Issue 63

Wordpress update breaks auto-update, and Wordpress DoS method remains unpatched yet exploited in the wild

Wordpress had a pretty rough week. If you run a WP installation, you probably have to update manually for once to fix the auto-update bug.
Also, a researcher found a very easy way to DoS a Wordpress setup, which Wordpress themselves seem unwilling to fix. An unofficial patch is available.


iBoot source code anonymously published on Github

iBoot is the application responsible for booting iOS, and a prime target for jailbreaks. The leaked code is a few years old and the fact that it's now public doesn't pose a serious risk though, but it made headlines though and might aid malware developers.


One Monero mining botnet targeting Windows, another targeting Redis and OrientDB servers

The above article describes the Smominru botnet which has infected of 500.000 Windows machines. This article describes another botnet named DDG, which has infected over 4000 Redis and OrientDB hosts.
The botnets seem quite succesful. Smominru has netted its creators over $2.8 million, adding $8.500 to the take per day. And DDG has made over $925.000 so far.


Grammarly: auth tokens are accessible to all websites

Grammarly is a grammar checking browser extension used by about 22 million people. As part of its functionality it reads and stores documents. Any site could get your auth token and log in to your Grammarly account. It's now fixed, make sure you run the latest version.


AutoSploit: automated mass exploitation of remote hosts using Shodan and Metasploit

This tool allows you to specify a search instruction, say a certain version of Apache. It will then use Shodan (the Internet-wide portscanner) to gather public machines that use this module, and will then run the relevant Metasploit modules to try and hack them. No rocket science, but quite controversial.


NSA exploits ported to work on all Windows versions released since Windows 2000

Speaking of Metasploit, a researcher has ported several NSA exploits, known as EternalChampion, EternalRomance and EternalSynergy, to all Windows versions since Windows 2000, and made them available in the Metasploit framework.


Mixpanel Analytics collected password data by accident

It really seemed to have been a bug, and they are now blocking such incoming data server side, but you might want to update your Mixpanel SDK nonetheless.


Google Chrome to mark all HTTP sites "Not Secure" starting July 2018

The first step was to do this for all HTTP sites that contained password or payment fields. The next step is to do it for -all- sites starting in July.


All Ledger hardware wallets vulnerable to man in the middle attack

They point to the fact that any time a wallet address is created to transfer funds to, it could be changed to a different address by malware on your system. I'm not super sure this qualifies as an actual vulnerability, but at least it's a reminder to verify the actual address before you transfer funds. Their report explains it pretty well.


speed47/spectre-meltdown-checker: Spectre & Meltdown vulnerability/mitigation checker for Linux

Open-source shell script that checks if your Linux installation is vulnerable to Spectre and Meltdown.



Discover security flaws in your website before attackers exploit them

Attackers only need to find and exploit one vulnerability in your web application to create havoc.


Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.