mechanism to leak microarchitectural instruction timings from enclaved execution environments such as Intel SGX, Sancus, and TrustLite.
India’s controversial Aadhaar identity database software was hacked, ID database compromised.
The vulnerability could allow someone to circumvent security measures in the Aadhaar software, and create new entries.
Criminals are faking Google Analytics script to steal credential and stay under the radar.
The OpenSSL team released version 1.1.1. There are a lots of new features like TLS 1.3 support, side-channel hardening, new RNG, SHA3, Ed25519 support.
USB media shipped with the Schneider Electric Conext ComBox and Conext Battery Monitor solar products were infected with malware.
Two days after the proof-of-concept exploit for the Windows Task Scheduler vulnerability appeared online, malware developers have started using it.
Five Eyes, an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States, officially warns the tech world that they should build interception capabilities voluntarily or governments will legislate.
Security researchers from the Kaitiaki Labs presented exploitation techniques against the automation in the LTE mobile networks.
.NET Framework remote code injection vulnerability (CVE-2018-8284) enables low privileged SharePoint users to execute commands on the server.
A good blog post by a bug hunter Steven Seeley - Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows (CVE-2018-15514).
Thousands of MikroTik routers are forwarding owners’ traffic to unknown attackers.
A great insight into the world of WW2 women code breakers who unmasked the Soviet spies.
ProtonMail released a major new version (4.0) of OpenPGPjs which introduces streaming cryptography.
Bruce Schneier announced the publication of the latest book with the name "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World".
There is a new collection of botnet source codes on GitHub.
Google started selling their Titan Security Key bundle that support FIDO standards for secure authentication. They have written the firmware by themselves, but the price should be lower for this kind of hardware.
Interesting three month research on hacking Australian law firms by registering expired domain names. Thousands of emails received with sensitive material.
Researchers systematically retrieved 3500 AT controlling commands from over 2000 Android smartphone firmware images across 11 vendors and "demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices."
Fortnite Installer created by Epic Games allowed to install anything on the customer Android phone. An Epic security engineer requested Google to delay public disclosure for the 90 days period, to allow time for the update, but Google refused.
US T-Mobile Database was breached, 2 millions of customers' data exposed.
Ars Technica published a good introductory review of the WireGuard next generation VPN software.
WhatsApp has warned users that by using a free backup service offered by Google, messages will no longer be protected by end-to-end encryption.
Assured researchers published an article which provides a brief overview of the new TLS 1.3.
If you wanted to know how to use PGP in an organization of 200 people, read this blog about OpenPGP key distribution.
They are now turning the lessons learned into an Internet standard.
Mozilla Firefox 62 and newer support a new TLS API for WebExtensions.
There is now a certificate viewer leveraging new API called Certainly Something (Certificate Viewer).
In-depth blog spot by voidsecurity about the VirtualBox code execution vulnerability.
Mark Ermolov and Maxim Goryachy researchers have published a detailed walk-through for accessing an Intel's Management Engine (IME) JTAG feature, which provides debugging access to the processor.