Issue 23

Intel patches nine-year-old critical CPU vulnerability

Intel has patched a vulnerability in the Management Engine part of their chipsets. It allows for network access, encryption bypass, memory access, and more nastiness.
Consumer devices shouldn't be exposed though: it only affects devices with 'Active Management Technology' turned on, which it isn't by default.
A firmware update is available. Hackernews discussion here.

threatpost.com

 

Massive Google Docs phishing attack got access to Gmail contacts

Yesterday a massive automated phishing campaign spread across Gmail. Users were tricked into giving an app called 'Google Docs' access to their accounts, after which it sent itself to all their contacts. Within an hour Google put a stop to it. By then it had spread to approximately 1 million users.

forbes.com

 

Russian-controlled telecom briefly hijacks financial services’ Internet traffic

On Wednesday there was a seven-minute window in which traffic to a number of financial institutions, among them MasterCard and Visa, was redirected through Russian servers.

arstechnica.com

 

New CAA record specifies who can issue certificates for your domain

You can now set a 'CAA' record in your DNS configuration that specifies which Certificate Authorities are allowed to issue certificates for your domain. Sort of like an SPF record, but for SSL certificates. Certificate Authorities are mandated to adhere to it.

ttias.be
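To make the CAA mechanism concrete, here is an added example in Go (not code from the article or from the linked post) that parses a handful of CAA records in zone-file syntax and applies the RFC 8659 issuance check a CA is expected to perform: climb from the requested name to the nearest CAA RRset, let `issuewild` override `issue` for wildcard requests, treat `issue ";"` as "nobody may issue", and refuse when an unknown tag carries the critical flag. The sample zone, the issuer names used in it (letsencrypt.org, digicert.com) and the function names are all constructed for the demo; CNAME/DNAME following from the RFC is left out, and the code assumes Go 1.18 or newer for `strings.Cut`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Record is one CAA resource record (RFC 8659).
type Record struct {
	Flags uint8  // bit value 128 = "issuer critical"
	Tag   string // issue, issuewild, iodef, or a tag this CA does not understand
	Value string
}

const flagCritical = 128 // an unknown tag with this bit set forbids issuance outright

// SampleZone is a constructed zone for the demo, not any real domain's records.
const SampleZone = `
example.com.        CAA 0   issue     "letsencrypt.org; validationmethods=dns-01"
example.com.        CAA 0   issuewild ";"
example.com.        CAA 0   iodef     "mailto:security@example.com"
shop.example.com.   CAA 0   issue     "digicert.com"
locked.example.com. CAA 128 futuretag "not-understood-by-this-ca"
`

// ParseZone reads lines of the form `owner CAA flags tag "value"` and skips the rest.
func ParseZone(text string) map[string][]Record {
	zone := map[string][]Record{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[1] != "CAA" {
			continue
		}
		flags, err := strconv.Atoi(f[2])
		if err != nil {
			continue
		}
		owner := strings.ToLower(strings.TrimSuffix(f[0], ".")) // normalised lookup key
		value := strings.Trim(strings.Join(f[4:], " "), `"`)    // the value may contain spaces
		zone[owner] = append(zone[owner], Record{uint8(flags), strings.ToLower(f[3]), value})
	}
	return zone
}

// relevantRRset climbs from name toward the root and returns the first non-empty CAA RRset
// with its owner (RFC 8659 section 3); CNAME/DNAME following is left out of this demo.
func relevantRRset(zone map[string][]Record, name string) ([]Record, string) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for name != "" {
		if rr := zone[name]; len(rr) > 0 {
			return rr, name
		}
		_, name, _ = strings.Cut(name, ".") // drop the leftmost label; "" once past the TLD
	}
	return nil, ""
}

// Authorized decides whether the CA named by issuerDomain may issue for fqdn ("*." prefix = wildcard).
func Authorized(zone map[string][]Record, issuerDomain, fqdn string) (bool, string) {
	wildcard := strings.HasPrefix(fqdn, "*.")
	rrset, owner := relevantRRset(zone, strings.TrimPrefix(fqdn, "*."))
	if rrset == nil {
		return true, "no CAA records on " + fqdn + " or any parent: issuance unrestricted"
	}
	var issue, issuewild []Record
	for _, r := range rrset {
		switch r.Tag {
		case "issue":
			issue = append(issue, r)
		case "issuewild":
			issuewild = append(issuewild, r)
		case "iodef": // a reporting address only; it does not restrict issuance
		default:
			if r.Flags&flagCritical != 0 {
				return false, fmt.Sprintf("%s has unknown critical tag %q: must not issue", owner, r.Tag)
			}
		}
	}
	governing := issue
	if wildcard && len(issuewild) > 0 { // when present, issuewild alone decides wildcards
		governing = issuewild
	}
	if len(governing) == 0 {
		return true, "no restricting records at " + owner
	}
	for _, r := range governing { // the issuer-domain-name precedes any "; key=value" parameters
		if strings.EqualFold(strings.TrimSpace(strings.SplitN(r.Value, ";", 2)[0]), issuerDomain) {
			return true, fmt.Sprintf("%s %s authorizes %s", owner, r.Tag, issuerDomain)
		}
	}
	return false, fmt.Sprintf("%s restricts issuance and does not list %s", owner, issuerDomain)
}

func main() {
	zone := ParseZone(SampleZone)
	for _, q := range [][2]string{{"letsencrypt.org", "www.example.com"}, {"letsencrypt.org", "*.example.com"}} {
		ok, why := Authorized(zone, q[0], q[1])
		fmt.Println(q[0], "for", q[1], "->", ok, "("+why+")")
	}
}
```

Read this as the check the CA runs, not something you configure yourself. As a domain owner the defensive part is the first two lines of the sample zone: one `issue` record naming the CA you actually use, and `issuewild ";"` if you never want wildcard certificates. The `iodef` record gives CAs an address to report refused requests to, which is how you learn that someone tried.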

 

Shodan releases free tool to look for command & control servers of botnets

Shodan, the famous port-scanning search engine, released 'Malware Hunter'. It's a free scanning tool that tries to find command & control (C2) servers for botnets. Take a look at it here.

thehackernews.com

 

NATO, US and EU participate in wargame to attack and defend fictional nation

A very cool wargame called 'Locked Shields' was held in Estonia this week, involving teams from the EU, US and NATO attacking and defending the fictional country of 'Berylia'.

irishtimes.com

 

New OWASP Top 10 released, adding guidelines on API and web defence

Two items about access controls were combined, and 'undocumented redirects and forwards' was dropped, in favor of adding 'Insufficient Attack Protection' and 'Underprotected APIs'. The full release candidate can be found here (pdf).

networkworld.com

 

Cloudflare releases TLS feature to verify connecting clients

Instead of having only the client validate the server, the server can now also limit connections to clients that present a valid certificate. For example, to only allow valid IoT devices to connect to their vendor.

cloudflare.com

 

NIST is releasing a new set of guidelines around passwords

They recommend removing periodic password changes, paying less attention to password complexity rules, and screening passwords against a list of the most-used passwords.
Yes, please, to all of those.

passwordping.com

 

Stealing sensitive browser data with the Ambient Light Sensor API

I'm not sure how exploitable it is, but it gets points for originality. This research shows how to use a phone's ambient light sensor to detect things like which websites you visited. It feels like a stretch, but interesting nonetheless.

lukaszolejnik.com