Thought of the day:
Using "email@example.com" as your e-mail used for signing-into services not only helps track down who leaked it if you start receiving spam, but is also a moderate boon to security - *if* your credentials leak, potential attackers will have to actually figure out the "+something" part for all other services.
A recent version of CCleaner for 32bit Windows systems had been compromised in unidentified ways and sent at least some information about the system it was used on to an unknown third party: http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
This just came along over on G++: https://badbytes.blogspot.de/2015/10/the-other-keys.html
I wasn't aware that the RSA algorithm allows for multiple private keys that can be used to decrypt a message (is that kind of a "key collision" then?)...
ummm question for #infosec fediverse??? my friend just woke up to his computer being remote controlled by some russian nazi buying playstation gift cards on amazon for resale, trying to get into his coinbase, etc.
he pulled the network cable and investigated, found a remote control program configured to point to port 1488 of a domain registered to someone with a moscow address.
what, if anything, is the appropriate thing to report the details to? FBI? 🤔
Apropos named vulnerabilities, that Bluetooth thing (BlueBorne) looks pretty bad, for Android and Linux particularly: RCE in the lower layers of the Bluetooth stack, no authentication reqired...
Brian Krebs has spent some time on the background of the MalwareTech guy, and found him wearing quite a few black hats in the past...
Disable Intel IME (management platform on the CPU)
RCE and authentication bypass in HPE iLO4 firmware. No details on the exploit vector yet.
I trust no one has their iLO ports accessible from the Internet?
This seems good-ish:
Still, doesn't seem to be FLOSS, which means we would have to take their word for this. Or am I missing something?
Oh come on, i a tech-savvy group of people talking about cybersecurity, can we *PLEASE* stop using the words "hack", "hacked", and "hacker" to mean "compromise", "broken-into", "cybercriminal"?
It conflates government-paid professional malicious actors with a kid in a basement somewhere building a digital clock. Doesn't seem fair to the kid.
Secret chips in replacement parts can completely hijack your phone’s security