Vulnerabilities

Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves


White Hat hack. This time.

2 Likes

Rich Text Office files, who could have imagined that!

Microsoft has never seen a pure data file format yet that it didn’t go and stick some hook into to make it executable without warning. (Script, VBS, native code, byte code, hook to a COM object…) If there was a data format guaranteed by THOU SHALT NOT definitions not to have any auto-script capabilities, you’d still have to station people with cricket bats at Microsoft to stop them from adding that.

6 Likes

Is ODT better or just not used enough to be targeted?

I don’t know if ODT has any defined provision for auto-script on open, so it would depend on whose code was opening the file.

Back in the day, there was a Microsoft exploit in plain XML files, where if you slipped a UUID value in, it would look it up in the registry and try to open the file with whatever it was, no indication or warning.

lmao nice

1 Like

Everyone is warning about the BlueKeep exploit on legacy Windows boxes.

Apparently the thing to do is patch them, now, and Microsoft is even patching end-of-lifed versions.

And yet, I think there’s an XKCD for this. “Horribly wrong”. I never have Remote Desktop running on Windows boxes. On headless Pis, I switch it on, do stuff, disable it. I never punch a hole in the router to allow anyone from the Internet to even try that port. If I had to RDP from somewhere else, I’d set up a VPN rather than expose that port.

People should skip to the NSA’s suggested additional measures, and then worry about patching. If it’s not running, and no one can get to it, patching is a much lower priority.

1 Like

That’s been my thought exactly for a long time. Neither RDP nor VNC belongs out in the open.

If I expose SSH to the public, it’s configured for key-based authentication only. No key, no access.

1 Like

image http://2.bp.blogspot.com/-U8f3yzZQI2Y/TmGXrEq21UI/AAAAAAAAABo/vHeObBS6dqw/s320/no%2Bticky%2Bno%2Blaundry.PNG

Hacking these medical pumps is as easy as copying a booby-trapped file over the network

Patching is good, I guess, but somehow horribly wrong. The real problem is that people are making their Wi-Fi extenders (or anything they don’t have to) visible on the Internet.

2 Likes

Spin the wheel and find today’s leaky cloud DB… clack clack… clack A huge trove of medical malpractice complaints

1 Like

Heh. A nice article, but from the Washington Post, which won’t let me read anything if I block the slightest tracking site.

2 Likes

kevin mitnick is a huge jerk i refuse to give him press

this is a known issue with TOTP codes and other tools like dave kennedy’s “social engineering toolkit” can be used to similar aims

1 Like

okay dokey

To be clear, by huge jerk I don’t mean just “difficult to get along with”, but serious allegations of abusive behavior, doxing, and stealing others’ work and passing it off as his own.

I personally saw him be ejected from a charity fundraiser because he felt he shouldn’t have to pay the modest entry fee (IIRC 20 bucks?).

He nearly had to be physically ejected.

1 Like

Stop us if you’ve heard this one: US government staff wildly oblivious to basic computer, info security safeguards

2 Likes

Good news: NASA and Homeland Security just passed their government IT exams – and we really mean just

2 Likes

Scumbags can program vulnerable MedTronic insulin pumps over the air to murder diabetics – insecure kit recalled