Nov. 8, 2020
The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses. US officials talk about all the methods the Chinese government and its agents have been using to target US companies and universities to steal intellectual property. Intrusions have taken place since at least April 2020, the FBI said inan alertsent out last month and made public this week on its website.
Nov. 3, 2020
A code error in the NHS Covid-19 app meant users had to be next to a highly infectious patient for five times as long as the NHS had decided was risky before being instructed to self-isolate, the Guardian has learned.
Source: theguardian.com
May. 18, 2019
Google’s Titan Security Key, launched in the U.S. market last August, is a USB dongle that offers an added layer of security features for Google accounts, such as two-factor authentication and protections from phishing attacks. Specifically impacted is the version of the Titan Security Key with Bluetooth Low Energy (BLE) – not the NFC version of the security keys. The vulnerability stems from a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, said Brand.
Dec. 10, 2018
Two months after disclosing an error that exposed the private profile data of almost 500,000 Google+ users, Google on Monday revealed a new leak that affects more than 52 million people. The programming interface bug allowed developers to access names, ages, email addresses, occupations, and a wealth of other personal details even when they were set to be nonpublic. The bug was introduced in a release that went live at an undisclosed date in November and was fixed a week later, Google officials said in a blog post.
Dec. 9, 2018
This wouldn’t be a big deal, as the web is fraught with this kind of malicious sites, but these websites aren’t abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years ever since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside their source code. The iframe makes an HTTP authentication request on another domain.
Dec. 9, 2018
One small crypto programming error can lead to millions in lost funds. As you are about to learn, a bug in your code can equal disaster on the blockchain. These far-reaching consequences are all the more reason to make your project open-source.
Open-source projects gain added security because of the large number of developers checking the code for errors. That being said, even open-source projects contain programming mistakes. Let’s take a moment to examine the five biggest crypto programming errors in history.
Oct. 26, 2018
Several big-name Linux and BSD operating systems are vulnerable to an exploit that gives untrusted users powerful root privileges. The critical flaw in the X.org server—the open-source implementation of the X11 system that helps manage graphics displays—affects OpenBSD, widely considered to be among the most secure OSes. It also impacts some versions of the Red Hat, Ubuntu, Debian, and CentOS distributions of Linux.
Sep. 23, 2018
Earlier this week, a bug was found in the Bitcoin’s core code base. Developers got in the rush, and finally released a fix on Tuesday. The bug turned out to be Denial of Service bug (DoS).
Furthermore, if anyone exploited the vulnerability, this could be used to disconnect nodes, or even crash a whole segment of a network. This was enough to rush the developers into action. The bug could be exploited by any miner, to double spend any transaction.
Sep. 22, 2018
Six hundred microseconds. That is about the time that Matt Corallo wanted to shave off of block validation with his pull request in 2016 to Bitcoin Core. 600µs is a lot less than what is saved with more efficient block propagation, like XThin, Compact Blocks, or now Graphene over typical links, especially those that are of similar low-end quality in network speed like Raspberry Pis are in compute speed.
Sep. 19, 2018
Over the last 24 hours, the cryptocurrency community has been discussing a critical vulnerability that was found in the Bitcoin Core (BTC) reference client. A bug introduced in Bitcoin Core version 0.14, that also affects all subsequent versions, could have caused a great majority of current Core nodes to crash. According to the developer’s Optech newsletter, Core contributors released a patch that fixes Core version 0.16.2 and the latest 0.16.3 fix requires an immediate upgrade.
Sep. 16, 2018
Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link. The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use,Haddouche told TechCrunch.
He explained that nesting a ton of elements — such astags — inside a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage. TechCrunch tested the exploit running on the most recent mobile software iOS 11.4.1, and confirm it crashes and restarts the phone. Thomas Reed, director of Mac & Mobile at security firm Malwarebytes confirmed that the most recent iOS 12 beta also froze when tapping the link.
Aug. 28, 2018
A new EOS bug has been discovered that allows users to use malicious code to steal RAM, which is a scarce resource in EOS blockchain. EOS,the fifth-largest cryptocurrency in terms of capitalization, has made headlines in connection with a new issue. A new EOS bug has been discovered that allows stealing resources directly from a user.
The resource in question is RAM, which is valuable in the EOS blockchain due to its scarcity. EOS is working on solving the issue and has provided a temporary fix in the meantime. The EOS blockchain aims to be a decentralized operating system and to allow the running of decentralized applications and smart contracts.
Aug. 28, 2018
I’m a big fan of Prometheus and Grafana. As a former SRE at Google I’ve learned to appreciate good monitoring, and this combination has been a winner for me over the past year. I’m using them for monitoring my personal servers (both black-box and white-box monitoring), for the Euskal Encounter external and internal event infra, for work I do professionally for clients, and more.
Jul. 3, 2018
Bad news for Samsung phone owners: some devices are randomly sending your camera roll photos to your contacts without permission. As first spotted by Gizmodo, users are complaining about the issue on Reddit and the company’s official forums. One user says his phone sent all his photos to his girlfriend.
The messages are being sent through Samsung’s default texting app Samsung Messages. According to reports, the Messages app does not even show users that files have been sent; many just find out after they get a response from the recipient of the random photos sent to them. A Samsung spokesperson tells The Verge it’s “aware of the reports” and that its technical teams are “looking into it.”
Jun. 2, 2018
The vulnerability has been present and exploitable in Steam for at least 10 years, according to Tom Court, a security researcher at Contextis, who wrote about the bug on Wednesday. Court said the bug left all 125 million Steam users vulnerable until March of this year, when Valve, the developers of Steam, patched it. In other words, by exploiting this bug, hackers could have executed code on the victim’s machine, effectively taking full control over it.
May. 30, 2018
The Git community has disclosed an industry-wide security vulnerability in Git that can lead to arbitrary code execution when a user operates in a malicious repository. This vulnerability has been assigned CVE 2018-11235 by Mitre, the organization that assigns unique numbers to track security vulnerabilities in software. Git 2.17.1 and Git for Windows 2.17.1 (2) were released today and include this fix.
May. 28, 2018
Oracle plans to drop support for data serialization/deserialization from the main body of the Java language, according to Mark Reinhold, chief architect of the Java platform group at Oracle. Serialization is the process of taking a data object and converting it into a stream of bytes (binary format), so it can be transported across a network or saved inside a database, only to be deserialized later and used in its original form. Serializing and deserializing data is not a problem by itself, or when the source of the data is known to be safe.
May. 24, 2018
A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon’s Alexa — the voice-controlled smart speaker — and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list. A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon’s Alexa — the voice-controlled smart speaker — and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list.
May. 22, 2018
A security hole in a Comcast service-activation website allowed anyone to obtain a customer’s Wi-Fi network name and password by entering the customer’s account number and a partial street address, ZDNet reported yesterday. The problem would have let attackers ‘rename Wi-Fi network names and passwords, temporarily locking users out’ of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer’s home network.
May. 17, 2018
A command injection bug in Red Hat’s DHCP client could allow an attacker to run any command on your computer. As root. RedHat Linux, together with its stablemates Fedora and CentOS, just patched a serious security bug.
RedHat-based Linux distros include a dhclient script as part of their NetworkManager package – until the latest NetworkManager security patch, this script could be tricked into running text provided in a DHCP reply as if it were a system command of its own. Technically, this sort of bug is known as a command injection vulnerability, because it allows you to sneak in a command where you are supposed to supply data. It’s also a root RCE, short for remote code execution, because you don’t need to login first, and because you get to run the remotely supplied code as a system administrator.