Darknet market's peacemaker sentenced to 11 years in prison
Sealed with an XSS: Flaw in Go lang library could cause app issues
In Brief A Colorado man will spend more than a decade behind bars for trying to settle a few arguments, albeit on an online souk selling highly illegal stuff.
Bryan Connor Herrell, aka "penissmith" and/or "botah" has been sentenced to 11 years for his work as a sort of problem solver on the Alphabay crime market. The moderator was tasked with settling disputes between sellers and their customers, usually involving drugs.
In addition to handling disputes, he was also asked to watch for scammers who might give 'honest' drug dealers, identity thieves, and gun-runners a bad name. For his troubles, he was paid a nice chunk of Bitcoin.
Snowden was right: US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anywayREAD MORE
"Cases like these exemplify how the FBI and our international partners are eliminating the false promise of anonymity dark marketplaces claim to provide and are successfully dismantling criminal organizations which prey upon communities through use of sophisticated computer code,” said Sean Ragan, special agent in charge of the FBI Sacramento Field Office.
Go language found to contain cross-site scripting bug
A flaw in a library for the Go language could leave some applications vulnerable to cross-site scripting attacks.
Bug-hunters with RedTeam Pentesting GmbH have said the way Go code handles CGI and FastCGI requests could potentially create cross-site scripting holes that would only show up in the finished web application.
The problem arises because the Go application and the HTTP server itself handle data in different ways, and in some cases the data type for an upload will not be properly checked.
"For example, consider a web application which allows uploading PDF files and pictures," the team wrote. "During upload, the application checks (via the
DetectContentType() mentioned in the documentation) that the uploaded content is either "application/pdf" or "image/png" and rejects all other data. When an uploaded file is requested again, the application does not set a Content-Type header and depends on the auto detection."
The bug can be patched by updating to versions 1.14.8 and 1.15.1.
What an Os-lo blow! Norway's parliament hit with attack
A targeted attack on the Norwegian parliament has resulted in the email accounts of several lawmakers and their staffers being accessed by hackers.
Norway's government has confirmed the incident, saying that it was part of a "significant" operation aimed at members of the opposition Labour party. An exact number of accounts or details on exactly who was hacked were not given.
Details of the attack's impact are scanty. Reportedly, the country's National Security Authority has been called in to assist, and at this time it is not known who was behind the attack or their goals.
Cisco warns of critical Jabber bug
Headlining this latest crop of 16 security updates from Cisco is a patch for a critical security flaw in the Jabber messaging client.
The Windows version of Jabber has been found to contain a remote code execution flaw (CVE-2020-3495) which can be exploited simply by opening a message. The bug has been issued a CVSS score of 9.9 on a scale of ten.
"The vulnerability is due to improper validation of message contents," says Cisco.
"An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software."
Users and admins are advised to update to the latest version of the Jabber for Windows client to get the fix. Watchcom's Olav Sortland Thoresen was credited with the discovery.
WhatsApp sinks six flaws, including remote code bug
WhatsApp has issued fixes for six CVE-listed bugs in both the mobile and desktop versions of its client.
The bulletin is headlined by CVE-2020-1894. The stack write overflow for both Android and iOS would have potentially allowed for remote code execution when the target opened a malformed push-to-talk message.
Also addressed was an out-of-bounds write flaw in video calls (CVE-2020-1891), a URL validation bug in Android (CVE-2020-1890), a security bypass in the desktop client (CVE-2020-1889), an out-of-bounds write flaw in Android (CVE-2020-1886), and an input validation flaw on the desktop client (CVE-2019-11928).
In each case, the flaws have already been patched, so users can protect themselves by making sure they're running the latest version of the WhatsApp software. ®