Tag Jenkins

InfoSec Week 50, 2018

According to the New York Times sources, Marriott customers' data were breached by Chinese hackers.
Attribution is hard, especially when investigating government related hacks. We have to wait for more information.
https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

A Google+ API software update introduced in November had caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
https://www.blog.google/technology/safety-security/expediting-changes-google-plus/

Excellent journalistic piece about the location data industry. It's impossible to anonymize this kind of datasets. Really recommended!
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Pro by using WinAFL fuzzer.
https://research.checkpoint.com/50-adobe-cves-in-50-days/

The Cisco Talos team wrote about the various practical side-channel attack scenarios against the encrypted messaging apps like WhatsApp, Telegram, and Signal.
https://blog.talosintelligence.com/2018/12/secureim.html

Study finds 5 out of 17 tested certification authorities are vulnerable to spoofing domain validation by using the IP fragmentation attack.
https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf

A team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through the use of specially-crafted URLs.
https://jenkins.io/security/advisory/2018-12-05/

Microsoft took the first step in advocacy for the regulation of a facial recognition technology.
https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

A recent variant of a Shamoon malware wiped around ten percent PCs of the Italian oil and gas company Saipem.
https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/

Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
https://informnapalm.org/en/seared-by-napalm-russian-state-duma-advances-legislation-banning-russian-servicemen-from-publishing-personal-information-online/

Researcher Natalie Silvanovich from the Google Project Zero fuzzed WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-3.html

Australian guys, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
https://github.com/alfiedotwtf/AABillFAQ

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.
https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

Crooks made over $3 million by installing cryptocurrency miners on Jenkins Servers by exploiting Java deserialization RCE vulnerability (CVE-2017-1000353) in the Jenkins.
https://securityaffairs.co/wordpress/69232/malware/jenkinsminer-targets-jenkins-servers.html

Tesla's Kubernetes installed in the Amazon AWS infrastructure was compromised by hackers.They have set up private cryptocurrency mining pool there.
https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/

The co-founder of WhatsApp, Brian Acton, has given $50 millions to support Signal messenger and create a self-sustaining foundation. Very good news for this donation funded privacy technology.
https://signal.org/blog/signal-foundation/

Hackers are exploiting the CISCO ASA vulnerability (CVE-2018-0101) in attacks in the wild.
https://securityaffairs.co/wordpress/68959/hacking/cve-2018-0101-cisco-asa-flaw.html

Security Researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also API for this dataset, and some statistics about the password usage.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Public key cryptography explained in the form of Ikea instructions. Check other images as well!
https://idea-instructions.com/public-key/