Cyber security news and services
Fuzzing Adobe Reader for exploitable vulns (fun != profit)
Wow did I underestimate this one! I told myself it would take quite some time to build a reliable exploit once I found a bug in Adobe Reader. There are so many mitigations to work through once you have an exploitable crash.
Amongst others: Data Execution Protection (DEP: prevents your code from being executed), Address Space Layout Randomization (ASLR: where in memory is my code anyway?), Sandboxing (you need to escape this one, it limits what your code can do). It’s hard to end up with reliable code execution.
…Nukes in the Age of AI
In 1983, Soviet Lieutenant Colonel Stanislav Petrov sat in a bunker in Moscow watching monitors and waiting for an attack from the US. If he saw one, he would report it up the chain and Russia would retaliate with nuclear hellfire. One September night, the monitors warned him that missiles were headed to Moscow.
But Petrov hesitated. He thought it might have been a false alarm.
…Startup Offers $3 Million to Anyone Who Can Hack the iPhone
The startup is called Crowdfense and is based in the United Arab Emirates. In an unusual move in the normally secretive industry of so-called zero-days, Crowdfense sent out a press release to reporters on Tuesday, advertising what it calls a bug bounty.
Source: vice.com
…Police Appear to Have Seized Revenge Porn Site Anon-IB
Law enforcement appears to have seized Anon-IB, possibly the most infamous site focused on revenge porn—explicit or intimate images of people shared without their consent. Although it’s unclear whether Anon-IB members will make a replacement site, the apparent seizure is still a significant blow against people who share revenge porn.
Source: vice.com
…Supreme Court Upholds Patent Office Power to Invalidate Bad Patents
In one of the most important patent decisions in years, the Supreme Court has upheld the power of the Patent Office to review and cancel issued patents. This power to take a “second look” is important because, compared to courts, administrative avenues provide a much faster and more efficient means for challenging bad patents. If the court had ruled the other way, the ruling would have struck down various patent office procedures and might even have resurrected many bad patents.
…Bezop Cryptocurrency Server Spills 25K in Private Investor, Promoter Data
Kromtech Security said that it found the unprotected data on March 30, adding that it included a treasure-trove of information ranging from “full names, (street) addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses and other IDs,” according to the researchers.
Source: threatpost.com
…Hackers built a ‘master key’ for millions of hotel rooms
Any key card will do. Even old and expired, or discarded keys retain enough residual data to be used in the attack. Using a handheld device running custom software, the researchers can steal data off of a key card — either using wireless radio-frequency identification (RFID) or the magnetic stripe.
That device then manipulates the stolen key data, which identifies the hotel, to produce an access token with the highest level of privileges, effectively serving as a master key to every room in the building.
…Amazon’s Alexa Hacked To Surreptitiously Record Everything It Hears
Gaining access to Alexa turned out to be surprisingly easy. Checkmarx attached their malicious code to a seemingly innocuous app. The company used a simple calculator app for demonstration purposes.
Getting Alexa to continue recording after the benign script in the app was executed proved more difficult. Checkmarx had two problems to solve. Alexa needed to keep listening after the benign response was given without alerting the user, and it had to record what it heard.
…Exclusive: NSA encryption plan for ‘internet of things’ rejected by international body
A source at an International Organization for Standardization (ISO) meeting of expert delegations in Wuhan, China, told WikiTribune that the U.S. delegation, including NSA officials, refused to provide the standard level of technical information to proceed.
Source: wikitribune.com
…Ride-hailing service Careem lost 14 million users’ data… in January
Update your Careem passcode, and then update your password on any other accounts using the same or similar details. Make your new one good and strong. Here’s how.
And if we’ve said it once, we’ve said it a million times: reusing passwords is really, truly a terrible idea. So don’t! Watch out for spearphishers.
Unsolicited communications that try to get personal information out of you, or send you to a site that wants your account credentials, should be greeted with your hairiest of eyeballs. Don’t click on links or download attachments from unfamiliar emails. Keep an eye on your bank account and credit card statements for suspicious activity.
…Why investors pumped $133 million into “stablecoin” Basis
Today’s most widely used stable cryptocurrency, called Tether, claims to back each unit of its currency with a dollar of hard currency reserves. However, the company has a poor transparency record, causing critics to wonder if Tether might not actually have reserves backing all of the cryptocurrency in circulation as it claims.
Source: arstechnica.com
…Cops Take Down World’s Biggest ‘DDoS-For-Hire’ Site They Claim Launched 6 Million Attacks
European law enforcement are today celebrating the dismantling of a website police claim sold Distributed Denial of Service (DDoS) attacks and helped launch up to 6 million of them for as many as 136,000 registered users. Four alleged administrators of the webstresser.org service were arrested on Tuesday in the U.K., Canada, Croatia and Serbia, whilst the site was shut down and its infrastructure seized in Germany and the U.S., Europol announced Wednesday.
…BGP leaks and cryptocurrencies
The broad definition of a BGP leak would be IP space that is announced by somebody not allowed by the owner of the space. When a transit provider picks up Cloudflare’s announcement of 1.1.1.0/24 and announces it to the Internet, we allow them to do so. They are also verifying using the RIR information that only Cloudflare can announce it to them.
Source: cloudflare.com
…Mysterious “double kill” IE zero-day allegedly in the wild
If you open the booby-trapped document, which is denoted by Qihoo as containing some unspecified sort of shellcode, Internet Explorer is apparently activated in the background, ultimately leading to an executable program being downloaded and executed without any visible warning.
Source: sophos.com
…Someone Is Trying to Extort iPhone Crackers GrayShift With Leaked Code
Last week, an unknown party quietly leaked portions of GrayKey code onto the internet, and demanded over $15,000 from Grayshift—ironically, the price of an entry-level GrayKey—in order to stop publishing the material. The code itself does not appear to be particularly sensitive, but Grayshift confirmed to Motherboard the brief data leak that led to the extortion attempt.
Source: vice.com
…Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency
Amazon lost control of a small number of its cloud services IP addresses for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that let them redirect traffic to rogue destinations. By subverting Amazon’s domain-resolution service, the attackers masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000 in digital coins from unwitting end users. They may have targeted other Amazon customers as well.
…MyEtherWallet Confirmed Hack via DNS Loophole
The attackers don’t seem to have compromised MyEtherWallet itself. Instead, they attacked the infrastructure of the internet, intercepting DNS requests for myetherwallet.com to make the Russian server seem like the rightful owner of the address. Most of the affected users were employing Google’s 8.8.8.8 DNS service.
However, because Google’s service is recursive, the bad listing was likely obtained through Amazon’s “Route 66” system.
Source: altcoinreport.co
…These People Are Selling the CIA’s Internal Board Game to the Public
Last month, a series of Freedom of Information Act requests to the CIA unearthed a trove of documents related to the agency’s in-house board games, used to train agents in intelligence gathering and other clandestine activities. The documents included detailed rulebooks and pages of cut-out components and cards, and it seemed only a matter of time before gamers with a printer and some scissors started playing the once-classified games themselves.
…Hijack of Amazon’s domain service used to reroute web traffic for two hours
The attackers used BGP—a key protocol used for routing internet traffic around the world—to reroute traffic to Amazon’s Route 53 service, the largest commercial cloud provider who count major websites such as Twitter.com as customers.
Source: doublepulsar.com
…Amazon Key expands to deliver packages inside your car
Amazon added a new delivery location to the ever-growing number of spots it can leave your packages: inside your car. The company announced an expansion of its Amazon Key in-home delivery service that now lets Prime members get packages deposited in their cars at no extra cost. The service is available today in 37 cities across the country for Prime members with eligible vehicles and active subscriptions to connected car services.
…