Yikes. "The fingerprints of over 1 million people, as well as facial recognition information... was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks." https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms
Matrix of affected web servers: https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752
"HTTP/2 Denial of Service Advisory"
"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."
Someone was able to put some ransomware in a DSLR Camera, exploiting the PTP protocol implementation.
Nice read about the incident response and investigation into a targeted attack.
Revealed: Microsoft Contractors Are Listening to Some Skype Calls https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls
"Detecting incognito mode in Chrome 76 with a timing attack"
WPA3 – two new vulnerabilities were discovered:
– CVE-2019-13377: Brainpool curves introduce a second class of side-channel leaks in the Dragonfly handshake of WPA3
– CVE-2019-13456: information leak in FreeRADIUS' EAP-pwd due to aborting when needing more than 10 iterations
– according to @vanhoefm (Twitter), "Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1"
3 reasons for a false sense of security:
– reason 1: Legacy configuration and outdated security tips
– reason 2: No threat model
– reason 3: No checks and no monitoring
Don’t just assume security; actually check it.
Nice overview about docker "container" capabilities.