Issue 37

WannaCry-killer Marcus Hutchins pleads not guilty to malware claims

Marcus, aka 'MalwareTech', is the guy responsible for the domain-based kill switch that stopped WannaCry in its tracks. He was arrested by the FBI while boarding a plane in Las Vegas when leaving Defcon, on allegations that he created and sold the Kronos banking malware.
There is a lot of confusion here, as hardly anyone can imagine it being true. His official indictment can be found here. To be continued.

theregister.co.uk

 

Attacker using typo-squatting to trick users into installing malicious npm packages

Someone called HackTask was found uploading packages to the JavaScript repository with names very similar to those of popular libraries. For example uploading 'cross-env', mimicking 'crossenv'. The malicious version would steal environment variables and send them to a server under the attacker's control. Npm's blog post here.

threatpost.com

 

Self-driving cars can be tricked into misreading street signs

Fascinating attack vector: changing street signs to fool self-driving cars, potentially harming the drivers and/or causing chaos, simply by, for example, turning a stop sign into a speed limit sign.

hackread.com

 

Researchers pull off DNA-based malicious code injection attack

Speaking of fascinating attack vectors, here is one in the not-quite-practical-but-cool category: synthesise a DNA strand to cause a buffer overflow in a DNA sequencing machine.

helpnetsecurity.com

 

Firefox Send: experimental file sending service

Mozilla has released an experimental service that allows you to securely encrypt and send files up to 1Gb. Each file expires after one download or 24 hours. Their announcement can be read here.

firefox.com

 

Update all the things \o/

It might make sense to start grouping updates when relevant, for easier reading :)

Dieter Van der Stock

 

Set of vulnerabilities in solar panel inverters can cause power outage

Since my day job is in the solar industry, I find this extra interesting ^^
The electrical grid requires a constant balance of supply and demand. This researcher found a set of critical vulnerabilities in a much-used brand of inverters, which convert solar DC power to AC grid power. If he deployed those exploits at a sunny moment, he could cause a huge outage, potentially causing billions in damages.

hackread.com

 

Another popular Chrome extension hijacked through phishing

The extension in question is Web Developer for Chrome, which a few of us might actually use (around a million people do). It was briefly turned into malware but is now back to normal. The author advises re-installing it to be certain.

helpnetsecurity.com

 

Hackers find fresh WordPress sites within 30 minutes

Something I've never thought about before is how they find a new site so quickly. One way is to monitor the Certificate Transparency report, an open standard where one can see which new SSL certificates were just issued.

wordfence.com

 

Tor developer busts myths, announces new features

A write-up of a talk by Roger Dingledine, co-founder of Tor, at Defcon. He disputes some common beliefs, such as the idea that most Tor traffic is criminal/dark web, and announces some upcoming improvements, like beefing up the underlying encryption.

threatpost.com

 

Radio navigation set to make global return as GPS backup, because cyber

Currently all ship navigation depends solely on GPS. Because of the relative ease of jamming, which apparently happens quite often already, work is underway to implement a backup system.

arstechnica.com

 

The 10 Windows group policy settings you need to get right

I'm not a Windows admin myself, but this looks like a useful and short list of best practices.

techconnect.com

 

Starting the Avalanche – Netflix TechBlog

Interesting post by Netflix on application-level DDoS attacks in a microservice architecture. They describe what it is, why it is so effective, how they test for it in their signature Chaos Monkey way and how one would defend against it.

medium.com