From Security Weekly Wiki
Jump to navigationJump to search


  1. Not all cyberattacks are created equal: What researchers learned from 103 'extreme' events - The global 2017 NotPetya attack heavily skewed that figure, accounting for 20 percent of the losses by itself.
  2. Rapid7 Metasploit Framework msfvenom APK Template Command Injection - Irony: This Metasploit module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affected includes Metasploit Framework versions 6.0.11 and below and Metasploit Pro versions 4.18.0 and below.
  3. The Sad State of Two-Factor Authentication in U.S. Banking - Neat site: https://twofactorauth.org/ (List of websites and whether or not they support 2FA.)
  4. Container Security Threats - Good high-level article. There is this: Least privilege: You can give different containers different sets of privileges, each minimized to the smallest set of permissions it needs to fulfill its function. There is a lot to unpack in that one sentence as there are many sets of privileges (the container user, file system permission, capabilities, AppArmor, Seccomp, etc...).
  5. The Security Failures of Online Exam Proctoring - Interesting: The remote proctoring industry offers a range of services, from basic video links that allow another human to observe students as they take exams to algorithmic tools that use artificial intelligence (AI) to detect cheating. But asking students to install software to monitor them during a test raises a host of fairness issues, experts say. “There’s a big gulf between what this technology promises, and what it actually does on the ground,” said Audrey Watters, a researcher on the edtech industry who runs the website Hack Education. “(They) assume everyone looks the same, takes tests the same way, and responds to stressful situations in the same way.”
  6. DNS cache poisoning, the Internet attack from 2008, is back from the dead - The researchers’ paper, DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels, provides a far more detailed and technical description of the attack. They call the attack SAD DNS short for Side channel AttackeD DNS. The researchers privately provided their findings to DNS providers and software developers. In response, Linux kernel developers introduced a change that causes the rate limit to randomly fluctuate between 500 and 2,000 per second. Professor Qian said the fix prevents the new technique from working. Cloudflare introduced a fix of its own. In certain cases, its DNS service will fall back to TCP, which is much more difficult to spoof.
  7. Google patches two more Chrome zero-days - Anonymous, riiiiight: These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks. The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources. Two new ones: CVE-2020-16013 - Described as an "inappropriate implementation in V8," where V8 is the Chrome component that handles JavaScript code.

CVE-2020-16017 - Described as a "use after free" memory corruption bug in Site Isolation, the Chrome component that isolates each site's data from one another.

  1. The Term "Threat Intelligence" is Poisoned. It Does Not Mean What You Think it Means. | SecurityWeek.Com
  2. Bugs in Critical Infrastructure Gear Allow Sophisticated Cyberattacks
  3. Yantra Manav A wormable SSH bot
  4. SaltStack Salt REST API Arbitrary Command Execution
  5. Microsoft advises users to stop using SMS- and voice-based MFA - Help Net Security
  6. The alleged decompiled source code of Cobalt Strike toolkit leaked online
  7. How to get root on Ubuntu 20.04 by pretending nobodys /home - GitHub Security Lab
  8. Decrypting OpenSSH sessions for fun and profit
  9. This new malware wants to add your Linux servers and IoT devices to its botnet | ZDNet
  10. Mysterious Bugs Were Used to Hack iPhones and Android Phones and No One Will Talk About It
  11. Computer Scientists Achieve Crown Jewel of Cryptography