Issue 39

Eight Chrome extensions hijacked to deliver malicious code to 4.8 million users

Just a head's up that the extensions hacking is still ongoing. Latest victims are Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN and Betternet VPN. Google is adding countermeasures to Chrome that detect malicious behaviour by extensions.


Sony's PSN Twitter and Facebook feed hacked

It's the same group, called OurMine, that also hacked HBO's accounts recently. They claim to also have a copy of the PSN (Sony Playstation Network) database, but no evidence of that has been seen yet.
P.S.: If you want to keep track of what happens with HBO, here's a helpful timeline.


Describing DDoS pulse wave attacks

Recently a number of attacks have been spotted where DDoS attacks go from 0 to 300+ Gbps in a matter of seconds, then go off again. It shows a high level of control, and is probably used to attack multiple targets simultaneously.


Hacker publishes key to decrypt firmware of iOS Secure Enclave Processor (SEP)

That processor manages cryptographic operations, separately from the rest of iOS. No user data is at risk at this time, it just allows researchers to take a look at the processor up close to look for vulnerabilities.


President Trump announces move to elevate Cyber Command

The cyber warfare division used to exist as a subgroup under the 'Strategic Command' military body, but it is now upgraded to its own stand-alone Cyber Command, making the importance of it in future military operations clear.


Google launches Chrome Enterprise subscription service for Chrome OS

This is for Chromebooks that are used in an enterprise context. It features compatibility with on-premise Active Directory infrastructure and more fine-grained IT and security controls.


Brief look at new security features in iOS11

The lock screen allows for more access (notifications, replies, etc) should you want that. Keychain is more prevalent. And more granularity of location services being forced on apps. The article doesn't include another feature, which is to tap the power button five times to disable Touch ID.


Facebook awards $100K to researchers for credential spearphishing detection method

The detection algorithm has a surprisingly low false positive rate. I'm very interested to see if this evolves in to some kind of tool that any of us might use.


Foxit to fix PDF reader zero days by friday

Two vulnerabilities were found in the Foxit PDF reader. However, they didn't want to patch because the exploits could be stopped by turning on their 'Safe Reading Mode' feature. This caused a bit of a stir, and now they have said they will fix it after all.


Robot hacking seems to become a viable threat vector in the future

In a this-will-surprise-no-one study, IOActive researchers took a look at various robots that are used to work with humans or industrial equipment. They can easily be exploited in various ways, which includes causing physical harm.


Review of hardware security keys

This post looks at the various options for hardware-based 2fa devices, like Yubikey and HyperFido. Hackernews discussion here.


security.txt: a "standard" that allows websites to define security policies

Interesting proposal for a robots.txt-like format where you can describe things like security contacts, allowed scope for security researchers, bounty payments, etc.


Personal information security best practices

A nice, down to earth post that describes basic personal security practices like 2fa, hard drive encryption, password managers, etc. It's worth looking at as inspiration on what you'll teach your family next :-)