Attackers poisoned the Arch Linux PDF reader package “acroread” in the user-maintained Arch User Repository (AUR), adding downloader malware to it.
Attackers took over the maintainer account of the eslint-scope and eslint-config-eslint npm packages and published malicious versions that downloaded additional scripts from pastebin.com. https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
The backend of the TimeHop iOS application was compromised, and personal records of 21 million customers leaked.
Nice journalism about how a few researchers found the names and addresses of soldiers and secret agents using the Strava fitness application after the company published its tracking maps on the internet.
Lexington Insurance Company and Beazley Insurance Company are suing Trustwave over a 2009 breach. Trustwave allegedly failed to detect the malware that caused the breach.
This will set a huge precedent for the whole industry.
One email to a North American Network Operators mailing list led to a concerted effort to kick a notorious BGP hijacking factory off the Internet.
It looks like the Carbanak banking malware source code was leaked.
Researchers found spying malware signed with digital certificates stolen from D-Link and other Taiwanese tech companies.
Yet another high-severity attack against Intel CPUs. Unpatched systems can leak SIMD and FP register state across privilege levels, and these registers often hold private key material nowadays.
The cost of the patch is more expensive context switches, because the fix has to unload and reload all SIMD and FP state.
The team behind CopperheadOS, a hardened Google-free Android fork, has imploded. The CEO and the CTO (the main, and probably only, developer) are blaming each other.
Chromium devs are planning to enforce TLS protocol invariants by rolling new TLS 1.3 versions every six weeks.
According to the developers: "Every six weeks, we would randomly pick a new code point. These versions will otherwise be identical to TLS 1.3, save maybe minor details to separate keys and exercise allowed syntax changes. The goal is to pave the way for future versions of TLS by simulating them (“draft negative one”)."
The Kromtech Security Center found 17 malicious Docker images that had been hosted on Docker Hub for an entire year. Pulled more than 5 million times, the containers were primarily used to mine cryptocurrency.
At least 74 people, mostly Nigerians, were arrested for crimes related to business e-mail compromise schemes.
Good summary of existing inter-service authentication schemes: bearer tokens, HMAC-based tokens, etc.
There is an ancient "su - hostile" vulnerability in Debian 8 and 9: running "su - hostile" may lead to root privilege escalation. Default sudo -u probably is
There is a critical command injection vulnerability in the macaddress npm package.
A blog post about crafting remote code execution via server-side spreadsheet injection.
An implementation flaw in multiple cryptographic libraries allows a side-channel attacker to recover ECDSA or DSA private keys. Many libraries are affected, including LibreSSL, Mozilla NSS and OpenSSL.
New research found a flaw in the group messaging part of the Signal protocol as used by Signal, WhatsApp and Threema. It is hardly exploitable in practice, but in some theoretical scenario the server (acting as the attacker) could silently join an encrypted group chat.
Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blog posts about the campaign. Interesting.
A tale about an npm package that harvested user-entered credit card information from websites. It is a work of fiction, but it was published a few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as the ransom payment. It targets Windows users only.
There is a hardcoded network backdoor account in Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). The vendor probably patched it six months after it was reported.
Wi-Fi Protected Access III (WPA3) will be pushed onto the market this year. Hopefully WPA3-certified devices will deliver a lot of security enhancements to the Wi-Fi protocol.
The Let's Encrypt certificate authority has temporarily disabled the TLS-SNI-01 authorization challenge due to a reported exploitation technique possible on shared hosting infrastructure.
Google Cloud security engineers reported a remote code execution vulnerability in the AMD Platform Security Processor.
Brian Krebs wrote a blog post about the flourishing online markets for stolen credentials.
VirusTotal has a new feature: a visualization tool for the relationships between files, URLs, domains and IP addresses.
A Meltdown proof of concept for reading passwords out of the Google Chrome browser.
The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.
According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.
Elcomsoft wrote an analysis of the drastically degraded security of Apple's iOS 11 operating system.
Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.
Crooks are installing cryptocurrency miners using typosquatted npm package names. They search for unregistered package names that differ from well-known packages by a single bit.
Swiftype wrote a good blog post about their infrastructure risk assessment and threat modeling.
Nvidia published a paper about clustering benign and malicious Windows executables using neural networks.
Bucket Stream: find interesting Amazon S3 buckets by watching Certificate Transparency logs.
Sysdig Inspect: a powerful interface for container troubleshooting and security investigation.
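As an added example (not code from the article summarized here), a defender-side check for this one-bit-flip typosquatting: it enumerates the names within one flipped bit of a known package so a maintainer can monitor or reserve them, and flags installed packages that sit one bit away from a well-known name. The npm naming rules are approximated (an assumption, not the registry's exact validator) and the package lists are constructed.

```python
import string

# Approximation of npm's rules for unscoped package names (assumption, not the
# registry's exact validator): lowercase letters, digits, '-', '.', '_', and
# the name may not start with '.' or '_'.
ALLOWED = frozenset(string.ascii_lowercase + string.digits + "-._")


def one_bit_flip_variants(name: str) -> list[str]:
    """Every valid-looking name reachable from `name` by flipping exactly one
    bit in exactly one character: the names a maintainer would monitor (or
    defensively register) for the package `name`."""
    variants = set()
    for i, ch in enumerate(name):
        for bit in range(7):  # ASCII fits in 7 bits; bit 7 never yields a valid char
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in ALLOWED:
                continue
            candidate = name[:i] + flipped + name[i + 1:]
            if candidate[0] in "._":
                continue
            variants.add(candidate)
    return sorted(variants)


def is_one_bit_typosquat(candidate: str, legitimate: str) -> bool:
    """True when `candidate` differs from `legitimate` in exactly one character
    and that character differs by exactly one bit (CI- or registry-side check)."""
    if len(candidate) != len(legitimate) or candidate == legitimate:
        return False
    diffs = [(a, b) for a, b in zip(candidate, legitimate) if a != b]
    if len(diffs) != 1:
        return False
    a, b = diffs[0]
    return bin(ord(a) ^ ord(b)).count("1") == 1


def flag_suspicious(installed: list[str], well_known: list[str]) -> dict[str, str]:
    """Map each installed package name to the well-known name it one-bit-squats."""
    return {
        pkg: legit
        for pkg in installed
        for legit in well_known
        if is_one_bit_typosquat(pkg, legit)
    }


if __name__ == "__main__":
    # Constructed sample: a lockfile's package list with one suspicious entry.
    installed = ["lodash", "express", "modash", "react"]
    print(one_bit_flip_variants("lodash"))
    print(flag_suspicious(installed, ["lodash", "express", "react"]))
```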