Issue 37

WannaCry-killer Marcus Hutchins pleads not guilty to malware claims

Marcus, aka 'MalwareTech', is the guy responsible for the domain-based kill switch that stopped WannaCry in its tracks. He was arrested by the FBI while boarding a plane in Las Vegas on his way out of Defcon, on allegations that he created and sold the Kronos banking malware.
There is a lot of confusion here, as hardly anyone can imagine it being true. His official indictment can be found here. To be continued.


Attacker using typo-squatting to trick users into installing malicious npm packages

Someone called HackTask was found uploading packages to the JavaScript repository with names very similar to those of popular libraries, for example uploading 'cross-env', mimicking 'crossenv'. The malicious version would steal environment variables and send them to a server under the attacker's control. npm's blog post here.


Self-driving cars can be tricked into misreading street signs

Fascinating attack vector: changing street signs to fool self-driving cars, potentially harming the drivers and/or causing chaos, simply by, for example, turning a stop sign into a speed limit sign.


Researchers pull off DNA-based malicious code injection attack

Speaking of fascinating attack vectors, here is one from the not-quite-practical-but-cool category: synthesise a DNA strand to cause a buffer overflow in a DNA sequencing machine.


Firefox Send: experimental file sending service

Mozilla has released an experimental service that allows you to securely encrypt and send files up to 1Gb. Each file expires after one download or 24 hours. Their announcement can be read here.


Update all the things \o/

It might make sense to start grouping updates when relevant, for easier reading :)

Dieter Van der Stock


Set of vulnerabilities in solar panel inverters can cause power outage

Since my day job is in the solar industry, I find this extra interesting ^^
The electrical grid requires a constant balance of supply and demand. This researcher found a set of critical vulnerabilities in a much-used brand of inverters, which convert solar DC power to AC grid power. If he deployed those exploits at a sunny moment, he could cause a huge outage, potentially causing billions in damages.


Another popular Chrome extension hijacked through phishing

The extension in question is Web developer for Chrome, which a few of us might actually use (around a million people do). It was briefly turned into malware but is now back to normal. The author advises re-installing it to be certain.


Hackers find fresh WordPress sites within 30 minutes

Something I've never thought about before is how they find a new site so quickly. One way is to monitor the Certificate Transparency report, an open standard where one can see which new SSL certificates were just issued.


Tor developer busts myths, announces new features

A write-up of a talk by Roger Dingledine, co-founder of Tor, at Defcon. He disputes some common beliefs, like that most of Tor traffic is criminal/dark web, and announces some upcoming improvements, like beefing up the underlying encryption.


Radio navigation set to make global return as GPS backup, because cyber

Currently all ship navigation depends solely on GPS. Because of the relative ease of jamming, which apparently happens quite often already, work is underway to implement a backup system.


The 10 Windows group policy settings you need to get right

I'm not a Windows admin myself, but this looks like a useful and short list of best practices.


Starting the Avalanche – Netflix TechBlog

Interesting post by Netflix on application-level DDoS attacks in a microservice architecture. They describe what it is, why it is so effective, how they test for it in their signature Chaos Monkey way and how one would defend against it.