Entries by Abel De Kat Angelino

BF-SIRT Newsletter 2018-22

Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip
The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, […]

BF-SIRT Newsletter 2018-21

BUG in GIT opens developers' systems up to attack.
Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository. Developers behind the open-source development Git tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and […]

BF-SIRT Newsletter 2018-20

VIRGINIA TECH AND DASHLANE ANALYSIS FIND RISKY, LAZY PASSWORDS THE NORM
Dashlane analyzed over 61 million passwords and uncovered some troubling password patterns. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech. The Virginia Tech project, described as “the first large-scale empirical analysis […]

BF-SIRT Newsletter 2018-19

Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
Don’t panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now. A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), […]

BF-SIRT Newsletter 2018-18

TWITTER URGES USERS TO CHANGE PASSWORDS DUE TO GLITCH
Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords. The social media company said that it found and has fixed the glitch, and its investigation shows […]

BF-SIRT Newsletter 2018-17

Know what Instagram knows – here’s how you download your data
Instagram, the visual story-centric social media platform owned by Facebook, has now added a long-requested feature: the ability for users to download their data – including images, posts and comments. Not to be cynical, but Instagram is not making this move out of the […]

BF-SIRT Newsletter 2018-14

Intel tells remote keyboard users to delete app after critical bug found.
On Tuesday, Intel warned of a critical escalation of privilege vulnerability (CVE-2018-3641) in all versions of the Intel Remote Keyboard that allows a network attacker to inject keystrokes as if they were a local user. The vulnerability received a Common Vulnerabilities and Exposure […]

BF-SIRT Newsletter 2018-10

Netflix could pwn 2020s IT security – they need only reach out and take
The container is doomed, killed by serverless. Containers are killing Virtual Machines (VM). Nobody uses bare metal servers. Oh, and tape is dead. These, and other clichés, are available for a limited time, printed on a coffee mug of your choice […]

BF-SIRT Newsletter 2018-09

Memcrashed – Major amplification attacks from UDP port 11211
Over the last couple of days we’ve seen a big increase in an obscure amplification attack vector – using the memcached protocol, coming from UDP port 11211. The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable […]

BF-SIRT Newsletter 2018-08

Apple fixes that “1 character to crash your Mac and iPhone” bug
Apple has pushed out an emergency update for all its operating systems and devices, including TVs, watches, tablets, phones and Macs. The fix patches a widely-publicised vulnerability known officially as CVE-2018-4124, and unofficially as “one character to crash your iPhone”, or “the Telugu […]