Issue 23

Intel patches nine-year-old critical CPU vulnerability

Intel has a vulnerability in the Management Engine part of their chipsets. It allows for network access, encryption bypass, memory access, and more nastiness. 
Consumer devices shouldn't be exposed though, and it only affects devices with 'Active Management Technology' turned on, which it isn't by default.
A firmware update is available. Hackernews discussion here.


Massive Google Docs phishing attack got access to Gmail contacts

Yesterday a massive automated phishing campaign spread across Gmail. Users were tricked into giving an app called 'Google Docs' access to their accounts, after which it sent itself to all their contacts. Within an hour Google put a stop to it. By then it had spread to approximately 1 million users.


Russian-controlled telecom briefly hijacks financial services’ Internet traffic

On Wednesday there was a seven-minute window where traffic to a bunch of financial institutions, including MasterCard and Visa, was redirected through Russian servers.


New CAA record specifies who can issue certificates for your domain

You can now set a 'CAA' record in your DNS configuration where you specify which service is allowed to issue certificates for your domain. Sort of like an SPF record, but for SSL certificates. Certificate Authorities are mandated to adhere to it.


Shodan releases free tool to look for command & control servers of botnets

Shodan, the famous port-scanning search engine, released 'Malware Hunter'. It's a free scanning tool that tries to find command & control (C2) servers for botnets. Take a look at it here.


NATO, US and EU participate in wargame to attack and defend fictional nation

A very cool wargame called 'Locked Shields' was held in Estonia this week, involving teams from the EU, US and NATO attacking and defending the fictional country of 'Berylia'.


New OWASP Top 10 released, adding guidelines on API and web defence

Two items about access controls were combined and 'undocumented redirects and forwards' was dropped, in favor of adding 'Insufficient Attack Protection' and 'Underprotected APIs'. The full release candidate can be found here (pdf).


Cloudflare releases TLS feature to verify connecting clients

Instead of having only the client validate the server, the server can now limit connections to only allow clients with a valid certificate, for example to only allow valid IoT devices to connect to their vendor.


NIST is releasing a new set of guidelines around passwords

They recommend removing periodic password changes, paying less attention to password complexity rules, and screening passwords against a list of most-used passwords.
Yes, please, to all of those.


Stealing sensitive browser data with the Ambient Light Sensor API

I'm not sure how exploitable it is, but it gets points for originality. This research shows how to use a phone's ambient light sensor to detect things like which websites you visited. It feels like a stretch, but interesting nonetheless.