News
WPA3 announced
It will include improved protection against weak passwords, improved setup for devices with a limited interface, and individualized data encryption in open networks. More details will be made available at launch later this year.
Mozilla confirms Meltdown and Spectre can be exploited via web content
Something I only read after I sent the last newsletter. It might be old news to some, but it's important enough to include. So, install those browser updates.
Also, WebKit has an elaborate post on how Meltdown/Spectre impacts them.
Serious vulnerabilities in Western Digital NAS drives
If you own one of those, you'll want to update fast. Among the problems is a hard-coded backdoor account (which, interestingly, is the same backdoor found in a D-Link device a few years back), and it seems trivial to exploit even if the device is only reachable on a LAN.
New crypto-miner botnet targeting Linux servers
An interesting write-up showing how the botnet works. It's written in Python, spreads by brute-forcing SSH accounts and exploiting a recent JBoss vulnerability, and uses Pastebin to retrieve new C&C addresses. The botnet's author has made about $60,000 in Monero in the last month.
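The SSH brute-forcing mentioned above is the part of that botnet a server owner can actually see in their own logs. As an added example (not code from the newsletter or from the linked write-up), here is a small detector that reads OpenSSH "Failed password" lines from auth.log, counts failures per source address and the distinct usernames each source tried, and flags sources above a threshold. The log lines are constructed for the example, and the thresholds are assumptions you would tune for your own hosts.

```python
"""Flag SSH brute-force sources from OpenSSH auth.log lines.

Added example, not part of the original newsletter or the linked write-up.
SAMPLE_LOG is constructed; the thresholds in brute_force_sources() are assumptions.
"""
import re
from collections import defaultdict

# OpenSSH writes failed password attempts as
#   "sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
# The optional "invalid user " prefix marks usernames that do not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed auth.log excerpt: one scanning source trying several accounts,
# one legitimate user who mistyped a password once, and a key-based login.
SAMPLE_LOG = """\
Jan 15 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51010 ssh2
Jan 15 10:01:03 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jan 15 10:01:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Jan 15 10:01:05 web1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51016 ssh2
Jan 15 10:01:06 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51018 ssh2
Jan 15 10:01:07 web1 sshd[1206]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2: ED25519 SHA256:AAAA
Jan 15 10:02:00 web1 sshd[1210]: Failed password for alice from 198.51.100.21 port 40100 ssh2
Jan 15 10:02:30 web1 sshd[1211]: Accepted password for alice from 198.51.100.21 port 40102 ssh2
"""


def count_failures(log_text):
    """Return {source_ip: (failure_count, set_of_usernames_tried)}."""
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry[0] += 1
            entry[1].add(m.group("user"))
    return {ip: (n, users) for ip, (n, users) in stats.items()}


def brute_force_sources(log_text, min_failures=5, min_users=3):
    """Sorted list of source IPs that look like brute-force or user-enumeration activity.

    A source is flagged when it accumulates min_failures failed logins, or when it
    tries at least min_users distinct usernames (guessing account names is itself a
    strong signal, even at a low failure count). Both thresholds are assumptions.
    """
    return sorted(
        ip
        for ip, (n, users) in count_failures(log_text).items()
        if n >= min_failures or len(users) >= min_users
    )


if __name__ == "__main__":
    for ip, (n, users) in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failures, users tried: {sorted(users)}")
    print("flagged:", brute_force_sources(SAMPLE_LOG))
```

On a real host you would feed this the output of `journalctl -u ssh` or a tail of `/var/log/auth.log`, and act on flagged sources with a firewall rule or a tool like fail2ban; the more durable fix against this kind of botnet is disabling password authentication in sshd entirely.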
Apple kind of does it again
But, luckily, not nearly as serious this time. When you're already authenticated as an admin, someone can change your App Store settings using any password. Not terrifying, but of course not confidence-inducing either.
Npm packages mistakenly taken down caused widespread issues
Npm's security process mistakenly flagged an account as malicious and pulled it from the registry. It was a false positive, though, and many other packages that depended on its packages came down with it. The above link gives a short description, and they provided a more elaborate post-mortem here.
I’m harvesting credit card numbers and passwords from your site. Here’s how.
Speaking of npm, here's a thought-provoking post on how one could set up a nasty npm module that harvests credit card information without it being visible in the code on GitHub, that disables itself when dev tools are open, and more. Hacker News discussion on it here.
WhatsApp flaw could allow anyone to sneak into your private group chat
Sounds daunting and got quite a bit of press, but it has severe limitations. The attacker would have to hack into WhatsApp's servers, wouldn't see old messages, and everyone in the group would see a notification. Hopefully they'll fix it, but there's no reason to panic.
Microsoft brings end-to-end encryption to Skype
They're integrating the Signal protocol in a feature called 'Private Conversations'. Within those, all audio calls and text messages will be encrypted, as will attachments. Encrypted video calls and group chats aren't included yet.
Summary of the patch status for Meltdown / Spectre
Needless to say, you better be installing updates this week if you get them. This might be useful: it's a GitHub repo that keeps tabs on all rolled-out updates.
The 2018 guide to building secure PHP software
Great resource on secure programming for PHP developers.
The state of Linux security in 2017
A nice overview of everything loosely related to Linux that happened last year in security.
Sponsorships
Is your website hackable?
Use the dead accurate Netsparker web application security scanner to do the work for you, including eliminating false positives.