Issue 58

Meltdown and Spectre: Every modern processor has unfixable security flaws

To say that this is a big one is an understatement. The linked article from Ars Technica explains the problems very well, but as a tl;dr:

Meltdown

  • Any user program on an Intel-based device can extract all kernel memory, which means SSL keys, passwords, files, the whole shebang.
  • Example: you could start a VM on any cloud hosting service, extract all of the host's memory, including that of other VMs, move to another shared server and do it again, and so forth.
  • Patches are being issued by all major vendors to fix this, at the potential cost of speed.

Spectre

  • Harder to exploit, but affects all processors (not just Intel).
  • Can really only be fixed by architecting new processors differently.

Extra

  • The vulnerabilities have their own website with a high-level explanation and a link to the research that discovered them: link
  • This Twitter thread feels like a good short write-up on how the vulnerabilities work. It gets very technical very fast though: link

arstechnica.com

 

macOS local privilege escalation (LPE) exploit found

An LPE gives a hacker who already has access to a system the ability to gain root access. It's a pretty serious vulnerability, but not remotely exploitable. Apple will probably issue a fix with the next big patch cycle.
For a technical deep-dive, the researcher has a very detailed write-up of the exploit.
threatpost.com

 

Security flaws in GPS trackers put millions of devices' data at risk

Researchers found a slew of GPS tracking services, used by products like pet collars and car trackers, which are leaking geolocation and device data. They have a list of vulnerable domains. I don't recognise any of them but maybe you do.
hackread.com

 

Chrome Archive Poster extension installs crypto miner

The extension, which has 105,000 users, uses Coinhive to mine cryptocurrency without the user's permission. Google hasn't taken the extension down so far.
hackread.com

 

VMware issues 3 critical patches for vSphere Data Protection

If you run VMware’s vSphere Data Protection, you'll want to update, as the patches fix three remote code execution vulnerabilities.
threatpost.com

 

GDPR infographic by the EU

A pretty good infographic with basic GDPR information by the EU themselves.
europa.eu

 

2018: The year of the NIS Directive

The author wants to remind everyone that GDPR is not the only security-related legislation that becomes active in May 2018. There's also NIS, which forces EU countries to boost work on national cyber security, cross-border collaboration and oversight of critical sectors like energy, transport and health.
(From what I know though, NIS is a directive, which means that each country must adopt it in their own law, whereas GDPR is de facto law across the EU the moment it becomes active.)
helpnetsecurity.com

 

Encryption with lava lamps

An article explaining that Cloudflare uses a wall of lava lamps to generate randomness for their crypto. Pretty cool :-) For a more technical explanation, check out Cloudflare's blog post about it.
atlasobscura.com

 

Best of the Best: the South Korean school for hackers hitting back against the North

Interesting article by the Guardian on how South Korea trains a set of young white-hat hackers to defend the country against cyber attacks.
theguardian.com

 

2017's top hacks and data breaches

A trip down data-breach lane, including gems like Equifax, WannaCry and CCleaner.
hackread.com

 
