Posts


Mar. 13, 2018

Regaxor: Fuzzing Regexes for Fun and Not‐So‐Much Profit

It all started with the public disclosure of a HackerOne report submitted to Keybase by another researcher. It was a minor character escaping issue, but one that probably had the highest impact of all vulnerability reports submitted to their program—given that it was issued their highest bounty payout at the time. I immediately noticed the ‘patch’ they implemented was insufficient, and it was only a matter of minutes before I submitted a new vulnerability report (as quickly and as fast as possible).

Mar. 13, 2018

Air gapping PCs won’t stop data sharing thanks to sneaky speakers

In an academic paper published on Friday through preprint service ArXiv, researchers from Israel’s Ben-Gurion University of the Negev describe a novel data exfiltration technique that allows the transmission and reception of data – in the form of inaudible ultrasonic sound waves – between two computers in the same room without microphones.

Source: co.uk

Mar. 13, 2018

Questions for TSA after reports of laptop and phone searches on domestic flights

There are a growing number of reports of the Transportation Security Administration (TSA) searching the electronic devices of passengers on domestic flights in the US, according to the American Civil Liberties Union (ACLU), which has sued the federal agency for records. The ACLU Foundation of Northern California filed a lawsuit against the TSA on Monday demanding that the government disclose its policies for searching the computers and cellphones of domestic travelers, arguing that anecdotal accounts have raised concerns about potential privacy invasions.

Mar. 13, 2018

MOSQUITO Attack Allows Air-Gapped Computers to Covertly Exchange Data

The team of security researchers—who last month demonstrated how attackers could steal data from air-gapped computers protected inside a Faraday cage—are back with new research showing how two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves. Air-gapped computers are believed to be the most secure setup wherein the systems remain isolated from the Internet and local networks, requiring physical access to access data via a USB flash drive or other removable media. Dubbed MOSQUITO, the new technique, discovered by a team of researchers at Israel’s Ben Gurion University, works by reversing connected speakers (passive speakers, headphones, or earphones) into microphones by exploiting a specific audio chip feature.

Mar. 13, 2018

Data breach victims can sue Yahoo in the United States: judge

Yahoo has been ordered by a federal judge to face much of a lawsuit in the United States claiming that the personal information of all 3 billion users was compromised in a series of data breaches.

Source: reuters.com

Mar. 12, 2018

China ALTERED its public vuln database to conceal spy agency tinkering – research

In November 2017, Recorded Future published research examining the publication speed for China’s National Vulnerability Database (CNNVD). While conducting that research, we discovered that China had a process for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations before publishing them to the CNNVD. In revisiting that analysis, we discovered that CNNVD had altered their initial vulnerability publication dates in what we assess is an attempt to cover up that evaluation process.

Mar. 12, 2018

‘Snitches Get Stitches:’ How Secure Phones for Criminals Are Sold on Instagram

On Saturday, Motherboard reported that the FBI has arrested the CEO of Phantom Secure, a company allegedly providing security-focused phones to international organized crime groups including the Sinaloa drug cartel. A key issue is whether Phantom deliberately created its product to help facilitate crime, which the criminal complaint alleges.

Source: vice.com

Mar. 12, 2018

Hacked Retail Robots Can Assault Customers With Porn and Demand Bitcoin

In their March 9 paper, “Robots want bitcoins too,” IOActive security researchers Lucas Apa and Cesar Cerrudo successfully created ransomware that could be used to compromise SoftBank Robotics’ NAO robot. Unlike traditional computer ransomware which threatens customers by encrypting their personal information, in the situation presented by the researchers, companies that rely on these robots for service would be forced to make a decision: pay the ransom or cease business.

Mar. 12, 2018

20% of all Node.js modules found vulnerable to injection attacks

If you’re using JavaScript on the server side (node.js), then you’ll want to understand the class of vulnerabilities described in this paper. JavaScript on the server side doesn’t enjoy some of the same protections as JavaScript running in a browser. In particular, Node.js modules can interact freely with the operating system without the benefit of a security sandbox.

The bottom line is this:

Mar. 12, 2018

The South America connection and the leadership on ATM Malware development

Around the globe, the region where criminals have achieved expertise and become highly professional is Latin America. As a result of this criminal union to steal money directly from ATMs, criminals and cybercriminals from Latin America have been developing brand new zero-day techniques and tools that are not found in any other place in the world.

Source: securityaffairs.co

Mar. 12, 2018

As the Ice Melts, Nuclear Submarines Train for Arctic War

The US Navy submarines USS Connecticut and USS Hartford are meeting the British Royal Navy sub HMS Trenchant under an ice floe on the Arctic Sea. The subs, each with a crew of more than 100 sailors, combined are bringing along scores of researchers from government agencies and universities.

Source: vice.com

Mar. 12, 2018

Somebody’s watching! When cameras are more than just ‘smart’

The researchers at Kaspersky Lab ICS CERT decided to check the popular smart camera to see how well protected it is against cyber abuses. This model has a rich feature list, compares favorably to regular webcams and can be used as a baby monitor, a component in a home security system or as part of a monitoring system.

Source: securelist.com

Mar. 12, 2018

DJI Spark hijacking

DJI drones have been on the radar of the hacker community for quite a long time. The interest of its members revolves mostly around unblocking some features of drones, setting control channels of drones to a higher frequency, and removing such restrictions as flight altitude limits or strictly set no-fly zones. Moreover, there are piles of publicly available info about jailbreaking drones.

The most useful know-hows produced by the community are gathered in several Github cross-referenced repositories. Those striving for knowledge may also check the community wiki dji.retroroms.info. For quite a while the website has been accessible as a web archive only, but now the wiki is available again.

Mar. 12, 2018

Fuzzing arbitrary functions in ELF binaries

I decided to give a decent test to the LIEF project. Executable parsers are not a new thing but that one piqued my curiosity (just like most Quarkslab projects) because it also provides dead simple instrumentation functions. To top it up, LIEF is easy to use and well documented, which is becoming a rare perk in the circus of infosec tools.

Source: github.io

Mar. 12, 2018

China eyes ‘black tech’ to boost security as parliament meets

At a highway check point on the outskirts of Beijing, local police are this week testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects.

Source: reuters.com

Mar. 12, 2018

The military keeps encountering UFOs. Why doesn’t the Pentagon care?

In December, the Defense Department declassified two videos documenting encounters between U.S. Navy F-18 fighters and unidentified aircraft. The first video captures multiple pilots observing and discussing a strange, hovering, egg-shaped craft, apparently one of a “fleet” of such objects, according to cockpit audio. The second shows a similar incident involving an F-18 attached to the USS Nimitz carrier battle group in 2004.

Mar. 11, 2018

Governments rely on Sandvine network gear to deliver spyware and miners

Researchers at human rights research group Citizen Lab have discovered that netizens in Turkey, Egypt and Syria who attempted to download legitimate Windows applications from official vendor websites (i.e. Avast Antivirus, CCleaner, Opera, and 7-Zip) have been infected with a nation-state malware.

Source: securityaffairs.co

Mar. 11, 2018

Master password in Firefox or Thunderbird? Do not bother

There is a weakness common to any software letting you protect a piece of data with a password: how does that password translate into an encryption key? If that conversion is a fast one, then you better not expect the encryption to hold. Somebody who gets hold of that encrypted data will try to guess the password you used to protect it.

Mar. 11, 2018

Senate Bill Meant To Punish Equifax Might Actually Reward It

The Equifax data breach affected around 148 million Americans. As the Washington Post reported, the affected people’s compromised information includes even partial driver’s license data. According to Bloomberg, this has made Equifax somewhat of a pariah in Washington.

Ironically, however, the Senate bill designed to punish the consumer credit reporting agency might actually reward it. A last-minute change, an amendment to the bill offered by its author Senate Banking Committee Chairman Mike Crapo, might help Equifax make millions of dollars in revenue.

Mar. 10, 2018

The SEC Kills Crypto Exchanges

It was only a matter of time. There were clearly signs this was going to happen already out there when the SEC went after defunct “exchange” BitFunder. Today, the SEC made its biggest announcement yet: all the crypto exchanges are illegal unless they register with the SEC.

Why is this important? It turns out the entire $400B cryptocurrency ecosystem is based on trading altcoins or utility tokens.