Github is under attack from the Chinese Government, Slashdot writes.
via Github Under JS-Based “Greatfire” DDoS Attack, Allegedly From Chinese Government – Slashdot.
An intermediate CA, held by MCS Holdings and issued by CNNIC, the Chinese NIC, apparently issued certificates for unauthorized domains. Google detected the problem for its own domains through pinned certificates in its browser.
Google Online Security Blog: Maintaining digital certificate security.
Encrypted email is still not popular, because this is so embarrassing:
For the sake of having this here. Manipulating bits in memory is a big deal in multi-tenant virtualized and cloud environments, aka public cloud. Unfortunately this is a hardware issue and not something that a software patch will solve. Only new physical deployments can solve that problem. So rowhammer will be a nightmare for a while…
via Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges.
Filippo Valsorda wrote a test to check whether your PC is vulnerable through the Superfish malware that Lenovo decided to preinstall on its devices.
Check here if you trust the Superfish CA.
The OWASP Project is looking at the Internet of Things, too, and published a top 10 of security concerns for that matter. While all of this is reasonable for the Internet of Things, it can be applied very generally to the Internet of anything. Good security pays in every environment; it’s just that the Internet of Things has potentially more attack surface.
After Kaspersky found hard drive firmware malware, @dragosr makes a valid point about disk forensic evidence, in particular since the published timeline of the Equation Group reaches back as far as 2001.
Whoosh and there goes "beyond a shadow of a doubt" for any disk forensic evidence used in any court case.
— dragosr (@dragosr) February 17, 2015
This is a few days old already: Richard Gutjahr reported that Uber has a privacy issue. Apparently, the now 404ed Lost and Found page listed not only lost items, but also usernames and contact details.
via Richard Gutjahr.
A Xenon flash will cause the Raspberry Pi 2 to freeze http://t.co/u5Vkn3svTz
— Hacker News Bot (@newsycombinator) February 8, 2015
A new class of DoS for hardware?