Issue 68

Several critical vulnerabilities and backdoors found in AMD chips

They fall into several classes referred to as RyzenFall, MasterKey, Fallout, and Chimera. They are verified independently by other security researchers, but AMD has yet to officially verify them. They seem pretty bad though.
threatpost.com

 

Large backlash on irresponsible disclosure of AMD flaws

The public disclosure of the above mentioned AMD issues happened only 24 hours after AMD was made aware. The CEO of the company that disclosed them explains that he prefers it this way: let the public know there are issues, but keep the actual technical details for the vendor only until they can fix it.
bleepingcomputer.com

 

Intel's upcoming 'Cascade Lake' processors will have built-in Spectre protection

One could say 'duh', but they've now officially said so. The new CPU's are redesigned to have "protective walls" between potentially malicious code and places where speculative execution is taking place.
techspot.com

 

Facebook makes outbound links HTTPS

This is a pretty significant boost to security. If an HTTP link is shared on Facebook they will automatically make it HTTPS if the target website supports it.
sophos.com

 

Current coinminer campaigns target Redis, Windows servers and Solr

There are currently two large coinminer operations underway: one targeting old Redis servers and Windows servers vulnerable to EternalBlue, and one targeting older Solr versions.
bleepingcomputer.com

 

Let's Encrypt launches support for wildcard certificates

Let's Encrypt continues to be awesome. You can now get a free certificate that covers all your subdomains (i.e. put HTTPS on 'domain.com', but also 'admin.domain.com' and 'help.domain.com'). Verification happens through DNS TXT records.
letsencrypt.org

 

Expected security improvements in Android P

In short : blocking of app traffic that doesn't use HTTPS, restricting microphone and camera usage in the background, saving of backup encryption keys client-side and better consistency in fingerprint UI looks.
helpnetsecurity.com

 

Update all the things \o/

Non-inclusive list of updates I came across:

  • Microsoft's Patch Tuesday happened, fixing 75 vulnerabilities, 15 of which are rated critical: link
  • Samba released a new version fixing two serious security issues: link
  • Cisco fixed two critical issues in its Secure Access Control Systems (ACS) and Prime Collaboration Provisioning (PCP) software: link
  • If you're somehow still using Flash, their new updates fixes a remote code execution issue: link

 

Firefox removes two privacy-exposing API's

The API's to detect face proximity and ambient light will be removed. They weren't really useful for most people, yet could be (very creatively) used to determine things like browser history.
sophos.com

 

Securing Windows workstations: developing a secure baseline

I don't know much about Windows security, but this article seems to list a great set of pointers on securing Windows workstations.
adsecurity.org

 

Here's a list of 29 different types of USB attacks

If you want to dig into how screwed you are if an attacker gets physical access to your USB ports, this is the post for you.
bleepingcomputer.com

 

How to hide your ports with port knocking

I found this interesting because I didn't realise this was a thing: only opening your SSH port after the visitor tries to connect to certain others ports in a certain order, like a combination lock. Not sure how practical this is to use, but fun to know about. The article explains how to make this happen with iptables.
medium.com

 

Daily Hackernews digest

Just a reminder that if you read Hackernews too, I started a newsletter that sends a daily digest based on upvotes.
hackernewsemail.com

 

Sponsorship

Discover security flaws in your website before attackers exploit them

Attackers only need to find and exploit one vulnerability in your web application to create havoc.
netsparker.com

 

Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.
fleetsmith.com