Security

Local port forwarding is good when you want to use SSH to pivot into a non-routable network. But if you want to access services on a network when you can't configure port-forwarding on a router and don't have VPN access to the network, remote port forwarding is the way to go.

Remote port forwarding excels in situations where you want access to a service on an internal network and have gained control of a machine on that network via a reverse shell of some kind. Whether you're a pentester or system admin, this is a good thing to know about.

In September 2017, security researcher Josip Franjković discovered an issue with Facebook’s partners portal, which leaked users’ email addresses. The bug was discovered after one of the researcher’s sites was approved to participate in the Free Basics project by Facebook.

What the researcher discovered was a medium-high impact privacy bug where adding a new admin user would leak their email address in subsequent notification emails.

The confidential source code to Apple's iBoot firmware on iOS devices was leaked on GitHub.

Motherboard's Lorenzo Franceschi-Bicchierai reported on Wednesday that someone posted the iBoot source code on a GitHub repository. The code had been posted by a new user on Reddit last year, but very few people took notice of it until the code was uploaded this week to GitHub, where anyone could find it.

Microsoft is trying to kill the password, and it’s about time. This week, the company said the next test version of its stripped-down Windows 10 S operating system will strip out passwords as well, by default. If you go through setup as recommended, you’ll never get a password option.

But killing the password altogether will take more work and time — and the problem may get worse before it gets better.

Exploit aggregator and seller Zerodium is now trying to attract hackers finding flaws in Linux operating system. The firm will offer bug bounties of up to $45,000 for Linux security vulnerabilities. “Got a Linux LPE? Working with default installations of Ubuntu, Debian, CentOS / RHEL / Fedora? We are increasing our payouts to $45,000 per #0day exploit until March 31st, 2018,” the company announced on Twitter.

As more and more websites offer access over encrypted HTTPS, Chrome will soon brand any site served up over plain, unencrypted HTTP as "Not secure." Chrome 68, due for release in July, will start sticking the "Not secure" label in the address bar, as a counterpart to the "Secure" label and padlock icon that HTTPS sites get.

This is a continuation of a change made in January of last year where Chrome would brand HTTP sites with password forms as being "Not secure."

Financially motivated cybercriminals always go for low–hanging fruit. That means leveraging existing attack tools rather than developing new ones, using the same attack on as many victims as possible and targeting mass amounts of devices. Research shows that in the last few months, those “fruits” have started to include assets that are generally more difficult to patch: servers.

Last month, we reported on hackers' accelerating efforts to get full control of the Nintendo Switch, allowing the popular system to run homebrew code and, potentially, pirated games. This week, the hacking team fail0verflow claimed a major advance in that effort, tweeting a picture showing Linux booting up on the machine.

Two men have been charged with stealing as much as $50,000 through "Jackpotting," a crime that causes malware-infected ATMs to rapidly empty their cash reserves to waiting accomplices.

The tools used by security researchers, penetration testers, and "red teams" often spark controversy because they package together, and automate, attacks to a degree that make some uncomfortable—and often, those tools end up getting folded into the kits of those with less noble pursuits. AutoSploit, a new tool released by a "cyber security enthusiast" has done more than spark controversy, however, by combining two well-known tools into an automatic hunting and hacking machine—in much the same way people already could with an hour or two of copy-pasting scripts together.