Wednesday 21 December 2022

AWS Saves Ukraine’s Data | WPF ‘is not Dead’ (yet) | Devs Quit for Cash -

The moral of the story: Everybody wants to be famous—but nobody wants to do the work

Tuesday 20 December 2022

DraftKings fantasy? How YOU can prevent credential stuffing attacks - ReversingLabs

I’ll choose a mask to look like you: There’s been a huge uptick in a type of low-effort hacking, where bad actors crack accounts of people who reuse passwords. They simply feed off of data from previous credential breaches.

Monday 19 December 2022

GitHub Secret Scanning is now Free (as in Beer) - Security Boulevard

Can You Keep a Secret? Microsoft’s GitHub source control service will help stop devs accidentally embedding secrets in public code repositories. A new free service will let you know if you’ve done something you shouldn’t have.

Friday 16 December 2022

Operation PowerOFF: DDoS Sites Denied Service (by US, UK, Europol) - Security Boulevard

FBI and Friends Pull the Plugs: Around 50 so-called booter DDoS sites have been nuked by international law enforcement. And seven of their alleged administrators have been charged.

Thursday 15 December 2022

EU Data Privacy: Try Again | SkyPilot: Choose Cheapest Cloud | WFH: Better Meetings -

The moral of the story: If you want the rainbow, you gotta put up with the rain

Wednesday 14 December 2022

Ahoy! More insecure code washes ashore with AlphaCode - ReversingLabs

Below-average code: Alphabet’s DeepMind brings us AlphaCode — another AI code-generating parlor trick. And, just like its large language model cousins, it can spit out buggy code.

Tuesday 13 December 2022

Rust: Officially Released in Linux 6.1 Kernel - Security Boulevard

Linus Counts to 6.1: At the weekend, Linus Torvalds hit the button, releasing Linux 6.1 to the world. Among other security features is support for writing parts of the kernel in Rust.

Friday 9 December 2022

TikTok Ban: Texas is Fourth State to Join; Indiana Sues

Data Stealers Wheeled Away: Four U.S. states have now banned TikTok on government workers’ devices: Maryland, South Carolina, South Dakota and now Texas.

Thursday 8 December 2022

Dead Downtown: It’s YOUR Fault | Pentagon’s FOUR Cloud Vendors | Apple Adds MORE Price Flexibility -

The moral of the story: Turn your wounds into wisdom

Wednesday 7 December 2022

ChatGPT: Parlor trick or Stack Overflow replacement? - ReversingLabs

Of all the friends I’ve had, you’re the first: Conversational AI language model ChatGPT can write code. But is it any good? Better than Copilot? Good enough to replace real people on Stack Overflow?

Tuesday 6 December 2022

APT41 Sent US Covid Cash to China — Wicked Panda - Security Boulevard

Keep Your Storied Pomp — Give Me Your Money: Chinese hackers stole tens of millions of dollars from PPP, the federal Paycheck Protection Program. So say Secret Service sources.

Monday 5 December 2022

Russia Hit by New ‘CryWiper’ — Fake Ransomware - Security Boulevard

Vlad sobs: A new wiper malware is destroying data on Russian government PCs. Dubbed CryWiper, the dastardly Trojan is targeting only certain agencies.

Friday 2 December 2022

More Lies: Anker’s Eufy Pants on Fire — ‘No Cloud’ Cams Send to Cloud - Security Boulevard

Euf***ed Up: Eufy home security cameras and doorbells are insecure. They send your photos to the cloud with minimal protection and serve up video across the internet with useless encryption.

Thursday 1 December 2022

AWS re:Invent — Top 4 Things We Learned This Week -

The moral of the story: The unexamined life is not worth living

Wednesday 30 November 2022

Meta’s GDPR fine: Why your DevOps needs red teaming - ReversingLabs

Finebook: Meta’s been fined $276 million for leaking people’s PII. But the leak wasn’t directly via a vulnerability, but rather due to data scraping. Helen Dixon (pictured), the head of Ireland’s GDPR regulator, ruled that Meta should have prevented the scrape.

Tuesday 29 November 2022

Naked TikTok Girls = Malware Mayhem #InvisibleFilter - Security Boulevard

TrickTok: TikTok’s ‘Invisible Body’ challenge was too tempting for malware scrotes to pass up. It was the perfect opportunity to thirst-trap people into downloading an info-stealing Trojan.

Monday 28 November 2022

U.S. and UK Ban More Chinese Kit as Xi’s Grip Weakens - Security Boulevard

‘Oh, bother,’ said Pooh: Two key members of the Five Eyes intelligence alliance have made further moves to stop Chinese equipment imports. The fear is that Chinese companies can be “persuaded” by the Chinese Communist Party to help them spy on us.

Wednesday 23 November 2022

‘This is Appalling’ — Tax-Prep Sites Leak PII to Facebook - Security Boulevard

Taxing times for Meta: Some incredibly personal details are being sent to Facebook, without your consent. H&R Block, TaxAct, and TaxSlayer are accused of selling your data to Meta.

Your support must scale: Don’t be like Meta, dev teams - ReversingLabs

Facebook farce: A rash of small businesses on Facebook found their accounts locked after being hacked. And it’s impossible to contact Meta to get the problem fixed.

Tuesday 22 November 2022

iPhone Privacy ‘Lies’ Exposed Again: Apple Analytics not Anonymous - Security Boulevard

No better than Google—perhaps worse: Apple has been caught lying in a privacy policy. So say the now-notorious security researchers at Mysk.

Monday 21 November 2022

DevOps, Drought and Climate | Meta❤️PTP -

The moral of the story: Life is not a problem to be solved, but a reality to be experienced

Friday 18 November 2022

Oops! Meta Security Guards Hacked Facebook Users - Security Boulevard

‘Oops’ not Even the Half of It: Facebook parent Meta has disciplined or fired at least 25 workers for allegedly hacking into user accounts. Some of the workers were contract security guards, we’re told.

Thursday 17 November 2022

Data Centers IN SPAAACE | Discord GDPR Fine | AWS Fires Dead Wood -

The moral of the story: To write about life, first you must live it.

Wednesday 16 November 2022

Track this: Apple, Google hit with BIG privacy law claims - ReversingLabs

The state of disunion: Within the space of a few days, both Google and Apple have suffered huge legal challenges. The two tech titans were accused of various privacy violations.

Tuesday 15 November 2022

Google Pixel Can be Unlocked via SIM Swap (Other Android Phones, Too) - Security Boulevard

PUK Phun: A Hungarian researcher found a nasty Android security bug. If you insert a new SIM and type in the SIM’s personal unlocking key (PUK), the phone just dismisses the lock screen.

Friday 11 November 2022

NSA’s Plea: Stop Using C and C++ (Because You’re Idiots) - Security Boulevard

Don’t shoot the messenger: The C and C++ languages are unsafe. Instead, the U.S. National Security Agency would like devs to use memory-safe languages—because most security vulnerabilities are caused by bugs in memory usage.

Thursday 10 November 2022

Rust Momentum Intensifies | Elon Says No WFH -

The moral of the story: The whole secret of a successful life is to find out what is one’s destiny to do—and then do it

Wednesday 9 November 2022

Dropbox reveals hack: What DevOps can learn from it - ReversingLabs

Dropbox was hacked last month. The company has now revealed more details — and there are some big surprises.

Tuesday 8 November 2022

Hacker Stole $3B of Bitcoin — Because ‘Crypto’ is Garbage - Security Boulevard

In Fiat We Trust: James Zhong admitted to stealing 50,000 bitcoins from the former dark web market, Silk Road. The U.S. Department of Justice recently opened up and gleefully told the seizure story.

Friday 4 November 2022

Red Cross Wants Shielding from Hacks via Digital Emblem - Security Boulevard

#ICRC thinks outside box: The International Committee of the Red Cross (ICRC) is proposing a digital version of its eponymous logo. The idea is that websites and other digital services that sport the “emblem” would gain protection from hacking under international law.

Thursday 3 November 2022

OpenSSL Fiasco: What can DevOps Learn? | Elon Fires ‘50%’ of Twitter -

The moral of the story: If life were predictable, it would cease to be life—and be without flavor

Wednesday 2 November 2022

Reflection attacks: Don’t be part of the problem - ReversingLabs

We see you: Once again, Microsoft is under fire for shipping a service that can easily be misused for DDoS attacks. CLDAP — basically LDAP over UDP — can be weaponized to generate huge spikes of bandwidth.

Tuesday 1 November 2022

FBI/CISA Failed: Biden’s Ransomware Summit Convenes, Impotently

Talking Shop at the Talking Shop: The International Counter Ransomware Summit is on in D.C., with representatives from 36 nations and blocs attending. Not including Russia, natch.

Monday 31 October 2022

Chinese Tech: Banned in DC, but not in the States - Security Boulevard

‘Oh, Bother,’ Said Pooh: There’s a massive loophole in the federal ban on Chinese technology from sus firms such as Huawei and ZTE: It doesn’t stop states from buying it.

Friday 28 October 2022

OpenSSL ‘CRITICAL’ Bug — Sky Falling — Patch Hits 11/1 - Security Boulevard

Worse Than Heartbleed?
OpenSSL has a new “critical” bug. But it’s a secret—until next month.

Thursday 27 October 2022

Meta Income Down by Half | Will Apple Make it Worse? | Linux Secure Boot Fix -

The moral of the story: Your time is limited—so don’t waste it living someone else’s life

Wednesday 26 October 2022

Google pairs GUAC with SLSA to take a bite out of software supply chain insecurity - ReversingLabs

Dip into this tasty repo: Google is putting its weight behind a project to offer a comprehensive view of your software. Enter GUAC: Graph for Understanding Artifact Composition.

Tuesday 25 October 2022

Chinese Huawei ‘Spies’ Charged — FBI is Mad as Hell - Security Boulevard

China pwned by U.S.
The Chinese government sent two spies to extract information about the U.S. case against Huawei. But they didn’t expect their contact to be a double agent.

Friday 21 October 2022

TikTok ‘Will’ Spy on US Citizens — Say Sources - Security Boulevard

For You Plague: TikTok parent ByteDance is planning to track the location of certain targeted individuals on U.S. soil. A specialist Chinese team is already assigned to the task, we’re told.

Thursday 20 October 2022

Fire at Data Center Causes Chaos | 20% Costlier Cloud -

The moral of the story: Life is what happens when you’re busy making other plans

Wednesday 19 October 2022

Devs: Don’t rely on GitHub Copilot — legal risk gets real - ReversingLabs

Shut up and think of the deadline: GitHub’s Copilot ML code-completion engine is violating copyright wholesale. So say several high-profile open source advocates.

Monday 17 October 2022

$3 BILLION in DeFi Hacks in 2022—So Far - Security Boulevard

In Fiat We Trust: Fake money fans are once again mourning the theft of worthless tokens. Finding security flaws in brittle DeFi “smart contracts” seems like shooting fish in a barrel.

Friday 14 October 2022

Linux Fixes 5 Gaping Holes in Wi-Fi - Security Boulevard

Penguinistas’ Premier Panned: Linux’s Wi-Fi code has some nasty bugs, which can be exploited simply by being near an attacker. Remote code execution is a possibility—no need to actually connect to a malicious Wi-Fi network.

Thursday 13 October 2022

Kill the Password: Google on Board | 4-Day Week Proves Worthy -

The moral of the story: I am not bound to please thee with my answer

Wednesday 12 October 2022

DevOps lessons from Toyota FAIL: Crash test secrets - ReversingLabs

Do: Detect daft devs defying doctrine
Toyota stands accused of lax DevOps standards, as the company reveals it stored prod database credentials in a public GitHub repo. That’s bad enough, but it also took five years to detect and fix.

Tuesday 11 October 2022

LEAKED: Intel’s BIOS Source Code — All 6GB of It - Security Boulevard

Hackers’ Happy Hunting Ground: Source code for the Intel Alder Lake processor UEFI BIOS has gone walkies. 6 GB of build image is floating ’round the net like a genie freed from its bottle.

Friday 7 October 2022

Hacker Paige Thompson is FREE (‘Because Transgender Status and Mental Health Issues’) - Security Boulevard

‘Not What Justice Looks Like,’ whines DoJ: Capital One hacker Paige A. Thompson is still guilty, but her sentence is “time served and probation.” The judge went easy “because of her mental health and transgender status,” according to the sore losers at the Department of Justice.

Thursday 6 October 2022

Linux 6.0 is Faster, Cooler | Debian Goes Proprietary | Google Africa Region -

The moral of the story: A fool thinks himself to be wise, but a wise man knows himself to be a fool

Wednesday 5 October 2022

Memory-safe #RustLang shines with its day in the sun - ReversingLabs

Don’t miss out: The chatter around the Rust language is growing into a deafening roar. Not only is the Linux kernel train bearing down on the 6.1 station, but countless other devs are waking up to the memory-safe language.

Tuesday 4 October 2022

FAIL: Los Angeles School District Loses 500GB of PII - Security Boulevard

Won’t Somebody Think of the Children?
The Los Angeles Unified School District (LAUSD) has lost control of a huge cache of sensitive data. The leak—courtesy of Russian gang Vice Society—includes staff bank account details and psych evals of children.

Friday 30 September 2022

Warning: N. Korean Job Scams Push Trojans via LinkedIn - Security Boulevard

Weird things are happening on LinkedIn. Scammers, believed to be working for North Korea, are creating fake profiles and targeting job applicants.

Thursday 29 September 2022

“The OG App” Devs’ Facebook Ban | WFH vs. NYC Real Estate | Calif. Pay Law is GO -

The moral of the story: Misery acquaints a man with strange bedfellows

Wednesday 28 September 2022

DevOps teams: BGP security is BAD. But you can fix it - ReversingLabs

“It’s always DNS” — unless it’s BGP: The security of the Border Gateway Protocol (BGP) is laughable. But we all rely on it every day. For everything.

Tuesday 27 September 2022

Russia ‘Plans’ HUGE Cyberattack on Critical Infrastructure - Security Boulevard

Glory to Ukraine — Glory to the Heroes
The Ukrainian government has warned that Russia is planning a massive attack against critical infrastructure. And not just that of Ukraine, but also of its allies.

Monday 26 September 2022

Alleged Russian RSOCKS Hacker: ‘Send Me to US’ - Security Boulevard

The supposed owner of RSOCKS—a huge illegal botnet that provided anonymous proxy services to scrotes—wants to be extradited to the U.S. He claims to have information authorities here will want to hear.

Thursday 22 September 2022

Wipro Fires 2-Job Staff | Python Bug from 2007 | Lite Layoffs -

The Moral of the Story: I wish my horse had the speed of your tongue

Rust finds its mojo: Move forward to memory-safe code - ReversingLabs

The time is now
It’s confirmed: The Linux kernel will have Rust support soon. Also this week, Microsoft’s Azure CTO said the age of C++ is over—Rust is the future.

Tuesday 20 September 2022

Hate Site Hacked — Kiwi Farms is ‘Very, Very Owned’ - Security Boulevard

Doxxers Doxxed — Swatters Swatted?
Kiwi Farms, the notorious web forum for harassing feminists, the neurodivergent and LGBTQ+ people, has itself suffered the ultimate harassment. Its services were secretly infected for weeks by an injected script that exfiltrated data about its users.

Monday 19 September 2022

Victims of Gym Phone Theft Lose $10,000 Each (Because SMS 2FA) - Security Boulevard

SMS 2FA: Go Away
A spate of thefts from gym lockers is reminding us that SMS based two-factor authentication (2FA) is utter, utter garbage. A fraudster is stealing phones and debit/ATM cards, using them to rack up big bills in London.

Friday 16 September 2022

Uber Hacked: Its Security is ‘Awful’ and ‘Weak’ - Security Boulevard

People Prefer Proper Taxis: Fake taxi-cum-takeout service Uber was fully pwned this week. The company says it’s “responding to a cybersecurity incident,” whatever that means.

Thursday 15 September 2022

Heat Cooks Twitter DC | AI Will Kill All Humans | Patreon Layoffs, CSAM Claim -

The Moral of the Story: Misery acquaints a man with strange bedfellows

Why Twitter security sucks: Half of staff has PII access - ReversingLabs

No locks on the doors: Peiter “Mudge” Zatko (pictured) was grilled by U.S. senators this week. Twitter’s former head of security has some damning things to say about the service’s DevOps security — or lack of it.

Tuesday 13 September 2022

Retbleed Security Fix Makes Linux go 70% Slower - Security Boulevard

Must Try Harder: The Linux kernel workaround for the ‘Retbleed’ vulnerability is causing a huge slowdown in tests. Performance runs of VMware guests show results up to 70% worse on slightly old hardware.

Friday 9 September 2022

Patreon Fires its Security Team — and the Internet Freaks Out - Security Boulevard

Not OK, Jack: Patreon, the notorious membership monetization platform, laid off its entire security team yesterday. Just like that. Ouch.

Thursday 8 September 2022

How’s Facebook Work? They Don’t Know! | Cali. Pay Law | NASA RISC-V Launch -

The Moral of the Story: Long live the King

U.S. schools developers on supply chain security - ReversingLabs

Feds’ big yawndoc: The U.S. government is schooling developers in a new document, Securing the Software Supply Chain. The NSA, CISA and the Office of the Director of National Intelligence (ODNI) have the lead.

Tuesday 6 September 2022

TikTok Hack: 2B Records Leak — but ByteDance Denies - Security Boulevard

For You Plague: TikTok was hacked, with over two billion records stolen. Or so says notorious leak group BlueHornet (a/k/a AgainstTheWest, AggressiveCurl). But TikTok says not.

Friday 2 September 2022

Hackers Hail all Taxis in Moscow — HUGE Gridlock for 3 Hours - Security Boulevard

In Post-Soviet Russia, Taxi Order YOU:
Ukraine supporters hacked Russia’s biggest ride hailing app, Yandex Taxi. They sent every available cab to a single address, all at once.

Wednesday 31 August 2022

Stable Diffusion Goes Public — and the Internet Freaks Out -

The Moral of the Story: What fools these mortals be

LastPass hacked (again): What devs can learn - ReversingLabs

LastChance for its reputation?
The latest LastPass hack: Bad actors stole source code and other secrets from the huge password-manager firm’s dev environment. But not, it stresses, anyone’s passwords — as far as it can tell.

Tuesday 30 August 2022

0ktapus/‘Scatter Swine’ Hacking Gang Stole 10,000 Corp Logins via Twilio - Security Boulevard

Stop SMS 2FA Already: More on the Twilio débâcle from earlier this month: Researchers reveal the hackers swiped at least 9,931 user credentials from more than 130 organizations.

Thursday 25 August 2022

Force Me Back to the Office? Apple ‘Hasn’t Learned Anything’ -

The Moral of the Story: The tempter or the tempted—who sins most?

Hyundai devs used sample code signing keys, making updates vulnerable - ReversingLabs

Hyundai: ‘Leading by example’
Developers of the entertainment unit in the Hyundai Ioniq didn’t seem to follow the sample code they were using. They reused an RSA code-signing key pair from an example, rather than generating their own.

Tuesday 23 August 2022

Oracle’s HUGE Ad Data Graph is ‘Illegal Panopticon’ — 5 BILLION People Big - Security Boulevard

Does Redwood City Have Limits?
Oracle “illegally” collects and links data about you, selling it to the highest bidder—all without your consent. Online and offline, your privacy is invaded daily—so says a California class action lawsuit.

Monday 22 August 2022

NSO Group Fires CEO — and 100 Staff — in Spyware ‘Streamlining’ - Security Boulevard

NSO CEO Go — NSO now ‘NO’?
NSO, notorious producer of the Pegasus nation-state spyware, is struggling. So it’s dumped its CEO, Shalev Hulio, and around 100 employees.

Friday 19 August 2022

VPNs Don’t Work on iOS — and Apple Doesn’t Care - Security Boulevard

VPN: The P is for PR — bad PR
“VPNs on iOS are a scam.” That’s what an angry security researcher would have you believe. He’s fed up of reproducing and documenting a serious iOS bug that Apple just won’t fix.

Thursday 18 August 2022

Agile Sucks (Redux) | Plus: DevOps on Mars -

The moral of the story: Summer’s lease hath all too short a date

Just for devs: Best of Black Hat and DEF CON - ReversingLabs

Hacker summer camp is back, baby: Lots happened in Vegas last week. Most of it should have stayed in Vegas. But some of it bears digging out from piles of mediocre nonsense.

Monday 15 August 2022

Gmail Lets Candidates Spam You — FEC FAIL - Security Boulevard

Email is a Mass Noun: Politicians convinced the Federal Election Commission (FEC) that Google must give them a free pass through Gmail’s spam filters. They want la GOOG to ignore user preferences and deliver their “delightful” fundraising missives direct to your inbox.

Friday 12 August 2022

Cisco Pwned by ‘Russian’ Gang — Data Leaked, Egg on Face - Security Boulevard

MFA FAIL: Cisco got hacked by a ransomware gang—a broker for the UNC2447 threat actor, linked to the Yanluowang crew (pictured). This was way back at the end of May, but Cisco’s only now talking about it.

Thursday 11 August 2022

We Must Kill ‘Dinosaur’ JavaScript | Microsoft Open Sources 3D Emoji -

The moral of the story: The Devil hath power to assume a pleasing shape

DevOps: Fix your dangerous redirects! Amex shows how - ReversingLabs

And Snap shows how not: Recent ‘LogoKit’ spear phishing campaigns have misused open redirect URLs in web apps from Snapchat and American Express. When alerted, Amex quickly fixed the hole, but Snap’s is still open after more than a year.

Tuesday 9 August 2022

Twilio Fails Simple Test — Leaks Private Data via Phishing - Security Boulevard

“Sophisticated” Sophistry: Twilio (NYSE:TWLO) customer data has leaked—after a simple phishing attack on employees. The firm isn’t saying how many end-users are affected, but it could run into the millions.

Monday 8 August 2022

Slack App Leaked Hashed User Passwords for 5 YEARS - Security Boulevard

‘One Way’ Hash — Yeah, Right: Since 2017, if you’ve invited anyone to a Slack workspace, your password has leaked—albeit in the form of a salted hash. People are asking how this could have happened, and how it remained undetected for so long—more than five years.

Friday 5 August 2022

US Emergency Alert System Has ‘Huge Flaw’ — Broadcasters Must Patch NOW - Security Boulevard

EAS FAIL: The Emergency Alert System (EAS) run by FEMA and the FCC is vulnerable to hacking. Imagine the vast potential for panic and chaos if a fake alert was widely broadcast.

Thursday 4 August 2022

Recession! DevOps Hiring Freeze | Data Centers Suck (Power) | Intel to ‘be’ Wi-Fi 7 -

The moral of the story: There’s no point in questioning authority if you aren’t going to listen to the answers

Post-quantum algo ‘SIKE’ dead: Did math geeks find key-encap back door? - ReversingLabs

NIST nixes PQC postulant: Here’s more on NIST’s search for post-quantum cryptography (PQC). Is it in trouble this week? Breathless headlines would have you believe so, because researchers found a way to easily break the SIKE key encapsulation algorithm.