News
Eight Chrome extensions hijacked to deliver malicious code to 4.8 million users
Just a heads-up that the extension hacking is still ongoing. The latest victims are Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN and Betternet VPN. Google is adding countermeasures to Chrome that detect malicious behaviour by extensions.
Sony's PSN Twitter and Facebook feed hacked
It's the same group, called OurMine, that also hacked HBO's accounts recently. They also claim to have a copy of the PSN (Sony PlayStation Network) database, but no evidence of that has been seen yet.
P.S.: If you want to keep track of what happens with HBO, here's a helpful timeline.
Describing DDoS pulse wave attacks
Recently a number of DDoS attacks have been spotted that go from 0 to 300+ Gbps in a matter of seconds, then drop off again. This shows a high level of control, and is probably used to attack multiple targets simultaneously.
Hacker publishes key to decrypt firmware of iOS Secure Enclave Processor (SEP)
That processor manages cryptographic operations, separately from the rest of iOS. No user data is at risk at this time; the key just allows researchers to examine the processor's firmware up close and look for vulnerabilities.
President Trump announces move to elevate Cyber Command
The cyber warfare division used to exist as a subgroup under the 'Strategic Command' military body, but it is now upgraded to its own stand-alone Cyber Command, making its importance in future military operations clear.
Google launches Chrome Enterprise subscription service for Chrome OS
This is for Chromebooks that are used in an enterprise context. It features compatibility with on-premises Active Directory infrastructure and more fine-grained IT and security controls.
Brief look at new security features in iOS 11
The lock screen allows for more access (notifications, replies, etc.) should you want that. Keychain is more prevalent. And more granular location services settings are being forced on apps. The article doesn't include another feature, which is to tap the power button five times to disable Touch ID.
Facebook awards $100K to researchers for credential spearphishing detection method
The detection algorithm has a surprisingly low false positive rate. I'm very interested to see if this evolves into some kind of tool that any of us might use.
Foxit to fix PDF reader zero-days by Friday
Two vulnerabilities were found in the Foxit PDF reader. However, Foxit didn't want to patch them because the exploits could be stopped by turning on its 'Safe Reading Mode' feature. This caused a bit of a stir, and now the company has said it will fix them after all.
Robot hacking seems set to become a viable threat vector in the future
In a this-will-surprise-no-one study, IOActive researchers took a look at various robots that are used to work with humans or industrial equipment. The robots can easily be exploited in various ways, which includes causing physical harm.
Review of hardware security keys
This post looks at the various options for hardware-based 2FA devices, like YubiKey and HyperFIDO. Hacker News discussion here.
security.txt: a "standard" that allows websites to define security policies
Interesting proposal for a robots.txt-like format where you can describe things like security contacts, allowed scope for security researchers, bounty payments, etc.
Personal information security best practices
A nice, down-to-earth post that describes basic personal security practices like 2FA, hard drive encryption, password managers, etc. It's worth looking at as inspiration on what you'll teach your family next :-)