Are we winning? – Jason Healey – PSW #822

Only if you installed the Linux app yourself, and only if an attacker already has admin creds to the management interface, then a command injection is in play.

Basically, you can track your Flipper Zero as an AirTag (or other similar device).

I have not tested this yet, but it looks promising: "Among the capabilities of udev is the execution of scripts based on hardware events (such as detection), which makes it a good candidate to be employed as a persistence mechanism. To my surprise, at the time I ran into udev there was no subtechnique listed in MITRE ATT&CK matrix. This fact led me to start a mini-research and explore this possibility. In this article, I will share how I run into udev and how I could bypass the restrictions that it presents in order to use it as a persistence mechanism in a red team operation."

No details yet, however, the remediation is crazy: "All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades." And there are many of these in the wild: The vulnerability impacts over 3 million doors on over 13,000 properties in 131 countries. All locks using the Saflok system are impacted, including (but not limited to) Saflok MT, the Quantum Series, the RT Series, the Saffire Series and the Confidant Series. "

Fixes Pixiefail and some other things, this code was included in KVM and Qemu.

Yea, I mean, technically you can use a Flipper for this, but probably better off just using your laptop, a dongle, and Kismet (or a laundry list of other tools that Larry can recite from his brain).

Long and detailed post! I like that we are still abusing DHCP, still, today... The long and the short of it is: "The DHCP administrators group is a striking example of this concept. It provides its members with a strong set of permissions, but those permissions may also be abused by attackers. Especially in security, even the most well-intentioned features can be abused. Defenders should be aware of this potential risk, and treat this group with the appropriate caution. We hope this post has provided context and defensive measures against this threat."

I just think its neat that this software still exists, I went to training for PVCS in the 90s and it was used in a small software company I worked at while still in college! And, just like any other software, it has vulnerabilities: "These flaws, tracked as CVE-2024-1147 and CVE-2024-1148, could allow attackers to upload and download sensitive files from affected servers without authentication. Both vulnerabilities carry a high CVSS score of 9.8, underscoring the potential severity."

Attacks such as GoFetch can be problematic for organizations as they are difficult to remediate, either there is no fix available for the given hardware or the fix has negative performance impacts that cannot be overlooked.

Resolves some weird security issues related to zip file bombs, proxy-bypass on domain names, and symlink issues in the temp directory.

Neuralink, Elon Musk’s brain chip startup, released a video on Wednesday showing the company’s first patient using a laptop with just his mind.

Cookie pop-ups now show the number of “partners” that websites may share data with. Analysis of the top 10,000 most popular websites shows that dozens of sites say they are sharing data with more than 1,000 companies, while thousands of other websites are sharing data with hundreds of firms.

At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.

At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.

If we do not encrypt our data with a quantum-secure algorithm right now, an attacker who is able to store current communication will be able to decrypt it in as soon as a decade. While the currently proposed PQC algorithms have received a lot of cryptanalysis over the last decade, they are still somewhat less mature than classical cryptography, and our recommendation is to use them in a hybrid fashion, which requires an attacker to break both the classical and the post-quantum algorithm.

After public outcry, General Motors has decided to stop sharing driving data from its connected cars with data brokers. Last week, news broke that customers enrolled in GM's OnStar Smart Driver app have had their data shared with LexisNexis and Verisk.

A rare case in Danish court shows how automated clicks and fake accounts can earn hundreds of thousands of dollars on Apple Music and Spotify. Experts say it’s the tip of the iceberg.

Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. It uses a stealthy adversary-in-the-middle (AitM) attack that starts by sending the target a message containing a false URL for s Microsoft or Google service.

Ray is a widely used open-source AI framework, which distributes work among many servers, like a load balancer. However, its deployment is deliberately insecure and should only be used in closed, trusted networks. However, many developers don't know that and deploy it on public networks. This vulnerability allows attackers to take over the companies' computing power and leak sensitive data. This flaw has been under active exploitation for the last 7 months, affecting sectors like education, cryptocurrency, biopharma and more. Ray was informed of this problem long ago, but declined to correct it since it's not a bug, but intended functionality.