Category: tech


This Security Alert addresses CVE-2017-10151, a vulnerability affecting Oracle Identity Manager. This vulnerability has a CVSS v3 base score of 10.0, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack. The Patch Availability Document referenced below provides a full workaround for this vulnerability, and will be updated when patches in addition to the workaround are available. Continue reading

Recently a new ransomware, called BadRabbit, infected systems in many countries, most of in East Europe, such as Ukraine and Russia. The malware was not totally new, it seems to be an evolution of the old NotPetya ransomware for some aspects, including: Continue reading

Several shimmers recently found inside Canadian ATMs. Source: RCMP.

Several readers have called attention to warnings coming out of Canada about a supposedly new form of card skimming called “shimming” that targets chip-based credit and debit cards. Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer on shimming attacks, and why they succeed. Continue reading

Crypto-currency miners represent an easy solution when it comes to taking advantage of a system’s computing power to earn some money, but can result in no gain if the mined coins are going to someone else’s wallet. Continue reading

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. Continue reading

It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. Continue reading

Yep, also confirmed by long-pressing the link in a browser. I’ve also installed the app and decompiled it. The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called “whatsapp.apk” Continue reading

Guidance on technical protection measures to those who produce, use, process, or standardize the specifications of electronic design intellectual property (IP) are provided in this recommended practice. Distribution of IP creates a risk of unsanctioned use and dilution of the investment in its creation. Continue reading

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed. Continue reading

List of unsecured devices lived in obscurity since June. Now, it’s going mainstream.

Continue reading