InfoSec Week 43, 2018
Posted
A zero-day vulnerability in the jQuery File Upload plugin is actively exploited for at least three years. Patch now!
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206
A massive ad fraud scheme involving more than 125 Android apps and websites exploited Android Phones to steal millions.
Literally, almost everybody is doing this scheme against the smartphone users these days.
https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fraud-scheme-exploited-android-phones-to
Kaspersky Lab analyzed complex DarkPulsar backdoor administrative module for a malware leaked by the ShadowBrokers.
They have found around 50 victims located in Russia, Iran and Egypt, mostly companies working in the nuclear energy, telecommunications, IT, aerospace and R&D.
https://securelist.com/darkpulsar/88199/
Haaretz investigation reveals Israel has become a leading exporter of tools for spying on civilians.
Dictators around the world use them eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
https://www.haaretz.com/israel-news/.premium.MAGAZINE-israel-s-cyber-spy-industry-aids-dictators-hunt-dissidents-and-gays-1.6573027
The consultancy firm McKinsey helping Saudi Arabia identify influential Saudis who opposed the government’s line on Twitter.
Some of those individuals were later imprisoned & targeted with sophisticated spyware.
https://www.nytimes.com/2018/10/20/us/politics/saudi-image-campaign-twitter.html
Companies building “Smart home” products refuse to say whether law enforcement is using their products to spy on citizens.
https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/
Mozilla announces experimental partnership with the ProtonVPN.
They will offer a virtual private network (VPN) service to a small group of Firefox users.
https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/
The UK grassroots internet provider is testing a data only SIM card that blocks any non-Tor traffic from leaving the phone.
https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-data-through-tor-brass-horn-communications
That feeling when you can steal a Tesla by relay attack (or key cloning?), but you have to Google how to unplug the charger.
https://gizmodo.com/hackers-allegedly-caught-on-video-stealing-tesla-model-1829905478
An insightful review of Android’s secure backup practices published by NCC Group.
https://www.nccgroup.trust/us/our-research/android-cloud-backuprestore/?research=Public+Reports
Endpoint security pioneer Joanna Rutkowska leaves Qubes OS, joins the Golem project.
https://www.qubes-os.org/news/2018/10/25/the-next-chapter/
Matthew Green wrote a post on password-based authenticated key exchange (PAKE )and the new OPAQUE protocol.
Quite useful techniques more people should know about.
https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
Signal Desktop leaves message decryption key in the plain text.
https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/
Trail of Bits published a useful guide to the post-quantum cryptography.
https://blog.trailofbits.com/2018/10/22/a-guide-to-post-quantum-cryptography/