XZ – Backdoors and The Fragile Supply Chain – PSW #823
1. XZ – Backdoors and The Fragile Supply Chain – PSW #823
As most of you have probably heard, there was a scary supply chain attack against the open source compression software called "xz". The Security Weekly hosts will break down all the details and provide valuable insights.
- https://blog.qualys.com/vulnerabilities-threat-research/2024/03/29/xz-utils-sshd-backdoor
- https://gynvael.coldwind.pl/?id=782
- https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800
- https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
- https://github.com/amlweems/xzbot
- https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
- https://unicornriot.ninja/2024/xz-utils-software-backdoor-uncovered-in-years-long-hacking-plot/
- https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
- https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
- https://xeiaso.net/notes/2024/xz-vuln/
- https://infosec.exchange/@[email protected]
- https://github.com/notselwyn/cve-2024-1086?tab=readme-ov-file
- https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
2. It’s A Minifilter! – PSW #823
pfSense switches to Linux (April Fools?), Flipper panic in Oz, Tales from the Krypt, Funding to secure the Internet, Abusing SSH on Windows, Blinding EDR, more hotel hacking, Quantum Bleed, and more!
Announcements
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
We’d like to invite our listeners to be part of our prestigious 2024 SC Awards! Entries are officially open.
The SC Awards continue to serve as a beacon of excellence, recognizing the industry’s best solutions, organizations, and people that are advancing information security. This year, there are 34 categories, many updated to reflect trends in artificial intelligence, cloud security and continuous threat exposure management. This is your chance to shine among the brightest in the cybersecurity world.
Take advantage of the early bird rate by April 12! Visit securityweekly.com/scawards to submit your entries by May 31st!
- 1. Google fixes two Pixel zero-day flaws exploited by forensics firms
I was hoping for a universal carrier unlock, maybe: "Google has fixed two Google Pixel zero-days exploited by forensic firms to unlock phones without a PIN and gain access to the data stored within them."
- 2. A Security Exploit Is in the Air
Your camera is watching, always: "With this knowledge, the electromagnetic signals could be captured from a distance and reconstructed into video frames, all while bypassing any security measures that might be in place."
- 3. SSHishing – Abusing Shortcut Files and the Windows SSH Client for Initial Access
Whaaaaat? "ssh.exe is able to spawn cmd.exe and execute commands even when it has been disabled via GPO" - The demo is crazy, get the user to click a shortcut and shovel a shell and some creds. Bravo I say, Bravo!
- 4. Funding the Organizations That Secure the Internet
"Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding or subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short." and this: "In an effort to combat this dilution of responsibility and dearth of financial support, global policymakers and representatives from nonprofits, philanthropy, and fundraising organizations recently launched Common Good Cyber, an initiative aimed at building sustainable funding models to support those that secure the Internet for everyone." - My question is this: If we had funds available, who should get the funding to secure the Internet and why?
- 5. Qualcomm Security Flaws Let Attackers Takeover The Devices
I haven't seen much published about this one: "Vulnerabilities present on Qualcomm’s popular chipsets and modems are desirable to hackers intending to breach devices ranging from smartphones to IoT devices. By exploiting such vulnerabilities, attackers can evade security protocols via multiple malicious acts, which indicates an immediate response from Qualcomm."
- 6. Declassified NSA Newsletters
"Through a 2010 FOIA request (yes, it took that long), we have copies of the NSA’s KRYPTOS Society Newsletter, “Tales of the Krypt,” from 1994 to 2003."
- 7. IBIS hotel check-in terminal keypad-code leakage
"If the hotel reception is not staffed, guests can register via a check-in terminal. The terminal also supports the lookup of existing bookings. With a booking ID, guests can look up their room number and keypad code. However, when entering a '------' as booking ID, the check-in terminal lists other people's bookings and keypad codes." - I love that a hacker, now known as Martin '------' Schobert (Pentagrid), was fuzzing a terminal and thought "What would happen if?" and entered 6 dashes into the booking ID field to see what would happen. I want the video of his reaction when this worked for the first time. Bravo Martin!
- 8. Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed!
Interesting take: "It is important to note the difference between quantum RSA decryption and non-quantum RSA cracking. The latter could, technically, have already occurred. National intelligence agencies could have achieved this – but they would keep it secret and for their own use only. Achieving full quantum computing would be too massive to hide. Knowledge would escape"
- 9. pfSense® Software Embraces Change: A Strategic Migration to the Linux Kernel
April Fools' joke?
- 10. Pwn2Own Toronto 2023: Part 5 – The Exploit – Compass Security Blog
Extremely detailed account, in a five-part blog post series, on attacking a Synology BC500 camera.
- 11. Flipper Zero Panic Spreads To Oz: Cars Unaffected
The article states: "A feature of coming to adulthood for any young person in the last quarter of the twentieth century would have been the yearly warnings about the danger of adulterated Halloween treats. Stories were breathlessly repeated of apples with razor blades in them, or of chocolate bars laced with rat poison, and though such tales often carried examples of kids who’d died horrible deaths in other far-away places, the whole panic was (as far as we know) a baseless urban legend." - I put this right up there with waiting 30 minutes after you eat before swimming, Rock n' Roll is the devil's music, and consuming caffeine as a child will stunt your growth. Throw in there "the Flipper Zero is a dangerous hacking tool that people use to do things such as steal cars". None of these things, as it turns out, are actually true.
- 12. Abusing MiniFilter Altitude to blind EDR
This is really neat: "If you gain local admin privilege access to a host with an EDR solution, you can potentially evade detection by blinding the kernel callbacks that the EDR relies on. This can be achieved by exploiting a minifilter driver, such as the Sysmon driver. Although a reboot of the host is required, this approach is far easier than finding a new Bring Your Own Vulnerable Driver (BYOVD) or attempting unsigned driver exploitation, which is not always an option."
- 1. AI hallucinates software packages and devs download them – even if potentially poisoned with malware
Generative AI systems hallucinate and recommend that developers install packages with names that look reasonable but don't actually exist. A researcher registered a package under one such hallucinated name, and it was downloaded and installed thousands of times by developers.
- 2. Rust developers at Google are twice as productive as C++ teams
There's been a shift in awareness across the software development ecosystem about the challenges of using non-memory-safe languages. The reason is that the majority of security vulnerabilities in large codebases can be traced to memory safety bugs. And since Rust code can largely, if not totally, avoid such problems when properly implemented, memory safety now looks a lot like a national security issue. Rewriting C++ code in Rust increases efficiency: "In every case we've seen a decrease by more than 2x in the amount of effort required to both build the services in Rust as well as maintain and update those services written in Rust"
- 3. Google agrees to delete Incognito data despite prior claim that’s “impossible”
Google collects browsing data from Chrome in Incognito mode, which led to a lawsuit. Now Google has agreed to delete billions of data records reflecting users' private browsing activities.
- 4. Number of Chinese Devices in US Networks Growing Despite Bans
Despite the US ban on some Chinese equipment, the number of China-made devices in US networks has increased by more than 40% in the past year, from 185,000 in February 2023 to nearly 300,000 in February 2024.
- 5. Microsoft, Quantinuum claim breakthrough in quantum computing
A fundamental limit on quantum computing is noise in the qubits. Now Microsoft applied an error-correction algorithm that it wrote to Quantinuum's physical qubits, yielding about four reliable qubits from 30 physical ones. That is the best ratio of reliable qubits from a quantum chip that has ever been shown.
- 6. New Chrome feature aims to stop hackers from using stolen cookies
Google announced a new Chrome security feature called 'Device Bound Session Credentials' that ties cookies to a specific device, blocking hackers from stealing and using them to hijack users' accounts. DBSC links the authentication process to a new public/private key pair generated using your device's Trusted Platform Module (TPM) chip; the private key can't be exfiltrated and is securely stored on your device, so even if an attacker steals your cookies, they won't be able to access your accounts.
- 7. NIST’s backlog of vulnerability analysis blamed on lack of support
Since mid-February, NIST has fallen behind in its role of adding essential enrichment information to new CVE entries: the institute analyzed only 199 of the 3370 CVEs it received last month. This appears to be a result of funding cuts and lack of staff. However, they expect to restore operations within two weeks.
- 8. Feds finally decide to do something about years-old SS7 spy holes in phone networks
SS7's problems have been known about for years and years, as far back as at least 2008. It can be abused to track people's phones' locations; redirect calls and text messages so that info can be intercepted; and spy on users. Now the FCC is gathering comments as part of a process to fix these problems.
- 9. Microsoft faulted for ‘cascade’ of failures in Chinese hack
The Cyber Safety Review Board found shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency over what Microsoft knew about the origins of the breach. The 2023 Microsoft intrusions exploited security gaps in the company’s cloud, allowing MSS hackers to forge credentials that enabled them to siphon emails from Cabinet officials.