Category: privacy

The fragile PHP ecosystem continues to break down with holes like this. To be fair, this is a PHPMailer vulnerability. However this is likely to affect a large chunk of PHP sites as “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide”.

An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

Source: PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass

It has long been speculated that NSA is able to eavesdrop on even encrypted traffic. Researchers think they have figured out how.

The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.
…
It shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.
— How is NSA breaking so much crypto?

In order words, really expensive and dedicated hardware. Something only state actors can afford.

Haven’t I heard this before, you may ask. No, this is a different hack from the earlier one. It’s deja vu all over again.

Back in the days Yahoo was like Google or Facebook now. It’s hard to imagine how a company in such a superior position can end up in this state. Yahoo’s story serves as a cautionary tale for the current Internet darlings.

The company says the attack was separate from the breach that led to an earlier disclosure that 500 million accounts were hacked.

Source: Yahoo Says 1 Billion User Accounts Were Hacked

A long form article on the earlier story about NSO Group’s iPhone Zero-Days. Pretty long but easy to follow.

Last summer, Bill Marczak stumbled across a program that could spy on your iPhone’s contact list and messages—and even record your calls. Illuminating shadowy firms that sell spyware to corrupt governments across the globe, Marczak’s story reveals the new arena of cyber-warfare.

Source: How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World | Vanity Fair

Largest password breach so far – 500M users.

After earlier reports of a cybercriminal hack that affected 200 million users, the real breach turns out to be far more serious.

Source: Hack Brief: Yahoo Breach Hits Half a Billion Users

[2016-09-29]: Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say. ‘Cos it doesn’t affect the bottom line, no?

“Yahoo is already suffering. I don’t think they’ll suffer more because of this,” said Avivah Litan, a security analyst with the research firm Gartner.
Ouch.

It’s not a suspect breach. Change your Dropbox password now.

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that “someone has cobbled together a list of credentials that work on Dropbox” hacked either, but proper hacked to the tune of 68

Source: The Dropbox hack is real

Your secrets should be safe as long as your machine is not connected to any network right? Think again. There have been extremely innovative ways of transmitting information from unplugged (or what is known as air-gapped) computers to other devices, including:

• using inaudible acoustic signals via built-in speakers
• using GPU as a FM transmitter
• wireless keyboard/mouse
• computer fan

and now.. via the sound that a hard drive makes.

“DiskFiltration” siphons data even when computers are disconnected from the Internet.

Source: New air-gap jumper covertly transmits data in hard-drive sounds

TeamViewer is a very popular tool for remote access due to its ease of use and firewall bypassing capability. It is widely used by IT support, sysadmins, appliance manufacturer, Pos system makers, individuals etc. If this hack is real it would have huge ramifications for users of this tool.

Remote-control tool wobbles offline, blames bad passwords for compromises

Source: TeamViewer denies hack after PCs hijacked, PayPal accounts drained

Update (2016-06-04): Also reported here.