From Security Weekly Wiki
  1. New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites - Comments in WordPress are just evil, and not worth it in my opinion for a host of reasons: WordPress doesn't use CSRF validation when a user posts a new comment, allowing attackers to post comments on behalf of an administrator. Comments posted by an administrator account are not sanitized and can include arbitrary HTML tags, even SCRIPT tags. The WordPress frontend is not protected by the X-Frame-Options header, allowing attackers to open the targeted WordPress site in a hidden iFrame from an attacker-controlled website.
  2. HackInOS: 1 - I did not validate anything about this project, but it sounded neat: HackinOS is a beginner level CTF style vulnerable machine. I created this VM for my university’s cyber security community and all cyber security enthusiasts.
  3. Intel Windows 10 Graphics Drivers Riddled With Flaws - The more serious of these (CVE-2018-12216) has a CVSS score of 8.2 and stems from insufficient input validation in the kernel mode driver within Intel Graphics Driver for Windows. The kernel mode driver of a graphics driver executes any instruction it needs on the CPU without waiting, and can reference any memory address that is available. Could this also open up firmware attacks against the GPU hardware? Though I would believe that any kernel driver can access any hardware directly? I have to read this more carefully: https://docs.microsoft.com/en-us/windows-hardware/drivers/display/driver-protection but it does state that the described driver protection is optional.
  4. DMSniff POS Malware has flown under the radar for at least four years - Sure it had a domain name generation algorithm, but it didn't seem especially stealthy to me. How did it evade detection? One could guess: “DMSniff is another name in a growing list of evolving threats for the point-of-sale malware world. During our research we found that this malware was primarily utilized to target small to medium sized businesses such as restaurants and theaters,” the experts conclude. “It also contains a domain generation algorithm, something that is rare to see in point-of-sale malware.”
  5. What do sexy selfies, search warrants, tax files have in common? They've all been found on resold USB sticks - While entertaining: Troublingly, the material recovered was often fairly sensitive. There were nude images of a middle-aged man, along with contact details. There were legal documents like a search warrant and risk assessments. There were financial papers dating back years, along with personal data. There were also tax forms, wage slips and the like. Not really news. We covered this with SIM cards back in the day. It seems people like to sell electronics without scrubbing the data.
  6. InfoSec Handlers Diary Blog - Tip: Ghidra & ZIP Files
  7. Facebook and Instagram suffer most severe outage ever - And Gmail and YouTube: https://bgr.com/2019/03/13/gmail-google-drive-outage-youtube-down-too/ - Gmail started on Tuesday night and Facebook started on Wednesday. Coincidence? What are the chances that both Facebook and Google had major outages at the same time and there was no connection?
  8. Tesla allegedly spied on and ran smear campaign on a whistleblower | SC Media - A former security manager told Bloomberg Businessweek that Tesla hacked, spied on, and engaged in a smear campaign against whistleblower Martin Tripp. Sean Gouthro, a former security manager at Tesla’s Nevada Gigafactory, claimed Elon Musk personally hired Tesla investigators to hack into an employee’s phone, spy on his messages, and even mislead police about a potential mass shooting, all in response to whistleblowing.
  9. Proof-of-concept code published for Windows 7 zero-day | ZDNet
  10. Man drives 3,300 miles to talk to YouTube about deleted video - LOL: On Sunday, police in Mountain View, California, where Google is headquartered, arrested a man who drove more than 3,300 miles from Maine to discuss what he thought was the company’s removal of his YouTube account and the one video he’d posted – one about getting rich quick. It was not, in fact, deleted by YouTube. It turns out, his wife deleted it, concerned as she was about her husband’s mental state. She told BuzzFeed News that the video, created by 33-year-old Kyle Long, was “rambling” and “bizarre.”
  11. WordPress Releases Security Update | US-CERT
  12. Cisco Patches Critical Default Password Bug
  13. Code Execution Flaw Found in Sonatype Nexus Repository Manager | SecurityWeek.Com
  14. DARPA Is Developing an Open-Source Voting System - Schneier on Security