
Microsoft’s post-mortem into how China-linked attackers accessed cloud email accounts for US gov’t organisations is an incredible read, and it shows how a chain of mistakes and vulnerabilities in the cloud can lead to a real mess. The attackers probably couldn’t believe their luck. In cloud email security poker, it's a royal flush.

A Microsoft engineer account gets hacked. Engineer has access to a sensitive crash dump, which due to a race condition vulnerability still contained a consumer signing key. That expired consumer signing key works for – boom! – enterprise email due to some validation errors. After forging some Azure Active Directory (AD) access tokens, the attackers crack open the email accounts of the State and Commerce departments. #infosec

Story by @dangoodin https://arstechnica.com/security/2023/09/hack-of-a-microsoft-corporate-account-led-to-azure-breach-by-chinese-hackers/

Microsoft finally explains cause of Azure breach: An engineer’s account was hacked

Other failures along the way included a signing key improperly appearing in a crash dump.


NEW: Using a Flipper Zero, a security researcher has demonstrated that anyone can flood nearby iPhones with annoying and persistent pop-ups.

Researcher says this can be used as a "prank," but also effectively as a denial of service.

“It’s not just a minor inconvenience; it can disrupt the seamless experience that Apple users are accustomed to,” he said.

https://techcrunch.com/2023/09/05/flipper-zero-hacking-iphone-flood-popups/


if there were a website called "we will pay anyone 3 million untraceable dollars to murder a specific member of the EFF" i wonder if the EFF would change its tune on whether it's sometimes justifiable for tier 1 ISPs to take something off the internet. or if that specific member would just be expected to take one for Team The Abstract Principle Of Free Speech.
that's basically what everyone who understands that k*wif*rms has a literal body count has been telling them.

Find of the day - someone dropped an AtlasVPN #0day on Reddit. The AtlasVPN daemon on Linux runs an HTTP server to accept CLI commands, it binds to 127.0.0.1:8076 by default.

What's hilarious is that it accepts commands without ANY authentication - so if you open a malicious webpage, that webpage can fire a POST to 127.0.0.1:8076/connection/stop and instantly disconnect your VPN.

Utter garbage.

Source: https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/

Proof below - used AtlasVPN's latest Linux client, version 1.0.3.

AtlasVPN Linux Client 1.0.3 Remote Disconnect Exploit

*Throwaway for obvious reasons.* The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN linux client and...

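The flaw described above is a local control API that trusts anything arriving on 127.0.0.1. As an added example (my code, not AtlasVPN's and not from the Reddit post), here is the request-authorization check such a daemon should run before acting on a command. It keeps the listen address and the `/connection/stop` path from the post; the per-boot token file and the `X-Control-Token` header are assumptions.

```python
"""Authorizing commands on a localhost-only control API.

Added example; not AtlasVPN code. It shows the checks that stop a web page in
the user's browser from driving a local daemon over HTTP. Assumptions: the
daemon listens on 127.0.0.1:8076 (the address from the post); at startup it
writes a random token to a file only the local user can read, and the CLI
sends that token in a hypothetical `X-Control-Token` header.
"""
import hmac
import secrets

LISTEN_HOST = "127.0.0.1:8076"
TOKEN_HEADER = "x-control-token"  # hypothetical header name


def new_session_token() -> str:
    """Per-boot secret, shared only with local processes via the token file."""
    return secrets.token_hex(32)


def authorize(headers: dict, expected_token: str) -> tuple[bool, str]:
    """Decide whether an incoming request may execute a command.

    Returns (allowed, reason). Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Browsers attach an Origin header to cross-origin POST/fetch requests;
    #    a CLI talking to its own daemon never sends one. Its mere presence
    #    says "a web page made this request", so refuse regardless of value.
    if "origin" in h:
        return False, "Origin header present: request came from a web page"

    # 2. The Host header must name the loopback socket we bound. A request
    #    that arrived via a DNS-rebinding page carries the attacker's hostname,
    #    because the browser fills Host from the URL it resolved.
    if h.get("host") != LISTEN_HOST:
        return False, f"unexpected Host {h.get('host')!r}"

    # 3. A secret only local processes can read, compared in constant time.
    #    This check alone keeps page script out, since it cannot read the
    #    user's files; checks 1 and 2 are defense in depth.
    supplied = h.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return False, "missing or wrong control token"

    return True, "ok"


def handle(method: str, path: str, headers: dict, token: str) -> int:
    """Minimal dispatcher returning an HTTP status: state-changing commands
    such as /connection/stop require POST and a passing authorize()."""
    if method != "POST":
        return 405
    allowed, _reason = authorize(headers, token)
    if not allowed:
        return 403
    if path == "/connection/stop":
        return 200  # the real daemon would tear down the tunnel here
    return 404


if __name__ == "__main__":
    tok = new_session_token()
    cli = {"Host": LISTEN_HOST, "X-Control-Token": tok}
    page = {"Host": LISTEN_HOST, "Origin": "https://attacker.example"}
    print("CLI  :", handle("POST", "/connection/stop", cli, tok))   # 200
    print("page :", handle("POST", "/connection/stop", page, tok))  # 403
```

The strict Host comparison means the CLI must connect to exactly `127.0.0.1:8076`, not `localhost:8076`; that is deliberate, since `localhost` can resolve to more than one address.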

Just published a blog post about the crates.io malware typosquatting incident a couple of weeks ago — basically, what happened, and what we did in response on the crates.io team: https://blog.rust-lang.org/inside-rust/2023/09/01/crates-io-malware-postmortem.html

You can also read this in conjunction with this blog post from Phylum, who reported this incident: https://blog.phylum.io/rust-malware-staged-on-crates-io/ — our thanks again to @louislang!

#rust

crates.io Postmortem: User Uploaded Malware | Inside Rust Blog


Never in my life would I have expected a cybersecurity issue (at least not a non-food safety issue) to result in a food recall

Add this to your risk assessments

This article with quotes from Apple on why it killed the CSAM photo scanning initiative is the first thing I’ve seen from the company explaining their decision. https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/

Apple's Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy

Child safety group Heat Initiative plans to launch a campaign pressing Apple on child sexual abuse material scanning and user reporting. The company issued a rare, detailed response on Thursday.

Terrible idea: NYC's Metropolitan Transportation Authority allowing you to track someone's movements by entering their credit card number (good reporting by @josephcox )
Good idea: subscribing to 404 Media (I just did)
https://www.404media.co/i-tracked-nyc-subway-rider-home-omny-mta/

I Tracked an NYC Subway Rider's Movements with an MTA ‘Feature’

“Obviously this is a great fit for abusers,” an expert on domestic violence and cybersecurity said.

"A fake version of the private messaging app Signal has found a way onto Google Play and appears to be linked to a Chinese spy operation, researchers claimed on Wednesday." https://www.forbes.com/sites/thomasbrewster/2023/08/30/malicious-signal-app-planted-on-google-play-by-china-linked-cyber-spies/

A Fake Signal App Was Planted On Google Play By China-Linked Hackers

Hackers who previously targeted Uyghurs evaded Google Play security checks to push a fake Signal app for Android. It uses a never previously-documented method to spy on the encrypted comms tool.


FYI, when a website erases your text that you just spent an hour writing, you can use this little trick to recover it 99% of the time:

1. find the firefox pid

$ pgrep -l firefox

2. attach gdb to firefox and dump its core

$ sudo gdb <pid>
gcore firefox.dump
<this takes awhile>
quit
<firefox dies>

3. find your lost text in the coredump

$ strings firefox.dump | grep "a unique word/sentence from ur text"

i just did this today to recover a long post i wrote, and figured i'd show others!!
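The same recovery as an added Python script (mine, not the poster's commands). It covers step 2 as a non-interactive gdb invocation and replaces the `strings | grep` of step 3 with a search that also finds UTF-16LE copies of the text, which browsers use for much of their string storage and which `strings` skips by default, then prints context around each hit and drops duplicates. The default dump file name is the one from the post; the rest is assumption.

```python
"""Pull lost text back out of a process core dump.

Added example, not the poster's commands. The dump is assumed to come from
gdb's gcore, as in the post; "firefox.dump" is just the default file name.
"""
import mmap
import re
import subprocess
import sys

CONTEXT = 120  # bytes kept either side of a hit


def gcore_command(pid: int, out: str = "firefox.dump") -> list[str]:
    """argv for a non-interactive form of the post's step 2: attach with -p,
    run gcore, and let -batch exit gdb once the command list is done."""
    return ["gdb", "-p", str(pid), "-batch", "-ex", f"gcore {out}"]


def dump_core(pid: int, out: str = "firefox.dump") -> None:
    """Run the gcore step with sudo; raises if gdb fails."""
    subprocess.run(["sudo"] + gcore_command(pid, out), check=True)


def find_text(data, needle: str, context: int = CONTEXT) -> list[str]:
    """Return a decoded snippet around every occurrence of `needle`, whether
    the process held it as UTF-8 (or ASCII) or as UTF-16LE. `data` is any
    bytes-like object, so an mmap of a multi-gigabyte core works too."""
    hits = []
    for enc in ("utf-8", "utf-16-le"):
        pat = re.escape(needle.encode(enc))
        for m in re.finditer(pat, data):
            lo = max(0, m.start() - context)
            hi = min(len(data), m.end() + context)
            if enc == "utf-16-le":
                lo += (m.start() - lo) % 2  # keep the slice on a code-unit boundary
            text = data[lo:hi].decode(enc, errors="replace")
            # control characters and undecodable bytes become '.', like strings(1)
            hits.append("".join(c if c.isprintable() or c == "\n" else "." for c in text))
    return hits


def unique(hits: list[str]) -> list[str]:
    """Core dumps hold many copies of the same string; keep the first of each."""
    seen, out = set(), []
    for h in hits:
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: recover.py <coredump> '<unique phrase from your text>'")
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for snippet in unique(find_text(mm, sys.argv[2])):
            print(snippet)
            print("-" * 60)
```

Produce the dump first with `sudo gdb -p <pid> -batch -ex 'gcore firefox.dump'` (or `dump_core(pid)` from a Python shell), then run the script against the file with a phrase you remember typing; raising `CONTEXT` recovers more of the surrounding paragraph per hit.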