BU-CERT News

From threatpost.com

The vulnerability can be exploited to reveal limited traffic data including a device’s IP address.

An unpatched bug in the latest version of Apple’s iOS is blocking virtual private network (VPN) applications from cloaking some private data transmitted between a device and the servers they are requesting data from. While the bug remains unpatched, Apple is suggesting steps users can take to reduce risk, researchers state.

The bug, outlined in a report by ProtonVPN, impacts Apple’s most recent iOS 13.4. The flaw is tied to the way VPN security software loads on iOS devices. Post launch, VPN software is supposed to terminates all internet traffic and reestablishes connections as encrypted and protected. Researchers said the Apple VPN bypass bug in iOS fails to terminate all existing connections and leaves a limited amount of data unprotected, such as a device’s IP address, exposing it for a limited window of time.

Read more…

From latesthackingnews.com

Fake Chrome Update Distributing Backdoor Analysts from Dr.Web have found hackers actively targeting users with a malicious Chrome update. This update runs a backdoor on the target device which then facilitates subsequent malware attacks. According to their report, this phishing campaign is in the wild where the hackers are distributing malware after hacking different websites. They managed to gain admin access to the target websites and embed malicious JavaScript code on the compromised pages.

Read more…

From isc.sans.edu

In a couple of my recent diaries, we discussed two small unpatched vulnerabilities/weaknesses in Windows. One, which allowed us to brute-force contents of folders without any permissions[1], and another, which enabled us to change names of files and folders without actually renaming them[2]. Today, we’ll add another vulnerability/weakness to the collection – this one will allow us to cause a temporary DoS condition for the Explorer process (i.e. we will crash it) and/or for other processes. It is interesting since all that is required for it to work is that a user opens a link or visits a folder with a specially crafted file.

Read more…

From kalilinuxtutorials.com

Framework RapidPayload – Metasploit Payload Generator

Requirements

• OpenJDK 8 (JAVA) , or superiors versions .
• Metasploit
• Apktool
• Python3

Read more…

From gbhackers.com

Web application security, one of the most significant components in the web app extension, frequently gets ignored.

Within code development, app management, and visual design, web application security risks are frequently overlooked or are not accurately focused upon. And this can be detrimental to the organization.

If you are looking to increase the strength of web application security and want to go commercial with your app, then you are in the right place.

Read more…

From zdnet.com

Voter information for more than 4.9 million Georgians, including deceased citiens, has been published on a hacking forum over the weekend, on Saturday.

Personal information such as full names, home addresses, dates of birth, ID numbers, and mobile phone numbers were shared online in a 1.04 GB MDB (Microsoft Access database) file.

Read more…

From securityboulevard.com

BGP does a great job of identifying optimal paths across the internet, but its lack of security controls allows the protocol to be exploited.

Whenever someone asks me, “What is border gateway routing protocol (BGP)?” I always use the following analogy to explain it: BGP is like the postal service. When you address a letter and drop mail in your mailbox, it gets mailed to the destination by using people, trucks, airplanes or sorted in postal facilities. BGP works the same way but it travels across the internet, is much faster and instead of airplanes or postal facilities, routers, circuits and central offices are used to reach its destination.

Read more…