According to the New York Times sources, Marriott customers' data were breached by Chinese hackers.
Attribution is hard, especially when investigating government related hacks. We have to wait for more information.
A Google+ API software update introduced in November had caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
Excellent journalistic piece about the location data industry. It's impossible to anonymize this kind of datasets. Really recommended!
Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Pro by using WinAFL fuzzer.
The Cisco Talos team wrote about the various practical side-channel attack scenarios against the encrypted messaging apps like WhatsApp, Telegram, and Signal.
Study finds 5 out of 17 tested certification authorities are vulnerable to spoofing domain validation by using the IP fragmentation attack.
A team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through the use of specially-crafted URLs.
Microsoft took the first step in advocacy for the regulation of a facial recognition technology.
A recent variant of a Shamoon malware wiped around ten percent PCs of the Italian oil and gas company Saipem.
Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
Researcher Natalie Silvanovich from the Google Project Zero fuzzed WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
Australian guys, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
Apple included support for the WebAuthentication API in the latest Safari Release 71 (Technology Preview).
The new WebAuthentication as implemented supports USB-based CTAP2 devices.
Critical Kubernetes privilege escalation bug (CVE-2018-1002105) was found and patched during this week. When exploited, the bug allows anonymous users as well a authenticated one to use admin privileges over the cluster API.
There is an exploit published on a GitHub already.
British Telecom will not use Huawei's 5G kit within the core of the network due to security concerns.
Security agencies in Australia will gain greater access to encrypted messages due to a new legislative.
US National Security Archive published a complete index of all 1504 items in the declassified collection of NSA internal Cryptolog periodical.
Security researchers released attacks on 7 TLS implementations, making use of Bleichenbacher and Manger's attack.
The research with a name "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations" also includes a TLS 1.3 downgrade attack.
Ransomware Infected 100k computers in China then demands WeChat Payment and is using XOR as an "encryption". Author was probably identified because he registered domain to his own name.
It looks like 13 years old Virut botnet is resurrected in the wild.
Great blog on how guy scammed the scammer to send him photo of his ID.
Nearly 250 Pages of internal Facebook documents, emails and statistics were posted online by the UK Parliament.
A User Data of the question-and-answer website Quora were compromised.
The records of 500 million customers of the Marriott International hotel group were compromised.
Interesting revisited paper: "From Keys to Databases -- Real-World Applications of Secure Multi-Party Computation."
GTRS - is a tool that uses Google Translator as a proxy to send arbitrary commands to an infected machine.
Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation can screw you. Just answering a call from an attacker could completely compromise WhatsApp.
Great story about the spear phishing scheme against the MacEwan University in Canada. Investigators were able to track stolen money to China and back to the Canadian real estate investments.
Millions of Xiongmai video surveillance devices can be easily hacked. Devices can be discovered because of predictable cloud ID derived from the MAC address, then compromised by using malicious firmware images delivered by fake update server.
US Department of Defense published some findings from the weapons systems pentesting.
Weak passwords, port scans that caused the weapons system to fail, etc.
"Making sense of the alleged Supermicro motherboard attack" published by researchers at the University of Cambridge Computer Laboratory is explaining the possible technical aspects behind the recent Bloomberg story about the hardware backdoors shipped from China.
US Police used victims' Fitbit data to charge 90-Year-Old man in stepdaughter’s killing.
They knew about the suspect, but the Fitbit data made the investigation easier.
New Zealand can now fine travelers who refuse to unlock their digital devices for a search.
Microsoft patches zero day vulnerability (CVE-2018-8453) in the win32k.sys discovered by Kaspersky Lab back in August.
The exploit is used to target victims in the Middle East.
There are multiple severe vulnerabilities reported in the Juniper network devices.
Red Hat's Flatpak used for application distribution on Linux is implementing some questionable security practices.
Exploit for MikroTik router WinBox vulnerability gives full root access.
Congratulations to ICANN for the first-ever DNSSEC root key signing key rollover that took place on 11 October 2018.
Mozilla decided to delay distrust of the Symantec TLS certification authority from their browsers.
ADAPE-Script - Active Directory Assessment and Privilege Escalation Script can automate your AD recon and pentesting.
Linux had officially committed to implementing and obeying the Code of Conduct — which is immediately misused to remove top Linux coders.
Some of the Linux developers are now threatening to withdraw the license to all of their code.
Bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts should be affected.
Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
Australian government pushes for the smartphone spyware implanted by Telco vendors, manufacturers.
At least the sixth backdoor account was removed from Cisco devices this year.
This time it's "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) Software.
ESET researchers discovered, that the Kodi Media Player add-ons are misused for the cryptocurrency mining malware distribution.
According to a stackexchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
Researchers proved that the security of PKCS #1 Digital Signatures is as secure as any of its successors like RSA-PSS and RSA Full-Domain.
There is a novel cache poisoning attack on WiFi by a remote off-path mitm attack vector.
Takes only 30 seconds and is using interesting multi-packet injection for timing side channel inference for injection. Works on Windows, OSX and Linux.
Purism project introduced their own security token called the Librem Key. They have partnered with the Nitrokey manufacturer, but the firmware provides additional functionality, like a challenge response mode where the key informs you if the bios running on a PC has validated itself to the key.
Google built a prototype of a censored search engine which should be used in China, that links users’ searches to their phone numbers.
According to a Swiss officials, two Russian spies caught in the Netherlands had been plotting a cyber attack on a Swiss defense lab analyzing the Novichok nerve agent used in the Salisbury poisoning.
Citizen Lab has published a new report about the Pegasus spyware created by Israeli cyber-security firm NSO Group.
The malware is operating on both Android and iOS devices, and the researchers identified 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations.
Hackers were running cryptocurrency mining malware on the Indian government sites.
Every day this week, Cloudflare is announcing support for a new technology that uses cryptography.
They have introduced Onion service, BGP PKI (RPKI), IPFS node. Essentially, we can call them an active global adversary now.
The Western Digital My Cloud was affected by an authentication bypass vulnerability.
An unauthenticated attacker could exploit this vulnerability to authenticate as an admin user without needing to provide a password.
NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO), because they found out that the "vendors have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission."
The new Necurs botnet spam campaign targets Banks with the malicious Wizard (.wiz) files used by Microsoft programs such as Word to guide users through complex or repetitive tasks.
Informative blog by the LineageOS engineers covering Qualcomm bootloader chain of trust to the point of Android OS being loaded.
GnuPG can now be used to perform notarial acts in the State of Washington.
A new CSS-based web attack will crash and restart your iPhone.
Interesting project - SlotBot: Hacking slot machines to win the jackpot with a buttonhole camera and brute-force search.
Tesla model S is using a 40bit challenge response scheme broken back in 2005. Researchers stole a car in ~6 seconds with precomputed tables.
This kind of bug is an law enforcement dream.
Very interesting read from Troy Hunt on the effectiveness of negative media coverage and shaming of bad security.
Researchers say that the developers of Adware Doctor, the fourth highest ranking paid app in the Mac App Store, have found a way to bypass Apple restrictions and sends the browsing history of its users to a server in China. Apple already removed the application from the Mac Store.
Apple has also removed most of the popular security applications offered by cyber-security vendor Trend Micro from its official Mac App Store after they were caught stealing users' sensitive data without their consent.
European Court of Human Rights rules that GCHQ Data collection violates the human rights charter.
The Iran government, at least since 2016, is is spying on its citizens, Kurdish and Turkish natives, and ISIS supporters, using mobile applications with a malware.
The operation has been named Domestic Kitten.
Researchers introduced previously overlooked side-channel attack vector called Nemesis that abuses the CPU’s interrupt mechanism to leak microarchitectural instruction timings from enclaved execution environments such as Intel SGX, Sancus, and TrustLite.
India’s controversial Aadhaar identity database software was hacked, ID database compromised.
The vulnerability could allow someone to circumvent security measures in the Aadhaar software, and create new entries.
Criminals are faking Google Analytics script to steal credential and stay under the radar.
The OpenSSL team released version 1.1.1. There are a lots of new features like TLS 1.3 support, side-channel hardening, new RNG, SHA3, Ed25519 support.
USB media shipped with the Schneider Electric Conext ComBox and Conext Battery Monitor solar products were infected with malware.
Two days after the proof-of-concept exploit for the Windows Task Scheduler vulnerability appeared online, malware developers have started using it.
Five Eyes, an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States, officially warns the tech world that they should build interception capabilities voluntarily or governments will legislate.
Security researchers from the Kaitiaki Labs presented exploitation techniques against the automation in the LTE mobile networks.
.NET Framework remote code injection vulnerability (CVE-2018-8284) enables low privileged SharePoint users to execute commands on the server.
A good blog post by a bug hunter Steven Seeley - Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows (CVE-2018-15514).
Thousands of MikroTik routers are forwarding owners’ traffic to unknown attackers.
A great insight into the world of WW2 women code breakers who unmasked the Soviet spies.
ProtonMail released a major new version (4.0) of OpenPGPjs which introduces streaming cryptography.
Bruce Schneier announced the publication of the latest book with the name "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World".
There is a new collection of botnet source codes on GitHub.
There is an OpenSSH user enumeration attack against all software versions on all operating systems.
It's a timing attack with proof of concept already published.
The so-called RedAlpha malware campaign targeting the Tibetan community is deploying a novel “ext4” Linux backdoor. The group is using infrastructure registered with Tsinghua1 University, China and is believed to be conducted by Chinese state-sponsored actors in support of China’s economic development goals.
The Australia’s Assistance and Access Bill, introduced this week, want to jail people for up to 10 years if they refuse to unlock their phones.
A new research paper named "Piping Botnet - Turning Green Technology into a Water Disaster" demonstrate that the researchers were able to manipulate commercial smart IoT systems used for regulating water and electricity resources.
The guy with his BMW car encountered the theft attempt, where something that looked like a vandalism was actually a really smart attack against the modern alarm system.
Cloudflare analyzed the changes and improvements of a new TLS 1.3 (RFC 8446) standard that was finally published last week.
New Foreshadow attack demonstrates how speculative execution can be exploited for reading the contents of Intels' SGX-protected memory as well as extracting the machine’s private attestation key.
Practical dictionary attacks are possible against the main mode of IPsec IKEv1/v2 standard. Successful exploitation of a weak password requires only a single active man-in-the-middle attack.
If you are interested how cryptographic key management is practically done, I have written a blog Commercial Cryptographic Key Management in 2018, where I am explaining a little bit about the hardware, people and processes behind it.
Google published BrokenType, the font fuzzing toolset that helped find lots of vulnerabilities in the Windows kernel. It includes a font mutator, generator and loader.
A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.
According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.
Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.
A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.
GDPR and other cookie consent scripts are used to distribute malware.
Interesting blog on how criminals in Iran make money by creating Android malware apps.
Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!
There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.
Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.
Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...
A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.
Samsung Galaxy S9 and S9+ devices, maybe others, are texting camera photos to random contacts through the Samsung Messages app without user permission.
Gentoo Linux distribution GitHub repository was compromised. Attacker removed out all the maintainers, who realized the intrusion only 10 minutes after he gained access. He add
rm -rf /* to build scripts, changed README and some minor things.
Since January 2017, Stylish browser extension has been augmented with spyware that records every single website that its 2 million other users visit, then sends complete browsing activity back to its servers, together with a unique identifier.
Digicert Withdraws from the CA Security Council (CASC), because they "feel that CASC is not sufficiently transparent and does not represent the diversity of the modern Certificate Authority (CA) industry. Improving the ecosystem requires broad participation from all interested stakeholders, and many are being excluded unnecessarily."
Great step Digicert!
CryptoCurrency Clipboard Hijacker malware discovered by Bleeping Computer monitors for more than 2.3 million Bitcoin addresses, then replace them in memory, with the attacker address.
Local root jailbreak, authorization bypass & privilege escalation vulnerabilities in all ADB broadband routers, gateways and modems. The patch is already available.
A Microsoft Security division published an analysis of the malware sample which exploited the Adobe Reader software and the Windows operating system using two zero-day exploits in a single PDF file.
Blog about why it is not helpful to use the Canvas Defender extension, a browser canvas fingerprinting countermeasure.
Blog about the cryptographic primitives used by the North Korean Red Star operating system. The OS is mostly uses AES-256 Rijndael with dynamic S-Box modifications, but the design is evolving and the latest version of the algorithm has more differences.
Interesting technique how to bypass web-application firewalls by abusing SSL/TLS. An attacker can use an unsupported SSL cipher to initialize the connection to the webserver which supports that cipher, but the WAF would not be able to identify the attack because it can't view the data.
Good introduction to the Linux ELF file format with some practical examples how sections look like, how to shrink the size during compilation and more.