Issue 33

Broadcom Wi-fi chip vulnerability allows for remote code execution. iOS and Android devices vulnerable.

The vulnerability has been dubbed 'Broadpwn' and requires no user interaction. Android released a patch last week. It's unclear what the status is on iOS.

bleepingcomputer.com

Let's Encrypt will support free wildcard certificates starting January 2018

Making Let's Encrypt even more awesome. They'll depend on DNS validation, but they're looking into additional validation methods.

letsencrypt.org

14 million Verizon customer records exposed

They were found in an insecure S3 bucket, held by a third-party partner of Verizon called NICE Systems. Verizon tried to down-play it, but the data did hold PIN numbers to people's accounts, which attackers can use to hijack 2fa.

threatpost.com

Microsoft Patch Tuesday update fixes 19 critical vulnerabilities

Updating time. A total of 54 vulnerabilities, of which 19 were critical. Interestingly, one of those was for the Hololens, which was vulnerable to remode code execution through specially crafted Wi-fi packets.

threatpost.com

Google adds blocking and whitelisting of OAuth apps in GSuite

You can also see which apps already have access to Drive, Calendar, etc, and for how many users. If you're responsible for a GSuite environment be sure to take a look.

googleblog.com

Overview of current malware landscape (pdf)

Very interesting white-paper by Malwarebytes on what exploits and malware were most active and prevalent in the last quarter. If you want to get familiar with the names and relationships of all current malware, this is the document to read.

malwarebytes.com

How the CopyCat malware infected 14 million Android devices around the world

Check Point researchers released their findings on the CopyCat malware. At it's peak last year it had infected 14 million Android devices and rooted 8 million of them.
Using ads and fake app installs it generated around $1.5 million in revenue for the malware authors.

checkpoint.com

Taking control of all .io domains with a domain registration

Matthew Bryant writes how he was able to hijack the .io TLD. Some domains where listed as nameservers but weren't actually registered.

thehackerblog.com

What is CVE and how does it work?

Interesting write-up on, among other things, by whom a CVE number (the designation that new vulnerabilities get) is actually assigned.

itworld.com

How to defend your website with ZIP bombs

Apparently not new, but I hadn't heard about it yet and quite love the idea :)
To deflect script-kiddy scanners, create a 10gig text file, gzip it, and serve it as an HTTP response. The tool or browser on the other end unzips it and probably crashes.

haschek.at

Top 100 best Linux security tools

A long list of tools for vulnerability scanning, monitoring, intrusion detection, and much more.

linuxsecurity.expert

The most accurate hacking scene ever (YouTube video)

It's a scene out of Castle. I ran across this on a random Youtube stroll and couldn't stop laughing.

youtube.com

Sponsorship

Last Week in AWS

Weekly e-mail that filters through news and tools in Amazon's cloud ecosystem (and then makes fun of it ^^) It's always an entertaining read. Check it out!

lastweekinaws.com