A zero-day vulnerability in the jQuery File Upload plugin is actively exploited for at least three years. Patch now!
A massive ad fraud scheme involving more than 125 Android apps and websites exploited Android Phones to steal millions.
Literally, almost everybody is doing this scheme against the smartphone users these days.
Kaspersky Lab analyzed complex DarkPulsar backdoor administrative module for a malware leaked by the ShadowBrokers.
They have found around 50 victims located in Russia, Iran and Egypt, mostly companies working in the nuclear energy, telecommunications, IT, aerospace and R&D.
Haaretz investigation reveals Israel has become a leading exporter of tools for spying on civilians.
Dictators around the world use them eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
The consultancy firm McKinsey helping Saudi Arabia identify influential Saudis who opposed the government's line on Twitter.
Some of those individuals were later imprisoned & targeted with sophisticated spyware.
Companies building "Smart home" products refuse to say whether law enforcement is using their products to spy on citizens.
Mozilla announces experimental partnership with the ProtonVPN.
They will offer a virtual private network (VPN) service to a small group of Firefox users.
The UK grassroots internet provider is testing a data only SIM card that blocks any non-Tor traffic from leaving the phone.
That feeling when you can steal a Tesla by relay attack (or key cloning?), but you have to Google how to unplug the charger.
An insightful review of Android's secure backup practices published by NCC Group.
Endpoint security pioneer Joanna Rutkowska leaves Qubes OS, joins the Golem project.
Matthew Green wrote a post on password-based authenticated key exchange (PAKE )and the new OPAQUE protocol.
Quite useful techniques more people should know about.
Signal Desktop leaves message decryption key in the plain text.
Trail of Bits published a useful guide to the post-quantum cryptography.
Purism project introduced their own security token called the Librem Key. They have partnered with the Nitrokey manufacturer, but the firmware provides additional functionality, like a challenge response mode where the key informs you if the bios running on a PC has validated itself to the key.
Google built a prototype of a censored search engine which should be used in China, that links users’ searches to their phone numbers.
According to a Swiss officials, two Russian spies caught in the Netherlands had been plotting a cyber attack on a Swiss defense lab analyzing the Novichok nerve agent used in the Salisbury poisoning.
Citizen Lab has published a new report about the Pegasus spyware created by Israeli cyber-security firm NSO Group.
The malware is operating on both Android and iOS devices, and the researchers identified 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations.
Hackers were running cryptocurrency mining malware on the Indian government sites.
Every day this week, Cloudflare is announcing support for a new technology that uses cryptography.
They have introduced Onion service, BGP PKI (RPKI), IPFS node. Essentially, we can call them an active global adversary now.
The Western Digital My Cloud was affected by an authentication bypass vulnerability.
An unauthenticated attacker could exploit this vulnerability to authenticate as an admin user without needing to provide a password.
NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO), because they found out that the "vendors have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission."
The new Necurs botnet spam campaign targets Banks with the malicious Wizard (.wiz) files used by Microsoft programs such as Word to guide users through complex or repetitive tasks.
Informative blog by the LineageOS engineers covering Qualcomm bootloader chain of trust to the point of Android OS being loaded.
GnuPG can now be used to perform notarial acts in the State of Washington.
A new CSS-based web attack will crash and restart your iPhone.
Interesting project - SlotBot: Hacking slot machines to win the jackpot with a buttonhole camera and brute-force search.
Google started selling their Titan Security Key bundle that support FIDO standards for secure authentication. They have written the firmware by themselves, but the price should be lower for this kind of hardware.
Interesting three month research on hacking Australian law firms by registering expired domain names. Thousands of emails received with sensitive material.
Researchers systematically retrieved 3500 AT controlling commands from over 2000 Android smartphone firmware images across 11 vendors and "demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices."
Fortnite Installer created by Epic Games allowed to install anything on the customer Android phone. An Epic security engineer requested Google to delay public disclosure for the 90 days period, to allow time for the update, but Google refused.
US T-Mobile Database was breached, 2 millions of customers' data exposed.
Ars Technica published a good introductory review of the WireGuard next generation VPN software.
WhatsApp has warned users that by using a free backup service offered by Google, messages will no longer be protected by end-to-end encryption.
Assured researchers published an article which provides a brief overview of the new TLS 1.3.
If you wanted to know how to use PGP in an organization of 200 people, read this blog about OpenPGP key distribution.
They are now turning the lessons learned into an Internet standard.
Mozilla Firefox 62 and newer support a new TLS API for WebExtensions.
There is now a certificate viewer leveraging new API called Certainly Something (Certificate Viewer).
In-depth blog spot by voidsecurity about the VirtualBox code execution vulnerability.
Mark Ermolov and Maxim Goryachy researchers have published a detailed walk-through for accessing an Intel's Management Engine (IME) JTAG feature, which provides debugging access to the processor.
A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.
According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.
Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.
A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.
GDPR and other cookie consent scripts are used to distribute malware.
Interesting blog on how criminals in Iran make money by creating Android malware apps.
Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!
There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.
Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.
Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...
A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.
The academics have mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations. The novel part is that they are using real map data to generate plausible malicious instructions.
Folks from Cloudflare, Mozilla, Fastly, and Apple during a hackaton implemented Encrypted Server Name Indication (SNI). There are implementations in BoringSSL, NSS and picotls.
Good insight on how credit card thieves use free-to-play apps to steal and launder money from the credit cards.
Chromium recently introduced Cross-Origin Read Blocking (CORB) that helps mitigate the threat of side-channel attacks (including Spectre).
For anybody interested in reverse engineering, nice write up about the Smoke Loader malware bot unpacking mechanism and communication with the C&C.
A research on how to bypass memory scanners using Cobalt Strike’s beacon payload and the gargoyle memory scanning evasion technique.
Eset researchers analyzed ongoing espionage campaign against the Ukrainian government institutions.
The intercept summarized what the public has learned about Russian and U.S. spycraft from the Special Counsel Robert Mueller’s indictment of hackers.
Security researchers have uncovered a highly targeted mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.
There is an exploit for Ubuntu Linux (up to 4.17.4) where other users coredumps can be read via setgid directory and killpriv bypass.
Yet another high severity attack against the Intel CPUs. Unpatched systems can leak SIMD, FP register state between privilege levels. These registers are used for private keys nowadays.
The cost of a patch is more expensive context switches because the fix has to unload and reload all SIMD, FP state.
The team behind the CopperheadOS, hardened Google-free Android fork, has imploded. Guys, CEO and CTO (main and probably the only developer) are blaming each other.
Chromium devs are planning to enforce TLS protocol invariants by rolling new TLS 1.3 versions every six weeks.
According to the developers: "Every six weeks, we would randomly pick a new code point. These versions will otherwise be identical to TLS 1.3, save maybe minor details to separate keys and exercise allowed syntax changes. The goal is to pave the way for future versions of TLS by simulating them (“draft negative one”)."
The Kromtech Security Center found 17 malicious docker images stored on Docker Hub for an entire year. With more than 5 million pulls, containers were primarily used to mine cryptocurrency.
At least 74 persons, mostly Nigerians, were arrested due to crimes related to the business e-mail compromise schemes.
Good summary of the existing inter-service authentication schemes. Bearer, hmac based tokens etc.
There is an Ancient "su - hostile" vulnerability in Debian 8 & 9. Doing "su - hostile" may lead to the root privilege escalation. Default sudo -u probably is
There is a critical command injection vulnerability in the macaddress NPM package.
Blog about the crafting remote code execution via server-side spreadsheet injection.
An implementation flaw in multiple cryptographic libraries allows a side-channel based attacker to recover ECDSA or DSA private keys. Lots of libraries affected, like LibreSSL, Mozilla NSS, OpenSSL, etc.
Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data.
It is not possible to upgrade the firmware that checks the user's password unless you present the correct user password.
Avast Threat Labs analyzed malware pre-installed on a thousands of Android devices. More than 18000 users of Avast already had this adware in a device. Cheap smartphones are primarily affected.
Great blog post about the USB reverse engineering tools and practices by the Glenn 'devalias' Grant.
FBI advice router users to reboot devices in order to remove VPNFilter malware infecting 500k devices.
If you didn't hear about the recent arbitrary code execution vulnerability in git software (CVE 2018-11234, CVE 2018-11235), there is a high level summary on the Microsoft DevOps blog.
The white hat hacker received $25000 bug bounty for getting root access on all Shopify instances by leveraging Server Side Request Forgery (SSRF) attack.
Attacking browsers by site-channel attacks using CSS3 features. The guys demonstrated how to deanonymize website visitors and more.
The Underhanded Crypto Contest for 2018 started, the topic has two categories: Backdooring messaging systems & Deceptive APIs. If you want to write some backdoor to the cryptographic implementation bud you do not harm anybody, this is a good opportunity.
Article about the new threat model and potential mitigations for the Chrome browser against the Spectre like vulnerabilities.
New article by the Intercept about the Google military drone AI contract. They want to make fortune on an image recognition.
Codechain - secure multiparty code reviews with signatures and hash chains.
According to the author, Codechain is not about making sure the code you execute is right, but making sure you execute the right code.
500,000 routers in more than 50 countries are infected with the malware targeting routers. Primarily home devices like Linksys, MikroTik, NETGEAR and TP-Link.
Cisco's Talos Security attributed malware to the future Russian cyber operations against the Ukraine. The US FBI agents seize control of the botnet.
The Internet Archive's Wayback Machine is deleting evidence on the malware sellers. They have removed from their archive a webpage of a Thailand-based firm FlexiSpy, which offers desktop and mobile malware.
According to the McAfee team, North Korean threat actor Sun Team is targeting defectors using the malicious Android applications on Google Play.
Don't use sha256crypt & sha512crypt primitives as shipped with GNU/Linux, they're leaking information about the password via time duration of a hashing operation.
Not critical vulnerability, but good to know.
The Intercept published an interesting article about the Japanese signals intelligence agency, based on Snowden's leaks.
The US FBI repeatedly overstated encryption threat figures to Congress and the public.
The US internet provider Comcast was leaking the usernames and passwords of customers’ wireless routers to anyone with the valid subscriber’s account number and street address number.
Amazon is pitching their facial recognition technology to law enforcement agencies, saying the program could aid criminal investigations by recognizing suspects in photos and videos.
Great blog about the SMS binary payloads and how SMS is weakening mobile security for years.
Researchers from the Eclypsium found a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode. They have even published Proof-of-concept.
Major (probably not only) US cell carriers are selling access to the real-time phone location data.
Because, you know the Electronic Communications Privacy Act only restricts telecommunication companies from disclosing data to the government, it doesn't restrict disclosure to other companies. Which can resell back to the gov. Hacker News discussion on a topic is quite informative.
Guardian wrote that according to the Oracle findings, Android devices send detailed information on searches, what is being viewed and also precise locations to the Google. Even if location services are turned off and the smartphone does not have a Sim card or application installed.
A new report details a widespread campaign targeting several Turkish activists and protesters by their government, using the government malware made by FinFisher.
A new set of vulnerabilities affecting users of PGP and S/MIME were published. The main problem lies in how email clients handle the output of the encryption tool, the protocol itself is not vulnerable, GnuPG should be fine.
Cryptocurrency mining malware was found in the Ubuntu Snap Store.
Essential reading on how spies are able to shape narrative of a journalistic pieces by document leaking.
The US media has learned the identity of the prime suspect in the Vault7 WikiLeaks CIA breach. Should be a 29-year-old former C.I.A. software engineer, government malware writer.
Great blog post about math behind and existing implementations of the homomorphic encryption.
There is an article about the common encryption workarounds in the criminal investigations written by Orin S. Kerr and Bruce Schneier.
Sunder is a new desktop application for dividing access to secret information between multiple participants using Shamir's secret sharing method.
DARKSURGEON is a Windows packer project to empower incident response, malware analysis, and network defense.
Google disables domain fronting capability in their App Engine, which was used to evade censorship. What a fortunate timing.
Bloomberg published article on how Palantir is using the War on Terror tools to track American citizens.
The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.
One of the people charged for the Reveton ransomware trojan was actually working as a Microsoft network engineer.
Intel processors now allow antivirus (mostly Microsoft right now) to Use built-in GPUs for in-memory malware scanning.
Avast shared CCleaner breach timeline. They were infiltrated via TeamViewer. More than 2.3 million users, 40 companies infected.
Nice blog post about the quantum resistant hash-based signature schemes. No public key cryptography.
New Android P enables users to change default DNS server, it will also support DNS over TLS.
There is a new web standard for authentication, designed to replace password login method with the public key cryptography and biometrics.
OpenSSL is vulnerable to a cache timing vulnerability in RSA Key Generation (CVE-2018-0737).
Could be theoretically exploited by some hypervisor, but they have decided not to release emergency fix.
The Endgame has released Ember (Endgame Malware BEnchmark for Research), an open source collection of 1.1 million portable executable file metadata & derived features from the PE files, hashes and a benchmark model trained on those features.