When Public Payphones Become Smart Phones – Inbar Raz – PSW #855
1. When Public Payphones Become Smart Phones – Inbar Raz – PSW #855
If you've ever wondered how attackers could go after payphones that are "smart", we've got you covered! Inbar has done some amazing research and is here to tell us all about it!
Announcements
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
Guest
Inbar has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing that himself: he started programming at the age of 9 and reverse engineering at the age of 14. Inbar specializes in an outside-the-box approach to analyzing security and finding vulnerabilities, and the only reason he’s not in jail right now is because he chose the right side of the law at an earlier age. These days, Inbar is the VP of Research at Zenity, securing enterprise AI Agents, Copilots, and LowCode/No-Code environments.
2. The Number One Threat – PSW #855
XSS is the number one threat?, fix your bugs faster, hacking VoIP systems, AI and how it may help fuzzing, hacker gift guides, new DMA attacks, hacking InTune, Rhode Island gets hacked, OpenWrt supply chain issues, we are being spied on, Germans take down botnet, Bill and Larry are speaking at Shmoocon!, and TP-Link bans.
- 1. Hacking Discord for $5000 Bounty
- 2. Zero Day Initiative — Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger
- 3. Decoding the Volt Typhoon Attacks: Analysis & Defense
- 4. Yearlong supply-chain attack targeting security pros steals 390K credentials
- 5. Platform.sh team finds auth bypass in Go SSH package
- 6. CMMC Is Here – Are You Ready? (Better Late Than Never)
- 7. Breaking the Air Gap Through Hardware Implants
- 8. mjg59
- 9. Yahoo cybersecurity team sees layoffs, outsourcing of ‘red team,’ under new CTO
- 10. Zero Day Initiative — SolarWinds Access Rights Manager: One Vulnerability to LPE Them All
- 11. Cleo Harmony, VLTrader, and LexiCom – RCE via Arbitrary File Write (CVE-2024-50623)
- 12. CVE-2024-49112 – Security Update Guide – Microsoft – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- 13. Linux LKM Persistence
- 14. The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices
- 15. Attacking Cortex XDR from an unprivileged user perspective – SCRT Team Blog
- 16. CSPT the Eval Villain Way! · Doyensec’s Blog
- 17. GitHub – referefref/Rusty-Telephone: Exfiltrate data over audio output from remote desktop sessions – Covert channel PoC
- 18. From XSS Vulnerability to Full Admin Access
- 19. Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
- 20. Automated Network Security with Rust: Detecting and Blocking Port Scanners
- 21. Where There’s Smoke, There’s Fire – Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day
My 2nd favorite research blog is at it again! (My number 1 favorite is Eclypsium LOL). Turns out web server configuration is important.
- 22. XSS Ranked #1 Top Threat of 2024 by MITRE and CISA
I believe this is just ranked by number of occurrences. This data is not very useful. You'd have to remove the WordPress vulnerabilities to get any sort of accuracy, as the CVE/CWE data is skewed. WordPress represents a large percentage of software that is open-source and written by many different types of developers. Therefore, select organizations will just find vulnerabilities in WordPress, and since those organizations are CNAs, issue CVEs. Often the data in these CVE entries is not very accurate, often misrepresenting the versions that are vulnerable. Also, XSS is a pretty easy vulnerability to find in code compared to many other classes of vulnerabilities. So, this is not all that useful.
- 23. Why Can’t You Fix This Bug Faster?
Some great thoughts in this post:
- Partner with developers, don't view it as an us vs. them relationship
- Context matters, sometimes the researcher views the bug as more impactful than it really is
- I disagree with the local vs. remote impact assessment as attackers will chain vulnerabilities together and so often we see password-based attacks or authentication bypass vulnerabilities used in conjunction with local vulnerabilities.
- Sometimes you do have to be patient and wait to get something fixed, but I feel that too often too much time is given to fix a vulnerability
Disclosure is a messy process and every case is unique!
- 24. GitHub – Invicti-Security/brainstorm: A smarter web fuzzing tool that combines local LLM models and ffuf to optimize directory and file discovery
I believe we are just scratching the surface of where LLMs can take us with respects to these activities:
- Fuzzing
- Web Scraping
The above two activities are challenging for security professionals. Several new projects are attempting to use LLMs to help solve them. The problem is we haven't really solved it for ourselves, and LLMs are based on what we already know. Despite that, I am still excited for what the future brings as I love fuzzing and web scraping!
- 25. Ethical Hacker Gift Guide 2024 – TCM Security
Thoughts on this list? What would you add?
- 26. Scanners Beware: Welcome to the Network from Hell
This project aims to build on the Labrea Tarpit from Tim Liston: "When scanners attempt to identify open TCP ports by sending SYN packets, our solution introduces a second layer of disruption. It delays SYN-ACK responses, sending them after a set time. While the delay for a single port may seem minor, the impact compounds when attackers scan thousands of ports across a network teeming with virtual devices. The result? Overwhelming false positives, wasted time, and mounting frustration as their scans yield no actionable data." You can test it for yourself: https://github.com/sensorfu/ants
- 27. Tic TAC – Beware of your scan
I did not know this was a thing: "I discovered a Remote Code Execution vulnerability inside a well known Open Source tool actively maintained and lectured in several universities and labs using the medical standard imaging RFC."
- 28. How I Hacked an Admin Panel in Just 2 Minutes
If it was only this easy all the time!
- 29. How easily access cards can be cloned and why your PACS might be vulnerable
If you are just getting into RFID hacking, read this first!
- 30. GitHub – rick-heig/eNVMe: eNVMe
If you want to create malicious NVMes this is the repo for you.
- 31. GitHub – rad9800/BootExecuteEDR
If you want to bypass EDR but do not want to mess with bootloaders or UEFI, this is the repo for you.
- 32. GitHub – AmberWolfCyber/NachoVPN: A delicious, but malicious SSL-VPN server
Love this: "We identified flaws in their trust relationship with VPN servers, showing how attackers could exploit these tools to gain privileged access with minimal interaction. This research was not limited to hypothetical scenarios. Through attack simulation exercises, we demonstrated how these vulnerabilities could compromise end-user devices in real-world enterprise environments. By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access with minimal effort."
- 33. New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader
This is one I have to go back and read, great stuff, here is the high level: "Positive Technologies has identified a vulnerability, termed "DaMAgeCard," that exploits the Direct Memory Access (DMA) capabilities of SD Express cards to access system memory directly. This vulnerability arises from the integration of PCI Express (PCIe) into SD Express cards, intended to enhance data transfer speeds. However, this integration inadvertently permits modified SD Express cards to bypass system protections and gain unauthorized memory access."
- 34. Release EMBA v1.5.1 – Rise from the dead or Binwalk is back in town · e-m-b-a/emba
Time to update! Lots of great improvements!
- 35. GitHub – secureworks/pytune
This is a Windows-based attack that has me excited, given some of my experiences with environments that are using Intune. They describe it as: "Pytune is a post-exploitation tool for enrolling a fake device into Intune with multiple platform support." It was presented at BH EU 2024 (https://www.blackhat.com/eu-24/briefings/schedule/index.html#unveiling-the-power-of-intune-leveraging-intune-for-breaking-into-your-cloud-and-on-premise-42176).
- 1. OpenAI Sora now generally available
Sora is OpenAI's video generation model, designed to take text, image, and video inputs and generate a new video as an output
- 2. US targets TP-Link with a potential ban on the Chinese routers
TP-Link is reportedly being investigated over national security concerns linked to vulnerabilities in its very popular routers. TP-Link holds roughly 65 percent of the US router market for homes and small businesses, and its internet communications products are used by the Defense Department and other federal government agencies.
- 3. Valetudo is a cloud replacement for vacuum robots enabling local-only operation. It is not a custom firmware.
QUICK BEFORE THE HOLIDAYS. NOW IS THE TIME TO START DICKING WITH YOUR VACUUMS.
- 4. Coercing a Magic MIFARE credential into being an iPhone-compatible NFC tag
My pile of spares has a few cards that I could never get to work on iPhones for some reason. I’d never bothered to really investigate why, but I recently made the mental connection that I had mixed in some “Magic” MIFARE cards with my regular generic ISO14443-A stock. While absolutely magical in ability, the Magic MIFARE cards “can’t be read” by iPhones for reasons that nobody online seems to quite agree with each other about.
So.. here I am to teach you how to get a Magic MIFARE card to be read by an iPhone.
- 5. Building AI Security Awareness Through Red Teaming with Gandalf
The Lakera guide to hacking LLM's (Gandalf)
- 6. It turns out that a public phone is also a smart phone
After quite a bit of work on the project, life got the better of it and me. I had to put it aside in the hope that maybe, one day, I would be able to complete it, and since then I occasionally steal a few moments (or hours) with Ghidra and continue the rework.
What is "complete it?", you ask? Well, first and foremost I would like to gain a deeper understanding of the code, especially the part that performs self-checking and reports back to Bezeq. I suppose that today no one is waiting for such messages on the Bezeq side, but in any case, this is an Exploration and Documentation project, it doesn't have to be practical.
Another thing I would like to do one day is replace the entire motherboard with something modern such as an Arduino or RaspberryPi and essentially use a modern telephone on the old hardware - there's a screen, a keypad and a receiver!
- 7. Bill & Larry to speak at Shmoocon!
We don't know what day or time yet, but please come up and introduce yourselves!
- 1. LongChat For Ham Radio
- 2. Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
- 3. Yearlong supply-chain attack targeting security pros steals 390K credentials
- 4. DHS Says China, Russia, Iran, and Israel Are Spying on People in US with SS7
- 5. SPOTLIGHTS|Why Toyota Runs a Car-Hacking Event|TOYOTA TIMES
- 1. Rhode Island Benefits Portal Suffers Cyberattack
A Rhode Island state benefits portal suffered a cyberattack earlier this month. Deloitte, which manages the RIBridges portal, says there is a “high probability” that sensitive data were stolen. Deloitte notified the state of the incident on Friday, December 13. The portal allows Rhode Island citizens to apply to multiple benefits programs, including Medicaid, Supplemental Nutrition Assistance Program (SNAP), Child Care Assistance Program (CCAP), and General Public Assistance (GPA) Program. Because the RIBridges system is currently unavailable, residents will need to use paper applications for services sent through the mail.
At this point it appears the exfiltrated data includes names, SSNs, DOBs, addresses and some banking information affecting as many as 300,000 Rhode Islanders. The Brain Cipher ransomware gang is taking credit for the attack. The state is posting updates on the RIBridges incident via their Department of Administration web site: https://admin.ri.gov/ribridges-alert
- 2. SRP Federal Credit Union Ransomware Attack Impacts 240,000
South Carolina-based SRP Federal Credit Union has disclosed a cybersecurity incident that resulted in the theft of personal information belonging to more than 240,000 people. SRP says intruders had access to their network between September 5 and November 4, 2024. The Nitrogen ransomware gang is taking credit for the attack, claiming to have exfiltrated 650GB of customer data, likely including full name, social security, driver's license, credit/debit card and account numbers as well as DOB. SRP doesn't seem to have a member-facing site detailing the breach, something they should correct, and as an added distraction, the firm of Markovits, Stock & DeMarco LLC has already initiated a class action lawsuit investigation.
- 3. Germany Sinkholes Botnet of 30,000 BadBox-Infected Devices
Germany's Federal Office for Information Security (BSI) published a press release on December 12 describing their successful campaign to intercept network traffic between over 30,000 malware-infected devices and their command-and-control (C&C) servers. BSI "instruct[ed] all internet providers in the country with more than 100,000 subscribers to help redirect traffic to the sinkhole." All devices observed by BSI, including media players, internet-connected picture frames, and possibly phones and tablets, were running outdated Android operating systems and were infected with BadBox malware at some point in the supply chain before being purchased. BadBox "can secretly create email and messenger accounts ... spread fake news, carry out advertising fraud, and serve as a proxy."
The BadBox malware is installed via supply chain compromise; it is embedded in the firmware and not user removable. The best protection is to make sure that any Android based device is Play Protect certified, which includes extensive testing to ensure quality and user security. Google provides a list of certified devices on their Android TV website. You can also check the certification status via the Google Play Store app. See Check and fix Play Protect Certification status: https://support.google.com/googleplay/answer/7165974
- 4. Back where it started: “Do Not Track” removed from Firefox after 13 years
Mozilla has announced that in Firefox version 135, set to release February 4, 2025, the browser's feature for sending websites a "Do Not Track" request will be removed. "Do Not Track" is not a direct block, but a standard developed in 2011 by the World Wide Web Consortium by which users may register their preference not to be tracked. After more than a decade of opposition from advertisers, lack of policy or enforcement, and unrelenting evolution of tracking technology, Mozilla's support page notes that "many sites do not respect this indication of a person's privacy preferences, and, in some cases, it can reduce privacy." Another checkbox will remain, labeled "Tell websites not to sell or share my data." This option invokes 2020's Global Privacy Control (GPC), a similar mechanism that aligns with privacy laws in the EU and California, and with certain provisions in other US states. The DNT setting, while well intended, didn't really work, as it was never a fully ratified standard and web sites/advertisers refused to implement it. While it's not clear if the GPC setting will be more effective, it has a better chance, as its tie to privacy laws should help adoption. For now, the best option is to use browser privacy extensions like uBlock Origin, Privacy Badger, or privacy enhanced browsers, all of which are designed to not send extra information to web sites in the first place.
- 5. Serbian Authorities Invade Dissidents’ Phones with Cellebrite and Custom Spyware
Amnesty International has published a report describing instances and analysis of privacy intrusions on civilian devices by the Serbian government. According to Amnesty's researchers, during interviews the authorities unlocked confiscated devices with Cellebrite software and installed "a previously unknown form of spyware." This report focused on four Android devices, two of which were compromised by Cellebrite, the others by unspecified means, while the owners were being interviewed by Serbian authorities, the implication being the civilians were unaware of the tampering at that time. The best mitigation is keeping your devices updated and backed up. Consider that if you're asked to surrender your device to authorities, locked or otherwise, you should treat it as compromised afterwards and look to replacement or factory wipe options.
- 6. Request for Comment on the National Cyber Incident Response Plan Update
CISA is inviting public comment on an updated plan for public and private sector response in the event of "significant cyber incidents." The original plan was created in 2016, and CISA has collaborated with "over 150 experts from 66 organizations" to create this new draft in response to the 2023 National Cybersecurity Strategy and major changes in the threat landscape and "national response ecosystem," with the additional goal of broadening guidance to more "non-federal stakeholders." Volt Typhoon is mentioned by name in the introduction. China has several "Typhoon" groups: Volt (or Vault) Typhoon, stealth and espionage, focuses on critical infrastructure; Salt Typhoon, data persistence, targets ISPs and telecommunications; Flax Typhoon hijacks IoT devices. The comment period goes through January 15, 2025, and comments need to be submitted through the Federal Register's request for comment on the NCIRP update page.
- 7. Microsoft Recall screenshots credit cards and Social Security numbers, even with the “sensitive information” filter enabled
Microsoft's Recall AI feature for Copilot+ PCs was delayed for six months before limited release in December 2024, in large part due to alarms raised over its security risks. The feature captures screenshots every few seconds and uses AI to make them searchable in a timeline, but the database of screenshots was originally stored in plain text. The new release is opt-in rather than opt-out, and encrypts screenshots, but the "filter sensitive information" safeguard, meant to prevent Recall from storing data such as credit card numbers or social security numbers, works inconsistently and is trivial to bypass, as demonstrated in a report from Avram Piltch at Tom's Hardware. Recall remains opt-in and requires a Copilot+ PC to operate. Recall's sensitive data filtering is still evolving, so use caution testing it. Given that it is positioned to be your one-stop digital memory, expect users to want to enable and use it, particularly if it's enabled on their new home computers, so you're going to need to understand the risks and have sufficient sign-off before wide deployment.
- 8. CISA and EPA Fact Sheet: Protect Water HMIs
A joint fact sheet published by the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) on December 13 highlights the need to secure Human Machine Interfaces (HMIs) connected to the internet. While it's convenient to make HMIs available over the Internet, this also exposes them to exploitation. If you must, then make sure they are protected by a strong password, or even better MFA, and you're going to have to monitor for inappropriate behavior and keep systems updated. The mitigations for the risks of that exposure seem worse than setting up a VPN/remote access solution to view these HMIs.
- 9. API, ChatGPT & Sora Facing Issues
A December 11 service disruption that affected OpenAI’s ChatGPT, the API, and Sora has been blamed on the deployment of a new telemetry service. In all, the OpenAI service experienced roughly four hours of “significant degradation or complete unavailability.” OpenAI writes that “the new service’s configuration unintentionally caused every node in each cluster to execute resource-intensive Kubernetes API operations whose cost scaled with the size of the cluster.”
Kudos for wanting full visibility to better manage the environment, but a few points off for not adequately modeling the impact of the change. In the excitement of getting the data you want with increased monitoring, it is easy to misread the resource impact, particularly without a production workload. Service restoration was complicated as the clusters were essentially locked out, making it slow to back out the changes. Add this scenario to your testing and roll-back planning.
- 10. 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks
Researchers at Aqua Nautilus have detected critical vulnerabilities that could affect more than 336,000 internet-exposed Prometheus (open source monitoring and alerting) servers and exporters. The vulnerabilities could be exploited to allow information disclosure, denial-of-service attacks, and remote code execution.
By default the Prometheus endpoint allows unauthenticated access, which allows lots of system information to be accessed. Make sure you're not only limiting external access to those agents, but also requiring authenticated access. In addition, watch your debug/pprof endpoints for resource exhaustion; these should only be internally reachable.
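The two mitigations above, a scrape endpoint that rejects unauthenticated requests and a pprof handler that is never bound to an externally reachable listener, as an added Go example. This is not Prometheus project code; the user name, password, ports and the stand-in `/metrics` body are constructed for illustration, and a real exporter would use the Prometheus client library and load credentials from configuration.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/pprof" // note: its init() also registers on http.DefaultServeMux
	"time"
)

// Constructed credentials for the example only; load these from a
// secret store or web config file in a real deployment.
const metricsUser = "scraper"
const metricsPass = "constructed-example-secret"

// requireBasicAuth lets a request reach the wrapped handler only if it
// carries valid HTTP Basic credentials. Constant-time comparison avoids
// leaking how many bytes matched.
func requireBasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok ||
			subtle.ConstantTimeCompare([]byte(u), []byte(metricsUser)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(metricsPass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// metricsHandler stands in for an exporter's /metrics output (constructed).
func metricsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; version=0.0.4")
	w.Write([]byte("up 1\n"))
}

// PublicMux is the only handler bound to the externally reachable port:
// it serves /metrics behind authentication and knows nothing about pprof.
// Never pass nil (DefaultServeMux) to ListenAndServe here, because the
// net/http/pprof import has already registered /debug/pprof/ on it.
func PublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/metrics", requireBasicAuth(http.HandlerFunc(metricsHandler)))
	return mux
}

// DebugMux carries the profiling endpoints and is bound to loopback only,
// so CPU/heap profiles (which are expensive to produce) stay internal.
func DebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

func main() {
	// Profiling listener: loopback address, reachable only from the host.
	go http.ListenAndServe("127.0.0.1:6060", DebugMux())

	// Scrape listener: all interfaces, but every path is either authenticated
	// or a 404. ReadHeaderTimeout bounds slow-header connections.
	srv := &http.Server{
		Addr:              ":9100",
		Handler:           PublicMux(),
		ReadHeaderTimeout: 5 * time.Second,
	}
	srv.ListenAndServe()
}
```

With the two listeners split this way, a firewall rule that only allows the Prometheus server to reach port 9100 plus the Basic Auth check gives two independent controls on the scrape endpoint, and a request for `/debug/pprof/` on the public port gets a 404 rather than a profile.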
- 11. The SEC’s cyber reporting rules are baffling companies, one year later
According to a report from BreachRX, the US Securities and Exchange Commission’s (SEC’s) breach reporting rules are not doing much to improve incident transparency. The rules, which took effect late last year, require public companies to disclose “material” cyber incidents within four days of detection, and to include information about their cybersecurity strategies in their annual reports.
Beyond reporting the minimum information required by the SEC, companies need to consider what best suits their customers, despite an SEC filing being slanted towards their investors/owners, which could be opposing requirements. This could be a case where industry develops best practices rather than waiting on regulators so they can balance these needs. I am a fan of transparent, honest disclosure versus rumor and speculation, which can be at best distracting and at worst cost business.
- 12. CISA Releases Best Practice Guidance for Mobile Communications
Today, CISA released Mobile Communications Best Practice Guidance. The guidance was crafted in response to identified cyber espionage activity by People’s Republic of China (PRC) government-affiliated threat actors targeting commercial telecommunications infrastructure, specifically addressing “highly targeted” individuals who are in senior government or senior political positions and likely to possess information of interest to these threat actors.
Use only end-to-end encrypted communications, enable FIDO, move away from SMS-based MFA, use a password manager, set a Telco PIN, update software and hardware regularly, and don't use a personal VPN due to provider risks.