InfoSec Week 8, 2019

Posted Feb 22, 2019

Dutch security researcher Victor Gevers found misconfigured MongoDB database containing facial recognition and other sensitive information about the Uyghur Muslim minority in China. Looks like the company behind the database is Chinese surveillance company SenseNets.
https://www.zdnet.com/article/chinese-company-leaves-muslim-tracking-facial-recognition-database-exposed-online/

The UK’s GCHQ intelligence agency subsidiary, the National Cyber Security Centre, evaluated Huawei devices with the vendor and unofficially decided that the risk using Huawei devices in the infrastructure can be managed.
This is a quite interesting turning point as other US allies are banning Huawei devices from their networks.
https://www.bbc.com/news/business-47274643

If you want to know the alternatives for the PGP functionality, George Tankersley wrote a nice list for that.
https://blog.gtank.cc/modern-alternatives-to-pgp/

Open Privacy Research Society released an alpha version of Cwtch, decentralized, privacy-preserving, asynchronous multi-party messaging protocol that can be used to build other applications.
https://openprivacy.ca/blog/2019/02/14/cwtch-alpha/

Linux kernel through 4.20.10 version contain use after free arbitrary code execution vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912

Check Point researchers have discovered 19 years old critical vulnerability in the WinRAR software that can be exploited just by extracting an archive.
https://research.checkpoint.com/extracting-code-execution-from-winrar/

Tavis Ormandy discovered old stack buffer overflow vulnerability in the MatrixSSL implementation used primarily by the embedded devices.
https://www.openwall.com/lists/oss-security/2019/02/15/1

Really in-depth article about the discovery and exploitation of the local privilege elevation vulnerability in the LG kernel driver (CVE-2019-8372).
http://www.jackson-t.ca/lg-driver-lpe.html

Microsoft is finally deprecating weak SHA-1 hash family in their Windows update mechanism.
https://arstechnica.com/gadgets/2019/02/mandatory-update-coming-to-windows-7-2008-to-kill-off-weak-update-hashes/

Brian Krebs wrote an article about the recent widespread DNS hijacking attacks attributed to the Iranian hackers.
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Independent Security Evaluators published a security comparison of the top five password managers which are working on Windows 10.
https://www.securityevaluators.com/casestudies/password-manager-hacking/