Ubiquiti network devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.
Researchers demonstrated that Intel SGX trusted enclave poses a security thread, when they implemented proof malware that bypasses antivirus protection by leveraging SGX properties. Find more information in the research paper named "Practical Enclave Malware with Intel SGX".
Looks like the diffusion layer of Russian symmetric ciphers Kuznyechik and hash function Streebog, have mathematical properties required for the backdoor. There is no theoretical attack yet, and I am not convinced that it is on purpose, but the construction is suspicious.
Google engineers have designed a new encryption mode for ChaCha stream cipher called Adiantum. The new encryption mode should be used on cheap ARM processors that does not have hardware support for AES, and it is almost 5x faster than AES-256-XTS.
Current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.
Phones running Android OS can be compromised remotely by viewing malicious PNG image.
A new vulnerability in the runc, container runtime used by Docker, Kubernetes and others. allows container escape just by running a malicious image.
NCC Group published an interesting blog about a downgrade attack on TLS 1.3 and multiple other vulnerabilities in major TLS Libraries which they found last year.
Researcher Scott Gayou published a step by step guide on how to jailbreak Subaru Crosstrek 2018 head unit leveraging USB port and update mechanism.
According to the Airbnb presentation, 38 percent of bugs at Airbnb could have been prevented by using types.
You can try to find bugs in the Swiss eVoting System, as they opened a bug bounty program. There is also a source code available for registered bug hunters.
Google open sourced ClusterFuzz, an infrastructure used for fuzzing Chrome and OSS-Fuzz, continuous fuzzing pipeline of open source software.
Google Project Zero published a blog about the FunctionSimSearch open-source library which is capable to find similar functions in the assembly.
They are using it to detect code statically-linked vulnerable library functions in executables.
London's police is testing facial recognition technology in central London this week. Feel free to get your face scanned and processed for the bright future.
Facebook gave Spotify and Netflix access to a users' private messages. Also shared user information with Microsoft, Amazon, Yahoo without explicit consent.
Researchers published results of an investigation into Russian election interference on behalf of the US Senate Intelligence Committee. They have analyzed data sets from Facebook, Twitter, Google.
Adam Langley wrote about their further Google Chrome TLS experiments with the post-quantum lattice based cryptography.
Matthew Green wrote his thoughts on GCHQ’s latest proposal for surveilling encrypted messaging and phone calls.
Tencent Blade Team discovered a remote code execution vulnerability in SQLite. It was already fixed in Chromium.
Good story about the investigation of the Chinese industrial espionage.
University of California, Berkeley researchers are building open-source secure enclave using RISC-V.
Well-known cypherpunk movement founder Timothy May passed away.
Microsoft introduced Windows Sandbox for applications.
Interesting paper on systematic parsing of X.509 certificates with strong termination guarantees: "Systematic Parsing of X.509: Eradicating Security Issues with a Parse Tree".
A Dive into Cypherlock, a tool that could prevent forced decryption.
Instant, re-usable, generic MD5 collisions over different file formats. https://github.com/corkami/pocs/blob/master/collisions/README.md
Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attacks. After reverse engineering Nvidia GPU, researchers were able to steal rendered password box from a browser, sniffed other browser related data and also settings from the neural network computations on a GPU in the data center.
Cybersecurity firm Trend Micro has analyzed a new cryptocurrency mining malware that targets Linux OS and is able to hide its processes by implementing a rootkit component.
The rootkit will replace and hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library so the system is unable to monitor miner workers anymore.
An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on a continuous positive airway pressure (CPAP) machines to create a free tool that lets patients modify their treatment.
In 2016, Russia's Internet Research Agency used browser plugin malware called FaceMusic which "liked" Russian content and made their content popular on a social networks.
Now a Russian national living in Bulgaria has been detained on an US arrest warrant and is accused of online fraud & maintaining a computer network with servers in Dallas between Sep 2014 - Dec 2016.
The European Commission has just announced trials in Hungary, Greece and Latvia of iBorderCtrl project that includes the use of an AI-based lie detection system to spot when visitors to the EU give false information about themselves and their reasons for entering the area.
Troy Hunt analyzed 2FA, U2F authentication mechanisms and commented on the Google Advanced Protection enrollment procedure.
Bitwarden open source password manager has completed a thorough security audit and cryptographic analysis from the security experts at Cure53.
According to a Censys online platform, over a million AT&T devices, probably cable modems share the same TLS private key.
Researchers from Mozilla published blog on how they have designed privacy-aware Firefox Sync.
Two weeks ago we wrote about an attack against the OCB2 authenticated encryption scheme. It breaks integrity of OCB2.
Now there are two more papers, one breaks confidentiality and the other recovers plain text.
There is a zero day exploit "PHP_imap_open_exploit" in PHP that allows bypassing disabled exec functions by using call to imap_open.
The Czech Security Intelligence Service (BIS) shuts down Hezbollah servers in the Hezbollah hacking operation. Hackers used female Facebook profiles to trick victims into installing spyware.
More than 420K compromised MikroTik routers can be found on the Internet with half of them mining cryptocurrencies, according to the results of Censys scanner.
Also, there is anonymous gray-hat researcher patching them remotely.
Fake Adobe updates are circulating that will actually update the Windows version of a plugin on your computer, but also install cryptocurrency mining malware.
According to a new research, if you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. https://www.schneier.com/blog/archives/2018/10/how_dna_databas.html
The Pentagon travel system has been hacked. Personal information and credit card data of at least 30K U.S. military and civilian personnel are affected.
A PoC exploit for a Windows (CVE-2018-8495) remote code execution vulnerability that can be exploited via Microsoft Edge has been published.
There is a serious SSH bug discovered in LibSSH library.
Basically a client can bypass the authentication process by telling the server to set the internal state machine maintained by the library to authenticated.
Electron just merged fix enabling position independent executable build (PIE) on Linux, so all Electron-Apps on Linux can soon leverage Address space layout randomization (ASLR) protection.
On this site, you can find "every byte of a TLS connection explained and reproduced".
Really interesting project.
Researcher Lance R. Vick started a spreadsheet to compare relative security, privacy, compatibility, and features of various messenger systems.
Recorded Future published analysis of a Russian and Chinese illegal hacking Communities.
Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on a network from learning users browsing history.
Swedish kids can read about the DNSSEC on a milk carton.
If you are running Linux machines in Microsoft Azure, you should disable built-in wa-linux-agent backdoor that enable root access from Azure console.
There is a good blog post by Stuart Schechter about the dark side of the two factor authentication. Highly recommended reading.
Great research by Eyal Ronen, Kenneth G. Paterson and Adi Shamir demonstrate that adopting pseudo constant time implementations of TLS are not secure against the modified Lucky 13 attack on encryption in CBC-mode. Tested against four fully patched implementations of TLS - Amazon's s2n, GnuTLS, mbed TLS and wolfSSL.
Traefik, popular open source reverse proxy and load balancing solution is leaking (CVE-2018-15598) TLS certificate private keys via API.
Google enrolled Hardware Secure Module to their Cloud Key Management Service. The customers can use it to store their encryption keys with FIPS 140-2 Level 3 security certified devices from now on.
Microsoft Corp said that Russian hackers are targeting U.S. political groups ahead of November’s congressional elections.
The WIRED cover story on how Russian NotPetya malware took down Maersk, the world’s largest shipping firm.
Kaspersky Lab published analysis of a sophisticated "Dark Tequila" banking malware which is targeting customers in Mexico and other Latin American nations.
NSA successfully cracked and listened for years to encrypted networks of Russian Airlines, Al Jazeera, and other “High Potential” targets.
Anonymous targeted Spanish Constitutional Court, economy and foreign ministry websites to support Catalonia separatist drive.
Red Teaming/Adversary Simulation Toolkit is a collection of open source and commercial tools that aid in red team operations.
Facebook, Google, Cisco, WhatsApp and other industry partners get together to create Message Layer Security as an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.
Long read about the takedown of Gooligan, Android botnet that was stealing OAuth credentials back in 2016.
The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after they have notified the AMD.
Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.
Hacker behind Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia’s military intelligence directorate.
Fascinating in depth blog about the breaking security of the Ledger cryptocurrency hardware wallet.
There was a Facebook bug which made persistent XSS in Facebook wall possible by embedding an external video using the Open Graph protocol.
Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.
Dark Web Map - a visualization of the structure of 6.6k Tor's onion services, a.k.a. hidden services, a.k.a. the dark web.
Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.
Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.
Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.
It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.
It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.
The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.
Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.
The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.
Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.
There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.
Nice introduction on how to fuzz TCP servers by Robert Swiecki.
There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
Explanation how web trackers exploit browser login managers to track users on the Internet.
According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.
There are at least 14 newly discovered vulnerabilities in the Linux kernel USB subsystem. The vulnerabilities were found by the Google syzkaller kernel fuzzer. According to the researchers, all of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.
Mozilla will remove root certificate of the Staat der Nederlanden (State of the Netherlands) Certificate Authority from Firefox browser if the Dutch government vote a new law that grants local authorities the power to intercept Internet communication using "false keys".
Bug hunter Scott Bauer has published an in depth analysis of the Android remotely exploitable bug in the blog post named "Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones".
Some web pages use textfield with the CSS "asterix" trick instead of the password field so they can bypass browser security warning when password field is on an unencrypted web page. Nonsense.
More than 54 thousand have the same pair of 512-bit RSA keys as their DNS Zone Signing Keys.
Good blog from the ElcomSoft about the history and current possibilities in the iOS and iCloud forensics.
The Norwegian National Communications Authority reported GPS signal jamming activity in the Finnmark region near the Russian border.
Mac and Linux versions of the Tor anonymity software contained a flaw that can leak users real IP addresses.
Software and HDL code for the PCILeech FPGA based devices that can be used for the Direct Memory Access (DMA) attack and forensics is now available on a GitHub. The FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system.