InfoSec Week 1, 2019
Posted
Let’s Encrypt recapitulated the last year in the operation of their ACME based certification authority, and summarized the challenges that they will work on in 2019.
They intend to deploy multi-perspective validation, checking multiple distinct Autonomous Systems for domain validation, preventing potential BGP hijacks. They also plan to run own Certificate Transparency (CT) log.
https://letsencrypt.org/2018/12/31/looking-forward-to-2019.html
According to the consultant Nathan Ziehnert, “CenturyLink 50 hour outage at 15 datacenters across the US — impacting cloud, DSL, and 911 services was caused by a single network card sending bad packets.”
https://twitter.com/GossiTheDog/status/1079144491238469638
Great blog by Artem Dinaburg, where he is resurrecting 30 years old fuzzing techniques from the famous research papers to run them on on the current Linux distro. Successfully.
https://blog.trailofbits.com/2018/12/31/fuzzing-like-its-1989/
An article by Wired about the fake murder for hire services on dark web and a freelance security researcher that took them down. As it turned out, some clients killed their targets themselves.
https://www.wired.co.uk/article/kill-list-dark-web-hitmen
Multiple newspaper publishers in the US were hit by a ransomware attack, delaying their operations.
https://www.latimes.com/business/technology/la-fi-tn-ryuk-hack-20190101-story.html
The European Union starts running bug bounties on Free and Open Source Software.
https://juliareda.eu/2018/12/eu-fossa-bug-bounties/
Foxit Readers’ proof of concept exploit for the Use-After-Free vulnerability (CVE-2018-14442) was published on Github.
https://github.com/payatu/CVE-2018-14442
Attacker launched multiple servers that return an error message to the connected Electrum clients, which then turn them into a fake update prompt linking to a malware.
https://github.com/spesmilo/electrum/issues/4968
Adam Langley published blog about the zero-knowledge attestation when using FIDO based authentication. It could prevent a single-vendor policy some sites started to require.
https://www.imperialviolet.org/2019/01/01/zkattestation.html
Interesting blog post by Wouter Castryck on “CSIDH: post-quantum key exchange using isogeny-based group actions”.
https://www.esat.kuleuven.be/cosic/csidh-post-quantum-key-exchange-using-isogeny-based-group-actions/
The security researcher Bruno Keith published a a proof of concept for a remote code execution vulnerability in Microsoft Edge browser (CVE-2018-8629).
https://securityaffairs.co/wordpress/79264/hacking/microsoft-edge-poc-exploit.html
If you are interested in older car hacking/tuning, check this article about overcoming the speed limitation on an old Japanese Subaru Impreza STi.
https://p1kachu.pluggi.fr/project/automotive/2018/12/28/subaru-ssm1/
Jonathan “smuggler” Logan published study on the future of black markets and cryptoanarchy named “Dropgangs, or the future of darknet markets”.
https://opaque.link/post/dropgang/