Every F-35 squadron, no matter the country, has a 13-server ALIS package that is connected to the worldwide ALIS network. Individual jets send logistical data back to their nation’s Central Point of Entry, which then passes it on to Lockheed’s central server hub in Fort Worth, Texas. In fact, ALIS sends back so much data that some countries are worried it could give away too much information about their F-35 operations.
Source: F-35’s Hacking Vulnerability | Could the F-35 Be Hacked?
Hackers could conceivably introduce bad data in the JRE that could compromise the safety of a mission, shortening the range of a weapon system so that a pilot thinks she is safely outside the engagement zone when she is most certainly not.
It’s highly likely these vulnerabilities are a known detectable exploit vector. Any military aircraft should be able to perform its mission disconnected from a network — except for perhaps drones.
QUIC stands for “Quick UDP Internet Connections” and is, itself, Google’s attempt at rewriting the TCP protocol as an improved technology that combines HTTP/2, TCP, UDP, and TLS (for encryption), among many other things.
Source: HTTP-over-QUIC to be renamed HTTP/3 | ZDNet
Since then, HTTP-over-QUIC support was added inside Chrome 29 and Opera 16, but also in LiteSpeed web servers. While initially, only Google’s servers supported HTTP-over-QUIC connections, this year, Facebook also started adopting the technology.
Court says an attacker was only required to send malformed UDP packets to a target’s Steam client, which would have triggered the bug and allowed him to run malicious code on the target’s PC.
Source: Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years
This also appears to be happening with Xfinity’s protected browsing feature. A reader alerted us that, when he tried to access TorrentFreak, access was denied stating that a “suspicious” site was ahead.
Source: Comcast’s Protected Browsing Blocks TorrentFreak as “Suspicious” Site – TorrentFreak
Portugal isn’t the only country allowing tiering of internet services. In Britain, the internet service provider Vodaphone charges about $33 a month for basic service but offers several “passes” allowing unlimited video or music streaming, social media usage, or chat, at additional tariffs of up to $9.30 per month.
Source: Portugal’s internet shows us a world without net neutrality, and it’s ugly – LA Times
The U.S. software weapon would have allowed the spy agency’s hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print.
Source: Leaked NSA Malware Is Helping Hijack Computers Around the World
From: Security Update for Microsoft Windows SMB Server (4013389)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SpaceX hopes to start testing its satellites before the end of this year and continuing through the early months of 2018. If that’s successful, the company plans to launch satellites in phases between 2019 and 2024, after which the system will be at full capacity.
Source: SpaceX plans to start launching high-speed internet satellites in 2019
An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands.
Cisco said that there are “no workarounds” to address the vulnerability, but it said that disabling Telnet would “eliminate” some risks.
Source: Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files | ZDNet
The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except
<LF>. Guess what the JRE implementers forgot? Exactly − to check for the presence of
<LF>. This means that if we put
%0D%0A anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session.
Source: SMTP over XXE − how to send emails using Java’s XML parser – shift or die
So, if we send a
USER command to a mail server instead of a FTP server, it will answer with an error code (since
USER is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.
While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.”
The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there’s going to be so many of these things used by people with very limited understanding of what they are,” says Dine.
Source: How IoT hackers turned a university’s network against itself | ZDNet
The network that IoT devices must use should be isolated and secured by a firewall. This isn’t that difficult to do.