Friday, 30 September 2022

Warning: N. Korean Job Scams Push Trojans via LinkedIn - Security Boulevard

This glory of the wise people
Weird things are happening on LinkedIn. Scammers, believed to be working for North Korea, are creating fake profiles and targeting job applicants.

Thursday, 29 September 2022

“The OG App” Devs’ Facebook Ban | WFH vs. NYC Real Estate | Calif. Pay Law is GO - DevOps.com

The moral of the story: Misery acquaints a man with strange bedfellows

Wednesday, 28 September 2022

DevOps teams: BGP security is BAD. But you can fix it - ReversingLabs

“It’s always DNS” — unless it’s BGP: The security of the Border Gateway Protocol (BGP) is laughable. But we all rely on it every day. For everything.

Tuesday, 27 September 2022

Russia ‘Plans’ HUGE Cyberattack on Critical Infrastructure - Security Boulevard

Glory to Ukraine — Glory to the Heroes
The Ukrainian government has warned that Russia is planning a massive attack against critical infrastructure. And not just that of Ukraine, but also of its allies.

Monday, 26 September 2022

Alleged Russian RSOCKS Hacker: ‘Send Me to US’ - Security Boulevard

Short Socks Selfie
The supposed owner of RSOCKS—a huge illegal botnet that provided anonymous proxy services to scrotes—wants to be extradited to the U.S. He claims to have information authorities here will want to hear.

Thursday, 22 September 2022

Wipro Fires 2-Job Staff | Python Bug from 2007 | Lite Layoffs - DevOps.com

The Moral of the Story: I wish my horse had the speed of your tongue

Rust finds its mojo: Move forward to memory-safe code - ReversingLabs

The time is now
It’s confirmed: The Linux kernel will have Rust support soon. Also this week, Microsoft’s Azure CTO said the age of C++ is over—Rust is the future.

Tuesday, 20 September 2022

Hate Site Hacked — Kiwi Farms is ‘Very, Very Owned’ - Security Boulevard

Doxxers Doxxed — Swatters Swatted?
Kiwi Farms, the notorious web forum for harassing feminists, the neurodivergent and LGBTQ+ people, has itself suffered the ultimate harassment. Its services were secretly infected for weeks by an injected script that exfiltrated data about its users.

Monday, 19 September 2022

Victims of Gym Phone Theft Lose $10,000 Each (Because SMS 2FA) - Security Boulevard

SMS 2FA: Go Away
A spate of thefts from gym lockers is reminding us that SMS based two-factor authentication (2FA) is utter, utter garbage. A fraudster is stealing phones and debit/ATM cards, using them to rack up big bills in London.

Friday, 16 September 2022

Uber Hacked: Its Security is ‘Awful’ and ‘Weak’ - Security Boulevard

People Prefer Proper Taxis: Fake taxi-cum-takeout service Uber was fully pwned this week. The company says it’s “responding to a cybersecurity incident,” whatever that means.

Thursday, 15 September 2022

Heat Cooks Twitter DC | AI Will Kill All Humans | Patreon Layoffs, CSAM Claim - DevOps.com

The Moral of the Story: Misery acquaints a man with strange bedfellows

Why Twitter security sucks: Half of staff has PII access - ReversingLabs

No locks on the doors: Peiter “Mudge” Zatko (pictured) was grilled by U.S. senators this week. Twitter’s former head of security has some damning things to say about the service’s DevOps security — or lack of it.

Tuesday, 13 September 2022

Retbleed Security Fix Makes Linux go 70% Slower - Security Boulevard

Must Try Harder: The Linux kernel workaround for the ‘Retbleed’ vulnerability is causing a huge slowdown in tests. Performance runs of VMware guests show results up to 70% worse on slightly old hardware.

Friday, 9 September 2022

Patreon Fires its Security Team — and the Internet Freaks Out - Security Boulevard

Not OK, Jack: Patreon, the notorious membership monetization platform, laid off its entire security team yesterday. Just like that. Ouch.

Thursday, 8 September 2022

How’s Facebook Work? They Don’t Know! | Cali. Pay Law | NASA RISC-V Launch - DevOps.com

The Moral of the Story: Long live the King

U.S. schools developers on supply chain security - ReversingLabs

Feds’ big yawndoc: The U.S. government is schooling developers in a new document, Securing the Software Supply Chain. The NSA, CISA and the Office of the Director of National Intelligence (ODNI) have the lead.

Tuesday, 6 September 2022

TikTok Hack: 2B Records Leak — but ByteDance Denies - Security Boulevard

For You Plague: TikTok was hacked, with over two billion records stolen. Or so says notorious leak group BlueHornet (a/k/a AgainstTheWest, AggressiveCurl). But TikTok says not.

Friday, 2 September 2022

Hackers Hail all Taxis in Moscow — HUGE Gridlock for 3 Hours - Security Boulevard

In Post-Soviet Russia, Taxi Order YOU:
Ukraine supporters hacked Russia’s biggest ride hailing app, Yandex Taxi. They sent every available cab to a single address, all at once.

Wednesday, 31 August 2022

Stable Diffusion Goes Public — and the Internet Freaks Out - DevOps.com

The Moral of the Story: What fools these mortals be

LastPass hacked (again): What devs can learn - ReversingLabs

LastChance for its reputation?
The latest LastPass hack: Bad actors stole source code and other secrets from the huge password-manager firm’s dev environment. But not, it stresses, anyone’s passwords — as far as it can tell.

Tuesday, 30 August 2022

0ktapus/‘Scatter Swine’ Hacking Gang Stole 10,000 Corp Logins via Twilio - Security Boulevard

Stop SMS 2FA Already: More on the Twilio débâcle from earlier this month: Researchers reveal the hackers swiped at least 9,931 user credentials from more than 130 organizations.

Thursday, 25 August 2022

Force Me Back to the Office? Apple ‘Hasn’t Learned Anything’ - DevOps.com

The Moral of the Story: The tempter or the tempted—who sins most?

Hyundai devs used sample code signing keys, making updates vulnerable - ReversingLabs

Hyundai: ‘Leading by example’
Developers of the entertainment unit in the Hyundai Ioniq didn’t seem to follow the sample code they were using. They reused an RSA code-signing key pair from an example, rather than generating their own.

Tuesday, 23 August 2022

Oracle’s HUGE Ad Data Graph is ‘Illegal Panopticon’ — 5 BILLION People Big - Security Boulevard

Does Redwood City Have Limits?
Oracle “illegally” collects and links data about you, selling it to the highest bidder—all without your consent. Online and offline, your privacy is invaded daily—so says a California class action lawsuit.

Monday, 22 August 2022

NSO Group Fires CEO — and 100 Staff — in Spyware ‘Streamlining’ - Security Boulevard

NSO CEO Go — NSO now ‘NO’?
NSO, notorious producer of the Pegasus nation-state spyware, is struggling. So it’s dumped its CEO, Shalev Hulio, and around 100 employees.

Friday, 19 August 2022

VPNs Don’t Work on iOS — and Apple Doesn’t Care - Security Boulevard

VPN: The P is for PR — bad PR
“VPNs on iOS are a scam.” That’s what an angry security researcher would have you believe. He’s fed up of reproducing and documenting a serious iOS bug that Apple just won’t fix.

Thursday, 18 August 2022

Agile Sucks (Redux) | Plus: DevOps on Mars - DevOps.com

The moral of the story: Summer’s lease hath all too short a date

Just for devs: Best of Black Hat and DEF CON - ReversingLabs

Hacker summer camp is back, baby: Lots happened in Vegas last week. Most of it should have stayed in Vegas. But some of it bears digging out from piles of mediocre nonsense.

Monday, 15 August 2022

Gmail Lets Candidates Spam You — FEC FAIL - Security Boulevard

Email is a Mass Noun: Politicians convinced the Federal Election Commission (FEC) that Google must give them a free pass through Gmail’s spam filters. They want la GOOG to ignore user preferences and deliver their “delightful” fundraising missives direct to your inbox.

Friday, 12 August 2022

Cisco Pwned by ‘Russian’ Gang — Data Leaked, Egg on Face - Security Boulevard

MFA FAIL: Cisco got hacked by a ransomware gang—a broker for the UNC2447 threat actor, linked to the Yanluowang crew (pictured). This was way back at the end of May, but Cisco’s only now talking about it.

Thursday, 11 August 2022

We Must Kill ‘Dinosaur’ JavaScript | Microsoft Open Sources 3D Emoji - DevOps.com

The moral of the story: The Devil hath power to assume a pleasing shape

DevOps: Fix your dangerous redirects! Amex shows how - ReversingLabs

And Snap shows how not: Recent ‘LogoKit’ spear phishing campaigns have misused open redirect URLs in web apps from Snapchat and American Express. When alerted, Amex quickly fixed the hole, but Snap’s is still open after more than a year.

Tuesday, 9 August 2022

Twilio Fails Simple Test — Leaks Private Data via Phishing - Security Boulevard

“Sophisticated” Sophistry: Twilio (NYSE:TWLO) customer data has leaked—after a simple phishing attack on employees. The firm isn’t saying how many end-users are affected, but it could run into the millions.

Monday, 8 August 2022

Slack App Leaked Hashed User Passwords for 5 YEARS - Security Boulevard

‘One Way’ Hash — Yeah, Right: Since 2017, if you’ve invited anyone to a Slack workspace, your password has leaked—albeit in the form of a salted hash. People are asking how this could have happened, and how it remained undetected for so long—more than five years.

Friday, 5 August 2022

US Emergency Alert System Has ‘Huge Flaw’ — Broadcasters Must Patch NOW - Security Boulevard

EAS FAIL (FEMA IPAWS): The Emergency Alert System (EAS) run by FEMA and the FCC is vulnerable to hacking. Imagine the vast potential for panic and chaos if a fake alert was widely broadcast.

Thursday, 4 August 2022

Recession! DevOps Hiring Freeze | Data Centers Suck (Power) | Intel to ‘be’ Wi-Fi 7 - DevOps.com

The moral of the story: There’s no point in questioning authority if you aren’t going to listen to the answers

Post-quantum algo ‘SIKE’ dead: Did math geeks find key-encap back door? - ReversingLabs

NIST nixes PQC postulant: Here’s more on NIST’s search for post-quantum cryptography (PQC): This week, is it in trouble? Breathless headlines would have you believe it, because researchers found a way to easily break the SIKE key encapsulation algorithm.

Tuesday, 2 August 2022

FAIL: Nomad DeFi Bridge ‘Loses’ $190M of Worthless Tokens - Security Boulevard

I’ve Got a Bridge to Sell You: Cryptocurrency startup Nomad allowed thieves to steal all its fake money. It’s the latest dangerous DeFi API vulnerability in a long line of such failures.

Friday, 29 July 2022

Solved: Subzero Spyware Secret — Austrian Firm Fingered - Security Boulevard

DSIRF ‘is’ PSOA: MSFT—DSIRF GmbH, codenamed ‘Knotweed’ by Microsoft and RiskIQ, is an unknown Austrian company accused of selling the powerful, pernicious spyware Subzero.

Thursday, 28 July 2022

Google ‘Delays Making Less Money’ — Third-Party Cookie Ban on Hold - Security Boulevard

#AdTech Digs in its Heels: Google’s plan to kill third-party cookies is delayed—yet again. It was going to be this year, then it was pushed back to next year and now we’re told it’ll be 2024 at the earliest.

Carbon aims to fix C++ memory safety (and other big flaws) - ReversingLabs

C++ WG no longer apt? C++ sucks: It’s no good on memory safety, it’s unergonomic, has far too much legacy cruft and suffers from gatekeepers who won’t move with the times. Enter: Carbon.

Tuesday, 26 July 2022

VW CEO Fired for Dev Fails | Fiber Shortage Hits | Google Fires Blake Lemoine - DevOps.com

The moral of the story: Sweetest things turn sourest by their deeds

Monday, 25 July 2022

Finally! Windows to Block Password Guessing — by Default - Security Boulevard

PSA: Keep RDP off the Net. Brute-force guessing of Windows credentials is a common entry point for ransomware scrotes and other hackers. After almost 30 years, Microsoft is finally fixing the dumb default that allows criminals to try to log in again and again and again.

Thursday, 21 July 2022

MiCODUS Car Trackers are SUPER Vulnerable and Dangerous - Security Boulevard

$20 GPS IoT Garbage: An add-on vehicle tracker is incredibly insecure—to the point it’s dangerous to use. The MV720 and other products sold by MiCODUS are full of easily exploited bugs.

AI ethics for DevOps: Diversity and ‘Kill All Humans’ - ReversingLabs

Game’s over, losers! AI has a big ethics problem. And it’s down to Dev and Ops to fix it.

Tuesday, 19 July 2022

3 New WFH and Hybrid Work Trends That YOU Need to Grok - DevOps.com

The moral of the story: Many a true word hath been spoken in jest

Monday, 18 July 2022

Two-Faced Facebook: Foils Privacy Plugins by Encrypting URLs - Security Boulevard

“I’m committed to doing this well.” —M. Zuckerberg, 2019.
Facebook is rolling out a new link schema—to fight privacy browsers and privacy plugins. The updated URLs hide Facebook’s user-tracking IDs so they can’t be stripped off.

Thursday, 14 July 2022

Red Hat CEO: Out | Blind Users: Revolt | ARM: Google Joins Party - DevOps.com

The moral of the story: All things are ready, if our mind be so

Devs: Prep for PQC — post-quantum cryptography - ReversingLabs

NIST’s nice PQC picks: Experts agree we need new key-exchange and signature algorithms—so we can resist attacks from quantum computing. Several organizations have had a go at selecting some, but now the National Institute of Standards and Technology has weighed in.

Tuesday, 12 July 2022

Experian FAILs yet Again — Hackers can Change Your Email Address - Security Boulevard

Useless idiots: Credit reporting agency Experian has a nasty vulnerability: Bad actors can hijack your account simply by creating a new one with your stolen information.

Monday, 11 July 2022

US Gov’t Flip-Flops on NSO Group Sale to L3Harris - Security Boulevard

POTUS vs. CIA and FBI: NSO Group, notorious makers of the notorious Pegasus spyware, has been in acquisition talks with a huge U.S. government defense contractor you’ve never heard of: L3Harris Technologies, Inc. Doesn’t that give you a warm, tingly feeling inside?

Friday, 8 July 2022

STUPID Microsoft U-Turn: Unblocks Malicious Macros in Office - Security Boulevard

VBA FAIL 365: Microsoft stunned security professionals by reversing a change that prevents Office from auto-running macros. So don’t expect the malware problem to improve any time soon.

Thursday, 7 July 2022

Dev Job Phisher Steals $540M | Patch OpenSSL NOW | Systemd Dev Joins Microsoft - DevOps.com

Be great in act, as you have been in thought:

Devs: Don’t do DIY cryptography — Police CyberAlarm shows why - ReversingLabs

Wake up—don’t snooze: It’s a truism often repeated: Don’t roll your own cryptography! There are countless traps lying in wait for the unwary—so stick to trusted, tested libraries and beware the unknown unknowns.

Tuesday, 5 July 2022

‘ChinaDan’ Hacks 1 BILLION Police Records from Shanghai: 23TB of PII for Sale - Security Boulevard

CCP LOL—SHGA PII BBQ: “China’s Largest Data Leak” is causing a kerfuffle in Beijing. A hacker calling themself ChinaDan is holding 23 terabytes of personal data for ransom.

Thursday, 30 June 2022

Rust in Linux 5.20 | Deepfake Hiring Fraud | IBM WFH ‘New Normal’ - DevOps.com

The moral of the story: If we are true to ourselves, we can not be false to anyone

Copilot's rocky takeoff: GitHub ‘steals code’ - develop.secure.software

Robocode in disguise: Should you use GitHub Copilot? “No,” say open-source fans. “Heck no,” say lawyers. “Yeah,” say the sort of devs who do StackExchange copypasta without a second thought.

Tuesday, 28 June 2022

Russian Hackers Declare War on Lithuania — Killnet DDoS Panic - Security Boulevard

NATO Member Attacked: NATO member Lithuania is under attack from Russian hacking group Killnet. The attacks have been going on for the past week.

Monday, 27 June 2022

ADPPA US Privacy Law: Coming Soon in Wake of Roe v. Wade Redo - Security Boulevard

Welcome to Gilead: We could soon have a federal GDPR—or something similar, at least. Draft legislation is speeding its way through the House of Representatives.

Friday, 24 June 2022

NSA Wants To Help you Lock Down MS Windows in PowerShell - Security Boulevard

Make Monad Great Again: A new cheatsheet from four infosec agencies is making the rounds. The NSA and CISA, together with their cousins in the UK (NCSC) and New Zealand (GCSB), have dreamed up some new recommendations to secure your Windows PCs and servers.

Thursday, 23 June 2022

Cloudflare Outage Outrage | Yet More FAA 5G Stupidity - DevOps.com

The Moral of the Story: Look like the innocent flower, but be the serpent under it

Rejoice, devs and all! Privacy Pass standard nukes CAPTCHAs - develop.secure.software

IETF says I’m human:

Tuesday, 21 June 2022

Hacker Paige Thompson Could Face 45 Years in Prison — ‘Suicide by Law Enforcement’ - Security Boulevard

‘Ethical Hacker,’ Said Failed Defense Plea: Capital One hacker Paige A. Thompson has been found guilty. A jury didn’t buy the defense story of a mere ethical hacker embarrassing a big corporation.

Friday, 17 June 2022

HIPAA FAIL: ~33% of Hospital Websites Send PII to Facebook - Security Boulevard

#DeleteFacebook: A study shows many U.S. hospitals are leaking personal information to Facebook. Patients’ data is silently scarfed up by the Meta Pixel tracking widget.

Thursday, 16 June 2022

Cloud Giants Shun Wind Power? | LaMDA not Sentient? | MS IE RIP? - DevOps.com

The moral of the story: Brevity is the soul of wit.

Software supply chain alert: ‘7 million’ cleartext access tokens in Travis CI logs - ReversingLabs

Rotate your tokens!

Monday, 13 June 2022

Apple M1 Flaw Can’t be Fixed — PACMAN Panic - Security Boulevard

MIT ARM PAC Hack: Apple’s M1 chip isn’t as safe from buffer overflows as previously thought. M1 and other designs based on ARMv8.3 can have their protections neutered.

Friday, 10 June 2022

Tesla Fails Yet Again: Hackers can Steal Cars via NFC - Security Boulevard

NFC: ‘No F***ing Chance’ it’s Secure. Tesla Models 3 and Y can be unlocked and stolen via a bug in their NFC software. Late model S and X cars are probably vulnerable, too.

Thursday, 9 June 2022

DoJ, FBI, IRS Make Empty Boast: SSNDOB ‘Seized’ - Security Boulevard

Just a Speedbump on the Road to Crime: A collection of law enforcement agencies are gloating over their “seizure” of the notorious SSNDOB marketplace, which traded in stolen personal information. But the action seems too little, too late.

How to make C++ memory-safe? Chrome targets UAF bugs with garbage collection - develop.secure.software

Peace sign of the times:

Tuesday, 7 June 2022

Verizon’s Legionella Bugs | Bolt’s Dot-Bomb Echo | Yandex’s Russian CEO Quits - DevOps.com

The moral of the story: Life … is a tale told by an idiot—full of sound and fury, signifying nothing

Monday, 6 June 2022

Broken Windows: ‘Follina’ Flaw not Fixed — For 22 MONTHS - Security Boulevard

The Last Straw for Windows Users? A nasty zero-click, zero-day RCE bug remains unpatched. All supported versions of Windows, plus Windows 7, are affected.

Thursday, 2 June 2022

Tim Hortons ‘Misled’ Customers on Location Privacy — ‘Poorly Designed’ App Tracked Users 24×7 - Security Boulevard

You’ve Always Got Time for Privacy: Canadian coffee-and-doughnuts joint Tim Hortons has been politely rebuked by The Office of the Privacy Commissioner of Canada (OPC). Always fresh.

Proposal: It’s time to regulate and license devs - develop.secure.software

‘The end of IT as we know it’:

3xFAIL: IPv6 Fails | Fintech Fails | Firefox Fails - DevOps.com

The moral of the story: Better three hours too soon than a minute too late.

Thursday, 26 May 2022

Digital Driver’s License Fails Spectacularly — ‘Laughably Easy’ to Forge - Security Boulevard

ServiceNSW’s Reaction was NSFW: Is your state implementing a digital driver’s license? You’d better hope it does better than the Australian state of New South Wales.

Wednesday, 25 May 2022

Go Language is Popular? | VMware Sells to Broadcom? | Unlimited PTO? - DevOps.com

The moral of the story: I like this place and could willingly waste my time in it

Tuesday, 24 May 2022

Zola Wedding App ‘Hacked’ — Victims Lose BIG Money - Security Boulevard

2FA and PCI FAIL? A wedding planning startup, Zola, has been hacked—or so it seems. But the company denies this, blaming its users for reusing passwords.

Thursday, 19 May 2022

‘Incompetent’ Tesla Lets Hackers Steal Cars — via Bluetooth - Security Boulevard

Elon Needs Another Dead Cat: The Tesla Model 3 can be unlocked and stolen via a simple relay attack. The Model Y is probably vulnerable, too.

Tuesday, 17 May 2022

Apple Allows 50% Fee Rise | @ElonMusk Fans: 70% Fake | Microsoft Salaries up by 100%? - DevOps.com

The moral of the story: Expectation is the root of all heartache

Monday, 16 May 2022

Do You Want Secure Supply Chains? SHOW ME THE MONEY - Security Boulevard

1.5 Million Benjamins Needed: The Open Source Security Foundation and Linux Foundation have a plan to fix our broken software supply chains. OpenSSF has published the 10-step program and asked industry to pony up $150 million as a down payment.

Friday, 13 May 2022

MAJOR Justice Dept. Breach — ‘Time for Drastic Measures’ - Security Boulevard

DEA 2FA TLA BBQ: Criminals have access to Justice Department databases, we’re told. Scrotes can write fake data as well as read highly sensitive information, said a credible report.

Thursday, 12 May 2022

EU Has Lost the Plot, Will Ban Encryption — Think of the Children - Security Boulevard

Here We Go Again: The European Union “is failing to protect children.” This stunning admission came from socialist “commissioner,” Ylva Johansson (pictured). She says something must be done—and, yes, what they’re proposing is indeed something.

Tuesday, 10 May 2022

Agile/Scrum is a Failure – Here’s Why - DevOps.com

The moral of the story: The fault is not in our stars—but in ourselves

Monday, 9 May 2022

Putin’s ‘Victory Parade’ TV Show Hacked: ‘Blood on Your Hands’ - Security Boulevard

Vladimir vs. Volodymyr: Ukrainian hackers and their friends continue to pummel Russian computers. And it’s not just DDoS pranks: “Hundreds of millions of documents” are being leaked.

Friday, 6 May 2022

Biden Revs Up US Quantum Plans (Because China) - Security Boulevard

Don’t Say the C-Word: This week, the White House issued a memorandum and executive order that put a shedload of wood behind the quantum-computing arrow. The president wants industry to prep for the coming days when powerful quantum computers are reality. And he’s assembling a committee of experts.

Thursday, 5 May 2022

Twitter/Bluesky ADX Algorithm | Cloud Energy Use ‘Tripled’ | Apple Staff are Revolting - DevOps.com

The Moral of the Story: May the Fifth be with you

Tuesday, 3 May 2022

Spanish Govt. Hacked by NSO Pegasus Spyware (or was it?) - Security Boulevard

Dead-Cat Distraction? The prime minister and the defense minister of Spain were both infected with Pegasus last year. The notorious spyware, sold by NSO Group “only to governments,” was said to have caused large amounts of data to be exfiltrated to persons unknown.

Thursday, 28 April 2022

Ukraine Beats Russia in Cyberwarfare — at ‘Unprecedented Scale’ - Security Boulevard

Grip the Table Harder, Vlad: Russia is attacking Ukraine with cyberattacks and psyops. Microsoft PR is crowing about all the events Redmond has “observed.”