Issue 13

Cloudflare reverse proxies leaking private data

An extremely serious issue has been discovered regarding Cloudflare, the CDN used pretty much everywhere. It seems that, due to a bug in their HTML parser, large chunks of data belonging to various sites were sent as part of regular HTTP responses to unrelated requests.
In short: regular HTTP responses showed private messages from chat apps and dating sites, passwords, hotel bookings, everything. These responses are aggressively cached all over the Internet, so these data dumps showed up in Google search results. Worth reading the entire thread in the link.
Cloudflare has been great at responding to and handling the issue quickly. Their post-mortem can be found here. Hackernews discussion here.


Google Online Security Blog: Announcing the first SHA1 collision

Google announced that they successfully achieved a SHA-1 collision. As most of you probably know, producing the same hash for two different documents should be infeasible, and a lot of security depends on that. They admit that brute forcing is still near impossible, but with certain preconditions their 'SHAttered' technique makes it achievable. They consider this proof that SHA-1 urgently needs to be replaced with SHA-256, a switch Google has been pushing for some time.
After waiting 90 days they will release the code that allowed them to do this. They've also created a website dedicated to the attack.


The Netflix Tech Blog: Introducing Netflix Stethoscope

Netflix has open-sourced Stethoscope, an application that tracks security-related attributes of a user's device and gives them recommendations for improving their security. It currently tracks, among other attributes, whether disk encryption, automatic updates, and screen lock are enabled and whether the device is rooted. It's on GitHub here, and a Hackernews discussion can be found here.


More Yahoo users warned of malicious account access via forged cookies

Yahoo has disclosed news of a widespread attack in which attackers gained entry into their internal systems and used proprietary code they found there to forge cookies that gave them access to accounts without needing a password. E-mails have been sent out to affected accounts detailing the problem.
However, some entrepreneurial hackers have capitalised on the news to start sending out phishing e-mails about the attack, asking users to click a link to "verify ownership". More information on that here.
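The forged-cookie story turns on one detail: a session cookie is only as trustworthy as the secret that authenticates it, and once that secret (or the code that embeds it) is stolen, the only remedy is rotating the key so every previously minted cookie stops verifying. The following is an added illustration of that design, not Yahoo's code or anything from the linked article: an HMAC-SHA256 authenticated cookie, a verifier that rejects tampered or expired cookies, and a check showing that rotating to a new key invalidates cookies signed under the old one. The key values, user ids and timestamps are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed keys for the example; a real deployment loads these from a secret store.
KEY_V1 = b"constructed-server-key-v1"
KEY_V2 = b"constructed-server-key-v2"   # the key in use after a rotation


def sign_cookie(user_id: str, issued_at: int, key: bytes) -> str:
    """Build a cookie 'user|issued_at|tag' where tag is HMAC-SHA256 over the first two fields."""
    payload = f"{user_id}|{issued_at}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{user_id}|{issued_at}|{tag}"


def verify_cookie(cookie: str, key: bytes, max_age: int = 86400,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, otherwise None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, issued_at_str, tag = parts
    if not issued_at_str.isdigit():
        return None
    expected = hmac.new(key, f"{user_id}|{issued_at_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not reveal how much of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return None
    issued_at = int(issued_at_str)
    now = int(time.time()) if now is None else now
    # Reject cookies that are too old or claim to come from the future.
    if issued_at > now or now - issued_at > max_age:
        return None
    return user_id


def rewrite_user_field(cookie: str, new_user: str) -> str:
    """Replace the user field but keep the original tag; the verifier must reject the result."""
    _, issued_at, tag = cookie.split("|")
    return f"{new_user}|{issued_at}|{tag}"


if __name__ == "__main__":
    t0 = 1_000_000                      # constructed issue time (seconds)
    good = sign_cookie("alice", t0, KEY_V1)
    print("valid cookie   ->", verify_cookie(good, KEY_V1, now=t0 + 100))              # alice
    print("user rewritten ->", verify_cookie(rewrite_user_field(good, "bob"), KEY_V1, now=t0 + 100))  # None
    print("after rotation ->", verify_cookie(good, KEY_V2, now=t0 + 100))              # None
    print("expired        ->", verify_cookie(good, KEY_V1, now=t0 + 86401))            # None
```

The rotation check is the operational point: publishing a new key (and refusing the old one) is what turns "attackers can mint cookies for any account" back into "attackers hold a pile of useless strings". Keeping the key out of application source, where it can be read by anyone who obtains the code, is what makes that rotation rarely necessary.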


Verizon, Yahoo agree to lowered $4.48 billion deal following cyber attacks

In a move that surprises no one, Verizon has lowered its purchasing price for Yahoo by $350 million because of the recent security breaches.


Good news and bad news on the Microsoft patch front

There were some rumblings this week regarding Microsoft's update cycle. At the last minute they cancelled their usual 'Patch Tuesday'. That patch would have included a long-awaited fix for an SMB exploit and one for a high-level graphics driver exploit that Google's Project Zero discovered. Project Zero gives a vendor only 90 days to fix an issue before the exploit is made public, so with Patch Tuesday delayed, Google has now published the exploit without any fix being available. Controversy all over.
To make it all a bit weirder, Microsoft did release an out-of-band set of updates for Flash this week, fixing thirteen vulnerabilities.


Global spam drops by more than half – now what?

For some reason, since just before Christmas, spam levels have dropped by more than half. No one seems sure why, but the most likely explanation is that the notorious Necurs botnet, estimated at 6 million devices, has gone quiet for the last few months, although it is not entirely inactive.


Men who sent SWAT team, heroin to my home sentenced (Brian Krebs)

Brian Krebs talks about two people that have just received sentences. One wanted to send heroin to his home and call the police when it arrived. The other sent a heavily-armed police force to his home. The life of Brian, eh.


Chrome hack prompts users to download 'missing font' to install malware

A clever new method of luring users into downloading malware: show a prompt styled like a native Chrome dialog, saying that a font needed for the website you are visiting wasn't found, and asking you to click 'Update' to proceed.


Certified Malice

An interesting article discussing the impact of Let's Encrypt on malicious sites. So far Let's Encrypt has issued 709 certificates containing "Paypal" in the name. Having a valid certificate helps phishing sites trick users into thinking they're safe (the green lock is there, so it must be fine). It's not easy, however, to find a good way around this.
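Since no CA is going to adjudicate brand names, the practical defence is on the monitoring side: watch newly issued certificate names for your brand keyword and flag any whose registrable domain you do not own. The block below is an added example of that heuristic, not code from the article; the certificate names, the brand keyword and the owned-domain allowlist are all constructed, and the registrable-domain logic is deliberately simplified (it takes the last two labels, where production code should consult the Public Suffix List).

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of certificate subject names, as a CT log feed might deliver them.
SAMPLE_NAMES = [
    "www.paypal.com",
    "paypal.com",
    "paypal-secure-login.example",
    "secure.paypal.account-verify.example",
    "news.example.org",
]

# Constructed: the brand keyword to watch and the domains that brand actually owns.
BRAND_KEYWORDS = ("paypal",)
BRAND_OWNED: Dict[str, Set[str]] = {"paypal": {"paypal.com"}}


def registrable_domain(name: str) -> str:
    """Simplified registrable domain: the last two labels. Use the Public Suffix List in real code."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_brand_abuse(names: Iterable[str],
                     brands: Iterable[str] = BRAND_KEYWORDS,
                     owned: Dict[str, Set[str]] = BRAND_OWNED) -> List[Tuple[str, str]]:
    """Return (name, brand) pairs where a brand keyword appears anywhere in a name
    whose registrable domain is not on that brand's allowlist."""
    flagged = []
    for name in names:
        lower = name.lower()
        for brand in brands:
            # A subdomain of an owned domain is fine; the keyword inside a third-party
            # domain, or as a subdomain label of one, is what phishing pages look like.
            if brand in lower and registrable_domain(name) not in owned.get(brand, set()):
                flagged.append((name, brand))
    return flagged


if __name__ == "__main__":
    for name, brand in flag_brand_abuse(SAMPLE_NAMES):
        print(f"review: {name} (matches '{brand}', registrable domain {registrable_domain(name)})")
```

Substring matching is intentionally loose: the goal of a CT monitor is to surface candidates for a human or a takedown workflow, and the allowlist keeps the brand's own hostnames out of the queue.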


Sure, you might have bought the car, but does someone else (still) control it?

Charles Henderson, a researcher at IBM, makes an interesting point about 'smart cars'. When they are sold to a second owner, vendors often have no process in place to remove the previous owner's smartphone app access. The researcher was able to track and unlock his former car through the mobile app for years.


Penetration Testing Tools Cheat Sheet

For those who are into pentesting, here is an awesome giant cheat sheet, giving a high-level overview of the typical commands one would need while performing a penetration test.