Security Roundup - 2018-03-29

Processor based attacks continue to be researched. It should surprise no one that security researchers have begun a close inspection of the hardware platforms our software runs on. The latest one, called BranchPredictor, appears to be a compliment of Spectre. Where Spectre leverages cached branch predictions, BranchPredictor tries to prime branch prediction for exploitation. Meanwhile, Microsoft’s released a bad patch for Meltdown on Windows 7 machines allowing programs to read and write to arbitrary memory locations (including what would otherwise be protected kernel memory).

Your library account has expired. That is the beginning of a highly effective phishing hook that a set of hackers used for years resulting in hacks into at least 300 universities. The phishing lures were so successful that the text rarely changed over the course of four years, according to researchers into these campaigns.

DNS over HTTPS promises security, bring privacy concerns. DNS is one of the primary protocols used on the internet. It was, however, not built with security or privacy in mind, meaning that anyone able to monitor your traffic can what servers a user is trying to contact. DNS over HTTPS (DoH) is a proposed solution undergoing discussion at the IETF. In the wake of Facebook’s privacy leaks, privacy advocates worry that one level of privacy protection will enable more centralized points of spying.

Invasive introspection of microcontroller firmware. How far do you think one is willing to take to reverse engineer programs on a hardware chip? Researchers at Duo Security show you just how far down the rabbit hole they have gone.

GoScanSSH targets multiple devices. A new malware straing that has been active since at least June 2017 has been discovered by TalosIntel. What is of interest of this malware is its leveraging of Golang to target multiple hardware architectures. The software itself uses an extensive list of 7K usernames and passwords to break in, as well as a blacklist of IP blocks to try to avoid the scrutiny of government actors.

Written on March 29, 2018