Issue 34

gSOAP exploit: commonly used library in security cameras found vulnerable to remote code execution

The researchers call the vulnerability 'Devil's Ivy'. The only way to fix it is through a firmware upgrade.
Brian Krebs' report states that it'll be hard to exploit en masse, but it's very serious nonetheless.

senr.io

 

New IBM mainframe is designed to encrypt all the things

The new IBM Z wants to give financial institutions the processing power to encrypt all their transactions, up to 12 billion per day. It can encrypt a whopping 13 gigabytes of data per second per chip, and has an average of 24 chips per mainframe.

wired.com

 

Android malware 'GhostCtrl' can do many unusual things

It's based on the malware-as-a-service OmniRAT. It has some advanced capabilities, like controlling the infrared transmitter, using the text-to-speech function, terminating ongoing calls, and more.

helpnetsecurity.com

 

Hacker allegedly steals $7.4 million in Ethereum by hacking ICO website

Coindash, a trading platform for ether, launched its ICO (Initial Coin Offering, sort of an investment run) this week. However, right when the ICO started, someone changed the address where the money was supposed to be sent. More than $7.4 million was 'invested' into the hacker's own wallet.

vice.com

 

Google wants you to bid farewell to SMS authentication

Which, considering the vast amount of issues with SMS security, is really good news. They'll nudge SMS-based 2fa users to their own 'Google prompt' 2fa solution. The usual authenticator apps still remain an option, of course.

sophos.com

 

Two-factor authentication is a mess

Speaking of 2fa, an article by The Verge states what we've all come to realise: "get two-factor authentication" is good advice, but it's not enough. And no one really seems to know how to fix it.
There are no solutions in this article, but if you want to read a rant and agree with it, it's a good place to go.

theverge.com

 

Researchers recover AES256 encryption key from a PC's electromagnetic emissions

This is in a closed lab setup, but fascinating nonetheless. They use a technique known as Van Eck phreaking to determine the encryption key based on power consumption spikes, detected through EM waves. When the device is 30 centimeters away from the computer, it takes 50 seconds to get the key.

bleepingcomputer.com

 

LastPass announces family accounts

It will support unlimited sharing for up to six family members, and have the emergency access feature available. You'll be able to merge existing accounts. Early access is starting soon.

lastpass.com

 

A deep dive into AWS S3 access controls

Considering the multitude of S3-related data leaks, including the last one of Dow Jones customers, this seems useful.
It seems AWS has noticed the rise in issues as well. I got an automated e-mail this week reminding me of two buckets which were publicly accessible (by design, fortunately).

detectify.com

 

Cisco patches another critical bug in WebEx extension

If you use WebEx in your company, time to update. And while you're at it, thank Tavis Ormandy. Again.

threatpost.com

 

Objective-See: free OS X security tools

Nice, useful toolset by Patrick Wardle, Chief Security Researcher at Synack. OverSight, for example, notifies you when audio or video recording is activated.

objective-see.com

 

Cybersecurity Humble Book Bundle

A little under eleven days remaining. You can get a good pile of great security books for a really good price. See Hacker News for discussions on the offered books.

humblebundle.com

 

5+ billion passwords in order of most popular

GitHub repository holding a giant set of passwords, dug out from previous leaks, ordered by popularity. Could be useful to validate newly chosen passwords against in your own applications.

github.com
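As an added example (not code from that repository or from this newsletter), here is a Python screening routine in the spirit of that suggestion: it assumes the list format is one password per line, most popular first (the short sample list below is constructed, not taken from the repository), keeps the top N entries, and rejects a candidate that matches an entry exactly or after lower-casing and dropping a trailing digit/symbol suffix.

```python
"""Screen a candidate password against a popularity-ordered leaked-password list."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the assumed format: one password per line, most popular first.
SAMPLE_LIST = """123456
password
123456789
qwerty
12345678
letmein
Password1
"""

# Trailing digits and common punctuation that people bolt onto a known password.
_SUFFIX = re.compile(r"[0-9!@#$%^&*.]+$")


def _fold(pw: str) -> str:
    """Normalise for a fuzzy comparison: lower-case and drop a trailing digit/symbol suffix."""
    return _SUFFIX.sub("", pw.lower())


@dataclass
class Blocklist:
    exact: dict = field(default_factory=dict)   # password -> 1-based popularity rank
    folded: dict = field(default_factory=dict)  # folded form -> rank of its most popular source


def load_blocklist(text: str, top_n: Optional[int] = None) -> Blocklist:
    """Build a blocklist from the list text, keeping only the top_n most popular entries."""
    bl = Blocklist()
    for line in text.splitlines():
        pw = line  # no strip(): leading/trailing spaces can be part of a real password
        if not pw or pw in bl.exact:
            continue
        rank = len(bl.exact) + 1
        bl.exact[pw] = rank
        folded = _fold(pw)
        if folded and folded not in bl.folded:  # all-digit entries fold to "" and are skipped
            bl.folded[folded] = rank
        if top_n is not None and rank >= top_n:
            break
    return bl


def check_password(candidate: str, bl: Blocklist, min_length: int = 8) -> tuple:
    """Return (accepted, reason); rejects exact hits and trivial variants of leaked passwords."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if candidate in bl.exact:
        return False, f"appears in leaked list (rank {bl.exact[candidate]})"
    folded = _fold(candidate)
    if folded and folded in bl.folded:
        return False, f"trivial variant of a leaked password (rank {bl.folded[folded]})"
    return True, "ok"
```

With a list of several billion entries you would keep only the top few hundred thousand or store hashes rather than plaintext; the check logic stays the same.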