BF-SIRT Newsletter 2018-19

Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

Don’t panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now.

A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.

Top 5 Security links

Critical Linux flaw opens the door to full root access

Multi-stage email word attack without macros

GDPR phishing scam targets apple accounts

Hardcoded password found in Cisco Enterprise software, again

Another severe flaw in Signal desktop app

BF-SIRT Newsletter 2018-18


Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling  to change their passwords.

The social media company said that it found and has fixed the glitch, and its investigation shows no indication of a breach or misuse by anyone. While the company did not specify how many passwords were impacted, a Reuters report pegged the number at more than 330 million.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost. “We’re sharing this information so everyone can make an informed decision on the security of their account.

Top 5 Security links
Meow, click me , Meow
Facebook’s getting a clear history button
Medical devices vulnerable to KRACK Wi-Fi attacks
Security Trade-Offs in the new EU privacy law
Glitch: new ‘Rowhammer’ attack can remotely hijack Android phones

BF-SIRT Newsletter 2018-17

Know what Instagram knows – here’s how you download your data

Instagram, the visual story-centric social media platform owned by Facebook, has now added a long-requested feature: the ability for users to download their data – including images, posts and comments.

Not to be cynical, but Instagram is not making this move out of the kindness of its heart: the compliance deadline for GDPR is in a month and data portability is one of its many requirements.

Top 5 Security links
Biggest marketplace selling internet paralysing ddos attacks taken down
F-secure hack unlocks millions of hotel rooms with handheld device
When your CA turns against you
Pyromine uses nsa exploit for monero mining and backdoors

Apples latest updates are out apfs password leakage bug squashed

BF-SIRT Newsletter 2017-13

The top stories from this week is that Google will be reducing trust in Symantec certificates following numerous slip-ups. Also, VMware’s reported three bugs that probably deserve your urgent attention.

You can also read about the black box discovery of memory corruption RCE on, and the update from Apple that patches a large number of flaws in iOS and macOS.

Top 5 Security Links
Google Reducing Trust in Symantec Certificates Following Numerous Slip-Ups
It’s ESXi time for critical VMware patches
Black box discovery of memory corruption RCE on
Apple Patches Large Number of Flaws in iOS, macOS Updates
IIS 6.0 Vulnerability Leads to Code Execution

BF-SIRT Newsletter 2017-12

The top stories from this week is that US Senate just voted to let ISPs sell your web browsing data without permission. We also have information about the Apple iCloud ransom demands.

You can also read about how hackers are using fake cellphone towers to spread android banking trojan or about the critical Lastpass vulnerability.

Top 5 Security Links
US Senate Just Voted to Let ISPs Sell Your Web Browsing Data Without Permission
Apple iCloud ransom demands: The facts you need to know
Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
Critical bugs for Lastpass found in Chrome, Firefox add-ons
Easy Way to Hijack Privileged Windows User Session Without Password