SECURITY WARNINGS & Notices - Please post them here

[polonus]

Activist attacked by advanced targeted PHISHING: https://www.eff.org/deeplinks/2017/09/phish-future

Scary, are Big Brother agents fighting free expression that does not fits them well?

polonus

[polonus]

The Coming Software Apocalypse:

https://www.theatlantic.com/technology/archive/2017/09/saving-the-world-from-code/540393/

polonus

[Pondus]

Apple computers are at risk from flawed updates, researchers find
https://www.cnet.com/news/apple-macbook-vulnerable-firmware-updates/

Apple may not be alone
Smith said Windows computers likely have similar (or worse) problems, but he doesn't yet have data to support that suspicion.

[polonus]

Internet wide security update on hold: https://lists.dns-oarc.net/pipermail/dns-operations/2017-September/016766.html

There are a number of reasons why systems may not be ready to accept the new KSK key:

An old configuration with the 2010 key written into the code itself.
A failure to implement the RFC 5011 protocol that will automatically update the key.
Flaws or conflicts in software that prevent the automatic rollover from happening, or accepting the change when it does happen.
No matter what the reason, it is an indication of how incredibly difficult it is to update the internet on a network-wide basis. Just look at IPv6.

pol

[polonus]

Three new zero-days being abused in Word Press plug-ins:

https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/

PHP-based CMS, a disaster in the hands of the unsavvy!

polonus

[Pondus]

Every single Yahoo account was compromised by hackers
http://nordic.businessinsider.com/yahoo-3-billion-accounts-were-compromised-in-its-hacking-attack-2017-10?r=US&IR=T

https://www.bloomberg.com/news/articles/2017-10-03/yahoo-says-all-3-billion-users-probably-affected-by-2013-breach

http://www.marketwatch.com/story/every-yahoo-account-was-affected-by-2013-hack-verizon-now-says-2017-10-03

[polonus]

Win7 kernel security to be applied to Win10 kernel as well?

That is what Google wants: https://googleprojectzero.blogspot.nl/2017/10/using-binary-diffing-to-discover.html

polonus

P.S. See attached code txt attached, copyright 1989 by Dave Angel,  providing a mem-dump for fuzzers. (pol)

[Asyn]

Security Alert: User Info Breach
https://blog.disqus.com/security-alert-user-info-breach

[bob3160]

Security Alert: User Info Breach
https://blog.disqus.com/security-alert-user-info-breach

Ouch. Would be nice if they informed their users. 

[polonus]

Another vulnerable plug-in in Word Press: https://web.archive.org/web/20170817183628/https://wordpress.org/plugins/postman-smtp/

Patched by another developer: https://github.com/yehudah/Postman-SMTP

polonus

[Asyn]

Forrester.com Experienced A Cybersecurity Incident
https://go.forrester.com/blogs/forrester-com-experienced-a-cybersecurity-incident/

[Pondus]

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold
http://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/

[DavidR]

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold
http://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/

The only thing is that I'm not surprised about what MS gets up to or in this case doesn't get up to.

[Pondus]

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold
http://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/

The only thing is that I'm not surprised about what MS gets up to or in this case doesn't get up to.

Yepp you have to trust that your AV vendor has those exploits blocked
https://googleprojectzero.blogspot.no/2017/10/using-binary-diffing-to-discover.html

[polonus]

SS7 (Signalling System 7) protocol, is as holed as holed can be. Do no longer use SMS authentication!

Read: http://anonymous-news.com/how-hackers-can-use-two-factor-authentication-to-hack-your-gmail-empty-bitcoin-wallet/

polonus

P.S. Related threat -usb-cable with inbuilt-sim-card... https://secure.dshield.org/forums/diary/Whats+in+a+cable+The+dangers+of+unauthorized+cables/22904/

Damian