News
WannaCry-killer Marcus Hutchins pleads not guilty to malware claims
Marcus, aka 'MalwareTech', is the guy responsible for the domain-based kill switch that stopped WannaCry in its tracks. He was arrested by the FBI while boarding a plane in Las Vegas, leaving Defcon, and is alleged to be responsible for creating and selling the Kronos banking malware.
There is a lot of confusion here, as hardly anyone can imagine it being true. His official indictment can be found here. To be continued.
Attacker using typo-squatting to trick users into installing malicious npm packages
Someone called HackTask was found uploading packages to the JavaScript repository with names very similar to those of popular libraries, for example uploading 'cross-env', mimicking 'crossenv'. The malicious version would steal environment variables and send them to a server under the attacker's control. Npm's blog post is here.
Self-driving cars can be tricked into misreading street signs
Fascinating attack vector: changing street signs to fool self-driving cars, potentially harming the drivers and/or causing chaos, simply by, for example, turning a stop sign into a speed limit sign.
Researchers pull off DNA-based malicious code injection attack
Speaking of fascinating attack vectors, here is one in the not-quite-practical-but-cool category: synthesise a DNA strand to cause a buffer overflow in a DNA sequencing machine.
Firefox Send: experimental file sending service
Mozilla has released an experimental service that allows you to securely encrypt and send files up to 1Gb. Each file expires after one download or 24 hours. Their announcement can be read here.
Update all the things \o/
It might make sense to start grouping updates when relevant, for easier reading :)
- Microsoft patches 48 vulnerabilities, of which 27 allow for remote code execution.
- Firefox fixed three critical issues (and made Flash click-to-run by default, woop woop)
- Google patches 49 vulnerabilities in Android, 10 of which are remote code execution bugs.
Set of vulnerabilities in solar panel inverters can cause power outage
Since my day job is in the solar industry, I find this extra interesting ^^
The electrical grid requires a constant balance of supply and demand. This researcher found a set of critical vulnerabilities in a much-used brand of inverters, which convert solar DC power to AC grid power. If he deployed those exploits at a sunny moment, he could cause a huge outage with potentially billions in damages.
Another popular Chrome extension hijacked through phishing
The extension in question is Web Developer for Chrome, which a few of us might actually use (around a million people do). It was briefly turned into malware but is now back to normal. The author advises re-installing to be certain.
Hackers find fresh WordPress sites within 30 minutes
Something I've never thought about before is how they find a new site so quickly. One way is to monitor the Certificate Transparency report, an open standard where one can see which new SSL certificates were just issued.
Tor developer busts myths, announces new features
A write-up of a talk by Roger Dingledine, co-founder of Tor, at Defcon. He disputes some common beliefs, like that most of Tor traffic is criminal/dark web, and announces some upcoming improvements, like beefing up the underlying encryption.
Radio navigation set to make global return as GPS backup, because cyber
Currently all ship navigation depends solely on GPS. Because of the relative ease of jamming, which apparently happens quite often already, work is underway to implement a backup system.
The 10 Windows group policy settings you need to get right
I'm not a Windows admin myself, but this looks like a useful and short list of best-practices.
Starting the Avalanche – Netflix TechBlog
Interesting post by Netflix on application-level DDoS attacks in a microservice architecture. They describe what it is, why it is so effective, how they test for it in their signature Chaos Monkey way and how one would defend against it.