Changes

From Security Weekly Wiki
#[https://www.helpnetsecurity.com/2020/11/12/sms-voice-mfa/ Microsoft advises users to stop using SMS- and voice-based MFA - Help Net Security] - Still better than no MFA: ''Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”''
#[https://securityaffairs.co/wordpress/110782/hacking/cobalt-strike-source-code.html The alleged decompiled source code of Cobalt Strike toolkit leaked online] - Crap: ''The repository has been already forked more than hundreds of times and is rapidly spreading online.''
#[https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE How to get root on Ubuntu 20.04 by pretending nobody's /home - GitHub Security Lab] - Best part is here: ''Here’s what happened: I had found a couple of denial-of-service vulnerabilities in accountsservice. I considered them low severity, but was writing them up for a vulnerability report to send to Ubuntu. Around 6pm, I stopped work and closed my laptop lid. Later in the evening, I opened the laptop lid and discovered that I was locked out of my account. I had been experimenting with the .pam_environment symlink and had forgotten to delete it before closing the lid. No big deal: I used Ctrl-Alt-F4 to open a console, logged in (the console login was not affected by the accountsservice DOS), and killed accounts-daemon with a SIGSEGV. I didn’t need to use sudo due to the privilege dropping vulnerability. The next thing I knew, I was looking at the gnome-initial-setup dialog boxes, and was amazed to discover that I was able to create a new user with administrator privileges.''
#[https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-profit/ Decrypting OpenSSH sessions for fun and profit]
#[https://www.zdnet.com/article/this-new-malware-wants-to-add-your-linux-servers-and-iot-devices-to-its-botnet/ This new malware wants to add your Linux servers and IoT devices to its botnet | ZDNet]
#[https://www.vice.com/en/article/xgzxmk/google-project-zero-bugs-used-to-hack-iphones-and-android-phones Mysterious Bugs Were Used to Hack iPhones and Android Phones and No One Will Talk About It]
#[https://www.quantamagazine.org/computer-scientists-achieve-crown-jewel-of-cryptography-20201110/ Computer Scientists Achieve Crown Jewel of Cryptography]