InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners have come together to create Messaging Layer Security, an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.

Long read about the takedown of Gooligan, an Android botnet that was stealing OAuth credentials back in 2016.

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after notifying AMD.

Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.

The hacker behind the Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia’s military intelligence directorate.

Fascinating in-depth blog post about breaking the security of the Ledger cryptocurrency hardware wallet.

There was a Facebook bug which made persistent XSS on the Facebook wall possible by embedding an external video using the Open Graph protocol.

Two-part series about cracking the password of Chinese hardware "encrypted" hard drives. PIN recovered.

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.

Dark Web Map - a visualization of the structure of 6.6k Tor onion services, a.k.a. hidden services, a.k.a. the dark web.

InfoSec Week 11, 2018

A cyberattack on a Saudi Arabian petrochemical company was probably planned with a physical explosion in mind. The attack is attributed to Iran, and Stuxnet isn't mentioned at all, so it is a slightly one-sided view of this cyberwarfare exchange.

There is a critical vulnerability in the Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. Due to a cryptographic flaw, a man-in-the-middle attacker could carry out remote procedure call attacks and data exfiltration against RDP and WinRM.

A vulnerability (CVE-2018-1057) in Samba allows authenticated users to change other users' passwords.

A Kubernetes vulnerability (CVE-2017-1002101) allows containers using subpath volume mounts with any volume type to access files/directories outside of the volume, including the host’s filesystem. An updated version is already available.

A quite good exchange on encryption policy and government backdoor proposals between the US National Academy of Sciences and the Electronic Frontier Foundation. Relevant for all democratic regimes.

Kaspersky has discovered the PlugX remote access tool (RAT) malware installed across pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.

The encrypted email service provider ProtonMail is being blocked by internet service providers in Turkey.

CTS-Labs security researchers have published a whitepaper identifying four classes of potential vulnerabilities in the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines.

Adam Langley's blog post about the inability of TLS 1.3 to snoop on proxy traffic.

Hacker Adrian Lamo dies at 37. He was known for his involvement in passing information on whistleblower Chelsea Manning, a former US Army soldier who leaked sensitive information to WikiLeaks.

To find an assault suspect, police in Raleigh, North Carolina used search warrants to demand Google account data not of specific suspects, but from any mobile devices that veered too close to the scene of a crime at a specific time.

Kaspersky releases Klara, a distributed system written in Python, designed to help threat intelligence researchers hunt for new malware using Yara rules.

Nice paper about a simple manual cipher that should be resistant to modern cryptanalysis:
LC4: A Low-Tech Authenticated Cipher for Human-To-Human Communication

InfoSec Week 10, 2018

Google is contracted by the US Defense Department to apply its artificial intelligence solutions to drone strike targeting.

PacketLogic Deep Packet Inspection (DPI) devices manufactured by Sandvine are being used to deploy government spyware in Turkey and Syria, and to redirect Egyptian users to affiliate advertising networks and browser cryptocurrency miners.

Researchers from Purdue University and the University of Iowa have discovered new attacks against the 4G LTE wireless data communications technology for mobile devices. The attacks can be used for impersonating existing users, device location spoofing, fake emergency and warning message delivery, eavesdropping on SMS communications, and more.

Blog post about the irresponsible handling of sensitive data by airlines' online booking systems.

Wire messenger application passed an extensive application level security audit by X41 D-Sec and Kudelski Security. No critical vulnerabilities were found in the iOS, Android or the web part.

With the older firmware, it was possible to extract private keys from the Ledger Nano cryptocurrency hardware wallet.

password_pwncheck is an enterprise Kerberos, Windows AD and Linux PAM password quality checking tool. It is able to check against breached lists like Have I Been Pwned and others.

Harpoon is a command line tool to automate threat intelligence and open source intelligence tasks.

InfoSec Week 9, 2018

Wandera security researchers spotted new, sophisticated Android malware called RedDrop hidden in at least 53 Android applications. It can intercept SMS, record audio and exfiltrate data to a remote server.

There is experimental support for forward-secure post-quantum Extended Hash-Based Signatures (XMSS) in OpenSSH.

Blog post by Matthew Green on the probable encryption key handling by Apple in the China-mandated cloud. Not a really satisfying explanation, only guesses, as Apple is silent about the exact key handling methodology.

Cloudflare detected a new Memcached-based amplification DDoS attack vector. The attacker implants a large payload on an exposed memcached server, then spoofs a "get" request message with the target's IP address as the source. The memcached response could be really huge, around 1MB.

A group of computer scientists from the US and China published a paper proposing the first-ever trojan for a neural network. It's called PoTrojan and is triggered by special network input. After that, the network starts to work differently.

The Cisco Talos team analyzed attribution claims around the Olympic Destroyer malware. The conclusion is not to blindly point at Russia. Attribution is hard.

New KeePassXC version 2.3.0 was released. There are lots of new features, like the new Argon2 key derivation function, SSH agent integration, and a browser plugin.

The SSL certificate reseller Trustico revoked 23000 customer certificates by sending private keys(?!) over email to the DigiCert certification authority.

There are rumors that major U.S. government contractor Cellebrite is able to unlock all current iPhone models.

An advertising network has been using a well-known malware trick, a Domain Generation Algorithm (DGA), to bypass ad blockers and deploy in-browser cryptocurrency miners since December 2017.

A novel technique uses a hardware branch predictor side-channel attack to bypass ASLR protection:
"Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR"

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer-generated books so they can launder money via Amazon.

Crooks made over $3 million by installing cryptocurrency miners on Jenkins servers by exploiting a Java deserialization RCE vulnerability (CVE-2017-1000353) in Jenkins.

Tesla's Kubernetes installation in the Amazon AWS infrastructure was compromised by hackers. They set up a private cryptocurrency mining pool there.

The co-founder of WhatsApp, Brian Acton, has given $50 million to support the Signal messenger and create a self-sustaining foundation. Very good news for this donation-funded privacy technology.

Hackers are exploiting the Cisco ASA vulnerability (CVE-2018-0101) in attacks in the wild.

Security researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also an API for this dataset, and some statistics about password usage.

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.

Public key cryptography explained in the form of Ikea instructions. Check other images as well!

InfoSec Week 7, 2018

The Fidelis Cybersecurity researcher Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates. The proof of concept code uses the SubjectKeyIdentifier field and generates certificates on the fly.

The "UDPoS" Point of Sale malware is using DNS traffic to exfiltrate stolen credit card data.

Talos analyzed a malware threat targeting Olympic computer systems during the opening ceremony. The main purpose was information gathering and destroying the system.

A zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.

Trustwave analyzed a multi-stage Microsoft Word attack which is NOT using macros. Really creative technique.

Microsoft can't fix a Skype privilege escalation bug without a massive code rewrite, so they postponed it for a while.

Facebook is advertising their Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.

Facebook is spamming users via SMS to the phone numbers they registered for two-factor authentication (2FA), and then posts their responses on the wall.

(Not only) Performance analysis of a Retpoline mitigation for Spectre vulnerability.

A guide on how to brute-force Linux Full Disk Encryption (LUKS) volumes using the Hashcat software.

Proof of concept of a LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send any files. All operating systems are affected in versions before 5.4.5/6.0.1.

InfoSec Week 6, 2018

A buffer overflow vulnerability in an older StarCraft version enabled modders to create new maps, so Blizzard tasked a reverse engineer with safely emulating the bug in the newer, fixed version.
The author says it all: "This is a tale about what dedication to backward compatibility implies."

A bug in the Grammarly Chrome extension (approx. 22M users) exposes the user authentication token to all websites, so everybody collecting user data can access their cloud data at

With the release of Google Chrome 68, Chrome will mark all HTTP sites as “not secure” in the status bar.

Article about the Australian startup Azimuth Security which sells hacking software to the "Five Eyes" police and intelligence agencies.
Rumors are that they are able to remotely hack Android devices and iPhones.

SEC Consult researchers found multiple vulnerabilities in their smart sex toys security review. Customer database, clear passwords, vulnerable remote controllers...

Metasploit integrated EternalRomance, EternalSynergy, and EternalChampion Windows (MS17-010) vulnerabilities leaked from the NSA by Shadow Brokers.

Someone leaked the source code of Apple's iBoot iOS trusted boot program on GitHub. It is a critical part of the iOS system. Meanwhile, Apple filed a copyright takedown request with GitHub.

Hackers infected water utility SCADA systems in Europe with cryptocurrency mining software.

Security researchers discovered vulnerabilities in an automated gas management system that allowed them to hijack credit card payments, steal card numbers and more.

APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was the victim of an APT attack.

InfoSec Week 5, 2018

A.P. Moller–Maersk Group, the world's largest container shipping company, reinstalled 45000 PCs and 4000 servers to recover from the NotPetya ransomware attack.

The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATM machines with malware, an endoscope and social engineering skills.

Microsoft disables the Spectre software mitigation released earlier this month due to system instability.

Data from the fitness tracking app Strava gives away the location of sensitive sites like army bases.

China built the African Union building for free, but the building is riddled with microphones, and computers are transmitting all voice data back to servers in Shanghai.

Journalist Marc Miller has interviewed one of the hackers of the ICEMAN group behind the "Emmental" phishing campaign targeting bank clients.

Errata Security blog about the political nature of the cyber attack attribution. Mostly about the WannaCry and North Korea connection, but it is a good overview on attribution bias in general.

Great article about the largest malvertising campaign of last year. The so-called Zirconium group operated up to 30 different ad agencies, which enabled them to redirect users to exploit kits, malware downloads and click fraud websites.

AutoSploit is an automated exploitation tool written in Python. It is able to search for targets using an API and exploit them with Metasploit.

InfoSec Week 4, 2018

Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to remote code execution.

The Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have been following the Cozy Bear APT for years.

Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.

It's possible to bypass the Cloudflare protection by scanning the internet for misconfigured customers' servers.

It is possible for an unauthenticated attacker on the LAN to achieve remote code execution as the root user (CVE-2018-5999) in the AsusWRT router.

The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.

Oracle has released patches for ten vulnerabilities in VirtualBox, which allow guest-to-host virtual machine escape.

A guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku and AWS CloudFront are affected.

Blog post by Joanna Rutkowska on the future Qubes Air operating system architecture roadmap. They want to provide the compartmentalized, secure Qubes OS as a service.

There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for IPsec and OpenVPN solutions. Interesting project.

Nice introduction on how to fuzz TCP servers by Robert Swiecki.

InfoSec Week 3, 2018

The notorious Necurs spam botnet is sending millions of spam emails that are pumping a shitcoin cryptocurrency named Swisscoin. The attackers are probably invested and are expecting to run a pump-and-dump scheme.

Nice article on Russia's hacking capabilities against foreign critical infrastructure.

Taiwanese police handed out malware-infected USB sticks as prizes for a cybersecurity quiz. The malware was some old sample trying to communicate with a non-existing C&C server in Poland. The thumb drives were infected by a third-party contractor.

New research analyzes the usage of Certification Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly state which certificate authorities may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic-themed spear phishing attack.
