PoC for bug available, based on test case from the commit that fixed the bug. Crashes the Chrome renderer process. worthdoingbadly.com/

⚠️ If you're using the 5.0 branch, update to version 5.0.1 now! ⚠️
Fixes for 7 vulnerabilities. Some allow site takeover, and also a pretty serious privacy leak.
zdnet.com/article/wordpress-pl

Good research by Checkpoint security researchers. Quite shocking results: they found over 50 vulnerabilities in Reader in 50 days. One of the bugs was already reported and being exploited in the wild.
research.checkpoint.com/50-ado

Modus operandi:
1: attacker enters building and connects device to local network
2: remotely connect to device and scan network to gain access to additional resources
3: log into target system, use remote access SW to retain access
securelist.com/darkvishnya/891

Linux[.]org was hacked on Friday. Attackers switched DNS servers to their own site. Web admin recognizes that he should have put multi-factor authentication on his registrar account, but also blames Whois. Euhm, what?
theregister.co.uk/2018/12/07/l

New zero-day (CVE-2018-15982) actively exploited in the wild.

TL;DR:

1) stop using Flash!
2) if 1 not possible, patch now!

thehackernews.com/2018/12/flas

It seems that VTech improved the communication about the vulnerability in one of its tablets (only after a BBC Watchdog probe).
Shall we still agree not to buy spying devices for your kids?
bbc.com/news/technology-464405

Fake app offered to read users' heart rate and asked them to place their fingers on the Touch ID sensor to trick them into paying $90 for it. Already removed by Apple.
ubergizmo.com/2018/12/fake-hea

Atrium Health breached. Breach caused by the org's 3rd party billing vendor. Unauthorized access between September 22 and September 29. Names, addresses, DOB, insurance policy information, medical record numbers and account balances stolen.
zdnet.com/article/atrium-healt

Shall I? She is a coveted born again Christian, I think Mrs Elizabeth A. Johnson from Bahrain and I might be on the same wavelength...
The font is so gorgeous 😍😍😍💩

In other news I bought myself a lifetime Shodan subscription for only $5. The deal is on.

Smooth user experience, PayPal. FFS, I have to wait minutes for the 2FA code via SMS before I can log in. Come on, at least offer 2FA via authenticator apps.
Another example of unbalanced vs.

Well written @wired piece about the real risks of using free wifi nowadays
TL;DR: If you're no high-value target you're probably safe, as most (commonly used) websites are served over HTTPS.
wired.com/story/hotel-airport-

Not surprisingly, I noticed that several people in the mail were in @haveibeenpwned in the same breach(es) as I was in.

Compared with Gmail, Microsoft Outlook does a poor job. This obvious mail was delivered to my inbox instead of to the spam folder, and download of attachments isn't disabled either. Had to obfuscate the To addresses because of the crook violating 🤦‍♀️😜

Must be said that Google does a real good job at anti protection. Disabling the download of a malicious attachment is how you can really protect users from falling victim.

Russian banks hit by major attacks from 2 hacker groups.
The attack involved emails claiming to come from the Central Bank of Russia containing malicious .zip file attachments.
zdnet.com/article/russian-bank
