Security researchers at ERNW disclosed a vulnerability in Android bluetooth stack that lets attackers silently deliver malware to and steal data from nearby phones simply knowing the Bluetooth MAC address of the target (easy to guess just by looking at the WiFi MAC address).

A vulnerability (CVE-2020-2100), discovered by Adam Thorn from the University of Cambridge, may allows attacker to abuse internet-facing Jenkins servers to mount and amplify reflective DDoS attacks.

The OWASP Amass Project is tool developed to help information security professionals during the mapping process of attack perimeter.

It allows DNS enumeration, attack surface mapping & external assets discovery, using open source information gathering and active reconnaissance techniques.

SpiderFoot is an OSINT automation tool for reconnaissance process, written in Python 3 and GPL-licensed.

Recently, developers of famous messaging app acknowledged and patched a major vulnerability that gave malicious users the ability to access files on a victim’s computer.

A target user may fall prey to this attack simply clicking a disguised link preview sent via the messaging app: a really easy mistake for users to make. 

Last December, in a talk at 36th Chaos Communication Congress, Samuel Groß presented a technical report about the infamous iOS vulnerability that allowed remote code execution on all iDevices up to iOS 12.4, within a couple of minutes and without user interaction.

A team of researchers from University of Michigan (Stephan van Schaik, Marina Minkin, Andrew Kwong and Daniel Genkin) and University of Adelaide (Yuval Yarom) recently presented a new attack technique that targets Intel CPUs.

The SIM hijacking, also know as SIM swapping, is an attack where a criminal contacts the cell phone provider of a target user, and convinces it (sometimes involving employees of the phone company) to switch target’s account to a SIM that he control.
Since smartphones are often used as a security measure/verification system, this allows the fraudster to take over accounts of the target.

In a previous article [1], I’ve started to talk about DevSecOps and the concept of “shifting left” security.
In order to move security checks to the early steps of development, a great help may be the presence of a security-aware person in every scrum team, the so-called “Security Champions“.

The recent deadly shooting last month at a naval air station in Pensacola, Fla., brought in the spotlight the issue of iOS security: attorney General William P. Barr requested Apple to provide access to two phones used by the killer.