The Mirai worm was responsible for hijacking millions of IoT devices and using them to cause some of the biggest DDoS attacks so far, blowing 620 Gbps of data towards Brian Krebs' site last September, and 1.2 Tbps to Dyn last October. In this blogpost, Brian explains at length how he believes he discovered the real-life identity of its author, known as Anna-Senpai, to be Paras Jha. It's a long read, and sometimes hard to follow due to numerous names and aliases being used, but I found it well worth the time.
Two researchers have discovered a Twitter botnet of as many as 350.000 accounts. It was created in 2013 and has since been doing, well, not much. They suggest however that if its controller wakes the accounts up, the botnet could do some serious harm. The botnet is dubbed the 'Star Wars botnet', because the accounts randomly tweet passages from Star Wars novels.
After the uproar caused by the Guardian article on a vulnerability in WhatsApp, a group of well-known cryptographers are asking the Guardian to no longer use the term 'backdoor' for this issue, which they feel is misplaced and has done harm to an otherwise extremely secure messaging option for the masses.
Facebook enabled support for physical two-factor devices such as the Yubikey.
Heartbleed, an OpenSSL vulnerability that allows an attacker to snoop on encrypted web traffic, caused a major media blitz about three years ago. Unfortunately, to this day, there are still 200.000 machines out in the open that can be compromised this way.
For a refresher on what exactly Heartbleed was, see the official website here.
Google has announced that they have started their own Root Certificate Authority, instead of relying on a third party. They published their own root keys, but having other browsers and services integrate those takes time, so they also bought two existing root certificates from GlobalSign. Hackernews discussion can be found here.
Most of us realise that, as cars become more dependent on software, security is a huge concern. Many car manufacturers like Ford and Tesla already have the ability to do over-the-air (OTA) updates to their cars. Several universities have now come together to publish Uptane, a protocol on how to securely perform car OTA updates.
Researchers showed an attack where they record video from someone unlocking their phone (but not filming the screen), after which they extrapolate up to five possible patterns based on the person's finger movements from afar. Ironically, complex unlock patterns were easier to break, since they gave the researchers more data to work with.
Cisco WebEx, a video conferencing application used by over 20 million people, has a vulnerability that allows for remote code execution. Previous patches proved insufficient, and so far only Chrome has a patch in the extension's 1.0.7 version. If you use Firefox or IE on Windows and you have this extension, you might want to disable it for now. Microsoft Edge on Windows and all browsers on Mac are deemed safe.
If your website asks for personal information or passwords, and isn't using HTTPS, Firefox will show a warning icon. They aim to eventually do this for any and all HTTP pages.
Mikko Hypponen, a very well-known security researcher, is doing an AMA (Ask Me Anything) on Reddit as I write this. He also did an AMA-like session on Quora last month, which is also an interesting read.