Posts


May. 9, 2018

Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174

Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174

In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.

Source: securelist.com

May. 9, 2018

Introducing WebAuthn support for secure Dropbox sign in

Introducing WebAuthn support for secure Dropbox sign in

Introducing WebAuthn This cryptographic proof makes U2F security keys a very strong form of two-step verification, but adoption of U2F has been limited by browser and hardware support. We hope WebAuthn will change that.

It’s a new way to interact with security keys and other “authenticators” that standardizes and builds on key parts of U2F, the result of a collaboration between the W3C and FIDO Alliance. While for years only Chrome supported U2F, browser vendors have committed to bringing WebAuthn to Chrome, Firefox, and Edge. More and more devices will have WebAuthn support built in, bringing stronger security to the many users who don’t own special security keys.

May. 9, 2018

Stablecoin TrueUSD passes $12 million in circulation in just 2 months

Stablecoin TrueUSD passes $12 million in circulation in just 2 months

Whether it be Saga, SwissRealCoin, Havven, or a dozen other candidates, cryptocurrencies that are backed by real assets to help reduce volatility are becoming increasingly popular. Enter TrueUSD, which not only has a stablecoin, but has been putting it into action since launch. The result?

After less than two months on the market, TrustToken — a platform that securitizes real-world assets and currencies using blockchains — has announced that its TUSD stablecoin has organically amassed over $12 million in circulation. Stablecoins allows cryptocurrency traders to put their money into a non-volatile cryptocurrency. This gives them the benefits of an efficient store of value and cost-effective trading without the need to move cryptocurrency into and out of USD.

May. 9, 2018

Warriors’ Steph Curry will auction off celebrity CryptoKitties

Warriors’ Steph Curry will auction off celebrity CryptoKitties

CryptoKitties took off with its cute blockchain-based collectible kittens last fall. Now, it is bringing sports celebrities into mix, starting with collectibles from Golden State Warriors’ star basketball player Stephen Curry. The first-ever celebrity-branded CryptoKitty will go up for auction today.

CryptoKitties became a sensation after it debuted in November as a collectible game built on top of a blockchain and the Ethereum cryptocurrency. In March, the CryptoKitties maker, Axiom Zen game studio, spun out as a separate company and raised $12 million in funding from Andreessen Horowitz and Union Square Ventures. The Curry kitties will probably draw a lot of attention.

May. 9, 2018

Uhh, Google Assistant Impersonating a Human on the Phone Is Scary as Hell to Me

Uhh, Google Assistant Impersonating a Human on the Phone Is Scary as Hell to Me

The near future terror of this project has to do with how it could be used to further erode your privacy and security. Google has access to a lot of your information. It knows everything you browse on Chrome, and places you go on Google Maps.

If you’ve got an Android device it knows who you call. If you use Gmail it knows how regularly you skip chain emails from your mom. Giving an AI that pretends to be human access to all that information should terrify you.

May. 9, 2018

Critical vulnerability impacts Bitcoin Cash miners

Critical vulnerability impacts Bitcoin Cash miners

On Monday, Bitcoin ABC said in a security advisory that a critical vulnerability has been found in Bitcoin ABC version 0.17.0 which has the potential to cause an unintended split in the Bitcoin Cash network. In order to exploit the vulnerability, an attacker would need to construct a malicious transaction which could be accepted into Bitcoin ABC and consequently mined into a block. Once this block has been established, the block would then reject all other versions of Bitcoin Cash compliant implementations.

May. 8, 2018

Equifax reveals full horror of its data breach

Equifax reveals full horror of its data breach

Equifax has published yet more detail on the data lost in its now-infamous 2017 data breach. 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) breached, the company says, there were also 38,000 US drivers’ licenses and 3,200 passport details.

Source: co.uk

May. 8, 2018

UK police say 92-percent false positive facial recognition is no big deal

UK police say 92-percent false positive facial recognition is no big deal

New data about the South Wales Police’s use of the technology obtained by Wired UK and The Guardian through a public records request shows that of the 2,470 alerts from the facial recognition system, 2,297 were false positives. In other words, nine out of 10 times, the system erroneously flagged someone as being suspicious or worthy of arrest.

May. 8, 2018

Hundreds of big-name sites hacked, converted into drive-by currency miners

Hundreds of big-name sites hacked, converted into drive-by currency miners

A mass hacking campaign that targets a critical vulnerability in the Drupal content management system has converted more than 400 government, corporate, and university websites into cryptocurrency mining platforms that surreptitiously drain visitors’ computers of electricity and computing resources, a security researcher said Monday. Sites that were hacked included those belonging to computer maker Lenovo, the University of California at Los Angeles, the US National Labor Relations Board, the Arizona Board of Behavioral Health Examiners, and the city of Marion, Ohio, Troy Mursch, an independent security researcher, told Ars on Monday. The Social Security Institute of the State of Mexico and Municipalities, the Turkish Revenue Administration, and Peru’s Project Improvement of Higher Education Quality were also affected.

May. 8, 2018

Op-ed: Ray Ozzie’s crypto proposal—a dose of technical reality

Op-ed: Ray Ozzie’s crypto proposal—a dose of technical reality

In the debate over law enforcement access to encrypted devices, technical details matter. The rhetoric has been stark and, dismayingly often, divorced from technical reality. For example, two years ago we were told that only Apple could write software to open the phone of the San Bernardino terrorist; the technical reality turned out to be that an FBI contractor was able to do so.

May. 8, 2018

Even Privacy Advocates Are Tracking You Online

Even Privacy Advocates Are Tracking You Online

Its website, CAPrivacy.org, is pretty much what you’d expect. There are creepy fictional videos portraying people’s birth date, physical location, and potentially embarrassing info about their online purchases (hair loss prevention shampoo) and the apps they use (online poker). Below the videos, there’s a motivating message: “It’s your personal information.

Take back control!” There is one surprising aspect, though. Each time someone visits, software gleans what information it can about her, then sends that information to Facebook, including her IP address, what web pages she was on before and after visiting, and so on.

May. 8, 2018

SynAck targeted ransomware uses the Doppelgänging technique

SynAck targeted ransomware uses the Doppelgänging technique

The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions. In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware.

It should be noted that SynAck is not new – it has been known since at least September 2017 – but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant.

May. 6, 2018

Ticketmaster to trial facial recognition technology at live venues

Ticketmaster to trial facial recognition technology at live venues

The company suggested a number of other ways it may use the technology, including to serve more personalized offers and product tie-ins while attendees move around the venue. It would also allow for “development of deeper customer relationships” between fans, artists, venues, and teams. Moreover, Ticketmaster touts the technology as boosting safety and security, as it allows venues to know exactly who is in attendance — though an e-ticket tied to an individual’s mobile device would presumably offer a similar benefit.

May. 6, 2018

That New Memory Smell: Tech Can Tell if Your Flash is New or Recycled

That New Memory Smell: Tech Can Tell if Your Flash is New or Recycled

Flash is designed to last a decade or more of use. A lot of the gadgets that rely on it are not. Shady recyclers have spotted opportunity in that mismatch, stripping out used chips and selling them as new.

But engineers at the University of Alabama have come up with a straightforward electronic examination that can tell if a flash chip is new or recycled, even if that chip has only seen 5 percent or less of its life. And the technique is so straightforward that a smartphone app could run it on its own memory.

May. 6, 2018

Researchers link a decade of potent hacks to Chinese intelligence group

Researchers link a decade of potent hacks to Chinese intelligence group

Researchers said Chinese intelligence officers are behind almost a decade’s worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location.

May. 6, 2018

Idaho State University Lost Enough Weapons-Grade Plutonium to Make a Dirty Bomb

Idaho State University Lost Enough Weapons-Grade Plutonium to Make a Dirty Bomb

On Friday, the Nuclear Regulatory Commission announced that Idaho State University may face an $8,500 fine after losing one gram of weapons-grade plutonium. Although this quarter-sized amount of plutonium is nowhere near enough to make a nuclear weapon, it is enough to make a dirty bomb that spreads radiation, according to the Associated Press.

Source: vice.com

May. 6, 2018

Telegram’s billion-dollar ICO has become a mess

Telegram’s billion-dollar ICO has become a mess

The company recently canceled the public sale piece of its ICO, the Wall Street Journal reported this week, after it raised $1.7 billion from private sale investors, according to SEC filings. But the issues date back further.

Source: techcrunch.com

May. 6, 2018

Half a million pacemakers need a security patch

Half a million pacemakers need a security patch

The US Food and Drug Administration (FDA) last month approved a firmware patch for pacemakers made by Abbott’s (formerly St Jude Medical) that are vulnerable to cybersecurity attacks and which are at risk of sudden battery loss.

Source: sophos.com

May. 6, 2018

Internet Shortcut used in Necurs malspam campaign

Internet Shortcut used in Necurs malspam campaign

This attack relies on the file:// protocol to load and execute a remote script from a samba (SMB) share. This is noteworthy because typically the attachment is used as a downloader, but instead here we see one additional step that pushes this function one degree further thanks to the .url shortcut.

Source: malwarebytes.com

May. 4, 2018

Australia’s Commonwealth Bank lost 20 Million customer records

Australia’s Commonwealth Bank lost 20 Million customer records

According to thebroadcaster ABC, the data were supposed to have been destroyed when a sub-contractor after the dismantled a data centre. The sub-contractor did not provide the bank the documentation to confirm this the disruption of the magnetic data tapes, anyway the bank tried to downplay the situation confirming that the records don’t include passwords, PINs or other financial or sensitive information.