In the debate over "responsible disclosure," advocates for corporate power say that companies have to be able to decide who can reveal defects in their products and under which circumstances, lest bad actors reveal their bugs without giving them time to create and promulgate a patch.
Read the rest “Oracle's bad faith with security researchers led to publication of a Virtualbox 0-day”
The New Year's revelation that decades' worth of Intel's processors had deep, scary defects called "Spectre" and "Meltdown" still has security experts reeling as they contemplate the scale of patching billions of devices that are vulnerable to attack.
Read the rest “Son of Spectre: researchers are about to announce eight more Meltdown-style defects in common microprocessors”
The Vingcard Vision locks are RFID-based hotel locks; at this week's Infiltrate conference in Miami, Tomi Tuominen and Timo Hirvonen from F-Secure will present a method for combining a $300 Proxmark RFID tool with any discarded key from a given hotel to derive the master keys that allow them to unlock every room in the hotel, a process that takes less than 60 seconds.
Read the rest “In 60 seconds, security researchers can clone the master hotel-room keys for 140,000 hotels in 160 countries”
Dropbox has published a set of guidelines for how companies can "encourage, support, and celebrate independent open security research" -- and they're actually pretty great, a set of reasonable commitments to take bug reports seriously and interact respectfully with researchers.
Read the rest “Dropbox has some genuinely great security reporting guidelines, but reserves the right to jail you if you disagree”
Saleem Rashid is a 15-year-old self-taught British programmer who discovered a fatal defect in the Ledger Nano S, an offline cryptocurrency wallet that is marketed as being "tamper-proof."
Read the rest “Teen's devastating bug-report on a "tamper-proof" cryptocurrency wallet shows why companies can't be left in charge of bad news about their products”
Five years ago, Benjamin Delpy was working for an unspecified French government agency and teaching himself to program in C, and had discovered a vital flaw in the way that Windows protected its users' passwords.
Read the rest “Origin story of the Mimikatz password cracker is a parable about security, disclosure, cyberwar, and crime”
Kids Pass is a service that offers discounts on family activities in the UK; their website has several common -- and serious -- security problems that could allow hackers to capture their users' passwords, which endangers those users' data on other services where they have (unwisely) recycled those same passwords.
Read the rest “Security researchers repeatedly warned Kids Pass about bad security, only to be ignored and blocked”
The uniquely horribly named Svakom Siime Eye is an Internet of Things sex-toy with a wireless camera that allows you to stream video of the insides of your orifices as they are penetrated by it; researchers at the UK's Pen Test Partners discovered that once you log in to it via the wifi network (default password "88888888"), you can root it and control it from anywhere in the world.
Read the rest “Camera-equipped sex toy manufacturer ignores multiple warnings about horrible, gaping security vulnerability”
Wikileaks' seismic Vault 7 release didn't follow the usual Wikileaks procedure: perhaps in response to earlier criticism, the organization redacted many of the files prior to their release, cutting names of CIA operatives and the sourcecode for the cyber-weapons the CIA had developed, which exploit widely used mobile devices, embedded systems, and operating systems.
Read the rest “Wikileaks offers tech giants access to sourcecode for CIA Vault 7 exploits”
Last month, a hacker took 900GB of data from Cellebrite, an Israeli cyber-arms dealer that was revealed to be selling surveillance and hacking tools to Russia, the UAE, and Turkey.
Read the rest “This dump of Iphone-cracking tools shows how keeping software defects secret makes everyone less secure”
In March 2015, IOActive's Ruben Santamarta privately disclosed his findings on the major bugs in Panasonic's Avionics IFE in-flight entertainment systems; 18 months later, it's not clear whether all airlines have patched these bugs.
Read the rest “Panasonic's in-flight entertainment systems have critical security flaws”
Justin Shafer was roused from his bed this week by thunderous knocking at his North Richland Hills, Texas home, and when he opened the door, found himself staring down the barrel of a 'big green' assault weapon, wielded by one of the 12-15 armed FBI agents on his lawn.
Read the rest “Security researcher discovers glaring problem with patient data system, FBI stages armed dawn raid”
It's like Bad USB, with extra Thunderbolt badness: Web-based attacks can insert undetectable malicious software into a Mac's UEFI/BIOS, which spreads to other machines by infecting Thunderbolt and USB devices.
Read the rest “Proof-of-concept firmware worm targets Apple computers”