News
Several critical vulnerabilities and backdoors found in AMD chips
They fall into several classes referred to as RyzenFall, MasterKey, Fallout, and Chimera. They have been independently verified by other security researchers, but AMD has yet to officially verify them. They seem pretty bad though.
Large backlash on irresponsible disclosure of AMD flaws
The public disclosure of the above-mentioned AMD issues happened only 24 hours after AMD was made aware. The CEO of the company that disclosed them explains that he prefers it this way: let the public know there are issues, but keep the actual technical details for the vendor only until they can fix it.
Intel's upcoming 'Cascade Lake' processors will have built-in Spectre protection
One could say 'duh', but they've now officially said so. The new CPUs are redesigned to have "protective walls" between potentially malicious code and places where speculative execution is taking place.
Facebook makes outbound links HTTPS
This is a pretty significant boost to security. If an HTTP link is shared on Facebook they will automatically make it HTTPS if the target website supports it.
Current coinminer campaigns target Redis, Windows servers and Solr
There are currently two large coinminer operations underway: one targeting old Redis servers and Windows servers vulnerable to EternalBlue, and one targeting older Solr versions.
Let's Encrypt launches support for wildcard certificates
Let's Encrypt continues to be awesome. You can now get a free certificate that covers all your subdomains (e.g. put HTTPS on 'domain.com', but also 'admin.domain.com' and 'help.domain.com'). Verification happens through DNS TXT records.
Expected security improvements in Android P
In short: blocking of app traffic that doesn't use HTTPS, restricting microphone and camera usage in the background, saving of backup encryption keys client-side, and better consistency in fingerprint UI looks.
Update all the things \o/
Non-exhaustive list of updates I came across:
- Microsoft's Patch Tuesday happened, fixing 75 vulnerabilities, 15 of which are rated critical.
- Samba released a new version fixing two serious security issues.
- Cisco fixed two critical issues in its Secure Access Control Systems (ACS) and Prime Collaboration Provisioning (PCP) software.
- If you're somehow still using Flash, its new update fixes a remote code execution issue.
Firefox removes two privacy-exposing APIs
The APIs to detect face proximity and ambient light will be removed. They weren't really useful for most people, yet could be (very creatively) used to determine things like browser history.
Securing Windows workstations: developing a secure baseline
I don't know much about Windows security, but this article seems to list a great set of pointers on securing Windows workstations.
Here's a list of 29 different types of USB attacks
If you want to dig into how screwed you are if an attacker gets physical access to your USB ports, this is the post for you.
How to hide your ports with port knocking
I found this interesting because I didn't realise this was a thing: only opening your SSH port after the visitor tries to connect to certain other ports in a certain order, like a combination lock. Not sure how practical this is to use, but fun to know about. The article explains how to make this happen with iptables.
Daily Hackernews digest
Just a reminder that if you read Hackernews too, I started a newsletter that sends a daily digest based on upvotes.
Sponsorships
Discover security flaws in your website before attackers exploit them
Attackers only need to find and exploit one vulnerability in your web application to create havoc.
Securing your company Macs
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.