Monthly Archives: December 2016

PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass

The fragile PHP ecosystem continues to break down with holes like this. To be fair, this is a PHPMailer vulnerability. However this is likely to affect a large chunk of PHP sites as “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide”.

Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

Source: PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass

How is NSA breaking so much crypto?

It has long been speculated that NSA is able to eavesdrop on even encrypted traffic. Researchers think they have figured out how.

The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.

It shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.

Source: How is NSA breaking so much crypto?

In other words, really expensive, dedicated hardware. Something only state actors can afford.

Yahoo Says 1 Billion User Accounts Were Hacked

Haven’t I heard this before, you may ask. No, this is a different hack from the earlier one. It’s deja vu all over again.

Back in the day, Yahoo was what Google or Facebook are now. It’s hard to imagine how a company in such a dominant position could end up in this state. Yahoo’s story serves as a cautionary tale for the current Internet darlings.

The company says the attack was separate from the breach that led to an earlier disclosure that 500 million accounts were hacked.

Source: Yahoo Says 1 Billion User Accounts Were Hacked

How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World | Vanity Fair

A long-form article on the earlier story about NSO Group’s iPhone zero-days. Pretty long, but easy to follow.

Last summer, Bill Marczak stumbled across a program that could spy on your iPhone’s contact list and messages—and even record your calls. Illuminating shadowy firms that sell spyware to corrupt governments across the globe, Marczak’s story reveals the new arena of cyber-warfare.

Source: How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World | Vanity Fair