Whilst finding vulnerabilities is a bad thing, having them found by white hat hackers is a good thing. Hackathons like this one prove that it can be constructive to get a group of them in to find and help fix vulnerabilities in your system before they are found in public and exploited to death before you have a chance to fix them.

The US Air Force's second security hackathon has paid dividends... both for the military and the people finding holes in its defenses. HackerOne has revealed the results of the Hack the Air Force 2.0 challenge from the end of 2017, and it led to volunteers discovering 106 vulnerabilities across roughly 300 of the USAF's public websites. Those discoveries proved costly, however. The Air Force paid out a total of $103,883, including $12,500 for one bug -- the most money any federal bounty program has paid to date.

 

www.engadget.com/2018/02/1…

An Intel flaw that has been sitting hidden for a decade has finally surfaced.

Being on the chip rather than the OS, it doesn’t affect a single OS – with Linux, Windows and MacOS being mentioned in this article.

www.linuxinsider.com/story/850…

Another vulnerability hits the news. Whilst similar to heartbleed in leaking memory contents, it does not seem to be too risky if you’re running it as a single user, and the memory leak isn’t huge quantities.

Saying that, this vulnerability also may also affect cloud systems. For example, on AWS, (which has httpd), doing a version check:

$ httpd -v Server version: Apache/2.4.27 (Amazon) Server built: Aug 2 2017 18:02:45

However, without knowing how Amazon have setup Apache behind the scenes, are we able to say definitely that we are/aren’t affected?

Source: Apache bug leaks contents of server memory for all to see—Patch now | Ars Technica

Flaw in remote management feature gives attackers a way to breach networks.

Source: Intel patches remote code-execution bug that lurked in chips for 10 years | Ars Technica

You’ve probably seen articles inducing panic around the number of android devices vulnerable to this Quadrooter bug. But read through the below first.

Another day, another overblown Android security scare. Who’s ready for a reality check?

Source: No, 900 million Android devices are not at risk from the ‘Quadrooter’ monster | Computerworld

Guys, gals, aardvarks, fishes: I'm running out of ways to say this. Your Android device is not in any immediate danger of being taken over a super-scary malware monster.

It’s a silly thing to say, I realize, but we go through this same song and dance every few months: Some company comes out with a sensational headline about how millions upon millions of Android users are in danger (DANGER!) of being infected (HOLY HELL!) by a Big, Bad Virus™ (A WHAT?!) any second now. Countless media outlets (cough, cough) pick up the story and run with it, latching onto that same sensational language without actually understanding a lick about Android security or the context that surrounds it.

To wit: As you’ve no doubt seen by now, our latest Android malware scare du jour is something an antivirus software company called Check Point has smartly dubbed “Quadrooter” (a name worthy of Batman villain status if I’ve ever heard one). The company is shouting from the rooftops that 900 million (MILLION!) users are at risk of data loss, privacy loss, and presumably also loss of all bladder control – all because of this hell-raising “Quadrooter” demon and its presence on Qualcomm’s mobile processors.

“Without an advanced mobile threat detection and mitigation solution on the Android device, there is little chance a user would suspect any malicious behavior has taken place,” the company says in its panic-inducing press release.

Well, crikey: Only an advanced mobile threat detection and mitigation solution can stop this? Wait – like the one Check Point itself conveniently sells as a core part of its business? Hmm…that sure seems awfully coincidental.

TL;DR: A “mobile threat detection and mitigration solution” is already present on practically all of those 900 million Android devices. It’s a native part of the Android operating system called Verify Apps, and it’s been present in the software since 2012….. Android has had its own built-in multilayered security system for ages now. There’s the threat-scanning Verify Apps system we were just discussing. The operating system also automatically monitors for signs of SMS-based scams, and the Chrome Android browser keeps an eye out for any Web-based boogeymen.

Computerphile explains Shellshock www.youtube.com/watch

And why are you still using Windows?

A flaw in Microsoft's Internet Explorer which leaves users vulnerable to hackers has not been fixed, despite its discoverer giving the company six months grace to do so before publishing details.

The IE flaw that Microsoft refuses to patch - Telegraph.

...when there is a need for a security patch or other bug fix, the person in control of implementation is…you. With closed source, you need to wait for the enterprise in control to fix the problem and make it available to users. For example, Akamai, one of the best, most sophisticated technology firms on the planet, is still working to address its Heartbleed vulnerabilities. Thus, users have no choice but to wait on Akamai for a complete fix. Open source users can do what they want with the code. They can use a patch that has been made available on Github, or can otherwise modify their code as they see fit. In fact, because Spree is open source and its users control their own code, they can choose to replace OpenSSL altogether if they so desire.

Has Heartbleed Made You Think Twice About Open Source Security? Think Again. | Spree Commerce.

Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday.

The bug was reportedly discovered by a member of Google's security team and a software security firm called Codenomicon.

A number of other websites may, according to a list being distributed on GitHub, be vulnerable to the bug as well.

The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages.

And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug has the ability to allow malicious operators to defeat this security layer and capture passwords as well as forge authentication cookies and obtain other private information.

A security patch for the bug was announced on Monday, but many websites are still playing catch up. That's why websites like the Tor Project are, only somewhat tongue-in-cheek, advising that you stay off the Internet this week if you really care about your security.

Widespread Encryption Bug, Heartbleed, Can Capture Your Passwords.

Some software bugs are infinitely subtle and complicated. Others are comprehensible almost at a glance to anyone who dabbled in BASIC as a kid. The iOS 7 bug is in the latter group.

Did you see it? This function is called when a iPhone connects to an encrypted site over SSL: it’s meant to verify that the encryption key is being vouched for — digitally signed — by the operator of the website.

But notice the two “goto fail” lines, one after the other. The first one belongs there. The second is a typo. That extra, duplicative line diverts the program’s execution, like a bypass stent, right past a critical authentication check. The part where the digital signature is actually checked is dead code, never reached. Behind iPhone’s Critical Security Bug, a Single Bad ‘Goto’ | Threat Level | Wired.com.

Why Apple’s Recent Security Flaw Is So Scary.

On Friday, Apple quietly released iOS 7.0.6, explaining in a brief release note that it fixed a bug in which "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS." That's the understated version. Another way to put it? Update your iPhoneright now.

Oh, and by the way,OS X has the same issues—except there's no fix out yet.

I could make all manner of snarky comments on this, but I won’t.

iOS 7 bug lets you call any number from a locked homescreen (video).