Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation can screw you. Just answering a call from an attacker could completely compromise WhatsApp.
Great story about the spear phishing scheme against the MacEwan University in Canada. Investigators were able to track stolen money to China and back to the Canadian real estate investments.
Millions of Xiongmai video surveillance devices can be easily hacked. Devices can be discovered because of predictable cloud ID derived from the MAC address, then compromised by using malicious firmware images delivered by fake update server.
US Department of Defense published some findings from the weapons systems pentesting.
Weak passwords, port scans that caused the weapons system to fail, etc.
"Making sense of the alleged Supermicro motherboard attack" published by researchers at the University of Cambridge Computer Laboratory is explaining the possible technical aspects behind the recent Bloomberg story about the hardware backdoors shipped from China.
US Police used victims' Fitbit data to charge 90-Year-Old man in stepdaughter’s killing.
They knew about the suspect, but the Fitbit data made the investigation easier.
New Zealand can now fine travelers who refuse to unlock their digital devices for a search.
Microsoft patches zero day vulnerability (CVE-2018-8453) in the win32k.sys discovered by Kaspersky Lab back in August.
The exploit is used to target victims in the Middle East.
There are multiple severe vulnerabilities reported in the Juniper network devices.
Red Hat's Flatpak used for application distribution on Linux is implementing some questionable security practices.
Exploit for MikroTik router WinBox vulnerability gives full root access.
Congratulations to ICANN for the first-ever DNSSEC root key signing key rollover that took place on 11 October 2018.
Mozilla decided to delay distrust of the Symantec TLS certification authority from their browsers.
ADAPE-Script - Active Directory Assessment and Privilege Escalation Script can automate your AD recon and pentesting.
Linux had officially committed to implementing and obeying the Code of Conduct — which is immediately misused to remove top Linux coders.
Some of the Linux developers are now threatening to withdraw the license to all of their code.
Bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts should be affected.
Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
Australian government pushes for the smartphone spyware implanted by Telco vendors, manufacturers.
At least the sixth backdoor account was removed from Cisco devices this year.
This time it's "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) Software.
ESET researchers discovered, that the Kodi Media Player add-ons are misused for the cryptocurrency mining malware distribution.
According to a stackexchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
Researchers proved that the security of PKCS #1 Digital Signatures is as secure as any of its successors like RSA-PSS and RSA Full-Domain.
There is a novel cache poisoning attack on WiFi by a remote off-path mitm attack vector.
Takes only 30 seconds and is using interesting multi-packet injection for timing side channel inference for injection. Works on Windows, OSX and Linux.
If you are running Linux machines in Microsoft Azure, you should disable built-in wa-linux-agent backdoor that enable root access from Azure console.
There is a good blog post by Stuart Schechter about the dark side of the two factor authentication. Highly recommended reading.
Great research by Eyal Ronen, Kenneth G. Paterson and Adi Shamir demonstrate that adopting pseudo constant time implementations of TLS are not secure against the modified Lucky 13 attack on encryption in CBC-mode. Tested against four fully patched implementations of TLS - Amazon's s2n, GnuTLS, mbed TLS and wolfSSL.
Traefik, popular open source reverse proxy and load balancing solution is leaking (CVE-2018-15598) TLS certificate private keys via API.
Google enrolled Hardware Secure Module to their Cloud Key Management Service. The customers can use it to store their encryption keys with FIPS 140-2 Level 3 security certified devices from now on.
Microsoft Corp said that Russian hackers are targeting U.S. political groups ahead of November’s congressional elections.
The WIRED cover story on how Russian NotPetya malware took down Maersk, the world’s largest shipping firm.
Kaspersky Lab published analysis of a sophisticated "Dark Tequila" banking malware which is targeting customers in Mexico and other Latin American nations.
NSA successfully cracked and listened for years to encrypted networks of Russian Airlines, Al Jazeera, and other “High Potential” targets.
Anonymous targeted Spanish Constitutional Court, economy and foreign ministry websites to support Catalonia separatist drive.
Red Teaming/Adversary Simulation Toolkit is a collection of open source and commercial tools that aid in red team operations.
There is an OpenSSH user enumeration attack against all software versions on all operating systems.
It's a timing attack with proof of concept already published.
The so-called RedAlpha malware campaign targeting the Tibetan community is deploying a novel “ext4” Linux backdoor. The group is using infrastructure registered with Tsinghua1 University, China and is believed to be conducted by Chinese state-sponsored actors in support of China’s economic development goals.
The Australia’s Assistance and Access Bill, introduced this week, want to jail people for up to 10 years if they refuse to unlock their phones.
A new research paper named "Piping Botnet - Turning Green Technology into a Water Disaster" demonstrate that the researchers were able to manipulate commercial smart IoT systems used for regulating water and electricity resources.
The guy with his BMW car encountered the theft attempt, where something that looked like a vandalism was actually a really smart attack against the modern alarm system.
Cloudflare analyzed the changes and improvements of a new TLS 1.3 (RFC 8446) standard that was finally published last week.
New Foreshadow attack demonstrates how speculative execution can be exploited for reading the contents of Intels' SGX-protected memory as well as extracting the machine’s private attestation key.
Practical dictionary attacks are possible against the main mode of IPsec IKEv1/v2 standard. Successful exploitation of a weak password requires only a single active man-in-the-middle attack.
If you are interested how cryptographic key management is practically done, I have written a blog Commercial Cryptographic Key Management in 2018, where I am explaining a little bit about the hardware, people and processes behind it.
Google published BrokenType, the font fuzzing toolset that helped find lots of vulnerabilities in the Windows kernel. It includes a font mutator, generator and loader.
Marcus Brinkmann demonstrated how some configuration options in the GnuPG allow remote attackers to spoof arbitrary signature. He used the embedded “filename” parameter in OpenPGP literal data packets, together with the verbose option set in their gpg.conf file.
Tapplock Smart Lock has critical bugs making it a trivial protection. They are using the AES key derived from the MAC address, so anyone with a Bluetooth enabled smartphone can pick up the key upon getting to a smart lock Bluetooth range.
Crooks are injecting credit card stealing backdoor to the config files of a hacked Magento e-commerce platforms. They can reinfect the rest of code base over and over again with the config load.
Updated Satori botnet began to perform network wide scan looking for exploitable XiongMai uc-httpd 1.0.0 devices (CVE-2018-10088).
Baby Monitors in the USA were hacked via obscure Chinese IoT cloud. The woman from the Facebook post claims that someone controlled the camera remotely and spied on her, possibly listened in to conversations.
OpenBSD disables Intel's hyper-threading due to possible exploitable spectre-class bugs in the architecture.
Linux is getting support for in-kernel hibernation encryption. Encrypts disk-image memory, thereby increasing the general security of full-disk encryption on Linux and reducing the attack surface.
OTSECA - (ot)her (sec)urity (a)wareness is an open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
There is a first ransomware which is taking advantage of a new Process Doppelgänging fileless code injection technique. Working on all modern versions of Microsoft Windows, since Vista. This variant of a known SynAck ransomware is using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process.
Security researchers from the Dutch information security company Computes has found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit vehicle infotainment systems. The possible attackers could track car location as well as listen to the conversations in a car.
Twitter found a bug that stored user passwords unmasked in an internal log, there is no indication of a breach, but all Twitter users should change their passwords.
There is a breakthrough cryptographic attack on 5-round AES using only 2^22 (previous best was 2^32) presented at CRYPTO 2018. It is joint work of Nathan Keller, Achiya Bar On, Orr Dunkelman, Eyal Ronen and Adi Shamir. This kind of attack is good when evaluating the security of a cipher, it does not have any real world implication as the AES is using at least 10 rounds in production implementations.
Bug hunter which found multiple vulnerabilities in the 7-zip software used by anti-virus vendors wrote an blog on how to exploit one of such bugs. Interesting read.
The 360 Core Security Division response team detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability (CVE-2018-8174). It is a remote code execution vulnerability of Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability few days ago and credited Chinese researchers.
Source code of TreasureHunter Point-of-Sale malware leaks online.
The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP).
Luke Picciau wrote about his experience with Matrix and it's Riot messenger for one year.
There is a first official version 1.0 RC of Briar for Android.
Briar is an open-source End-to-end encrypted Bluetooth / WiFi / Tor based mesh-networking (decentralized) messaging application.
The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.
Multiple tech giants like Apple, Microsoft, Google and others formed an industry coalition and have joined security experts in criticizing encryption backdoors, after Ray Ozzie's CLEAR key escrow idea was widely derided. He basically proposed a scheme where the users have no control over their own devices, but the devices can be securely forensically analyzed by the government agencies.
There is an information leaking vulnerability via crafted user-supplied CDROM image.
"An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu device model process."
QubesOS operationg system is not affected due to the properly compartmentalized architecture.
Great in-depth blog about the reconstruction of the exploit created by the CIA's "Engineering Development Group" targeting MikroTik's RouterOS embedded operating system. This exploit was made public by the WikiLeaks last year.
Bypassing authentication and impersonating arbitrary users in Oracle Access Manager with padding oracle. The guy basically broke Oracles home grown cryptographic implementation.
There is a critical privilege escalation vulnerability affecting Apache Hadoop versions from 2.2.0 to 2.7.3.
According to the Arbor Networks' security researchers have claimed that the anti-theft software Absolute LoJack is serving as an espionage software modified by the Russia-based Fancy Bear group.
Wired wrote an article about the famous Nigerian 419 scammers, their culture and why they are still flourishing.
Matrix and Riot instant messenger applications are confirmed as the basis for the France’s government initiative to implement federated secure messenger.
Amazon threatens to suspend Signal's secure messenger AWS account over censorship circumvention. They are using different TLS Server Name Indication - "domain fronting" - when establishing connection to circumvent network censorship, but Amazon says it is against their terms of services.
Respected German CT-Magazine says that there are 8 new Spectre vulnerabilities found in the Intel processors.
A cyberattack on a Saudi Arabian petrochemical company was probably planed with the physical explosion in mind.
They have attributed Iran, and didn't mention Stuxnet at all, so a little bit one-sided view of this cyberwarfare exchange.
There is a critical vulnerability in Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. Due to cryptographic flaw, man-in-the-middle attack could allow remote procedure calls attack and data exfiltration against the RDP and WinRM.
A vulnerability (CVE-2018-1057) in Samba allows authenticated users to change other users' password.
Kubernetes vulnerability (CVE-2017-1002101) allows containers using subpath volume mounts with any volume type to access files/directories outside of the volume, including the host’s filesystem. Updated version is already available.
Quite good exchange on the encryption policy and the government backdoor proposals between the US National Academy of Sciences and the Electronic Frontier Foundation. Relevant for all democratic regimes.
Kaspersky has discovered PlugX remote access tool (RAT) malware installed across the pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.
Encrypted Email Service provider ProtonMail is being blocked by internet service providers in Turkey.
CTS-Labs security researchers has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines.
Adam Langley's blog post about the inability of the TLS 1.3 to snoop on proxy traffic.
Hacker Adrian Lamo dies at 37. He was known for his involvement in passing information on whistleblower Chelsea Manning, a former US Army soldier who leaked sensitive information to the WikiLeaks.
To find assault suspect, police in the Raleigh, North Carolina used search warrants to demand Google accounts not of specific suspects, but from any mobile devices that veered too close to the scene of a crime in specific time.
Kaspersky releases Klara, a distributed system written in Python, designed to help threat intelligence researchers hunt for new malware using Yara rules.
Nice paper about the simple manual cipher that should be resistant against the modern cryptanalysis.
LC4: A Low-Tech Authenticated Cipher for Human-To-Human Communication https://eprint.iacr.org/2017/339
Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.