Issue 17

Pwn2Own 2017

The 10th Pwn2Own event happened this week, with a set of interesting vulnerabilities being discovered. Including a virtual machine escape in VMware Workstation based on a Microsoft Edge vulnerability, netting a record breaking $105.000. Trend Micro, the sponsor of the event, provides a high-level overview here.

hackread.com

 

LastPass fixes three password theft vulnerabilities

Tavis Ormandy, the same Google Project Zero researcher who discovered CloudBleed a few weeks back, reported on vulnerabilities he found in Lastpass that could leak credentials. They have been fixed, and Lastpass released a well-written blogpost on the issue.

threatpost.com

 

Hackers threaten to wipe millions of Apple devices, demand ransom

A hacker group known as the Turkish Crime Family claims to have over 220 million compromised iCloud accounts in its possession. They demand $150.000 from Apple or they threaten to delete all data associated with those accounts.

csoonline.com

 

Google eliminates Android adfraud botnet Chamois

Google removed a set of apps that were part of what they call the Chamois botnet. They were used to show fraudulent ads and downloading other malicious apps.

threatpost.com

 

Global spam volume goes back up to deliver huge pump-and-dump scam

As a follow-up to news of a few weeks back that spam levels dropped significantly, it seems the Necurs botnet is active again and has been used for an old-school stock scam.

sophos.com

 

Your Mac is not malware-proof: a look at the threats and defenses

A blogpost from Sophos taking a look at the threat landscape for Mac users.

sophos.com

 

Burglars can easily make Google Nest security cameras stop recording

Two flaws were found in Nest security cameras that can disable the camera for a short while. The patch is said to be ready but not yet put live.

helpnetsecurity.com

 

New cloud-based keylogger slowly gaining momentum among criminals

This article takes a brief look at Nexuslogger, a cloud-based keylogger with a license fee and customer support.

grahamcluley.com

 

Password rules are bullshit

An informative blogpost/rant from Jeff Atwood (of Stack Overflow and Discourse) on the frustration with password rules and the advocacy for only looking at length as a parameter for password strength, with maybe some pragmatic extra measures.

codinghorror.com

 

View into Alexey's Beltan way of working

A very interesting view in how Alexey Beltan, a hacker on the FBI most wanted list, hacked several large West Coast tech companies. Reads like a script for a Mr. Robot monologue :-)

medium.com

 

forter/security-101-for-saas-startups: security tips for startups

This is a blogpost with all kinds of advise on what security measures to take as a startup. I found it to be a very useful resource with lots of pragmatic information. It's on Github so anyone can contribute.

github.com

 

Information warfare is not new

This article takes a fun look at how information warfare isn't new at all, neither is it Russian. Fascinating to see some examples of such warfare from Colonial times.

thestrategybridge.org