Issue 40

Database of spambot Onliner found, holds over 700 million e-mails and millions of passwords

A researcher found the database on an open webserver. Troy Hunt has added the e-mails to his HaveIBeenPwned service.


Tech firms take down WireX Android botnet

WireX was used for DDoS purposes and consisted purely of Android phones running one of about 300 malicious apps. An ad-hoc group of companies like Akamai and Cloudflare banded together to bring it down.


Google BGP misconfiguration brought part of Japan offline

Due to a misconfiguration in their BGP (Border Gateway Protocol) tables, Google started 'inviting' Internet traffic from large providers in Japan, only for it to go nowhere. The mistake was corrected in 8 minutes; the outage, however, lasted several hours.


8 out of 28 advisors on Trump's cybersecurity council resign

They cite various recent events like Charlottesville and the Paris accords, but also his insufficient attention to cybersecurity issues, including the security of election systems.


Company offers $500,000 for Telegram, WhatsApp and Signal zero-days

The company, Zerodium, buys and sells zero-day exploits. They also offer $1.5 million for a remote iPhone jailbreaking exploit.


Someone published a list of telnet credentials for thousands of IoT devices

The list itself contains over 33,000 entries, although in reality it's only about 8,000 unique IPs. Also, only about 1,700 credentials still work, which might mean the others have already been taken over and had their passwords changed.


Apple iOS exploit takes complete control of kernel, patched in 10.3.2

If you're still running 10.3.1, you might want to upgrade. Multiple vulnerabilities were found in Apple's AVEDriver which accelerates video encoding on iOS devices. Apple asked the researcher to wait until now to disclose.


Drone maker DJI launches bug bounty program

The aim is to find vulnerabilities that leak personal information of drone users, expose pictures and videos of flights, cause app crashes or affect flight safety. Bounties will be between $100 and $30,000.


Explanation of security issues with mobile phone protocol SS7

Good, straightforward article by the Guardian on the problems with SS7, and what, if anything, you can do about it.


Three's a crowd: Popular bug bounty companies are growing at an insane rate

Good article on the three big bug bounty companies (HackerOne, BugCrowd and Synack), how they operate, what their growth looks like and what their plans are.