Grammarly's flawed Chrome extension exposed users' private documents


The grammar-correcting browser extension is used by about 22 million users.
I’m harvesting credit card numbers and passwords from your site. Here’s how.

The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.
Great article.
Although this is all made up, it worries me that none of this is hard.
Spectre and Meltdown Attacks Against Microprocessors - Schneier on Security

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones.

Star Wars Episode IV.1.d: The Pentesters Strike Back
by CyberPoint International on Vimeo

It is a period of cyber war. In an effort to sustain commerce during these challenging times, the Galactic Trade Federation has required the Empire retain the services of a consultancy on Kessel (a best-value provider, and only twelve parsecs away) to assess the state of their security before signing off on the newly-constructed DEATH STAR campus.
Laptop touchpad driver included extra feature: a keylogger


Researcher finds logger, turned off by default, could be turned on with a registry change.
In the beginning was the word, and the word was 'Hey, you, Keyboard Developer!'

The subtle distinction between debugging at the keyboard and debugging the keyboard.
Germany Preparing Law for Backdoors in Any Type of Modern Device

German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.
All of the last interior ministers believed they had to break the Basic Law to do their jobs. Until now the constitutional court has decided against these attempts.
Yes, this could be prevented. It seems to be part of the political game to go into negotiations with the highest possible demand.
Pro tip: You can log into macOS High Sierra as root with no password


Apple, this is Windows 95 bad – but there is a workaround to kill the bug

The photo to go with this is epic, :-)
last edited: Thu, 07 Sep 2017 21:26:46 -0400
Equifax data leak may affect nearly half the US population

Hackers steal Social Security numbers, birthdates, addresses and more from potentially up to 143 million people.

When looking for this story, the first thing I found was... :-)

Humble Book Bundle: Cybersecurity presented by Wiley


Pay what you want for cybersecurity ebooks and support charity!
New Girl Scout badges focus on cyber crime, not cookie sales


Cookie sales may take a back seat to fighting identity theft and other computer crime now that Girl Scouts as young as 5 are to be offered the chance to earn their first-ever cyber security badges.
Vendors approve of NIST password draft

The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies.

Some of the recommendations:
- Remove periodic password change requirements
- Drop the algorithmic complexity song and dance
- Require screening of new passwords against lists of commonly used or compromised passwords
Android devices can be fatally hacked by malicious Wi-Fi networks

Broadcom chips allow rogue Wi-Fi signals to execute code of attacker's choosing.
Critical security update: PHPMailer 5.2.18 (CVE-2016-10033) - SANS Internet Storm Center
Vulnerability: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

Severity: CRITICAL

ISC recommended action: This is a very popular application; left unpatched, it will be exploited.
A new twist on "refer-a-friend"...

Ransomware Gives Free Decryption Keys to Victims Who Infect Others
Ransomware still under development called Popcorn Time forces victims to either pay the ransom, or try to infect other machines in exchange for the decryption key.
I'm told that in order to get the key you have to not only infect other machines, but must also get one of them to pay up. If none of your victims pays up, you're still stuffed.
That matches my reading as well.
Dirty COW explained: Get a moooo-ve on and patch Linux root hole


Widespread flaw can be easily exploited to hijack PCs, servers, gizmos, phones
InfoSec Handlers Diary Blog - Dropbox Breach
Dropbox has just been added to the myriad of sites that have been hacked.  It seems that back in 2012 there was a breach and around 60 million accounts were stolen.  There is now evidence surfacing that the details from the accounts are out there.  Dropbox is forcing password changes for a number of users that have been affected.
InfoSec Handlers Diary Blog - TeslaCrypt closes down...Releases master decryption key
In a surprising move, the TeslaCrypt ransomware developers have stopped distributing TeslaCrypt and released their master decryption key to the public. Various TeslaCrypt decryptor tools have been updated to include this key, permitting anyone who gets compromised with TeslaCrypt a way of decrypting their data without paying the ransom.
ImageTragick: Another Vulnerability, Another Nickname - SANS Internet Storm Center


On Tuesday 2016-05-03, we started seeing reports about a vulnerability for a cross-platform suite named ImageMagick.  This new vulnerability has been nicknamed "ImageTragick" and has its own website.  Apparently, the vulnerability will be assigned to CVE-2016-3714.  It wasn't yet on's CVE site when I wrote this diary.
The Internet of (Insecure) Things

Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms

The nightmare scenario of the internet-connected smart home is real.
'Leaked' Burr-Feinstein Encryption Bill Is a Threat to American Privacy

Every service, person, human rights worker, protester, reporter, company—the list goes on—will be easier to spy on.

The bill, the “Compliance with Court Orders Act of 2016,” requires that all companies providing any kind of communications or data service be able to give information to the government in an “intelligible format.” If the company made the data unintelligible, it must provide “technical assistance” to undo it. In case there is any question about the aim, the bill defines intelligible as “decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form.”
DownsizeDC just started a new campaign for this: