Issue 35

Hackers stole $32M worth of Ethereum by abusing Parity wallet flaw

The flaw was in Parity's handling of multi-sig wallets (accounts that operate under the control of multiple people). A further $75M was 'stolen' out of vulnerable wallets by the good guys in order to prevent it from being stolen by the bad guys, which stirred up quite a bit of controversy. This article dives into the technical details.
And while this issue was being written, another Ethereum hack came to light, this time of $8.4M during Veritaseum's ICO.


Apple releases patches for dozens of security holes in iOS and macOS

It's time to run your updates. iOS 10.3.3 resolves 47 flaws, including several remote code execution vulnerabilities and the previously reported BroadPwn vulnerability. macOS, watchOS, Safari, iTunes and iCloud also got their fill.


Tor is taking its bug bounty program public

There was already a bug bounty program, but it was invite-only. It's now open to anyone on the HackerOne platform. Bounties go up to $4,000.


Google Play Protect and 'Unverified app' screen

Google's security efforts seem to be on a roll. The article above has more details on what Google Play Protect will do, both in Android O and in older versions of Android. For example: continuously scanning apps for malicious behaviour, and providing a 'Find My Device' feature. Google's own landing page here.
Google also added an 'unverified app' screen that appears when an application that hasn't been verified yet is installed.


Google Groups misconfiguration leads to sensitive data leaks

Speaking of Google, something to keep an eye on in your own company: researchers found hundreds of Google Groups misconfigured as public, exposing PII, salary information, and more from a couple of well-known companies.


Memcached - a story of failed patching & vulnerable servers

A post by Talos, the Cisco security group. Last year they found three high-severity vulnerabilities in Memcached. A little under a year later they found that 79% of servers still weren't patched, and 78% don't even have authentication enabled, leaving their Memcached instances open to anyone who can reach them.


Microsoft releases its Security Risk Detection service

It's essentially a fuzzer-as-a-service platform. They're also releasing a Linux-based version.


Profile of a hacker: The Real Sabu

Dark Reading writes a fun, short article on who Sabu, the 'leader' of Anonymous, was, and how he was caught.


Technical overview of ten process injection techniques

A very technical article (to me, at least), providing a well-written overview of the various ways malware can inject itself into another process.