
AWS EC2 Virtualization 2017

A very good summary of the advancement of virtualization technologies used in AWS EC2. The newest instance type offered is simply AWS Bare Metal, which provides all the hardware access with little performance overhead, while still retaining the benefits of cloud – elasticity etc.

AWS EC2 Virtualization 2017: explaining the different virtualization types, from emulation and binary substitution, paravirtualization and Xen, PV, HVM, and PVHVM modes, and the new Nitro hypervisor


Huge security flaw lets anyone log into a High Sierra Mac

This is as bad as it gets. While Apple’s hardware is still top-notch, the quality of their software – especially on macOS – seems to be going down. Too much emphasis on iOS?

Wow, this is a bad one. On Macs running the latest version of High Sierra (10.13.1 (17B48)), it appears that anyone can log in just by putting “root” in the..

Source: Huge security flaw lets anyone log into a High Sierra Mac

2017-11-30: Apple releases a fix
2017-11-30: The fix apparently broke file sharing on macOS. Software is hard. Period.


Experts can hack most CPUs since 2008 over USB by triggering Intel Management Engine flaw

Gaining full privileged access to the CPU just by plugging in a USB device? This is as serious as it sounds.

Positive Technologies plans to demonstrate at the next Black Hat conference how to hack over USB into Intel Management Engine of most CPUs since 2008.

Source: Experts can hack most CPUs since 2008 over USB by triggering Intel Management Engine flaw


A penetration tester’s guide to sub-domain enumeration

Sub-domain enumeration is one of the techniques used in penetration testing. The following article gives a good guide on how to start.

As a penetration tester or a bug bounty hunter, most of the time you are given a single domain or a set of domains when you start a…

Source: A penetration tester’s guide to sub-domain enumeration


Key Reinstallation Attacks – Breaking WPA2 by forcing nonce reuse

A serious weakness in WPA2 can allow sensitive information transmitted over Wi-Fi to be read. The KRACK attack is especially bad news for Android and Linux users.

This website presents the Key Reinstallation Attack (KRACK). It breaks the WPA2 protocol by forcing nonce reuse in encryption algorithms used by Wi-Fi.

via Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse


Accenture left a huge trove of sensitive data on exposed servers

Quite unforgivable for a company that does cloud consultancy.

According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database — the vast majority were stored in plaintext.

Source: Accenture left a huge trove of sensitive data on exposed servers


Computer virus hits US Predator and Reaper drone fleet

What could possibly go wrong..

A computer virus has infected the cockpits of America’s Predator and Reaper …

Source: Computer virus hits US Predator and Reaper drone fleet


World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns

It’s a sad day for the Web. Yes, the controversial EME (Encrypted Media Extensions) – basically an implementation of DRM – is now in all major browsers and the writing’s on the wall. But the W3C being complicit in this is just wrong. I’m glad that EFF is taking a strong stand on this important issue.

The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew — and the large corporate members continued to reject any meaningful compromise — the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. In essence, a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors — and every person who uses the web.

Source: World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns


Wanted: Weaponized exploits that hack phones. Will pay top dollar

Lucrative exploit market might just swing more people over to the dark side.

Exploit broker Zerodium ups the ante with $500,000 to target Signal and WhatsApp.

Source: Wanted: Weaponized exploits that hack phones. Will pay top dollar


Our Copyfish extension was stolen and adware-infested

Popular Chrome extension gets hijacked.

We log into our developer account and boom – our Copyfish extension is gone! It seems the hackers/thieves/idiots moved it to THEIR developer account. We currently have no access to it!

Source: Our Copyfish extension was stolen and adware-infested