Marshall Sutherland
  
Grammarly's flawed Chrome extension exposed users' private documents

The grammar-correcting browser extension is used by about 22 million users.
Marshall Sutherland
  
I’m harvesting credit card numbers and passwords from your site. Here’s how.

The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.
Sophie
  
Great article.
Although this is all made up, it worries me that none of this is hard.
Marshall Sutherland
  
Spectre and Meltdown Attacks Against Microprocessors - Schneier on Security

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones.
James Lamentus
  
Image/photo
Marshall Sutherland
  


Star Wars Episode IV.1.d: The Pentesters Strike Back
by CyberPoint International on Vimeo

It is a period of cyber war. In an effort to sustain commerce during these challenging times, the Galactic Trade Federation has required the Empire retain the services of a consultancy on Kessel (a best-value provider, and only twelve parsecs away) to assess the state of their security before signing off on the newly-constructed DEATH STAR campus.
Marshall Sutherland
  
Laptop touchpad driver included extra feature: a keylogger

Researcher finds logger, turned off by default, could be turned on with a registry change.
Haakon Meland Eriksen (Parlementum)
  
In the beginning was the word, and the word was 'Hey, you, Keyboard Developer!'

The subtle distinction between debugging at the keyboard and debugging the keyboard.
Marshall Sutherland
  
Germany Preparing Law for Backdoors in Any Type of Modern Device

German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.
Klaus
  
All of the last interior ministers believed they had to break the Basic Law to do their jobs. Until now the constitutional court has decided against these attempts.
Einer von Vielen
  
Yes, this could be prevented. It seems to be part of the political game to go into negotiations with the highest possible demand.
Marshall Sutherland
  
Pro tip: You can log into macOS High Sierra as root with no password

Apple, this is Windows 95 bad – but there is a workaround to kill the bug

The photo to go with this is epic, :-)
Alexandre Hannud Abdo
  
Image/photo
Marshall Sutherland
  last edited: Thu, 07 Sep 2017 21:26:46 -0400  
Equifax data leak may affect nearly half the US population

Hackers steal Social Security numbers, birthdates, addresses and more from potentially up to 143 million people.

When looking for this story, the first thing I found was... :-)

Marshall Sutherland
  
Humble Book Bundle: Cybersecurity presented by Wiley

Pay what you want for cybersecurity ebooks and support charity!
Marshall Sutherland
  
New Girl Scout badges focus on cyber crime, not cookie sales

Cookie sales may take a back seat to fighting identity theft and other computer crime now that Girl Scouts as young as 5 are to be offered the chance to earn their first-ever cyber security badges.
Marshall Sutherland
  
Vendors approve of NIST password draft

The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies.

Some of the recommendations:
- Remove periodic password change requirements
- Drop the algorithmic complexity song and dance
- Require screening of new passwords against lists of commonly used or compromised passwords
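To make the three recommendations concrete, here is an added example (not part of the post or of the NIST draft) of a password-acceptance check written the way the draft suggests: no composition rules, no age-based rotation, a length floor and ceiling, and screening against a compromised-password list. The compromised list is a tiny constructed sample standing in for a real breach corpus; the 8/64 length figures and NFKC normalization come from SP 800-63B, and the SHA-1 prefix index mirrors the k-anonymity lookup used by range-query breach APIs so the check can run offline.

```python
import hashlib
import unicodedata
from dataclasses import dataclass

# Constructed sample of commonly used or compromised passwords (assumption: a
# real deployment loads a large breach corpus here, not this handful).
COMPROMISED_SAMPLE = [
    "password", "123456", "qwerty", "letmein", "P@ssw0rd!", "Summer2017!",
]


def canonical_sha1(password: str) -> str:
    """NFKC-normalize (SP 800-63B 5.1.1.2) then SHA-1, upper-case hex."""
    normalized = unicodedata.normalize("NFKC", password)
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Index compromised passwords by the first 5 hex chars of their SHA-1.

    Keying on the prefix mirrors the k-anonymity range lookup used by breach
    APIs: a client sends only the 5-char prefix and compares the returned
    suffixes locally, so the full hash never leaves the client.
    """
    index = {}
    for pw in passwords:
        digest = canonical_sha1(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(COMPROMISED_SAMPLE)


def is_compromised(password: str, index=BREACH_INDEX) -> bool:
    """True if the password's hash suffix appears under its prefix bucket."""
    digest = canonical_sha1(password)
    return digest[5:] in index.get(digest[:5], set())


@dataclass
class Verdict:
    accepted: bool
    reason: str


def evaluate_password(password: str, min_length: int = 8, max_length: int = 64) -> Verdict:
    """Accept or reject a new password under the draft's rules.

    Deliberately absent: any requirement for digits, symbols or mixed case
    (the 'algorithmic complexity song and dance'). Length is counted in
    characters after normalization, so multi-byte input is not penalized.
    """
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < min_length:
        return Verdict(False, f"shorter than {min_length} characters")
    if len(normalized) > max_length:
        return Verdict(False, f"longer than {max_length} characters")
    if is_compromised(password):
        return Verdict(False, "appears in compromised-password list")
    return Verdict(True, "ok")


def change_required(evidence_of_compromise: bool, days_since_change: int) -> bool:
    """Age alone never forces a change under the draft; only evidence of
    compromise does. days_since_change is taken so the omission is explicit."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "short1", "violet-tractor-nebula-ladder"]:
        verdict = evaluate_password(candidate)
        print(f"{candidate!r}: {'accepted' if verdict.accepted else 'rejected'} ({verdict.reason})")
```

Note that "P@ssw0rd!" satisfies every classic composition rule and is still rejected, while a plain four-word passphrase with no symbols or digits is accepted; that contrast is the whole point of replacing complexity rules with breach screening.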
Marshall Sutherland
  
Android devices can be fatally hacked by malicious Wi-Fi networks

Broadcom chips allow rogue Wi-Fi signals to execute code of attacker's choosing.
Mike Macgirvin
  
Sigh...
Marshall Sutherland
  
Critical security update: PHPMailer 5.2.18 (CVE-2016-10033) - SANS Internet Storm Center
Vulnerability: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

Severity: CRITICAL

ISC recommended action: Patch...now. This is a very popular application, left unpatched it will be exploited.
Marshall Sutherland
  
A new twist on "refer-a-friend"...

Ransomware Gives Free Decryption Keys to Victims Who Infect Others
Ransomware still under development called Popcorn Time forces victims to either pay the ransom, or try to infect other machines in exchange for the decryption key.
Mike Macgirvin
  
I'm told that in order to get the key you have to not only infect other machines, but must also get one of them to pay up. If none of your victims pays up, you're still stuffed.
Marshall Sutherland
  
That matches my reading as well.
Marshall Sutherland
  
Dirty COW explained: Get a moooo-ve on and patch Linux root hole

Widespread flaw can be easily exploited to hijack PCs, servers, gizmos, phones
Marshall Sutherland
  
InfoSec Handlers Diary Blog - Dropbox Breach
Dropbox has just been added to the myriad of sites that have been hacked.  It seems that back in 2012 there was a breach and around 60 million accounts were stolen.  There is now evidence surfacing that the details from the accounts are out there.  Dropbox is forcing password changes for a number of users that have been affected.
Marshall Sutherland
  
InfoSec Handlers Diary Blog - TeslaCrypt closes down...Releases master decryption key
In a surprising move...The TeslaCrypt ransomware developers have stopped distributing TeslaCrypt and released their master decryption key to the public.  Various TeslaCrypt decryptor tools have been updated to include this key, permitting anyone who gets compromised with TeslaCrypt a way of decrypting their data without paying the ransom.
Marshall Sutherland
  
ImageTragick: Another Vulnerability, Another Nickname - SANS Internet Storm Center

On Tuesday 2016-05-03, we started seeing reports about a vulnerability for a cross-platform suite named ImageMagick.  This new vulnerability has been nicknamed "ImageTragick" and has its own website.  Apparently, the vulnerability will be assigned to CVE-2016-3714.  It wasn't yet on mitre.org's CVE site when I wrote this diary.
The Internet of (Insecure) Things

Marshall Sutherland
  
Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms

The nightmare scenario of the internet-connected smart home is real.
Marshall Sutherland
  
'Leaked' Burr-Feinstein Encryption Bill Is a Threat to American Privacy

Every service, person, human rights worker, protester, reporter, company—the list goes on—will be easier to spy on.

The bill, the “Compliance with Court Orders Act of 2016,” requires that all companies providing any kind of communications or data service be able to give information to the government in an “intelligible format.” If the company made the data unintelligible, it must provide “technical assistance” to undo it. In case there is any question about the aim, the bill defines intelligible as “decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form.”
Marshall Sutherland
  
DownsizeDC just started a new campaign for this: https://downsizedc.org/etp/private-encryption/