According to a Reuters investigation, United Arab Emirates used former U.S. intelligence operatives to hack into the iPhones of activists, diplomats and foreign politicians using so-called Karma spyware.
The Russia also has it's own Wikileaks. Called Distributed Denial of Secrets, the website aims to "bring into one place dozens of different archives of hacked material that, at best, have been difficult to locate, and in some cases appear to have disappeared entirely from the web."
The Japanese government will run penetration tests against all the IoT devices in the country in preparation for the Tokyo 2020 Summer Olympics. They want to map vulnerable devices and find out how to harden infrastructure.
Researchers analyzed 6000 router firmware images and the result is quite depressing. The home router software safety hygiene deteriorated over the past 15 years.
A Samsung Galaxy Apps Store bug allowed an attacker to inject arbitrary code through the interception of periodic update requests made by the Apps Store.
Vulnerable Cisco RV320/RV325 routers are being exploited in the wild. Thousands of routers are exposed on the internet with the web-based management interface vulnerability that could allow an unauthenticated, remote attacker to retrieve sensitive configuration information.
US National Institute of Standards and Technology (NIST) announced the second-round candidates for quantum resistant public-key encryption and key-establishment algorithms.
The vulnerability in the Apples' FaceTime application enables caller to hear called person without accepting a call. Apple decided to turn off FaceTime conference servers before the fix is released.
Luke Berner found out interesting method how to maintain persistence after a password change using the two-factor authentication (2FA) no mayor websites.
A zero-day vulnerability in the jQuery File Upload plugin is actively exploited for at least three years. Patch now!
A massive ad fraud scheme involving more than 125 Android apps and websites exploited Android Phones to steal millions.
Literally, almost everybody is doing this scheme against the smartphone users these days.
Kaspersky Lab analyzed complex DarkPulsar backdoor administrative module for a malware leaked by the ShadowBrokers.
They have found around 50 victims located in Russia, Iran and Egypt, mostly companies working in the nuclear energy, telecommunications, IT, aerospace and R&D.
Haaretz investigation reveals Israel has become a leading exporter of tools for spying on civilians.
Dictators around the world use them eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
The consultancy firm McKinsey helping Saudi Arabia identify influential Saudis who opposed the government's line on Twitter.
Some of those individuals were later imprisoned & targeted with sophisticated spyware.
Companies building "Smart home" products refuse to say whether law enforcement is using their products to spy on citizens.
Mozilla announces experimental partnership with the ProtonVPN.
They will offer a virtual private network (VPN) service to a small group of Firefox users.
The UK grassroots internet provider is testing a data only SIM card that blocks any non-Tor traffic from leaving the phone.
That feeling when you can steal a Tesla by relay attack (or key cloning?), but you have to Google how to unplug the charger.
An insightful review of Android's secure backup practices published by NCC Group.
Endpoint security pioneer Joanna Rutkowska leaves Qubes OS, joins the Golem project.
Matthew Green wrote a post on password-based authenticated key exchange (PAKE )and the new OPAQUE protocol.
Quite useful techniques more people should know about.
Signal Desktop leaves message decryption key in the plain text.
Trail of Bits published a useful guide to the post-quantum cryptography.
Linux had officially committed to implementing and obeying the Code of Conduct — which is immediately misused to remove top Linux coders.
Some of the Linux developers are now threatening to withdraw the license to all of their code.
Bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts should be affected.
Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
Australian government pushes for the smartphone spyware implanted by Telco vendors, manufacturers.
At least the sixth backdoor account was removed from Cisco devices this year.
This time it's "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) Software.
ESET researchers discovered, that the Kodi Media Player add-ons are misused for the cryptocurrency mining malware distribution.
According to a stackexchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
Researchers proved that the security of PKCS #1 Digital Signatures is as secure as any of its successors like RSA-PSS and RSA Full-Domain.
There is a novel cache poisoning attack on WiFi by a remote off-path mitm attack vector.
Takes only 30 seconds and is using interesting multi-packet injection for timing side channel inference for injection. Works on Windows, OSX and Linux.
Purism project introduced their own security token called the Librem Key. They have partnered with the Nitrokey manufacturer, but the firmware provides additional functionality, like a challenge response mode where the key informs you if the bios running on a PC has validated itself to the key.
Google built a prototype of a censored search engine which should be used in China, that links users’ searches to their phone numbers.
According to a Swiss officials, two Russian spies caught in the Netherlands had been plotting a cyber attack on a Swiss defense lab analyzing the Novichok nerve agent used in the Salisbury poisoning.
Citizen Lab has published a new report about the Pegasus spyware created by Israeli cyber-security firm NSO Group.
The malware is operating on both Android and iOS devices, and the researchers identified 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations.
Hackers were running cryptocurrency mining malware on the Indian government sites.
Every day this week, Cloudflare is announcing support for a new technology that uses cryptography.
They have introduced Onion service, BGP PKI (RPKI), IPFS node. Essentially, we can call them an active global adversary now.
The Western Digital My Cloud was affected by an authentication bypass vulnerability.
An unauthenticated attacker could exploit this vulnerability to authenticate as an admin user without needing to provide a password.
NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO), because they found out that the "vendors have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission."
The new Necurs botnet spam campaign targets Banks with the malicious Wizard (.wiz) files used by Microsoft programs such as Word to guide users through complex or repetitive tasks.
Informative blog by the LineageOS engineers covering Qualcomm bootloader chain of trust to the point of Android OS being loaded.
GnuPG can now be used to perform notarial acts in the State of Washington.
A new CSS-based web attack will crash and restart your iPhone.
Interesting project - SlotBot: Hacking slot machines to win the jackpot with a buttonhole camera and brute-force search.
Hackers have poisoned the Arch Linux PDF reader package named “acroread” that was found in a user-provided Arch User Repository (AUR). They have put downloader malware inside.
Hackers took over the maintainer account of the eslint-scope and eslint-config-eslint npm packages and published malicious versions which were downloading some juicy scripts from the pastebin.com. https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
Backend of the TimeHop iOS application was compromised, personal records of the 21 million customers leaked.
Nice journalism about how few researchers found the names and addresses of soldiers and secret agents using Strava fitness application when the company published tracking maps on the internet.
Lexington Insurance Company and Beazley Insurance Company are suing Trustwave over a 2009 breach. Trustwave supposedly failed to detect malware that caused a breach.
This will be huge precedent in the whole industry.
One email to a North American Network Operators mailing list led to a concerted effort to kick a notorious BGP hijacking factory off the Internet.
It looks like that the Carbanak banking malware source code was leaked.
Researchers found spying malware signed using digital certificates stolen from D-Link and other Taiwanese tech-companies.
The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.
According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.
Elcomsoft wrote an insight about the drastically degraded security of the Apples iOS 11 operating system.
Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.
Crooks are installing cryptocurrency miners by using typosquatting npm package names. They are searching for the unregistered package names with the difference of one bit from a well known packages.
Swiftype written a good blog about their infrastructure risk assessment and threat modeling.
Nvidia published a paper about the clustering of a benign and malicious Windows executables using neural networks.
Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
Sysdig Inspect – a powerful interface for container troubleshooting and security investigation
NSA's XKeyscore spying tool is used to fish Microsoft Windows crash reports out of the Internet traffic. They have used it against the Mexico's Secretariat of Public Security.
Researchers from the Exodus Intelligence wrote remote exploit against the Android and iOS operating system, using Broadcom’s Wi-Fi chipset bug.
"Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
Great blog about chaining 4 vulnerabilities on the GitHub Enterprise in order to achieve remote code execution!
Trend Micro researchers analyzed infection chain used by JS_POWMET fileless malware.
Researchers used antivirus cloud-based sandbox to exfiltrate data from the endpoint.
The Google team has blocked a new "Lipizzan" Android spyware family from the Google Play.
Microsoft won't patch a 20 years old SMBv1 SMBloris memory handling bug, that could be exploited by attackers to execute a Denial of Service attack on a web servers.
Private notes application Standard Notes got a cryptography audit.
Framework for Testing WAFs (FTW) is a project created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF.
A new malware called MacDownloader, attributed to the Iran, targeting macOS systems spotted in the wild. Spreading as an Adobe Flash installer or a Bitdefender Adware Removal Tool, depend on social engineering. After installation, it attempts to exfiltrate OS X keychain database as well as the other system information.
Google Project Zero investigated inner-working of Real-Time Kernel Protection (RKP) used by Samsung KNOX using a fully updated Galaxy S7 Edge. They have presented multiple vulnerabilities which allow them to subvert each of RKP’s security mechanisms.
A former National Security Agency contractor Harold T. Martin III is accused of carrying out theft of 50 terabytes of classified information.
"The indictment against Harold T. Martin III is expected to contain charges of violating the Espionage Act by "willfully" retaining information that relates to the national defense, including classified data such as NSA hacking tools and operational plans against "a known enemy" of the United States, according to individuals familiar with the case."
Google Chrome 56 lets websites connect to Bluetooth devices and harvest information from them through the browser. Summary of the Web Bluetooth API security model written by Chrome team's Jeffrey Yasskin can be found on Medium.
Doctor Web detects new Mirai trojan fork able to use Windows machines when scanning the internet for the other targets.
CRYSIS ransomware family is targeting a US healthcare sector via remote desktop (RDP) brute force attacks.
A new ransomware known as "Serpent" is targeting Danish recipients using emails linking to malicious Microsoft Office documents.
Multiple proponents of Mexico’s 2014 soda tax aimed at reducing consumption of sugary drinks in Mexico were targeted by spyware.
The malicious program is developed by an Israeli cyberarms dealer NSO Group.
Keybase introduced an end-to-end crypto app for secure interactive messaging which works with already established 3rd party accounts.
Interesting solution to the key exchange problem, other solutions usually use a Trust On First Use (TOFU). Just to note, only "exploding" messages have forward secrecy.
Wire’s encrypted messaging protocol got audited. Kudelski Security and X41 D-Sec found it to have "high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs."
A great story about the Russian "research" company which reverse engineered older slot machines in order to predict the output. And they are cashing in on it...
Brother and sister arrested in Italy for spying on top public officials, businessmen and institutions. They wrote a VB.NET malware with RAT / spyware features. They infected high level targets via spear-phishing and pivoted on their email to infect more higher level targets. They had terrible OPSEC, bought some domains and hosting with real names.
BuzzFeed article about Trump claims that the Russian Security Service FSB has "capabilities" against the Telegram messaging app. Security researcher Frederic Jacobs wrote about this back in April 2016.
https://www.fredericjacobs.com/blog/2016/04/29/more-on-sms-logins/ https://twitter.com/i/web/status/819127046588813313 https://www.buzzfeed.com/kenbensinger/these-reports-allege-trump-has-deep-ties-to-russia
At 33rd Chaos Communication Congress, security researcher Claudio Guarnieri launched open initiative "Security Without Borders".
"Security Without Borders will provide digital security assistance to organizations to harden infrastructure against attacks, perform incident response to secure organizations, engage in public education, and produce research on the threats posed to activists. Among our members we count penetration testers, malware analysts, reverse engineers, vulnerability researchers, and software developers."
3 BYTES long RSA key secures implanted cardiac devices, and yes, it's also backdoored.
As Matthew Green said on Twitter: "But in case 24-bit RSA isn't bad enough, the manufacturers also included a hard-coded 3-byte fixed override code. I'm crying now."
Public statement: "The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
Security company Emsisoft spotted a new ransomware named Spora, that allows potential victims to pay for immunity from future attacks.
From the article: "You can choose to only recover your files or pay for removal of the ransomware and immunity from future attacks at an extra cost." It has also very interesting intel gathering technique, which is later used for the monetisation.
Google has released a toolkit for a transparent and secure way to look up public keys. "Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable." This solves an open problem in messaging.
Company E-Sports Entertainment Association refused to pay $100,000 to hackers, so they published customer dataset online.
Popular browsers and extensions can be tricked into leaking private information using hidden text boxes. https://github.com/anttiviljami/browser-autofill-phishing
Fake "Migrant Helpline" donations emails delivers malware.