Issue 35

Hackers stole $32M worth of Ethereum by abusing Parity wallet flaw

The flaw was in Parity's handling of multi-sig wallets (accounts that operate under the control of multiple people). $75M more was 'stolen' out of vulnerable wallets by the good guys in order to prevent them from being stolen by the bad guys, throwing up quite a bit of controversy. This article dives into the technical details.
And while writing this issue another Ethereum hack came to light, this time of $8.4M during Veritaseum's ICO.

thehackernews.com

 

Apple releases patches for dozens of security holes in iOS and macOS

It's time to run your updates. iOS 10.3.3 resolves 47 flaws, including several remote code execution vulnerabilities and the previously reported BroadPwn vulnerability. MacOS, WatchOS, Safari, iTunes and iCloud also got their fill.

theregister.co.uk

 

Tor is taking its bug bounty program public

There was already a bug bounty program, but it was invite-only. It's now open to anyone on the HackerOne platform. Bounties go up to $4,000.

zdnet.com

 

Google Play Protect and 'Unverified app' screen

Google security efforts seem to be on a roll. The article above has more details on what Google Play Protect will do, both in Android O and in older versions of Android. For example: continuously scanning apps for malicious actions, and providing a 'Find My Device' feature. Google's own landing page here.
Google also added an 'unverified app' screen when applications that haven't been verified yet are installed.

helpnetsecurity.com

 

Google Groups misconfiguration leads to sensitive data leaks

Speaking of Google, something to keep an eye on in your own company: researchers found hundreds of Google Groups misconfigured as public, exposing PII, salary information, and more from a couple of well-known companies.

helpnetsecurity.com

 

Memcached - a story of failed patching & vulnerable servers

A post by Talos, the Cisco security group. Last year they found three high-severity vulnerabilities in Memcached. A little under a year later they found that 79% of servers still weren't patched, and 78% don't even have authentication enabled, leaving their Memcached instances open to anyone who can reach them.

talosintelligence.com

 

Microsoft releases its Security Risk Detection service

It's essentially a fuzzer-as-a-service platform. They're also releasing a Linux-based version.

microsoft.com

 

Profile of a hacker: The Real Sabu

Dark Reading writes a fun and short article on who Sabu, the 'leader' of Anonymous, was, and how he was caught.

darkreading.com

 

Technical overview of ten process injection techniques

A very technical article (to me, at least), providing a well written overview of various ways that malware can inject itself into a process.

endgame.com