Issue 27

Wormable code-execution bug found in Samba

A remotely exploitable code-execution vulnerability was found in Samba, the SMB/CIFS implementation used on Linux and other Unix-like systems. Better patch up. The second half of the linked article explains nicely how the exploit works.


Microsoft issues out-of-band malware engine update

This one isn't as bad as the one from a few weeks back, but it is still important enough to warrant an out-of-band update. It was found yet again by Project Zero, this time through fuzzing.


Samsung Galaxy S8 iris scanner can be fooled with a printed photo

All you need is a high-resolution picture of the user's iris, a laser printer and a contact lens laid over the printout to mimic the curvature of an eye.


Shadow Brokers launches 0-day exploit subscription service for $21,000 per month

They call it the 'Wine of the Month Club'.


Target to pay $18.5 million to 47 states in security breach settlement

The settlement is for the 2013 data breach, which affected up to 110 million customers. On top of that, Target has spent $202 million on legal fees and related costs. Ouch.


'Cloak and dagger' vulnerability on Android reported

The researchers combine two legitimate permissions (drawing on top of other apps and acting as an accessibility service) to overlay the user's screen with their own window, enabling click-jacking, password stealing and more. This video shows it in action. Google responds with a "won't fix", pointing instead to Android O.


Pacemaker research finds over 8,000 security vulnerabilities

The paper looked at pacemaker programmers, the devices clinicians use to set pacemaker parameters and monitor their functions. It focused especially on those that use radio frequencies for remote control.


Police arrest gang that planted banking Trojan on 1 million phones

They were called the Cron gang, after the malware they used. Quite fascinating to read how they operated.


Hacker used stolen press-release information to trade stocks, sentenced to 30 months

A good example of turning hacking skills into illegal profit; I'm surprised this doesn't show up more. This hacker broke into several press-release distribution companies and read releases that were about to go out. He then used that information to buy or sell stocks ahead of the news, making roughly $30 million.


LastPass’s new cloud backup option

LastPass has added a cloud backup option to its multifactor authentication app. Sophos tries to work out whether that makes any sense from a security point of view.


Cybercriminals regularly battle each other on the Dark Web

Trend Micro set up four honeypots simulating cybercrime operations and monitored the attacks they drew from competing criminals, of which there were many.


Unmanaged SSH keys are a serious enterprise risk

An interview with Tatu Ylonen, the inventor of SSH, on how the lack of care given to SSH keys (keys that never expire, whose owners nobody tracks and that are rarely revoked) poses a huge risk in pretty much every company running servers.
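To make the point concrete, here is an added example (not from the interview or from any SSH project) of the kind of check the interview calls for: a small auditor that parses authorized_keys lines, including the options field, decodes the key blob to get the actual key size, and flags the entries that usually cause trouble: weak or deprecated key types, keys with no restricting options (from=, command=, no-pty and friends), and keys with no comment so nobody knows whose they are. The sample authorized_keys file at the bottom is constructed for the example: the key blobs are synthetic and only have the right shape and size, they are not real keys.

```python
import base64
import struct
from dataclasses import dataclass

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Options that confine what a key may do (sshd(8), AUTHORIZED_KEYS FILE FORMAT).
RESTRICTING_OPTIONS = {"from", "command", "restrict", "expiry-time", "no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

@dataclass
class KeyEntry:
    key_type: str
    bits: int        # RSA/DSA modulus size, curve size for ECDSA, 256 for Ed25519
    comment: str
    options: dict    # lower-cased option name -> value, or None for flags such as no-pty
    findings: list

def _read_string(blob, off):   # one SSH wire-format string: uint32 big-endian length, then bytes
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def _split_options(line):
    in_quote = False
    for i, c in enumerate(line):
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:    # options field ends at first unquoted whitespace
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_options(text):
    """'from="10.0.0.0/8",no-pty' -> {"from": "10.0.0.0/8", "no-pty": None}; backslash escapes not handled."""
    opts, cur, in_quote = {}, [], False
    for c in text + ",":                    # trailing comma flushes the last item
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            name, sep, val = "".join(cur).partition("=")
            if name: opts[name.lower()] = val.strip('"') if sep else None
            cur = []
            continue
        cur.append(c)
    return opts

def _key_bits(key_type, blob):
    inner, off = _read_string(blob, 0)
    if inner != key_type.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    if key_type == "ssh-rsa":               # RSA blob: e, then n
        _e, off = _read_string(blob, off)
    if key_type in ("ssh-rsa", "ssh-dss"):  # DSA blob starts with p
        modulus, _ = _read_string(blob, off)
        return int.from_bytes(modulus, "big").bit_length()
    return 256 if key_type == "ssh-ed25519" else int(key_type.rsplit("nistp", 1)[1])

def audit(entry):
    findings = []
    if entry.key_type == "ssh-dss":
        findings.append("DSA key: 1024-bit only, disabled by default since OpenSSH 7.0")
    if entry.key_type == "ssh-rsa" and entry.bits < 2048:
        findings.append(f"RSA modulus is only {entry.bits} bits")
    if not RESTRICTING_OPTIONS & set(entry.options):
        findings.append("no restricting options: full shell plus port and agent forwarding")
    if not entry.comment:
        findings.append("no comment: nobody can tell whose key this is")
    return findings

def parse_line(line):
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:   # line starts with an options field
        opt_text, line = _split_options(line)
        options = parse_options(opt_text)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    blob = base64.b64decode(parts[1], validate=True)
    entry = KeyEntry(parts[0], _key_bits(parts[0], blob), parts[2] if len(parts) == 3 else "", options, [])
    entry.findings = audit(entry)
    return entry

def audit_file(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

# --- constructed sample input: synthetic blobs, not keys from any real host ---
def _ssh_string(b): return struct.pack(">I", len(b)) + b
def _ssh_mpint(x): return _ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))  # spare byte keeps sign clear
def _fake_rsa(bits):    # not a real modulus; only its size matters to the auditor
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)).decode()
ED25519_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    f"ssh-rsa {_fake_rsa(1024)}",
    f"ssh-rsa {_fake_rsa(4096)} alice@laptop",
    f'from="10.0.0.0/8",command="/usr/local/bin/backup",no-pty,no-port-forwarding ssh-ed25519 {ED25519_BLOB} backup@nas',
    f"ssh-ed25519 {ED25519_BLOB} deploy@ci",
])
```

Run against the sample with `audit_file(SAMPLE_AUTHORIZED_KEYS)`: the 1024-bit RSA key with no options and no comment collects three findings, the two unrestricted keys with comments one each, and the backup key, pinned to a source network and a single command, none. Point it at the real files (`~*/.ssh/authorized_keys` plus whatever `AuthorizedKeysFile` names in sshd_config) and the unrestricted, unattributed keys that the interview worries about fall out immediately.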