Category Archives: This Week in Security

This Week in Security: DNS DDOS, Revenge of the 15 Year Old Bug, and More

Another DDOS amplification technique has just recently been disclosed, NXNSAttack (technical paper here) that could be used against DNS servers.

We’ve covered amplification attacks before. The short explanation is that some UDP services, like DNS, can be abused to get more mileage out of a DDoS attack. The attacking machine …read more

Posted in ddos, Hackaday Columns, news, security hacks, This Week in Security

This Week in Security: Thunderspy, Facebook Breaking Everything, and More

Thunderspy was announced this week, developed by [Björn Ruytenberg]. A series of attacks on the Thunderbolt 3 protocol, Thunderspy is the next vulnerability in the style of Inception, PCILeech, and Thunderclap.

Inception and PCILeech were attacks on the naive Direct Memory Access (DMA) built into Firewire, Thunderbolt 1, and PCIe. …read more

Posted in Hackaday Columns, news, Pi-hole, security hacks, This Week in Security, Thunderspy

This Week in Security: Psychic Paper, Spilled Salt, and Malicious Captchas

Apple recently patched a security problem, and fixed the Psychic Paper 0-day. This was a frankly slightly embarrassing flaw that [Siguza] discovered in how iOS processed XML data in an application’s code signature, which allowed him access to any entitlement on the iOS system, including running outside a sandbox.

Entitlements …read more

Posted in android, Favicon, Hackaday Columns, news, security hacks, This Week in Security

This Week in Security: Fuzzing Fixes, Foul Fonts, TPM Timing Attacks, and More!

An issue was discovered in libarchive through Google’s ClusterFuzz project. Libarchive is a compression and decompression library, widely used in utilities. The issue here is how the library recovers from a malformed archive. Hitting an invalid header causes the memory in use to be freed. The problem is that it’s …read more

Posted in bitlocker, fuzzing, Hackaday Columns, news, security hacks, This Week in Security, Zombieload

This Week in Security: Signal, WhatsApp, Oauth Fishing, and More State-Sponsored Attacks

A bug was recently fixed in Signal that allowed a caller to force a call connection without any user interaction on the receiving side. We’ve seen this sort of problem in other chat applications, most recently the Zoom debacle.

The Signal client uses the same function to connect an outgoing …read more

Posted in double free, Hackaday Columns, oauth, This Week in Security

This Week in Security: Patch Monday Mysteries, CentOS 8 and CentOS Stream, Russian Surveillance, and CSRF

So first off this week is something of a mystery. Microsoft released an out-of-cycle patch for Internet Explorer. The exploitability assessment from Microsoft indicates that this bug is under active exploitation, but not many details are available. Let’s take a look at what information has been released, and see what …read more

Posted in CentOS, csrf, Hackaday Columns, security hacks, This Week in Security

This Week in Security: Zeroconf Strikes Again, Lastpass Leaks your Last Password, And All Your Data is Belong to Us

VoIP cameras, DVRs, and other devices running the Web Services Dynamic Discovery (WSDD) protocol are being used in a new type of DDoS attack. This isn’t the first time a zeroconf service has been hijacked as part of a DDoS, as UPnP has also been abused in similar ways.

Feel …read more

Posted in ddos, elasticsearch, Hackaday Columns, lastpass, security hacks, This Week in Security

This Week in Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, and NetCAT

We often think of SIM cards as simple data storage devices, but in reality a SIM card is a miniature Universal Integrated Circuit Card, or smart card. Subscriber data isn’t a simple text string, but a program running on the smart card’s tiny processor, acting as a hardware cryptographic token. …read more

Posted in Deepfake, Featured, sms, software hacks, This Week in Security

This Week in Security: Mass iPhone Compromise, More VPN Vulns, Telegram Leaking Data, and the Hack of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, …read more

Posted in 0-day, computer hacks, Hackaday Columns, ios, security hacks, This Week in Security, twitter

This Week in Security: VPN Gateways, Attacks in the Wild, VLC, and an IP Address Caper

We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.

It’s… not great. There …read more

Posted in backdoor, Hackaday Columns, security hacks, software hacks, This Week in Security, vlc