To say that this is a big one, is an understatement. The linked article from Ars Technica explains the problems very well, but as a tl;dr:
- Any user program on an Intel based device can extract all kernel memory. Which means SSL keys, passwords, files, the whole shebang.
- Example: you could start a VM on any cloud hosting service, clear all its memory, including from other VM's, move to another shared server and do it again, and so forth.
- Patches are being issued by all major vendors to fix this, at the potential cost of speed.
- Harder to exploit, but affects all processors (not just Intel).
- Can really only be fixed by differently architecting new processors.
- The vulnerabilities have their own website with a high-level explanation and a link to the research that discovered them: link
- This Twitter-thread feels like a good short write-up on how the vulnerabilities work. It gets very technical very fast though: link
An LPE gives a hacker who already has access to a system the ability to gain root access. It's a pretty serious vulnerability, but not remotely executable. Apple will probably issue a fix with the next big patch cycle.
For a technical deep-dive, the researcher has a very detailed write-up of the exploit.
Researchers found a slew of GPS tracking services, used by products like pet collars and car trackers, which are leaking geolocation and device data. They have a list of vulnerable domains. I don't recognise any of them but maybe you do.
The extension, which has 105.000 users, uses Coinhive to mine crypto without the user's permission. Google hasn't taken the extension down so far.
If you run VMware’s vSphere Data Protection, you'll want to update, as it fixes three remote code execution vulnerabilities.
A pretty good infographic with basic GDPR information by the EU themselves.
The author wants to remind everyone that GDPR is not the only security-related legislation that becomes active in May 2018. There's also NIS, which forces EU countries to boost work on national cyber security, cross-border collaboration and oversight of critical sectors like energy, transport and health.
(From what I know though, NIS is a directive, which means that each country must adopt it in their own law. Where as GDPR is de-facto law across the EU the moment it becomes active.)
An article explaining that Cloudflare uses a wall of lava lamps to generate randomness for their crypto. Pretty cool :-) For a more technical explanation, check out Cloudflare's blogpost about it.
Interesting article by the Guardian on how South Korea trains a set of young white-hat hackers to defend the country against cyber attacks.
A trip down data-breach lane, including gems like Equifax, WannaCry and CCleaner.
Attackers only need to find and exploit one vulnerability in your web application to create havoc.