Estonia sues Gemalto for €152M over ID card flaws. According to an article, some keys were NOT generated on a smartcard due to a scaling issue.
Well, looks like they are not affected by ROCA vulnerability, just compromised by Gemalto:)
Apple laptops on Intel chipsets were running in the Intel Management Engine Manufacturing Mode. The vulnerability (CVE-2018-4251) was patched in macOS High Sierra update 10.13.5.
By exploiting the vulnerability, an attacker could write old versions of Intel ME without physical access to the computer, with the possibility of running arbitrary code in ME.
The FBI took down Phantom Secure, a Canadian (not only) encrypted communication service.
The company turned smartphones to a single use encrypted communication devices, mostly to be used by drug kingpins.
The service was sold only to a customers recommended by the existing one.
The US-CERT has released a technical alert warning about a new "FASTCash" ATM scheme being used by the North Korean APT hacking group.
The malware installed on the issuers' compromised switch application servers intercepts the transaction request and responds the fake responses, fooling ATMs to spit out a large amount of cash.
Brian Krebs wrote about the really clever phishing scam schemes executed over the phone. They are pretending to be a bank, and have lots of information about the victim before the scam occurs.
Some Reddit guy found tiny Linux PC hooked to to a router in his apartment. Investigation showed, that it is some kind of information stealing device and the info collectors are paying a "rent" to a roommate which implanted it on his own network. https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6nh61r/
Facebook published some technical details about the recent profile leaking vulnerability.
The attackers connected three bugs and basically automated the whole process of obtaining user access tokens.
ESET researchers documented the first UEFI rootkit found in the wild. Called LoJax, the rootkit is targeting central, eastern Europe and Balkan government organizations.
Conor Patrick recently launched Kickstarter campaign for Solo, the first open source FIDO2 USB, NFC security key. Support it!
A step-by-step Linux kernel exploitation for CVE-2017-11176 with the exploit code included.
Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data.
It is not possible to upgrade the firmware that checks the user's password unless you present the correct user password.
Avast Threat Labs analyzed malware pre-installed on a thousands of Android devices. More than 18000 users of Avast already had this adware in a device. Cheap smartphones are primarily affected.
Great blog post about the USB reverse engineering tools and practices by the Glenn 'devalias' Grant.
FBI advice router users to reboot devices in order to remove VPNFilter malware infecting 500k devices.
If you didn't hear about the recent arbitrary code execution vulnerability in git software (CVE 2018-11234, CVE 2018-11235), there is a high level summary on the Microsoft DevOps blog.
The white hat hacker received $25000 bug bounty for getting root access on all Shopify instances by leveraging Server Side Request Forgery (SSRF) attack.
Attacking browsers by site-channel attacks using CSS3 features. The guys demonstrated how to deanonymize website visitors and more.
The Underhanded Crypto Contest for 2018 started, the topic has two categories: Backdooring messaging systems & Deceptive APIs. If you want to write some backdoor to the cryptographic implementation bud you do not harm anybody, this is a good opportunity.
Article about the new threat model and potential mitigations for the Chrome browser against the Spectre like vulnerabilities.
New article by the Intercept about the Google military drone AI contract. They want to make fortune on an image recognition.
Codechain - secure multiparty code reviews with signatures and hash chains.
According to the author, Codechain is not about making sure the code you execute is right, but making sure you execute the right code.
500,000 routers in more than 50 countries are infected with the malware targeting routers. Primarily home devices like Linksys, MikroTik, NETGEAR and TP-Link.
Cisco's Talos Security attributed malware to the future Russian cyber operations against the Ukraine. The US FBI agents seize control of the botnet.
The Internet Archive's Wayback Machine is deleting evidence on the malware sellers. They have removed from their archive a webpage of a Thailand-based firm FlexiSpy, which offers desktop and mobile malware.
According to the McAfee team, North Korean threat actor Sun Team is targeting defectors using the malicious Android applications on Google Play.
Don't use sha256crypt & sha512crypt primitives as shipped with GNU/Linux, they're leaking information about the password via time duration of a hashing operation.
Not critical vulnerability, but good to know.
The Intercept published an interesting article about the Japanese signals intelligence agency, based on Snowden's leaks.
The US FBI repeatedly overstated encryption threat figures to Congress and the public.
The US internet provider Comcast was leaking the usernames and passwords of customers’ wireless routers to anyone with the valid subscriber’s account number and street address number.
Amazon is pitching their facial recognition technology to law enforcement agencies, saying the program could aid criminal investigations by recognizing suspects in photos and videos.
Great blog about the SMS binary payloads and how SMS is weakening mobile security for years.
Researchers from the Eclypsium found a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode. They have even published Proof-of-concept.
Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.
Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.
Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.
It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.
It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.
The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.
Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.
The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.
Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.
There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.
Nice introduction on how to fuzz TCP servers by Robert Swiecki.