InfoSec Week 29, 2018

Academics have mounted a successful GPS spoofing attack against road navigation systems that can trick drivers into driving to incorrect locations. The novel part is that they use real map data to generate plausible malicious turn-by-turn instructions.

Folks from Cloudflare, Mozilla, Fastly, and Apple implemented Encrypted Server Name Indication (ESNI) during a hackathon. There are implementations in BoringSSL, NSS and picotls.

Good insight into how credit card thieves use free-to-play apps to steal and launder money from stolen credit cards.

Chromium recently introduced Cross-Origin Read Blocking (CORB) that helps mitigate the threat of side-channel attacks (including Spectre).

For anybody interested in reverse engineering, a nice write-up about the Smoke Loader malware bot's unpacking mechanism and its communication with the C&C.

Research on how to bypass memory scanners using Cobalt Strike's beacon payload and the gargoyle memory scanning evasion technique.

ESET researchers analyzed an ongoing espionage campaign against Ukrainian government institutions.

The Intercept summarized what the public has learned about Russian and U.S. spycraft from Special Counsel Robert Mueller's indictment of hackers.

Security researchers have uncovered a highly targeted mobile malware campaign that has been operating since August 2015 and was found spying on 13 selected iPhones in India.

There is an exploit for Ubuntu Linux (kernels up to 4.17.4) where other users' core dumps can be read via a setgid directory and a killpriv bypass.

InfoSec Week 45, 2017

Researchers exploited the antivirus quarantine mechanism to gain privileges by manipulating the restore process from the virus quarantine. By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated so that previously quarantined files are written to arbitrary file system locations.

Wikileaks released the source code of leaked CIA hacking tools, and it indicates that the CIA used fake certificates attributed to Kaspersky Labs to sign their malware.

A security researcher has discovered a factory application on OnePlus devices. It can be used to gain root privileges, dump photos, and collect WiFi and GPS information.

There was a vulnerability in CouchDB caused by a discrepancy between the database's native JSON parser and the JavaScript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations.
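The general failure mode behind the CouchDB issue is two JSON parsers de-duplicating repeated object keys differently, so the validator and the storage engine see different documents. The added example below (my own illustration, not CouchDB's code) emulates a first-wins and a last-wins parser over a constructed document, shows that they disagree, and gives the mitigation: a strict loader that rejects duplicate keys before validation runs.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample documents for the demonstration (not from the page or CouchDB).
SAMPLE_OK = '{"name": "alice", "level": "guest"}'
SAMPLE_DUP = '{"name": "alice", "level": "guest", "level": "admin"}'


class DuplicateKeyError(ValueError):
    """Raised when a JSON object contains the same key more than once."""


def _reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    # json.loads calls this hook with the raw (key, value) pairs of every object,
    # nested ones included, before any de-duplication, so repeats are visible here.
    seen: Dict[str, Any] = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError("duplicate key %r" % key)
        seen[key] = value
    return seen


def parse_strict(text: str) -> Dict[str, Any]:
    """Mitigation: parse JSON but refuse objects with duplicate keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def parse_first_wins(text: str) -> Dict[str, Any]:
    """Emulate a parser that keeps the first occurrence of a repeated key."""
    def first(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        out: Dict[str, Any] = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(text, object_pairs_hook=first)


def parse_last_wins(text: str) -> Dict[str, Any]:
    """Emulate a parser that keeps the last occurrence. JavaScript's JSON.parse
    and Python's default json.loads both behave this way."""
    return json.loads(text)


def parsers_disagree(text: str) -> bool:
    """True when the two policies yield different documents: exactly the condition
    under which a validation step and a storage step can be driven apart."""
    return parse_first_wins(text) != parse_last_wins(text)


if __name__ == "__main__":
    print("ok document disagreement:", parsers_disagree(SAMPLE_OK))
    print("dup document disagreement:", parsers_disagree(SAMPLE_DUP))
```

Only parse_strict is safe to put in front of a validator; the other two loaders exist to make the disagreement visible.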

Researchers from Princeton University have been studying third-party trackers that record sensitive personal data that users type into websites, and the results are not good.

The iPhone X's Face ID facial recognition mechanism was circumvented by Vietnamese experts using a 3D mask.

Security researcher Maxim Goryachy reports being able to execute unsigned code on the Intel Management Engine of computers over USB.

Deep dive into the Facebook sextortion scheme using fake profiles of young girls, by the guys from Marseille.

Long read about how the security breaches by the Shadow Brokers damaged the US National Security Agency.

Analysis of a low-cost Chinese GSM listening and location device hidden inside the plug of a standard USB data/charging cable.

Privacy Pass is a browser extension for Chrome and Firefox that uses privacy-preserving cryptography to let users authenticate to services without compromising their anonymity. It uses blind signature schemes.

InfoSec Week 44, 2017

There are at least 14 newly discovered vulnerabilities in the Linux kernel USB subsystem. The vulnerabilities were found by Google's syzkaller kernel fuzzer. According to the researchers, all of them can be triggered with a crafted malicious USB device if an attacker has physical access to the machine.

Mozilla will remove the root certificate of the Staat der Nederlanden (State of the Netherlands) Certificate Authority from the Firefox browser if the Dutch government passes a new law that grants local authorities the power to intercept Internet communication using "false keys".

Bug hunter Scott Bauer has published an in-depth analysis of remotely exploitable Android bugs in the blog post "Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones".

Some web pages use a text field with a CSS "asterisk" trick instead of a password field so they can bypass the browser security warning shown when a password field is on an unencrypted page. Nonsense.

More than 54 thousand domains have the same pair of 512-bit RSA keys as their DNS Zone Signing Keys.

Good blog post from ElcomSoft about the history and current possibilities of iOS and iCloud forensics.

The Norwegian National Communications Authority reported GPS signal jamming activity in the Finnmark region near the Russian border.

Mac and Linux versions of the Tor anonymity software contained a flaw that can leak users' real IP addresses.

Software and HDL code for the PCILeech FPGA-based devices, which can be used for Direct Memory Access (DMA) attacks and forensics, is now available on GitHub. The FPGA-based hardware provides full access to the 64-bit memory space without having to rely on a kernel module running on the target system.