Table of Contents

  1. Mozilla
    1. Mozilla: Firefox Add-On Developers Must Use 2FA
  2. Crime
    1. Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
    2. N.J.’s Largest Hospital System Pays Up in Ransomware Attack
    3. Emotet Trojan is Inviting You To A Malicious Christmas Party
  3. Privacy
    1. High-School Students Find Spy Cams in Their Hotel Rooms
  4. Microsoft
    1. Microsoft: We never encourage a ransomware victim to pay
  5. Nginx
    1. Russian media group Rambler attempting to hold Nginx hostage
  6. Google
    1. Google to Force OAuth in G Suite to Increase Security
  7. GitHub
    1. Hacking GitHub with Unicode's dotless 'i'.
  8. Crypto
    1. Over 435K Security Certs Can Be Compromised With Less Than $3,000
  9. Exploit development
    1. #include </etc/shadow>

Mozilla

Mozilla: Firefox Add-On Developers Must Use 2FA

Firefox extension developers will be required to set up their accounts with two-factor authentication beginning early next year. Over the last year, several developers of Firefox extensions have had their accounts compromised, and their add-ons have been modified to add malicious code.

Crime

Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up

The ransomware gang behind the Pensacola and Southwire attacks has started publicly shaming companies that do not cooperate, threatening to release their data. It has already released 700MB of data from Allied Universal in the past.

N.J.’s Largest Hospital System Pays Up in Ransomware Attack

The ransomware attack earlier this month led the hospital system to reschedule surgeries and appointments. The hospital did not clarify how much ransom it paid, or whether its data has since been recovered.

Emotet Trojan is Inviting You To A Malicious Christmas Party

Emotet malware embedded in document macros is being sent in a spam campaign "inviting" victims to a Christmas party and asking them to wear their ugliest sweater.

Privacy

High-School Students Find Spy Cams in Their Hotel Rooms

High-school students from Wisconsin attending a conference in Minneapolis found spy cameras in their rooms at a downtown hotel, prompting a police investigation.

Microsoft

Microsoft: We never encourage a ransomware victim to pay

In a blog post, Microsoft has for the first time revealed its stance on ransom demands. In late 2015, the FBI found itself in the middle of a controversy when one of its agents publicly admitted that the bureau was recommending that victims pay the ransom demands. The FBI changed its official stance a few months later, after US senators sent letters asking why the agency was helping out criminals.

Nginx

Russian media group Rambler attempting to hold Nginx hostage

Nginx's co-founders were detained on criminal charges and now face civil suits. The move comes after the $670m acquisition of Nginx by F5 Networks. Since its registration in 2011, Rambler never raised any issues until the big money started flowing in. Rambler further claimed it was cutting ties with the "Lynwood" law firm that had filed the criminal complaint, but this seems likely to be a move for show only, since Lynwood Investments is tied to Alexander Mamut, a Russian billionaire who is a co-owner of Rambler itself. A successful, retroactive acquisition of the rights to Nginx would not just give Rambler access to that cash; it would also provide the ability to declare the entire open-source license of the Nginx platform invalid.

Google

Google to Force OAuth in G Suite to Increase Security

Google has announced that it will start blocking less secure apps (LSAs) from accessing G Suite starting February 2021, after an initial stage of limiting access during June 2020. Google advises developers to update their apps to use OAuth 2.0 as the connection method, and provides help on how to use the OAuth APIs. Microsoft also announced in September that basic authentication will be turned off starting October 2020.

GitHub

Hacking GitHub with Unicode's dotless 'i'.

GitHub had a flaw in which an email address containing a Unicode look-alike character (e.g. mıke@example.org, with a dotless 'ı') was improperly normalized so that it matched another account's address (mike@example.org), a consequence of Unicode case-conversion rules.
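The collision and the defensive pattern in runnable form, as an added example that is not GitHub's code. It shows that `str.upper()` maps the dotless 'ı' (U+0131) onto 'I', so an uppercase-and-compare lookup treats two different addresses as the same account, while NFC plus full case folding keeps them apart. It also shows that canonicalization alone is not enough (the Kelvin sign U+212A still folds to 'k'), so a password-reset flow should always mail the address stored on the account, never the caller-supplied string. The account store, `register()` and `reset_destination()` are assumed illustrative helpers, and all addresses are constructed samples.

```python
import unicodedata
from typing import Dict, Optional


def upper_key(email: str) -> str:
    """The risky comparison key: naive uppercasing of arbitrary Unicode.
    str.upper() maps U+0131 (dotless i) to 'I', so 'mıke' collides with 'mike'."""
    return email.upper()


def canonical(email: str) -> str:
    """Canonical lookup key: NFC normalization plus full Unicode case folding.
    casefold() leaves U+0131 unchanged, so 'mıke' and 'mike' stay distinct."""
    return unicodedata.normalize("NFC", email).casefold()


# Assumed account store (constructed for this example): canonical form -> address on file.
ACCOUNTS: Dict[str, str] = {}


def register(email: str) -> None:
    """Compute the canonical form once, at registration, and keep the raw address."""
    ACCOUNTS[canonical(email)] = email


def reset_destination(requested_email: str) -> Optional[str]:
    """Locate the account via the canonical key, but return the address ON FILE.
    Even if two inputs canonicalize to the same key (e.g. the Kelvin sign U+212A
    folds to 'k'), the reset link never goes to the attacker-typed string."""
    return ACCOUNTS.get(canonical(requested_email))


if __name__ == "__main__":
    victim = "mike@example.org"
    lookalike = "m\u0131ke@example.org"  # dotless i, constructed sample
    print("upper() collides:", upper_key(victim) == upper_key(lookalike))        # True
    print("casefold() collides:", canonical(victim) == canonical(lookalike))     # False
    register(victim)
    register("kate@example.org")
    print("reset for look-alike goes to:", reset_destination(lookalike))          # None
    print("reset for Kelvin-sign variant goes to:",
          reset_destination("\u212aate@example.org"))                             # kate@example.org
```

The design point is that the comparison function is only half the fix: whatever key is used for lookup, the sensitive action must act on the record that was found, not on the input that found it.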

Crypto

Over 435K Security Certs Can Be Compromised With Less Than $3,000

After analyzing millions of RSA keys and certificates generated on low-entropy, lightweight IoT devices, security researchers at Keyfactor discovered that more than 435,000 of them shared a prime factor with another key, making it easy to derive their private keys and compromise them.
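The audit technique behind that finding, as an added example (not Keyfactor's tooling): when two RSA moduli share a prime, a single GCD splits both, and from p and q the private exponent follows directly. The example uses constructed toy primes (the first five above 10**6) in place of real 1024-bit ones, does pairwise GCDs for clarity, and then verifies each recovered exponent by a round trip; at the scale of the study a product-tree batch GCD replaces the O(n^2) pairwise loop.

```python
from math import gcd

E = 65537  # the common public exponent

# Constructed toy primes; real certificates use 1024-bit or larger primes.
SAMPLE_PRIMES = [1000003, 1000033, 1000037, 1000039, 1000081]

# Three "certificates": the first two share the prime 1000033 (as poorly seeded
# devices do), the third one is independent and must survive the scan.
SAMPLE_MODULI = [
    SAMPLE_PRIMES[0] * SAMPLE_PRIMES[1],
    SAMPLE_PRIMES[1] * SAMPLE_PRIMES[2],
    SAMPLE_PRIMES[3] * SAMPLE_PRIMES[4],
]


def find_shared_factors(moduli):
    """Pairwise GCD across the collection.
    Returns {n: (p, q)} for every modulus that shares a prime with another one."""
    factored = {}
    for i, n in enumerate(moduli):
        for m in moduli[i + 1:]:
            g = gcd(n, m)
            if 1 < g < n:  # a non-trivial common factor breaks both keys at once
                factored[n] = (g, n // g)
                factored[m] = (g, m // g)
    return factored


def private_exponent(p, q, e=E):
    """d = e^-1 mod lcm(p-1, q-1); pow() raises ValueError if e is not invertible."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)


def recover_private_keys(moduli, e=E):
    """Map each compromised modulus to its recovered private exponent."""
    return {n: private_exponent(p, q, e)
            for n, (p, q) in find_shared_factors(moduli).items()}


def key_works(n, d, e=E, message=42):
    """Sanity check: the recovered d really inverts encryption under e."""
    return pow(pow(message, e, n), d, n) == message


if __name__ == "__main__":
    for n, d in recover_private_keys(SAMPLE_MODULI).items():
        print(f"n={n}: private exponent recovered, verified={key_works(n, d)}")
```

Running this over a fleet's own certificate inventory is a cheap internal check: any modulus the scan factors should be revoked and reissued from a properly seeded generator.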

Exploit development

#include </etc/shadow>

Some online tools that allow you to compile code run the compiler as the root user, so by trying to include /etc/shadow, the root hash can be discovered.