Issue 47

 

KRACK attacks: breaking WPA2

Two Belgian researchers (yay Belgium) have been able to break the Wi-Fi encryption standard WPA2. Depending on the specifics of each implementation, they can listen in on traffic, capture credentials or change website content. Pretty much all Wi-Fi-enabled devices will need to be updated.
The link above points to the website of the researchers, which provides a great explanation. This post gives a good pragmatic overview of the consequences.
krackattacks.com

 

Flaw discovered in widely used TPM encryption chip

The 'Trusted Platform Module', or TPM, is a chip designed to secure encryption keys in many PCs and smartcards. With this flaw an attacker can work out the private key from just the public key. Which is, well, horrible. All affected devices will need firmware updates or will have to be replaced.
The article linked above gives a good high-level overview; this article dives into more detail.
sophos.com

 

Microsoft bug tracking database hacked back in 2013

It happened four years ago but only came out now in interviews. A breach like this is especially bad because it gives the attackers a list of as-yet unpatched bugs which they can then start exploiting elsewhere. A good reminder to all of us to keep our bug tracking systems very secure.
reuters.com

 

Google rolls out 'advanced protection' for Google accounts

It forces you to use hardware security keys, prevents OAuth access from external services, and has a much more elaborate account recovery process in case you lose access.
I presumed it was aimed at high-level targets like politicians or whistleblowers, but apparently anyone can opt in.
wired.com

 

Update all the things

  • Flash released an out-of-band update for a zero-day that is being actively exploited in the wild: link
  • Oracle patches 250 vulnerabilities across its products, including 22 in Java: link
  • Lenovo quietly rolled out fixes to four critical vulnerabilities to many of its Android products: link

 

Exploding Git repositories

A fun experiment with a 'Git bomb'. The repository looks normal, but when you check it out it starts to grow until you run out of RAM or CPU. Some people on Hacker News had fun with it, growing it to 24 gigs or even 65 gigs of RAM until it crashed :-)
kate.io

 

Richard Branson on social engineering scams worth millions

Virgin's Richard Branson shares two stories of high-level cons of which he was the subject. One friend lost $2 million thinking he was actually helping Branson out, and Branson himself avoided a con worth $5 million.
virgin.com