May. 7, 2019
Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal. Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.
May. 5, 2019
A critical vulnerability in Cisco’s software-defined networking (SDN) software could allow an unauthenticated, remote attacker to connect to a vulnerable data-center switch and take it over, with the privileges of the root user. The bug (CVE-2019-1804), which has a CVSS severity rating of 9.8 out of 10, exists in the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software, which is part of Cisco’s SDN approach. Enterprises use ACI to deploy and control applications across their infrastructure, including their multicloud footprints, with consistent policies – in theory boosting security and high availability.
May. 5, 2019
Hundreds of developers have had Git source code repositories wiped and replaced with a ransom demand. The attacks started earlier today, appear to be coordinated across Git hosting services (GitHub, Bitbucket, GitLab), and it is still unclear how they are happening. What is known is that the attacker removes all source code and recent commits from victims’ Git repositories, and leaves a ransom note behind that asks for a payment of 0.1 Bitcoin (~$570).
May. 4, 2019
On Monday, February 11, CVE-2019-5736 was disclosed. This vulnerability is a flaw in runc, which can be exploited to escape Linux containers launched with Docker, containerd, CRI-O, or any other user of runc. But how does it work?
Dive in! Processes interact with the operating system to perform a variety of operations (for example, reading and writing files, taking input, communicating on the network, etc.) via system calls, or syscalls.
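The excerpt stops before the mechanism. For the record: CVE-2019-5736 allowed a process inside a container to obtain a file descriptor to the host’s runc binary (through /proc/self/exe while runc was executing into the container) and overwrite it, so the next invocation of runc on the host ran attacker-controlled code. The fix runc shipped copies its own executable into a sealed anonymous memfd and re-executes from that copy, so the container never sees a writable handle to the on-disk binary. The program below is an added example of that mitigation pattern, written for this page, not runc’s own code; it assumes a Linux host with memfd_create(2) and a readable /proc/self/exe. It clones the running executable into a sealed memfd and shows that an attempt to overwrite the copy fails with EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the running executable (/proc/self/exe) into an anonymous memfd and
 * seal it against writes and resizes. Returns the sealed fd, or -1 on error.
 * This mirrors the approach runc adopted after CVE-2019-5736: the process
 * re-executes from this sealed copy instead of the host binary on disk. */
int clone_self_exe_sealed(void) {
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;

    /* MFD_ALLOW_SEALING is required, otherwise F_ADD_SEALS fails with EPERM. */
    int dst = memfd_create("exe_clone", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (dst < 0) { close(src); return -1; }

    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {                       /* handle short writes */
            ssize_t w = write(dst, buf + off, (size_t)(n - off));
            if (w < 0) { close(src); close(dst); return -1; }
            off += w;
        }
    }
    close(src);
    if (n < 0) { close(dst); return -1; }

    /* Once sealed, no one holding this fd (or a /proc/<pid>/fd/N link to it)
     * can write to it, resize it, or remove the seals. */
    int seals = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    if (fcntl(dst, F_ADD_SEALS, seals) < 0) { close(dst); return -1; }
    return dst;
}

/* Simulate the attacker's move: try to overwrite the start of the executable
 * behind fd with a shell script. Returns 0 on success, otherwise errno. */
int try_overwrite(int fd) {
    const char junk[] = "#!/bin/sh\necho overwritten\n";
    if (pwrite(fd, junk, sizeof junk - 1, 0) < 0) return errno;
    return 0;
}

int main(void) {
    int fd = clone_self_exe_sealed();
    if (fd < 0) { perror("clone_self_exe_sealed"); return 1; }
    int rc = try_overwrite(fd);
    printf("overwrite of sealed copy: %s\n", rc ? strerror(rc) : "succeeded (!)");
    close(fd);
    return rc == EPERM ? 0 : 1;
}
```

The important property is that the seals are enforced by the kernel on the file object itself, not on this particular descriptor: any other process that reaches the same memfd through /proc gets the same EPERM. Unpatched runc instead exposed the real host binary, for which no such protection existed.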
Apr. 28, 2019
On Thursday, April 25th, 2019, we discovered unauthorized access to a single Docker Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site. We want to update you on what we’ve learned from our ongoing investigation, including which Hub accounts are impacted, and what actions users should take.
During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds. We are asking users to change their password on Docker Hub and any other accounts that shared this password.
Mar. 6, 2019
Ghidra is a software reverse engineering (SRE) framework developed by NSA’s Research Directorate for NSA’s cybersecurity mission. It helps analyze malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.
Source: nsa.gov
Mar. 2, 2019
We’re used to thinking of computer processors as orderly machines that proceed from one simple instruction to the next with complete regularity. But the truth is that for decades now, they’ve been doing their tasks out of order and just guessing at what should come next. They’re very good at it, of course.
So good in fact, that this ability, called speculative execution, has underpinned much of the improvement in computing power during the last 25 years or so. But on 3 January 2018, the world learned that this trick, which had done so much for modern computing, was now one of its greatest vulnerabilities. Throughout 2017, researchers at Cyberus Technology, Google Project Zero, Graz University of Technology, Rambus, University of Adelaide, and University of Pennsylvania, as well as independent researchers such as cryptographer Paul Kocher, separately worked out attacks that took advantage of speculative execution.
Mar. 2, 2019
Sensor-based automatic control technology is now used in hundreds of applications as varied as vehicle accident prevention, agricultural monitoring, and self-balancing robots. But as sensor interaction with the environment increases to enable control systems to “see,” “listen,” and “sense” their environment more accurately, the potential for cyber attacks also grows. To counter this danger, Mitsubishi Electric has developed what it believes is the first sensor-security technology for detecting inconsistencies that appear in sensor measurements when a system is under attack.
Feb. 10, 2019
On Thursday, Bezos published emails in which the Enquirer’s parent company explicitly threatened to publish intimate photographs of Bezos and his mistress, which were apparently exchanged between the two through their iPhones, unless Bezos agreed to a series of demands involving silence about the company’s conduct. In a perfect world, none of the sexually salacious material the Enquirer was threatening to release would be incriminating or embarrassing to Bezos: it involves consensual sex between adults that is the business of nobody other than those involved and their spouses. But that’s not the world in which we live: few news events generate moralizing interest like sex scandals, especially among the media.
Feb. 9, 2019
Troubled Canadian crypto exchange QuadrigaCX owes its customers $190 million and cannot access most of the funds, according to a court filing obtained by CoinDesk. In a sworn affidavit filed Jan. 31 with the Nova Scotia Supreme Court, Jennifer Robertson, identified as the widow of QuadrigaCX founder Gerald Cotten, said the exchange owes its customers roughly $250 million CAD ($190 million) in both cryptocurrency and fiat. The company previously announced it had filed for creditor protection on its website, but the filing itself provides greater details about its predicament.
Feb. 9, 2019
In January, Motherboard revealed that AT&T, T-Mobile, and Sprint were selling their customers’ real-time location data, which trickled down through a complex network of companies until eventually ending up in the hands of at least one bounty hunter. Motherboard was also able to purchase the real-time location of a T-Mobile phone on the black market from a bounty hunter source for $300. In response, telecom companies said that this abuse was a fringe case.
Feb. 9, 2019
ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day.
Source: googleblog.com
Feb. 8, 2019
This weekend at the excellent FOSDEM gathering there were no less than three presentations on DNS over HTTPS. Daniel Stenberg presented a keynote session “DNS over HTTPS – the good, the bad and the ugly” (video), Vittorio Bertola discussed “The DoH Dilemma” while Daniel, Stéphane Bortzmeyer and I formed a DNS Privacy Panel expertly moderated by Jan-Piet Mens. I want to thank Daniel, Jan-Piet, Rudolf van der Berg, Stéphane & Vittorio for proofreading & improving this post, but I should add this does not imply an endorsement from anyone!
Feb. 8, 2019
A scammer was found to be manually abusing YouTube’s automated copyright system in an effort to hold YouTube channels ransom. By submitting multiple fake copyright “flags” on videos, the scammer was able to bring at least two YouTube accounts to the brink of automatic deactivation under YouTube’s “three strikes” policy, even getting past YouTube employees who double-checked the suspicious claim. According to YouTube, anti-abuse teams initially identified the requests as suspicious and asked for more information.
Feb. 2, 2019
Back in 2011, when the venture capitalist Marc Andreessen said that “software is eating the world,” it was still a fresh idea. Now it’s obvious that software permeates our lives. From complex electronics like medical devices and autonomous vehicles to simple objects like Internet-connected lightbulbs and thermometers, we’re surrounded by software.
And that means we’re all more exposed to attacks on that software than ever before. Every year, 111 billion lines are added to the mass of software code in existence, and every line presents a potential new target. Steve Morgan, founder and editor in chief at the research firm Cybersecurity Ventures, predicts that system break-ins made through a previously unknown weakness—what the industry calls “zero-day exploits”—will average one per day in the United States by 2021, up from one per week in 2015.
Jan. 29, 2019
The question of who controls the ability to merge code changes into Bitcoin Core’s GitHub repository tends to come up on a recurring basis. This has been cited as a “central point of control” of the Bitcoin protocol by various parties over the years, but I argue that the question itself is a red herring that stems from an authoritarian perspective—this model does not apply to Bitcoin. It’s certainly not obvious to a layman as to why that is the case, thus the goal of this article is to explain how Bitcoin Core operates and, at a higher level, how the Bitcoin protocol itself evolves.
Jan. 27, 2019
Newly leaked internal documents obtained by Motherboard detail how Instagram polices content published through its Instagram Stories feature, which allows users to publish short videos and static images that generally stay on profiles for 24 hours. The fact that they often have multiple discrete parts can make it particularly difficult to moderate stories, the documents show. In particular, the documents show how Instagram’s moderators have to grapple with the context of a story.
Jan. 27, 2019
You’ve decided to tackle a high-end luxury apartment, the kind of building with multiple Picassos in the penthouse. You could spend weeks or months casing the place, studying every resident’s schedule, analyzing the locks on all the doors. You could dig through trash for hints about which units have alarms, run through every permutation of what the codes might be.
Or you could also just steal the super’s keys. According to a Justice Department indictment Thursday, that is effectively what China has done to the rest of the world since 2014. That’s when the country’s elite APT10—short for “advanced persistent threat”—hacking group decided to target not just individual companies in its long-standing efforts to steal intellectual property, but instead focus on so-called managed service providers.
Jan. 27, 2019
A couple of researchers demonstrated how to bypass vein-based authentication using a fake hand built from a photo. If you consider vein-based authentication totally secure, you have to know that a group of researchers demonstrated the opposite at the Chaos Communication Congress hacking conference. Vein-based authentication scans the invisible vein pattern (i.e. the shape, size, and position of a user’s veins) of the palm, back of the hand, fingers, etc., to identify the user.
Jan. 7, 2019
The US National Security Agency will release a free reverse engineering tool at the upcoming RSA security conference that will be held at the start of March, in San Francisco. The software’s name is GHIDRA and in technical terms, is a disassembler, a piece of software that breaks down executable files into assembly code that can then be analyzed by humans. The NSA developed GHIDRA at the start of the 2000s, and for the past few years, it’s been sharing it with other US government agencies that have cyber teams who need to look at the inner workings of malware strains or suspicious software.