Wednesday, 14 April 2021

YT$AW: FBI Cleans Up Exchange Servers, NSA Tips Microsoft 4 More Bugs - Security Boulevard

Feds Fix Fails: Your tax dollars at work: The FBI and NSA have been helping fix the mess caused by the recent Microsoft Exchange hacking, and trying to prevent a further round of it.

Monday, 12 April 2021

Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again) - Security Boulevard

Crystal Ball ain’t so Crystal Clear: Iran’s Natanz nuclear centrifuge facility went dark yesterday. I can’t stand it—I know you planned it.

Thursday, 8 April 2021

Facebook Sucks: Huge 500M-User Breach ‘Is Your Fault’ - Security Boulevard

GDPR: Coming for Mark’s Money: Last week’s revelation of a half-billion-user leak is still reverberating around the news cycle. Despite Facebook’s attempts to make it go away, new inconvenient truths keep appearing.

Cryptominers flooding GitHub—and other cloudy dev services - TechBeacon

“This is why we can’t have nice things.” Owners of public GitHub projects have been noticing weird stuff recently: Random users are forking repos, then pull-requesting a change that includes an obfuscated GitHub Action.

Monday, 5 April 2021

Apple Fiddles While App Store Burns: $1M Bitcoin Scam FAIL - Security Boulevard

Tim’s Security Halo Slips: Phillipe Christodoulou got ripped off to the tune of more than a million dollars. An iPhone app stole 17.1 bitcoins from his Trezor hardware wallet.

Thursday, 1 April 2021

Ubiquiti Accused of Lying to Help Stock Price - Security Boulevard

UI PR FAIL: Ubiquiti disclosed a breach in January, implying it was the fault of a “third party.” But this week, an insider says the company lied: “It was catastrophically worse,” said the anonymous source.

PHP backdoored via Git hack: It’s no joke, so don't be a fool - TechBeacon

PHP Group will close its doors. The foolish moral of the story: How much of your infrastructure is built on badly funded open-source projects?

Tuesday, 30 March 2021

SolarWinds Hack: U.S. Govt Failure is Deeply Worrying - Security Boulevard

Your Tax Dollars at Work: The U.S. government is doing a piss-poor job of protecting Americans from foreign hackers. That’s the eye-catching conclusion made by a pair of Associated Press scribblers this week.

Friday, 26 March 2021

Alan Turing, WWII Cryptanalyst and Computer Pioneer, on New £50 Note - Security Boulevard

FAQ: About $69. The new 50 pound #banknote honors #AlanTuring. Breaker of Nazi #encryption, a father of computing and #AI pioneer, he’s immortalized on the latest plastic frogskin for England, Wales and Northern Ireland (Scotland issues its own fiat currency).

Thursday, 25 March 2021

Dark patterns outlawed in Californian data-sale opt-outs - TechBeacon

California has added new regulations to the CCPA—the state’s Consumer Privacy Act. It now prohibits dark patterns that prevent users opting out of having their personal data sold.

Tuesday, 23 March 2021

Biden ‘Will Cyberattack Putin’ (Because SolarWinds) - Security Boulevard

MAD World: White House sources confirm that President Joe Biden has authorized retaliation against the Russian government for the recent hacking attributed to Russia. No word of when nor how, but it’s said to be “devastating.”

Friday, 19 March 2021

Dirt Cheap DDoS for Hire, via D/TLS Amplification - Security Boulevard

Dirty Deeds: DDoS D/TLS — A new way of sending powerful denial of service traffic emerged this week. Malefactors are now misusing servers that talk Datagram Transport Layer Security (D/TLS).

Thursday, 18 March 2021

Another reason to stop SMS 2FA—think about this - TechBeacon

NNID abuse in NANP: SMS as a second factor in 2FA/MFA is a bad idea. Really bad. But you’ve heard me say so many, many, many times.

Tuesday, 16 March 2021

Hacker Site Hacked: WeLeakInfo Leaks Info - Security Boulevard

Blowback Karma

Friday, 12 March 2021

150,000 Verkada Cams Hacked, but it Gets Worse - Security Boulevard

After Tuesday’s horrifying news of the @VerkadaHQ data breach, now we learn that countless employees and interns routinely had full access to customers’ video feeds.😱 “Super admin” access was often abused, with no effective auditing, sources say.🧐

Thursday, 11 March 2021

Intel’s fully homomorphic encryption chip: Big science—bigger wait - TechBeacon

What if a public cloud could process encrypted data without knowing the #encryption key? That’s the “data-in-use encryption” problem. And it’s a hard one.

Tuesday, 9 March 2021

Huge Fallout from Microsoft Incompetence: Let’s Exchange Exchange - Security Boulevard

Nuclear Option: Drop Microsoft Email

Thursday, 4 March 2021

Chinese Exchange Hack: At Best, Microsoft is Incompetent - Security Boulevard

At Worst, Microsoft is Manipulative

Spectre returns to haunt us: Exploit hides in plain sight - TechBeacon

Specter of Spectre: scary

Tuesday, 2 March 2021

Unknown Hacker Grabs Gab’s Data, DDoSecrets Doesn’t Leak it - Security Boulevard

The Gift that Keeps on Giving

Friday, 26 February 2021

‘Dangerous’ RCE in VMware: Patch, or the Puppy Gets It

Music of the vSpheres

Thursday, 25 February 2021

China stole NSA zero day—4+ years before Shadow Brokers leak - TechBeacon

APT31 vs. S32: FIGHT!

Friday, 19 February 2021

SolarWinds Hack: ‘All is Well,’ Microsoft Shrugs - Security Boulevard

“Trust Us (Except Don’t)”

Thursday, 18 February 2021

Oracle is Said to Help China Find Dissidents and Jail Minorities - Security Boulevard

When Larry Met 习

Lesson from supply chain attacks: Beware 'dependency confusion' - TechBeacon

After Alex Birsan’s $130,000 bug-bounty haul last week, hundreds of bogus npm packages have popped up out of nowhere. They appear to have been published by copycat researchers—some of whom have less-than-pure intentions.

The moral of the story? Make sure the code you’re importing really is the code you think you’re importing.

Monday, 15 February 2021

Internal Leak of 4,887 Users: Yandex Employee Fate Unknown - Security Boulevard

$YNDX Stays Schtum

Friday, 12 February 2021

Thursday, 11 February 2021

There are no good app stores. Not iOS nor Android. Change my mind - TechBeacon

The moral of the story? Watch out for scam clones of your app, and for bad reviews targeting similarly named apps.

Tuesday, 9 February 2021

Water Supply Poisoned by Hacker in Oldsmar, Fla. - Security Boulevard

TeamViewer Vulnerability Probed

Thursday, 4 February 2021

The SolarWinds Story Keeps Getting Worse: China Too? - Security Boulevard

Time to Ring the Changes?

Stolen: perl.com and other domains—was Web.com socially engineered? - TechBeacon

“How you dune?”

Monday, 1 February 2021

Bad Security Bug in GnuPG: C Language Blamed (Yet Again) - Security Boulevard

Rabbits, White Rabbits

Friday, 29 January 2021

BlastDoor: iOS 14’s Shield Over Zero-Click Attacks - Security Boulevard

Talk Nerdy to Me

Thursday, 28 January 2021

This is HUGE: Cops Nuke Emotet Crimeware C2 - Security Boulevard

Hey. Where’d Heodo Go?

APT team attacks white hats: Google fingers North Korea - TechBeacon

The moral of the story? Social engineering isn’t only for normies. Whether you’re an IT puke, an agile Dev(Sec)Ops sprinter, or a 1337 haxor: Question everything.

Wednesday, 27 January 2021

ADT Installer Hacks Home Cams for Sexual Thrills - Security Boulevard

Deep in the Heart of Texas

Friday, 22 January 2021

FBI to Investigate Parler, New Russian Host will be Revoked - Security Boulevard

Don’t Mess with Texas National Guard

Thursday, 21 January 2021

Trump Hates Cloud, Because China Cyber? - Security Boulevard

Parting Shot at IaaS

Old macOS component defeats malware researchers for 5 years - TechBeacon

Legacy bites Apple

Monday, 18 January 2021

Capitol Rioters ID’ed With Help From Dating Apps - Security Boulevard

Don’t Tread On My Statue

Friday, 15 January 2021

Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom? - Security Boulevard

Project Zero Keeps Schtum

Thursday, 14 January 2021

Scraped Parler data reveals countless Capitol perps - TechBeacon

The moral of the story? Protect your object references. And throttle attempts to scrape. And strip metadata. And don’t render deleted objects.

Monday, 11 January 2021

Hackers Didn’t Only Use SolarWinds to Break In, Says CISA - Security Boulevard

CISA Is Watching

Thursday, 7 January 2021

WhatsApp/Facebook Data Sharing: Pants On Fire? - Security Boulevard

Pinky Swear

SolarWinds hack: Who’s to blame? It’s complicated. - TechBeacon

US? SWI? MSFT? PE?

Monday, 4 January 2021

Zyxel’s Ridiculous Backdoor: Happy New Year, Now Patch Your Gear - Security Boulevard

Taiwanese Trash or Deliberate Door?