Not so long ago quantum computers seemed like science fiction, whereas now they are seen as 'merely an engineering challenge'. NIST is taking the admirable initiative to get started early on new encryption schemes, since many of our current encryption technologies would be easily broken by a quantum computer.
Last week Signal was blocked by Egypt and the UAE. This week Open Whisper Systems released a new version that uses 'domain fronting' to get around such censorship. Essentially, all message traffic goes over HTTPS to google.com, from where it is redirected to the Signal servers. This makes messages indistinguishable from regular Google traffic. It would also work with CDNs like Akamai, Cloudflare and Amazon CloudFront, making it virtually impossible to block all paths without shutting down most of the working Internet in those countries.
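As an added illustration (not code from the Signal release or from the original post), here is a small Python model of the two vantage points that make domain fronting work: the cleartext TLS SNI that a network observer sees names only the front domain, while the Host header inside the encrypted request, which only the fronting provider's edge can read, names the real destination. The domain names are constructed placeholders.

```python
import struct
from typing import Optional, Set, Tuple

FRONT_DOMAIN = "www.google.com"   # constructed: the innocuous front seen on the wire
REAL_DOMAIN = "signal.example"    # constructed placeholder for the real backend

def build_sni_extension(server_name: str) -> bytes:
    """Build the TLS server_name extension (RFC 6066) as sent in the cleartext ClientHello."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0), length, name
    name_list = struct.pack("!H", len(entry)) + entry          # ServerNameList
    return struct.pack("!HH", 0, len(name_list)) + name_list   # extension type 0, extension length

def parse_sni(ext: bytes) -> str:
    """Everything a passive observer on the network path can learn: the cleartext SNI."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0:
        raise ValueError("not a server_name extension")
    body = ext[4:4 + ext_len]
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:2 + list_len]
    (name_len,) = struct.unpack("!H", entries[1:3])            # entries[0] is the name_type byte
    return entries[3:3 + name_len].decode()

def build_fronted_request(front: str, real: str, path: str) -> Tuple[bytes, bytes]:
    """Return (cleartext SNI extension, HTTP request that travels inside the TLS tunnel)."""
    sni = build_sni_extension(front)
    http = f"GET {path} HTTP/1.1\r\nHost: {real}\r\n\r\n".encode()
    return sni, http

def observer_view(sni: bytes) -> str:
    """The censor's view: only the front domain is visible, so blocking it means blocking Google."""
    return parse_sni(sni)

def edge_routing(http: bytes, allowed_backends: Set[str]) -> Optional[str]:
    """The fronting provider's edge terminates TLS and routes on the Host header, not the SNI."""
    for line in http.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode()
            return host if host in allowed_backends else None
    return None

if __name__ == "__main__":
    sni, http = build_fronted_request(FRONT_DOMAIN, REAL_DOMAIN, "/v1/messages")
    print("observer sees:", observer_view(sni))                          # www.google.com
    print("edge routes to:", edge_routing(http, {REAL_DOMAIN}))          # signal.example
```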
PHPMailer, a component powering registration and contact forms on an estimated 9 million websites, has been found vulnerable to remote code execution. This affects all sites using Drupal, WordPress, Joomla, Yii, and a host of others. A first patch came out but was bypassed a few days later. The latest patch, 5.2.21, came out on December 28th and should fix all issues.
Another reason to roll out the updates on your PHP boxes: Check Point discovered three zero-day flaws in PHP 7's serialisation mechanism. Two of them leave the server open to complete compromise; the third can be used to DoS the corresponding website. The PHP team issued updates on October 13th and December 1st, but one issue remains unpatched.
Apple had announced that by the 1st of January 2017, all apps should communicate with their backends and third parties over HTTPS, using an iOS component called App Transport Security (ATS). However, on December 22nd only 5 percent of apps had gotten around to implementing the change. Apple dropped the deadline and has yet to post a new one.
A very interesting initiative was launched called 'Security Without Borders'. It's a growing group of security professionals who want to dedicate part of their time to helping with security needs. Their website offers a contact form where one can request assistance, for example a security assessment if you're a human rights activist.
It never ceases to amaze me how crazy our world has become. Apparently there exists an app that helps soldiers with the calculations for aiming their artillery. Russian hackers put malware in this app and used it to track the exact position of Ukrainian artillery units.
The hacker group responsible is known as Fancy Bear, also known as APT28. This is the same group that was implicated in the DNC hack around the US elections.
NIST is offering a lengthy guidebook that explains to companies and federal agencies how to react to security incidents, ranging from ransomware to public data leaks. The PDF can be found here.
In a depressing feat of economics, crackers are moving away from selling stolen medical data. One person's medical record used to be worth about $50 on the market, whereas it now fetches between $1.5 and $10.
Why? Because of a saturated market.
In 2015 alone, about 112 million US citizens, roughly a third of the population, had their medical data stolen.
Due to an easy-to-exploit flaw in their web application, everyone who applied to become a verified marijuana seller has had their information made public. The applications include name, date and place of birth, driver's license details, phone numbers, physical address and even fingerprints. Around 11,000 people are estimated to be impacted.