35-year-old vulnerability has been discovered in the SCP file transfer utility. According to the advisory impact section, "Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output."
Multiple U.S. government websites SSL certificates have expired and some sites are inaccessible due to properly used HTTP Strict Transport Security.
There's nobody there to renew them due to a government shutdown.
Researchers found a new kind of Windows malware using encrypted messaging app Telegram to receive "encrypted" instructions. Nothing innovative with the malware sample, but what is really interesting is, that telegram messages are coupled with unique IDs and malware analysts from the Forcepoint Labs were able to retroactively scrape all the messages issued by the malware operator.
Not sure what kind of channel was used by the bot, but it looks really suspicious to be able to scrape old messages.
The researchers at the CanSecWest Vancouver conference will be able to participate in the annual Pwn2Own challenge. This year also in car hacking as Tesla Model 3 will be available.
One of last surviving Navajo code talkers, Alfred Newman, has passed away at 94. Newman, with many others, developed during World War II an unbreakable code for military transmissions using the unwritten Navajo language.
Security researcher Troy Hunt updated his service Have I Been Pwn with 772,904,991 new email addresses and lots of passwords after finding 87GB of leaked passwords and email addresses by the MEGA cloud storage provider.
There was a massive data breach at the Oklahoma Securities Commission with millions of files containing decades worth of confidential case file intelligence from the agency and sensitive FBI investigation source materials leaked.
Hackers broke into an SEC database and made millions from inside info.
Malicious former employee installed Raspberry Pi in the company network closet, but the Reddit crowd helped with the investigation.
Great blog post about the factors in authentication. The more factors to be used, the bigger headache from the enrollment procedures.
Noise Protocol Framework Explorer created by Nadim Kobeissi now supports generating secure implementations in Go for any arbitrary Noise Handshake Pattern.
CERT Poland (CERT Polska) opens access to its malware database (MWDB).
Sennheiser's HeadSetup software is installing a root certificate into the OS Trusted CA Certificate store.
They have also put a private key on a device, the same one for all users, which allows any user to perform a man-in-the-middle SSL attacks against SSL communication.
German chat platform Knuddels.de (Cuddles) has been fined 20k€ for storing user passwords in plain text.
What is interesting is that the regional GDPR data watchdog wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances".
Crooks are using new attack vector to spread malware, they are requesting maintainer access to a widely-used open source projects on github, then pushing compromised version to millions of people.
Two international cybercriminal Rings dismantled and eight defendants indicted for causing tens of millions of dollars in losses in the digital advertising fraud.
They have produced Boaxxe/Miuref & Kovter malware.
Cisco Talos has discovered DNSpionage malware targeting governments and companies in the Middle East using phishing attack.
The U.S. Treasury Department has sanctioned two Iranians allegedly involved in Bitcoin ransomware scheme SamSam.
They have basically put Bitcoin addresses on the Office of Foreign Assets Control’s (OFAC) sanctions list.
Scammers are changing the contact details for banks on Google Maps.
Almost all VPN browser extensions are in fact just a proxy and are vulnerable to a different level of IP leaks and DNS leaks.
Google, Mozilla are working on letting web apps edit local user files despite warning it could be really dangerous.
The German Federal Office for Information Security, BSI, publishes Microsoft Windows 10 telemetry analysis.
BlackBerry purchased Cylance, the machine-learning based anti-malware company for $1.4 billion dollars.
They plans to integrate Cylance's anti-malware solution into the BlackBerry Spark platform.
The Sequoia team introduced the first release of a new Rust implementation of the OpenPGP licensed under GPL 3.0.
A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.
According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.
Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.
A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.
GDPR and other cookie consent scripts are used to distribute malware.
Interesting blog on how criminals in Iran make money by creating Android malware apps.
Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!
There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.
Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.
Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...
A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.
Samsung Galaxy S9 and S9+ devices, maybe others, are texting camera photos to random contacts through the Samsung Messages app without user permission.
Gentoo Linux distribution GitHub repository was compromised. Attacker removed out all the maintainers, who realized the intrusion only 10 minutes after he gained access. He add
rm -rf /* to build scripts, changed README and some minor things.
Since January 2017, Stylish browser extension has been augmented with spyware that records every single website that its 2 million other users visit, then sends complete browsing activity back to its servers, together with a unique identifier.
Digicert Withdraws from the CA Security Council (CASC), because they "feel that CASC is not sufficiently transparent and does not represent the diversity of the modern Certificate Authority (CA) industry. Improving the ecosystem requires broad participation from all interested stakeholders, and many are being excluded unnecessarily."
Great step Digicert!
CryptoCurrency Clipboard Hijacker malware discovered by Bleeping Computer monitors for more than 2.3 million Bitcoin addresses, then replace them in memory, with the attacker address.
Local root jailbreak, authorization bypass & privilege escalation vulnerabilities in all ADB broadband routers, gateways and modems. The patch is already available.
A Microsoft Security division published an analysis of the malware sample which exploited the Adobe Reader software and the Windows operating system using two zero-day exploits in a single PDF file.
Blog about why it is not helpful to use the Canvas Defender extension, a browser canvas fingerprinting countermeasure.
Blog about the cryptographic primitives used by the North Korean Red Star operating system. The OS is mostly uses AES-256 Rijndael with dynamic S-Box modifications, but the design is evolving and the latest version of the algorithm has more differences.
Interesting technique how to bypass web-application firewalls by abusing SSL/TLS. An attacker can use an unsupported SSL cipher to initialize the connection to the webserver which supports that cipher, but the WAF would not be able to identify the attack because it can't view the data.
Good introduction to the Linux ELF file format with some practical examples how sections look like, how to shrink the size during compilation and more.
Yet another high severity attack against the Intel CPUs. Unpatched systems can leak SIMD, FP register state between privilege levels. These registers are used for private keys nowadays.
The cost of a patch is more expensive context switches because the fix has to unload and reload all SIMD, FP state.
The team behind the CopperheadOS, hardened Google-free Android fork, has imploded. Guys, CEO and CTO (main and probably the only developer) are blaming each other.
Chromium devs are planning to enforce TLS protocol invariants by rolling new TLS 1.3 versions every six weeks.
According to the developers: "Every six weeks, we would randomly pick a new code point. These versions will otherwise be identical to TLS 1.3, save maybe minor details to separate keys and exercise allowed syntax changes. The goal is to pave the way for future versions of TLS by simulating them (“draft negative one”)."
The Kromtech Security Center found 17 malicious docker images stored on Docker Hub for an entire year. With more than 5 million pulls, containers were primarily used to mine cryptocurrency.
At least 74 persons, mostly Nigerians, were arrested due to crimes related to the business e-mail compromise schemes.
Good summary of the existing inter-service authentication schemes. Bearer, hmac based tokens etc.
There is an Ancient "su - hostile" vulnerability in Debian 8 & 9. Doing "su - hostile" may lead to the root privilege escalation. Default sudo -u probably is
There is a critical command injection vulnerability in the macaddress NPM package.
Blog about the crafting remote code execution via server-side spreadsheet injection.
An implementation flaw in multiple cryptographic libraries allows a side-channel based attacker to recover ECDSA or DSA private keys. Lots of libraries affected, like LibreSSL, Mozilla NSS, OpenSSL, etc.
Wandera security researchers spotted a new sophisticated Android RedDrop malware hidden in at least 53 Android applications. It can intercept SMS, record audio and exfiltrate data to the remote server.
There is an experimental support for forward secure post-quantum Extended Hash-Based Signatures (XMSS) in the OpenSSH protocol.
Blog by Matthew Green on the probable encryption key handling by Apple in the China mandated cloud. Not really satisfied explanation, only guesses, as Apple is silent about the exact key handling methodology.
Cloudflare detected new Memcached based amplification DDoS attack vector. The attacker just implants a large payload on an exposed memcached server, then, the attacker spoofs the "get" request message with target Source IP address. The memcached server could be really huge - around 1MB.
A group of computer scientists from the US and China published a paper proposing the first-ever trojan for a neural network. It's called PoTrojan and is triggered by special network input. After that, the network start to work differently.
The Cisco Talos team analyzed attribution claims around Olympic Destroyer malware. The result is to not imply blindly to Russia. Attribution is hard.
New KeePassXC version 2.3.0 was released. There are lots of new features, like new Argon2 key derivation function, SSH agent integration, browser plugin.
Trustico SSL certificate reseller revoked 23000 customer certificates by sending private keys(?!) over email to the Digicert certification authority.
There are rumors that major U.S. government contractor Cellebrite is able to unlock all current iPhone models.
An advertising network has been using a well-known malware trick, a Domain Generation Algorithm (DGA), to bypass ad blockers and deploy in-browser cryptocurrency miners since December 2017.
A novel technique is using hardware branch predictor side channel attack to bypass ASLR protection:
"Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR"
The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.