News
Let's Encrypt milestone: 100 million certificates issued
Quite amazing in just 19 months time. Also, in that same timespan the percentage of page loads over HTTPS across the Web has gone from 40% to 58%.
Systemd flaw allows for arbitrary code execution
Systemd-resolved provides network name resolution and could be exploited by a malicious DNS server with a specially crafted TCP packet. Ubuntu, Fedora, Arch and some others are affected. Updates are available.
Microsoft bringing EMET back as a built-in part of Windows 10
EMET stands for Enhanced Mitigation Experience Toolkit, a tool that aims to make vulnerabilities harder to exploit.
Related, Windows 10 Fall Creators Update will also include protected folders to try and fight ransomware.
U.S. Senate committee wants to ban Kaspersky products from the Department of Defense
They suspect that Kaspersky is under influence of the Russian government, although no evidence has been shown so far.
Kaspersky's founder, Eugene Kaspersky, is willing to open it's source code to the US for review to show he has nothing to hide.
8tracks Internet radio service hacked: account information on 18 million users stolen
They say it wasn't their network that was breached. Rather it was an employee's Github account that was hacked, which had access to a system that made backups of the user database.
Azure AD Connect vulnerability allows attackers to reset admin passwords
Azure AD Connect allows a company to hook up existing Active Directory infrastructure to Azure. If you use this service you'll have to update to the latest version of Connect. You can find Microsoft's advisory here.
Researchers to release open-source firewall against SS7 attacks at Black Hat USA
The firewall aims to help telecom providers with defending against the myriad of SS7 vulnerabilities, which allow, among other things, to hijack two-factor text messages.
Scammers attempting to extort major companies with .feedback domains
These scammers have registered, among others, google.feedback. They ask the companies for money to receive the feedback or take the website down.
Companies are hiring cyber-security experts to help get merger & acquisition deals done
Bloomberg reports on an interesting trend where more and more M&A deals include an evaluation of cyber-security risks. This seems to have been prompted by Yahoo's breach making it worth $350 million less to Verizon.
Google Project Zero: hacker SWAT team vs. everyone
Great article from Fortune.com on Google's Project Zero, providing background on how it was started, how CloudBleed was handled, and how other companies look at the initiative. Worth the read. (Warning though: possible auto-playing video ahead).
The OpenVPN post-audit bug bonanza
Guido Vranken, the researcher who recently discovered a set of vulnerabilities in OpenVPN, makes a case for preferring automated fuzzing over manual code reviews. Afterwards he takes a deep technical dive in the vulnerabilities themselves.
Eternal Blues: A free EternalBlue vulnerability scanner
It's a free tool created by Elad Erez, Director of Innovation at Imperva. It scans your network to see if any machines are still vulnerable to the SMB exploit that gave us WannaCry and NotPetya. You can get the tool here.