AI Is Oversharing and Leaking Data – Sounil Yu – PSW #865
1. AI Is Oversharing and Leaking Data – Sounil Yu – PSW #865
Sounil Yu joins us to kick things off with AI defenses: Enterprise AI search tools like Copilot for Microsoft 365 lack the in-depth access controls required to ensure that query responses align with the user’s need-to-know boundaries. Without proper controls, these tools accelerate the discovery of improperly secured sensitive files within the organization. Knostic’s solution ensures that enterprise data is safeguarded without slowing down innovation. By automating the detection and remediation of LLM data exposure, Knostic helps organizations mitigate the security, privacy, and compliance risks associated with AI chatbots and enterprise search tools.
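The need-to-know gap described above is easiest to see in code. The block below is an added illustration, not Knostic's or Microsoft's implementation: a keyword search over a small constructed corpus, first as an access-unaware index would answer it, then with every hit checked against the caller's clearance and group membership before it can reach the model, deny-by-default, with the denied hits recorded as oversharing findings. Document labels, groups and the clearance ranking are assumptions for the example.

```python
"""Need-to-know filtering for an enterprise AI search / RAG pipeline.

Hypothetical illustration (not Knostic's or Microsoft's code): every
document retrieved for a query is checked against the caller's
entitlements before it can reach the LLM, deny-by-default, and each
denied hit is logged as a potential oversharing finding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    classification: str        # assumed labels: "public", "internal", "restricted"
    allowed_groups: frozenset  # groups entitled to read the document


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    clearance: str


# Assumed ordering of sensitivity labels; unknown labels never rank.
CLEARANCE_RANK = {"public": 0, "internal": 1, "restricted": 2}

# Constructed sample corpus (not real data).
CORPUS = [
    Document("d1", "Company holiday schedule", "public", frozenset({"all-staff"})),
    Document("d2", "Q3 sales pipeline", "internal", frozenset({"sales"})),
    Document("d3", "Pending layoffs list", "restricted", frozenset({"hr-leadership"})),
    Document("d4", "Merger term sheet", "restricted", frozenset({"exec"})),
]


def can_read(user, doc):
    """Deny by default: both the clearance level and a group match are required."""
    doc_rank = CLEARANCE_RANK.get(doc.classification)
    if doc_rank is None:
        return False  # unlabelled or unknown label -> treat as most restrictive
    if CLEARANCE_RANK.get(user.clearance, -1) < doc_rank:
        return False
    return bool(user.groups & doc.allowed_groups)


def naive_search(query, corpus=CORPUS):
    """What an access-unaware index does: keyword match over everything."""
    terms = query.lower().split()
    return [d for d in corpus if any(t in d.text.lower() for t in terms)]


def need_to_know_search(user, query, corpus=CORPUS, audit=None):
    """Same retrieval, but each hit is filtered by the caller's entitlements.

    Denied hits are appended to `audit` (if given) so the security team can
    see what the index would have handed to the model for this user.
    """
    allowed, denied = [], []
    for d in naive_search(query, corpus):
        (allowed if can_read(user, d) else denied).append(d.doc_id)
    if audit is not None:
        audit.extend(denied)
    return allowed


if __name__ == "__main__":
    alice = User("alice", frozenset({"all-staff", "sales"}), "internal")
    findings = []
    print("naive:", [d.doc_id for d in naive_search("schedule list sheet")])
    print("filtered:", need_to_know_search(alice, "schedule list sheet", audit=findings))
    print("oversharing findings:", findings)
```

The filter runs after retrieval and before generation, which is the point: the index itself may still contain documents whose ACLs are too broad, and the audit list is where those show up for remediation.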
In the security news: The controversial pick for National Cyber Director, the not-so-controversial pick to lead CISA, complete with funding cuts, the controversial ESP32 backdoor that is not a backdoor but hidden features, Dark Storm takes down X, interesting use cases for LoRa, using AI to get your dream job, details on the biggest crypto heist in history, an EDR bypass and a 404 error, slipping through the cracks in CVSS, old school vulnerability disclosure in 2025, Rayhunter, a pen test that should not have been, JTAG and your Flipper Zero, a Linux webcam was used for what now?, and "Spatial-Domain Wireless Jamming with Reconfigurable Intelligent Surfaces"!
Segment Resources:
- https://www.knostic.ai/blog/enterprise-ai-search-tools-addressing-the-risk-of-data-leakage
- https://www.knostic.ai/what-we-do
This segment is sponsored by Knostic.ai. Visit https://securityweekly.com/knostic to learn more about stopping AI oversharing!
Announcements
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Guest
Sounil Yu is the Co-Founder and CTO of Knostic. Sounil is the creator of the Cyber Defense Matrix and the DIE Triad. Previously, he was Bank of America’s Chief Security Scientist and the CISO at JupiterOne. He is a FAIR Institute Board Member and a GMU National Security Institute fellow. He is a frequent speaker and panelist on cybersecurity.
Hosts
- 1. Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice
- 2. Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension
- 3. Removal of DES in Kerberos for Windows Server and Client
- 4. Update: Stopping Cybercriminals from Abusing Cobalt Strike
- 5. Exploiting Android Zygote Injection (CVE-2024–31317)
- 6. Threat posed by new VMware hyperjacking vulnerabilities is hard to overstate
- 7. GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577)
- 8. No, there isn’t a world ending Apache Camel vulnerability
- 9. The ESP32 “backdoor” that wasn’t
This made a splash this week. Xeno's analysis is on point: "However the VSCs which enable writes to flash memory could lead to the exploitation of vulnerabilities in the secure update or secure boot system, as have been found on other chips, such as Silicon Labs' and Renesas'. Likewise, if we consider the goal of secure boot to avoid attacker code execution in the context of the chip which it is protecting, then clearly an architectural ability of an off-chip attacker to write arbitrary code into the chip is a clear violation of the goal of secure boot." - Espressif states that the hidden features are not accessible remotely, making this a local attack. If an attacker can gain access to the host, this is likely enough to conduct attacks without having to bypass any more security features. However, if the attacker's goal is to bypass Secure Boot, then this is a feasible way to do so. Some Secure Boot attacks work by disrupting the execution of validation (e.g. prevention of the validation so Secure Boot works as normal, but is not checking the validity of the programs being run).
- 10. Camera off: Akira deploys ransomware via webcam
I'm really confused by this: "After identifying the webcam as a suitable target, the threat actor began deploying their Linux-based ransomware with little delay. As the device was not being monitored, the victim organisation's security team were unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them. Akira was subsequently able to encrypt files across the victim's network." - How does one bypass ransomware detection by deploying ransomware from an SMB service on a remote Linux webcam? The article states that the ransomware was being caught by an EDR tool, but somehow the attackers were able to get around this by using a Linux webcam? I'm still confused and this article needs more details.
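The quoted report says the tell was SMB traffic from a webcam, on a device nobody was watching. As an added illustration (not code from the report or from any product), the block below shows the network-side check that catches that case without an agent on the device: any SMB session whose source sits in a segment that should never originate SMB is an alert, with targets, byte counts and flow counts summarised per source. The flow records and the segment map are constructed for the example.

```python
"""Flag SMB sessions initiated by devices that should never speak SMB.

Added illustration. The flow records below are constructed, not taken from
the S-RM report, and NO_SMB_SEGMENTS is an assumption about how an
environment labels its camera / printer subnets.
"""
import ipaddress

# Assumed segment map: address ranges whose devices have no business opening SMB.
NO_SMB_SEGMENTS = {
    "cameras": ipaddress.ip_network("10.20.30.0/24"),
    "printers": ipaddress.ip_network("10.20.40.0/24"),
}
SMB_PORTS = {445, 139}  # SMB direct and NetBIOS session service

# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.1.5.10", "10.1.5.20", 445, 12000),      # workstation -> file server: expected
    ("10.20.30.7", "10.1.5.20", 445, 900000),    # camera -> file server: not expected
    ("10.20.30.7", "10.1.5.20", 445, 4300000),
    ("10.20.30.7", "10.1.5.21", 445, 2100000),
    ("10.20.30.7", "8.8.8.8", 53, 120),          # camera DNS: ignored by this rule
    ("10.20.40.3", "10.1.5.20", 139, 5000),      # printer -> file server over NetBIOS
]


def segment_of(ip):
    """Return the restricted segment name for an address, or None if unrestricted."""
    addr = ipaddress.ip_address(ip)
    for name, net in NO_SMB_SEGMENTS.items():
        if addr in net:
            return name
    return None


def smb_from_restricted_segments(flows):
    """Return alerts keyed by source address.

    Each alert carries the segment, the distinct SMB targets, the total bytes
    sent and the number of flows, so a single camera talking to several
    servers stands out from a one-off misconfiguration.
    """
    hits = {}
    for src, dst, dport, nbytes in flows:
        seg = segment_of(src)
        if seg is None or dport not in SMB_PORTS:
            continue
        entry = hits.setdefault(src, {"segment": seg, "targets": set(), "bytes": 0, "flows": 0})
        entry["targets"].add(dst)
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return hits


if __name__ == "__main__":
    for src, alert in smb_from_restricted_segments(SAMPLE_FLOWS).items():
        print(f"ALERT {src} ({alert['segment']}): {alert['flows']} SMB flows, "
              f"{alert['bytes']} bytes to {sorted(alert['targets'])}")
```

The rule is deliberately dumb: it does not need to know what the payload was, only that a class of device opened a protocol it never should. That is the kind of control that works for hosts where an EDR agent cannot run.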
- 11. How Hackers Can Control Anything Remotely Using LoRa Modules
This is a neat project, using LoRa to control services on remote devices. I have on my project list experimenting with LoRa to control devices as a back channel. I've seen some folks with similar setups, essentially using LoRa to communicate with devices that are performing monitoring or RF/WiFi attacks. I want in LOL.
- 12. Brushing Up on Hardware Hacking Part 1 – PiFex Configuration
Some really neat hardware hacking stuff here, I need to take their class to fully understand it (I think that may have been some of the point to the article, and that's okay with me as the Voidstarsec people have a great reputation).
- 13. JTAG & Flipper Zero: To repair the Proxmark3 – AFINE – digitally secure
This is a really awesome tutorial. I admit I was a bit skeptical because there are many tools available for JTAG that do not require a Flipper Zero, but it turns out the Flipper works just fine! Save this one for the next time you have to interface with something over JTAG as the documentation is on point (at least as I read it, I did not test it out, yet...)
- 14. Spatial-Domain Wireless Jamming with Reconfigurable Intelligent Surfaces
This research improves Wi-Fi jamming in a way that allows an attacker to be more precise. Perplexity helped me understand it; provided it is accurate, here are some of the details:
Background
Wireless Jamming: This is a type of denial-of-service attack where an attacker sends radio interference to disrupt legitimate wireless communications. Traditional jamming methods lack precision, affecting both target and non-target devices due to the broadcast nature of radio signals.
Reconfigurable Intelligent Surfaces (RISs): These are engineered surfaces that can digitally control the reflection of radio waves. They are composed of many small, tunable reflectors that can adjust the phase of reflected signals. RISs are emerging as a tool to enhance wireless communication by optimizing signal propagation.
The authors propose using RISs to achieve spatially selective jamming. This means targeting specific devices for jamming while leaving others unaffected, even if they are very close to each other.
- Step 1: Eavesdropping: The attacker uses a device to listen to signals from all devices in the area. This helps estimate the channel conditions between the attacker and each device.
- Step 2: RIS Optimization: The attacker uses an optimization algorithm to configure the RIS. The goal is to maximize the signal strength towards the target device(s) while minimizing it for non-target devices.
- Step 3: Jamming: With the optimized RIS configuration, the attacker sends a jamming signal. This signal is directed primarily at the target device(s), disrupting their communication without affecting nearby devices.
- 15. In-store physical Pentest: feedback on a real case study – Hackmosphere
The findings are exposures that we've talked about at length over the years. They represent opportunities for attackers that I believed most were aware of and had implemented countermeasures. However, this pen test team discovered the following:
- Workstations being left unlocked
- Public computers with USB ports enabled (and no protections against a Rubber Ducky attack)
- Missing network controls (LAN turtle deployed successfully)
- Poor physical security and training - Access to restricted areas was easy to gain.
I believe the target organization was not ready for a penetration test. Some consulting beforehand and help with the implementation of the aforementioned security controls would have been a much better exercise, followed by a penetration test.
- 16. EFForg/rayhunter: Rust tool to detect cell site simulators on an orbic mobile hotspot
This is really cool: "Rayhunter analyzes the traffic in real-time and looks for suspicious events, which could include unusual requests like the base station (cell tower) trying to downgrade your connection to 2G which is vulnerable to further attacks, or the base station requesting your IMSI under suspicious circumstances. Rayhunter notifies the user when something suspicious happens and makes it easy to access those logs for further review, allowing users to take appropriate action to protect themselves, such as turning off their phone and advising other people in the area to do the same. The user can also download the logs (in PCAP format) to send to an expert for further review." - I have said devices, on the project list! You can pick them up on eBay really cheap.
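The two heuristics named in that quote (a 2G downgrade, and an IMSI request "under suspicious circumstances") are simple enough to show end to end. The block below is an added illustration in Python, not Rayhunter's Rust code: it walks a constructed, simplified control-plane event stream and raises an alert for a connection release that redirects to GERAN (2G), and for an IMSI identity request arriving after the network has already assigned a temporary identity (GUTI). The event shape and that second criterion are assumptions for the example, not a statement of what Rayhunter actually checks.

```python
"""Heuristics in the spirit of a cell-site-simulator detector.

Added illustration, not Rayhunter's code. SAMPLE_EVENTS is a constructed
simplification of what a modem's control-plane log exposes. The two
heuristics are assumptions about what "suspicious" means here:
  1. an RRC connection release that redirects the phone to 2G (GERAN);
  2. an identity request for the permanent IMSI after the network has
     already handed out a temporary identity (GUTI), when it should be
     addressing the phone by that temporary identity instead.
"""

# Constructed event log: (timestamp, event type, details)
SAMPLE_EVENTS = [
    (100, "attach_accept", {"guti": "GUTI-1"}),
    (105, "identity_request", {"identity_type": "IMSI"}),            # suspicious
    (180, "rrc_connection_release", {"redirected_rat": "EUTRAN"}),   # 4G redirect: fine
    (240, "rrc_connection_release", {"redirected_rat": "GERAN"}),    # 2G downgrade
    (241, "identity_request", {"identity_type": "IMEI"}),            # not the IMSI
]

DOWNGRADE_RATS = {"GERAN"}  # radio access technologies treated as a downgrade


def analyze(events):
    """Walk the event stream and return a list of (timestamp, reason) alerts."""
    alerts = []
    temp_identity_assigned = False
    for ts, kind, info in events:
        if kind == "attach_accept" and info.get("guti"):
            temp_identity_assigned = True
        elif kind == "identity_request":
            if info.get("identity_type") == "IMSI" and temp_identity_assigned:
                alerts.append((ts, "IMSI requested although a temporary identity was already assigned"))
        elif kind == "rrc_connection_release":
            rat = info.get("redirected_rat")
            if rat in DOWNGRADE_RATS:
                alerts.append((ts, f"connection redirected to 2G ({rat})"))
    return alerts


def has_alerts(events):
    """Convenience wrapper: True if the stream contains anything worth notifying about."""
    return bool(analyze(events))


if __name__ == "__main__":
    for ts, reason in analyze(SAMPLE_EVENTS):
        print(f"t={ts}: {reason}")
```

A real detector keeps the raw capture alongside the alert, as the quote describes, because the alert only says "look here"; the PCAP is what an expert needs to decide whether it was a simulator or a badly behaved legitimate cell.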
- 17. Zero Science Lab » ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit
I miss vulnerability disclosures like this, I feel like this was the norm "back in the day". Here's the description from the disclosure of a vulnerability in a building management system: "Yo, check it - the ABB BMS/BAS system's got a slick little weakness in them caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files. All you gotta do is drop that skipChecksum beat in the POST vibe, and bam, the system skips all that MD5 checksum nonsense, no EXPERTMODE needed to crank the funk. This lets any slick cat without a login slide in some jacked-up CalDAV ZIP files, no questions asked. We're talkin' tampered tunes hittin' the deck, openin' the door to messin' with the system or droppin' some nasty uploads, all unauthorized-like. That's the funky flaw, baby - straight-up tamper town." - The exploit code and examples are equally hilarious. Let's not lose our sense of flair!
- 18. SensePost
I love the challenge: implement something new in a new-to-you programming language and do not use an LLM. This is the first step, and once you've done some learning, then use the LLM :) Love it!
- 19. faizann24/rogue: Automated web vulnerability scanning with LLM agents
I have not tested this, but I am excited to see technology such as this evolve. I also want one that does LLM-assisted static analysis of web application code. I'm sure it exists...
- 20. Case Study: Traditional CVSS scoring missed this actively exploited vulnerability (CVE-2024-50302)
This is great! They even built a website for people to check CVEs for the enhanced score. Many vendor solutions attempt to do this; it's great to see a free offering. It fuels my concern that we prioritize incorrectly: CVSS is not enough, an exploit being available is not enough, and the KEV is too late.
- 21. ZeroProbe
"ZeroProbe is an advanced enumeration and analysis framework designed for exploit developers, security researchers, and red teamers. It provides a set of enumeration tools to identify security vulnerabilities, analyze system protections, and facilitate exploit development."
- 22. Sleeping Beauty: Taming CrowdStrike Falcon With One Simple Trick
So, this post has been taken down. Fortunately, I saved a copy. The details? Basically, you can put the CrowdStrike agent to sleep rather than killing it or evading it in some other way. The post contained technical information about how to do it. I have no proof of what happened, but I am guessing SEC Consult got hit with a cease and desist order. This is weird because they coordinated disclosure with CrowdStrike, who fixed it after not wanting to fix it. Statement: "In 2025, CrowdStrike does not allow process suspension anymore and appears to have decided that process suspension is indeed a detection gap that should not exist. SEC Consult was not informed about this status update, and we found out by chance during another check of CrowdStrike Falcon Sensor during our security assessments."
- 1. White House cyber director’s office set for more power under Trump, experts say
The White House has decided to keep the role of National Cyber Director and has finally announced Harry Coker's replacement, one Sean Cairncross. Open to debate is the fact that "he has no experience as a cybersecurity leader"...
- 2. Sean Cairncross
Yup. The dude has no experience with cybersecurity. Literally nothing to see here.
- 3. When The Fall Is All There Is – How to Lose a Gig Without Losing Your Mind
Danny Akacki and I are giving a talk at BSides Charm - come check it out!
Volumes have been written about how to break into the cybersecurity industry—landing your first job, climbing the ranks, pivoting to your next opportunity. You can’t throw a pink slip without hitting a thought leader piece on the art and strategy of career progression. But far fewer words have been devoted to the other side of the equation: losing a job, especially one you wanted to keep. And that’s no accident. Job loss is wrapped in stigma, tangled in shame, and rarely discussed openly. But it should be.
Whether through layoffs, AI-driven displacement, or outright firing, departures happen for countless reasons and in countless ways. It’s time to strip away the silence and speak candidly about what comes next. Jeff Man and Danny Akacki bring decades of experience—and their own battle scars—to explore not just the why behind job loss, but how to navigate its emotional and practical fallout. From the shock of that final paycheck to the long weeks and months that follow, this session will offer real talk, resilience strategies, and a much-needed reminder: when the fall is all there is, how you land matters.
- 4. Former top NSA cyber official: Probationary firings ‘devastating’ to cyber, national security
I have some measure of respect for Rob's willingness to play the political game - once I get past my disdain for the idiocracy. I have often wondered why the gov't - whom most folks look to as the ultimate gatekeeper for cybersecurity - can't afford to pay the folks with the talent to do the job. The economic aspects of cybersecurity are not discussed in the right way in my opinion.
- 5. Trump nominates Sean Plankey to lead CISA, to strengthen national cyber defense amid rising threats
Apparently you have to be named "Sean" to get a gov't executive role in cybersecurity these days. At least this one appears to be highly qualified.
- 6. Dark Storm Claims Responsibility for Attack on Elon Musk’s X
Since so many of us abandoned Twitter, I'm not even sure if anyone noticed. But it's probably newsworthy to someone. "Musk suggested in an interview with Fox News Monday that the attack originated ‘in the Ukraine area’, there is yet no evidence to support this claim. The hacking collective Dark Storm has since said it is responsible for the attack." Gotta love the spin attempt against Ukraine though...or not.
- 1. NASA Turns Off 2 Voyager Science Instruments to Extend Mission – Voyager
- 2. Trump Administration Shakes Up CISA with Staff and Funding Cuts
- 3. Offensive Security use cases Over LoRa Using LoRa32 Modules
- 4. Research unveils that more than 110,000 iOS apps leak secrets
- 5. Cyberattacks targeting IT vendors intensify, causing bigger losses
- 6. Undocumented commands found in Bluetooth chip used by a billion devices
- 7. The ESP32 “backdoor” that wasn’t
- 8. Hackers Take Credit for X Cyberattack
- 1. Undocumented commands found in Bluetooth chip used by a billion devices
The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.
The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.
The risks arising from these commands include malicious implementations on the OEM level and supply chain attacks.
Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the commands might be possible via malicious firmware or rogue Bluetooth connections.
Espressif said the undocumented commands are debug commands used for internal testing, and that they will remove the debug commands in a future software update.
- 2. Developer sabotaged ex-employer with kill switch activated when he was let go
Coder faces ten-year prison sentence for sabotaging his employer's systems.
- 3. How the Biggest Crypto Heist in History Went Down
The cryptocurrency exchange Bybit lost $1.5 billion to North Korean hackers last month — and it all traced back to an account on Safe, a free digital storage service. To authorize the routine transfer that led to the hack, Mr. Zhou said, he used a hardware tool designed by Ledger, the crypto security firm. The device was not in sync with Safe, he said. So he could not use the tool to check the full details of the transaction he was approving.
By some estimates, Bybit is the world’s second-largest crypto exchange, processing tens of billions of dollars every day. Based in Dubai, it does not offer services to customers in the United States.
This was a supply-chain attack: hackers compromised a computer belonging to a Safe developer, and planted malicious code to manipulate transactions.
- 4. Safe.eth: Investigation Updates and Community Call to Action
A developer's MacOS laptop was infected with malware, and the attackers hijacked an AWS session token.
- 5. India wants backdoors into clouds, email, SaaS, for tax inspectors
A proposed bill gives tax authorities access to email servers, social media accounts, online investment accounts, and much more.
- 6. DOJ: Google must sell Chrome, Android could be next
The Trump administration backed off Biden's plan to force Google to sell off its AI, but left the most serious penalty intact: selling Chrome. The government proposes that Google should be prohibited from making any of its search or generative AI products mandatory on Android.
- 7. Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges
The attacker needs to get you to run their software on your device. This could happen if you download an app that secretly contains tracking code, or if it is planted via a USB drive. Any device with Bluetooth Low Energy could be affected. Your device then starts broadcasting signals that make it look like an AirTag to nearby Apple devices.
- 8. A Student Used AI to Beat Amazon’s Brutal Technical Interview. He Got an Offer and Someone Tattled to His University
Roy Lee, the student facing down Columbia, told me he won’t be on campus when the hearing happens, that he plans to leave the University, and that the program he built to dupe Big Tech is proof that the jobs they’re offering are obsolete.
- 9. Ripple co-founder Larsen’s $150M XRP theft linked to LastPass breach
The LastPass hack had been linked to at least $45 million in crypto thefts as of December 2024.