Intel's Management Engine, the separate processor that lives inside its chipsets, has a remotely exploitable authentication bypass in the web interface of its Active Management Technology (AMT). AMT is out-of-band management that runs below the operating system, so an unauthenticated attacker who can reach it over the network gets remote control of the machine (keyboard/video, power, and disk and memory access) no matter what the OS is doing.
Consumer chipsets don't ship AMT at all, and business (vPro) machines are only reachable once AMT has been provisioned, which it isn't by default. Provisioned machines listen on TCP 16992 (HTTP) and 16993 (HTTPS), so scan for those before assuming you're fine.
A firmware update is available; until it lands, unprovision or disable AMT. Hackernews discussion here.
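As an added example (not from the newsletter or from Intel), here is the check I'd run across a network range: connect to the AMT ports, issue a plain HTTP request and look for the "Intel(R) Active Management Technology" product string that the ME's web server puts in its Server header. The sample banners are constructed, not captured from real hardware, and the version number in them is illustrative; the 192.0.2.10 address in main is a placeholder from the TEST-NET range.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
	"time"
)

// AMTPorts are the TCP ports the AMT web server listens on: 16992 for
// plain HTTP and 16993 for HTTPS. A host answering here is reachable by
// this bug whether or not anyone meant to expose it.
var AMTPorts = []int{16992, 16993}

// amtMarker is the product string the AMT web server puts in its Server
// header, followed by the firmware version.
const amtMarker = "Intel(R) Active Management Technology"

// Constructed sample responses (not captured from real hardware; the
// version number is illustrative).
const (
	ConstructedAMTBanner = "HTTP/1.1 200 OK\r\n" +
		"Server: Intel(R) Active Management Technology 11.0.0.1202\r\n" +
		"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n"
	ConstructedOtherBanner = "HTTP/1.1 200 OK\r\nServer: nginx/1.12.0\r\n" +
		"Content-Length: 0\r\n\r\n"
)

// ParseAMTBanner parses a raw HTTP response and reports whether it came
// from an AMT web server, returning the advertised firmware version.
func ParseAMTBanner(raw string) (version string, isAMT bool) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return "", false
	}
	defer resp.Body.Close()
	server := resp.Header.Get("Server")
	if !strings.HasPrefix(server, amtMarker) {
		return "", false
	}
	return strings.TrimSpace(strings.TrimPrefix(server, amtMarker)), true
}

// ProbeAMT sends a minimal HTTP/1.0 request to host:port and parses the
// reply. Use it against 16992; 16993 would need a TLS dial instead.
func ProbeAMT(host string, port int, timeout time.Duration) (version string, isAMT bool, err error) {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
	if err != nil {
		return "", false, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	fmt.Fprintf(conn, "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", host)
	raw, err := io.ReadAll(io.LimitReader(conn, 64<<10)) // cap what we buffer
	if err != nil && len(raw) == 0 {
		return "", false, err
	}
	version, isAMT = ParseAMTBanner(string(raw))
	return version, isAMT, nil
}

func main() {
	v, ok := ParseAMTBanner(ConstructedAMTBanner)
	fmt.Printf("sample banner: amt=%v version=%q\n", ok, v)
	// Placeholder target from TEST-NET; replace with the range you own.
	for _, host := range []string{"192.0.2.10"} {
		v, ok, err := ProbeAMT(host, AMTPorts[0], 2*time.Second)
		fmt.Printf("%s:%d amt=%v version=%q err=%v\n", host, AMTPorts[0], ok, v, err)
	}
}
```

A hit tells you a machine is provisioned and exposed; whether it is patched still has to be read off the firmware version against Intel's advisory, which this code deliberately does not try to encode.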
Yesterday a massive automated phishing campaign spread across Gmail. It was OAuth consent phishing rather than credential theft: victims were asked to grant a third-party app that simply called itself 'Google Docs' access to their mail and contacts, after which it mailed itself to every contact. Nobody typed a password, so two-factor authentication didn't help; the cleanup is revoking the app's access from the account's connected-apps page. Within an hour Google put a stop to it. By then it had reached approximately 1 million users.
On Wednesday there was a seven-minute window during which routes for prefixes belonging to a number of financial institutions, among which MasterCard and Visa, were announced by a Russian network operator, so their traffic was redirected through it. BGP accepts whatever a peer announces unless its upstreams filter it; RPKI route-origin validation and strict prefix filters are what prevents this, and TLS is what keeps a seven-minute detour from being readable.
You can now set a 'CAA' record in your DNS configuration that lists which Certificate Authorities are allowed to issue certificates for your domain. Sort of like SPF, but for TLS certificates rather than mail. A record such as example.com. IN CAA 0 issue "letsencrypt.org" permits only that CA, and an empty issuer (issue ";") forbids issuance altogether. Certificate Authorities are mandated by the CA/Browser Forum to check it before issuing. Two caveats: it constrains future issuance by compliant CAs only, and browsers don't check it, so it does nothing about a certificate that already exists.
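To show how a CA actually evaluates these records, here is an added example (mine, not code from the newsletter or from any CA) of the decision logic in RFC 6844/8659: walk from the requested name up toward the root to the first name that has CAA records, pick issuewild for wildcard requests when present (otherwise issue), refuse on a critical tag you don't understand, and compare the issuer domain with the CA's. DNS is replaced by a constructed in-memory zone so it runs offline; the CNAME handling of the older RFC and the exact wildcard lookup name are simplified, and the record values are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord mirrors one CAA resource record: flags (bit 7 = issuer
// critical), property tag and value, e.g. 0 issue "letsencrypt.org".
type CAARecord struct {
	Flags uint8
	Tag   string
	Value string
}

// Zone is a constructed stand-in for DNS lookups: owner name (lower case,
// no trailing dot) -> its CAA RRset.
type Zone map[string][]CAARecord

// ConstructedZone is sample data, not any real domain's records.
var ConstructedZone = Zone{
	"example.com": {
		{0, "issue", "letsencrypt.org"},
		{0, "issue", "digicert.com; account=12345"}, // parameters after ';' are ignored here
		{0, "issuewild", ";"},                       // no wildcard certs from anyone
		{0, "iodef", "mailto:security@example.com"}, // reporting address only
	},
	"shop.example.com":   {{0, "issue", ";"}},        // nobody may issue for this host
	"legacy.example.com": {{128, "futuretag", "x"}}, // critical tag this code doesn't know
}

// canonical lower-cases a name and drops the trailing dot.
func canonical(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// relevantRRset climbs from name toward the root and returns the first
// non-empty CAA RRset (RFC 8659 section 3). A leading "*." is stripped,
// which is a simplification of the wildcard lookup in the RFC.
func relevantRRset(z Zone, name string) ([]CAARecord, string) {
	n := canonical(strings.TrimPrefix(name, "*."))
	for n != "" {
		if rrset, ok := z[n]; ok && len(rrset) > 0 {
			return rrset, n
		}
		if i := strings.Index(n, "."); i >= 0 {
			n = n[i+1:]
		} else {
			n = ""
		}
	}
	return nil, ""
}

// issuerOf extracts the issuer domain from an issue/issuewild value,
// dropping any "; key=value" parameters. An empty domain means "nobody".
func issuerOf(value string) string {
	if i := strings.Index(value, ";"); i >= 0 {
		value = value[:i]
	}
	return canonical(value)
}

// CAAPermits decides whether ca may issue for name and explains why.
// Names starting with "*." are wildcard requests, governed by issuewild
// when any issuewild record exists and by issue otherwise.
func CAAPermits(z Zone, name, ca string) (bool, string) {
	rrset, owner := relevantRRset(z, name)
	if rrset == nil {
		return true, "no CAA records found; issuance unrestricted"
	}
	var issue, issuewild []CAARecord
	for _, rr := range rrset {
		switch strings.ToLower(rr.Tag) {
		case "issue":
			issue = append(issue, rr)
		case "issuewild":
			issuewild = append(issuewild, rr)
		case "iodef":
			// where to report violations; does not affect the decision
		default:
			if rr.Flags&128 != 0 {
				return false, fmt.Sprintf("unknown critical tag %q at %s", rr.Tag, owner)
			}
		}
	}
	set := issue
	if strings.HasPrefix(name, "*.") && len(issuewild) > 0 {
		set = issuewild
	}
	if len(set) == 0 {
		return true, fmt.Sprintf("no applicable issue property at %s; issuance unrestricted", owner)
	}
	for _, rr := range set {
		if issuerOf(rr.Value) == canonical(ca) {
			return true, fmt.Sprintf("%s authorised by %s record at %s", ca, rr.Tag, owner)
		}
	}
	return false, fmt.Sprintf("%s not listed in %s records at %s", ca, set[0].Tag, owner)
}

func main() {
	for _, q := range []struct{ name, ca string }{
		{"www.example.com", "letsencrypt.org"}, {"www.example.com", "globalsign.com"},
		{"*.example.com", "letsencrypt.org"}, {"shop.example.com", "digicert.com"},
		{"legacy.example.com", "letsencrypt.org"}, {"host.example.net", "letsencrypt.org"},
	} {
		ok, why := CAAPermits(ConstructedZone, q.name, q.ca)
		fmt.Printf("%-20s %-16s permit=%-5v %s\n", q.name, q.ca, ok, why)
	}
}
```

Note the two easy mistakes the code guards against: a subdomain with no CAA records of its own inherits the parent's (www.example.com is governed by example.com), and a record with only an iodef tag restricts nothing.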
Shodan, the famous port-scanning search engine, released 'Malware Hunter'. It's a free crawler that tries to find command & control (C2) servers for botnets by pretending to be an infected client and recording which hosts answer the way a C2 would. Take a look at it here.
A very cool wargame called 'Locked Shields' was held in Estonia this week, involving teams from the EU, US and NATO attacking and defending the fictional country of 'Berylia'.
Two items about access controls (Insecure Direct Object References and Missing Function Level Access Control) were merged into Broken Access Control, and 'Unvalidated Redirects and Forwards' was dropped, in favour of adding 'Insufficient Attack Protection' and 'Underprotected APIs'. The full release candidate can be found here (pdf).
Instead of having only the client validate the server, the server can now also require the client to present a certificate issued by a CA the server trusts (mutual TLS) and refuse the connection otherwise. For example, a vendor can accept connections only from IoT devices carrying a per-device certificate from the vendor's own CA, rather than from whatever happens to reach the endpoint.
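Here is that vendor/device setup end to end, as an added example written for this page (not code from the newsletter or from any product): a throwaway vendor CA, a gateway certificate and a device certificate are minted in memory, the gateway listens on loopback with RequireAndVerifyClientCert, and three clients connect: the real device, a client with no certificate, and an impostor whose certificate for the same device name was issued by an unrelated CA. Names (Vendor Device CA, device-0001, vendor-gateway) and serial numbers are made up.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// mint creates a P-256 key and a certificate for it signed by parent
// (self-signed when parent is nil). Key generation and signing only fail
// on a broken RNG, so this demo helper panics rather than returning errors.
func mint(cn string, serial int64, isCA bool, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // SAN the client dials
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	parentCert, signKey := tmpl, interface{}(key)
	if parent != nil {
		parentCert, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Fleet is the vendor CA's trust pool plus the identities minted for the demo.
type Fleet struct {
	Pool                     *x509.CertPool
	Server, Device, Impostor tls.Certificate // Impostor chains to an unrelated CA
}

func NewFleet() *Fleet {
	ca := mint("Vendor Device CA", 1, true, 0, nil)
	rogue := mint("Rogue CA", 2, true, 0, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf) // the only CA whose client certs the gateway accepts
	return &Fleet{Pool: pool,
		Server:   mint("vendor-gateway", 3, false, x509.ExtKeyUsageServerAuth, &ca),
		Device:   mint("device-0001", 4, false, x509.ExtKeyUsageClientAuth, &ca),
		Impostor: mint("device-0001", 5, false, x509.ExtKeyUsageClientAuth, &rogue),
	}
}

// Serve starts a loopback gateway that requires a client certificate
// chaining to the vendor CA and greets each verified device by its CN.
func Serve(f *Fleet) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{f.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-TLS switch
		ClientCAs:    f.Pool,                         // only vendor-issued identities verify
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				tc.SetDeadline(time.Now().Add(5 * time.Second))
				if tc.Handshake() != nil {
					return // unauthenticated peers never reach application code
				}
				fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}(c.(*tls.Conn))
		}
	}()
	return ln, nil
}

// Connect dials the gateway as a device; cert == nil models a client with
// no identity to present. It returns the gateway's greeting.
func Connect(addr string, pool *x509.CertPool, cert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.3 the server's rejection of a missing or untrusted client
	// certificate only surfaces on the first read, so a successful Dial
	// alone proves nothing.
	line, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(line), err
}

func main() {
	f := NewFleet()
	ln, err := Serve(f)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	cases := map[string]*tls.Certificate{"vendor device": &f.Device, "no certificate": nil, "impostor": &f.Impostor}
	for name, cert := range cases {
		msg, err := Connect(ln.Addr().String(), f.Pool, cert)
		fmt.Printf("%-15s msg=%q err=%v\n", name, msg, err)
	}
}
```

The impostor case is the one worth keeping in mind: a certificate with the right device name is worthless unless it chains to the CA in ClientCAs, so the vendor's CA key, not the device name, is what the whole scheme hangs on.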
They recommend: drop periodic forced password changes, stop enforcing password composition rules (the 'one uppercase, one digit, one symbol' kind), and instead screen new passwords against a list of the most-used and breached passwords.
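What the third recommendation looks like in code, as an added example of my own (not from the newsletter or from the guidance it summarises, though the checks mirror how NIST SP 800-63B phrases the same advice): a length floor with no composition rules, a lookup against a blocklist, rejection of passwords containing the username or service name, and rejection of repetitive or sequential runs. The blocklist here is a handful of constructed entries standing in for a real breach corpus; the length limits are my choices.

```go
package main

import (
	"fmt"
	"strings"
)

// ConstructedBlocklist stands in for a most-used / breach-corpus list. It
// is made up for this example; load a real list in production.
var ConstructedBlocklist = map[string]bool{
	"password": true, "123456": true, "qwerty": true,
	"letmein": true, "welcome1": true, "iloveyou": true,
}

// MinLength is the floor; MaxLength is deliberately generous so that
// passphrases are never penalised (it mainly bounds hashing cost).
const (
	MinLength = 8
	MaxLength = 128
)

// Verdict is the screening result plus a reason the user can act on.
type Verdict struct {
	OK     bool
	Reason string
}

// runLength returns the longest run in which each rune differs from the
// previous one by delta: delta 0 finds "aaaa", 1 finds "abcd" or "1234",
// and -1 finds "dcba" or "4321".
func runLength(r []rune, delta rune) int {
	if len(r) == 0 {
		return 0
	}
	best, cur := 1, 1
	for i := 1; i < len(r); i++ {
		if r[i]-r[i-1] == delta {
			cur++
		} else {
			cur = 1
		}
		if cur > best {
			best = cur
		}
	}
	return best
}

// Screen accepts or rejects a candidate password. There are deliberately
// no composition rules; spaces and any Unicode are fine. username and
// service are the context-specific words that must not appear inside it.
func Screen(password, username, service string) Verdict {
	r := []rune(password)
	if len(r) < MinLength {
		return Verdict{false, fmt.Sprintf("shorter than %d characters", MinLength)}
	}
	if len(r) > MaxLength {
		return Verdict{false, fmt.Sprintf("longer than %d characters", MaxLength)}
	}
	lower := strings.ToLower(password)
	if ConstructedBlocklist[lower] {
		return Verdict{false, "is one of the most commonly used passwords"}
	}
	for _, ctx := range []string{username, service} {
		if c := strings.ToLower(ctx); c != "" && strings.Contains(lower, c) {
			return Verdict{false, fmt.Sprintf("contains %q", ctx)}
		}
	}
	lr := []rune(lower)
	if runLength(lr, 0) >= 4 {
		return Verdict{false, "repeats one character four or more times in a row"}
	}
	if runLength(lr, 1) >= 4 || runLength(lr, -1) >= 4 {
		return Verdict{false, "contains a sequence such as 1234 or abcd"}
	}
	return Verdict{true, "accepted"}
}

func main() {
	for _, pw := range []string{
		"password", "Welcome1", "alice2017!", "abcd1234", "xxxx-yyyy",
		"Tr0ub4dor&3", "correct horse battery staple", "pässwörd-2017",
	} {
		v := Screen(pw, "alice", "example")
		fmt.Printf("%-30q ok=%-5v %s\n", pw, v.OK, v.Reason)
	}
}
```

The blocklist comparison is on the whole lower-cased password; checking substrings against a million-entry list is a different (and much noisier) policy, which is why it isn't done here.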
Yes, please, to all of those.
I'm not sure how exploitable it is, but it gets points for originality. This research shows how to use a phone's ambient light sensor to detect things like which websites you visited. It feels like a stretch, but interesting nonetheless.