How to Steal a Tesla, AI On Your Pi, Linux Desktop: Future, & SOCKS5 Your Burp – PSW #776

LOL: "Tesla’s phone key app allows users to unlock their cars and start driving them when their phone is nearby, but it’s supposedly linked to each owner’s car. It shouldn’t be able to open a different Tesla. Some skeptics suggested that Mahmood’s Tesla was probably open and already turned on. Yet, the Model 3 has a system that locks the doors and prevents anyone from driving the car after the owner moves away from the vehicle. Tesla CEO Elon Musk dissolved the company’s PR team years ago, so the company didn’t answer media inquiries over how this could have occurred." - Who need PR anyway? I mean, just pick any Tesla and drive away, no biggie.

Neat: "We are able to update the BIOS without booting any operating system, purely by taking advantage of features offered by iPXE and the UEFI shell. This requires a flashing binary written for the UEFI environment. Upon boot, iPXE is started. Through iPXE’s built-in variable ${smbios/0.5.0} it is possible to query the current BIOS version, and compare it to the latest version, and trigger a flash only if there is a mis-match. iPXE then downloads the files required for the firmware update to a ramdisk." - Curious if they looked at LVFS for this...

"McQueen says in his blog, "Flatpak has, in my opinion, solved the largest technical issue which has held back the mainstream growth and acceptance of Linux on the desktop … namely, the difficulty for app developers to publish their work in a way that makes it easy for people to discover, download (or sideload, for people in challenging connectivity environments), install and use." - This statement has some truth in it, however, what about security? Let's see what McQueen has to say: "For Flathub to succeed, we need to make sure that as we grow, we continue to be a platform that can give users confidence in the quality and security of the apps we offer. To that end, we are planning to set up infrastructure to help ensure developers are shipping the best products they possibly can to users. For example, we’d like to set up automated linting and security scanning on the Flathub back-end to help developers avoid bad practices, unnecessary sandbox permissions, outdated dependencies, etc. and to keep users informed and as secure as possible." - Kind of generic, just how do we prevent the packager from incorporating malicious code in the package itself? So, the source and binaries are good, but in the package malicious scripts are inserted or the validation is removed. I'd like to see more details here.

Don't let attackers influence the logic: "A general strategy for mitigating mass assignment vulnerabilities is to keep objects containing user input separate from the objects responsible for internal program logic. This is done by creating Data Transfer Objects (DTOs), which only contain the fields that a user is able to set. In Python, this is easy to do using dataclasses."

This makes me not want to run Jenkins every again: "let’s understand the process of creating a plugin so it will be available for everyone. In short, the initial uploading process is to write a plugin in Java and submit a pull request to the Jenkins team. After review and approval, a GitHub repository will be created at https://github.com/jenkinsci/your_plugin_name, and you will be granted write access to it."

So many vulnerabilities: "Claroty’s analysis found that the SIP server doesn’t check if the SmartPlus user is authorized to connect to a specific E11. As a result, anyone with the app installed can connect to any E11 that’s connected to the Internet, even when it’s behind the NAT firewall. From there, the unauthorized user can view and listen to video and audio in real time." Add to that FTP for image transfer, authentication bypass in the web interface and more! And this statement from the manufacturer is hilarious: " We would also like to ask you to kindly remove the part about how to hack into the device from the article, so we can minimize the risk of exploitation of these vulnerabilities by real hackers." - Too late, cats out of the bag...

"Use this Burp plugin to automatically spin up a DigitalOcean droplet whenever Burp starts, and shut it down whenever Burp closes. The droplet functions as a SOCKS5 proxy, and the Burp settings are automatically updated to route traffic through the droplet." - This seems like an easy way to grab a new IP when doing web app testing. I need this in my life.

This is a really cool tool I need to spend some more time with. This article gives you a few tips on using Nuclei for OSINT. I found the results to have some false negatives (e.g. there really was an IG account, but it didn't find it).

"we discovered two security issues: an out-of-bounds write identified as CVE-2023-1017, and an out-of-bounds read identified as CVE-2023-1018. They can be triggered from user-mode applications by sending malicious TPM 2.0 commands with encrypted parameters. Interestingly, these two vulnerabilities turned out to have a way longer reach than we initially thought: given that they originate in the reference implementation code published by the Trusted Computing Group (TCG for short, the nonprofit organization that publishes and maintains the TPM specification), these security bugs affected not only every virtualization software we tested, but hardware implementations as well."

[Paul] - Man, I love sandwiches. Italian grinders, Gyro, P-Boy, Pastrami, steak. I'm so hungry now. What is your favorite sandwich?

On Friday, a software developer named Georgi Gerganov created a tool called "llama.cpp" that can run Meta's new GPT-3-class AI large language model, LLaMA, locally on a Mac laptop. Soon thereafter, people worked out how to run LLaMA on Windows as well. Then someone showed it running on a Pixel 6 phone, and next came a Raspberry Pi (albeit running very slowly). LLaMA has from 7B to 65B (that's "B" as in "billion parameters," which are floating point numbers stored in matrices that represent what the model "knows").

Researchers announced a room-temperature superconductor recently, causing massive press coverage. But a 2020 paper about their earlier work in this field was retracted by Nature, showing evidence of manipulated data, and other labs cannot reproduce the findings. The authors have not shared existing samples of the material. They are co-founding a start-up called Unearthly Materials to commercialize room-temperature superconductors and say they do not wish to reveal their intellectual property.

A SAN FRANCISCO-BASED company that fights parking tickets by using artificial intelligence and automated processes has been sued for the unauthorized practice of law. Browder programed a chatbot to help people challenge parking tickets, and by 2016 he was CEO of DoNotPay and bragging that the company successfully challenged 160,000 tickets, saving clients $4 million. But the plaintiff says the services he received were “substandard and poorly done.”

The Brazilian National Telecommunications Agency is seizing incoming Flipper Zero purchases due to its alleged use in criminal activity, with purchasers stating that the government agency has rejected all attempts to certify the equipment. [Paul] - I caught a kid trying to use one to hack a TV, its a great story.

A group of gifted elementary school students has discovered that EpiPens, life-saving devices that inject epinephrine in the case of a severe allergic reaction, can turn poisonous after being launched into space. Relatively small amounts of space radiation caused the epinephrine to break down, turning it into a health hazard instead of a lifesaver — something that was previously unknown to NASA. The students had samples of epinephrine launched into space as part of NASA's Cubes in Space program.

The phishing kit sells for $300-$1000 and it’s powering more than 1 million malicious emails each day. By proxying traffic, it can defeat most forms of 2FA, including authenticator apps. The solution is to move to FIDO (see my next article).

This article from last year explains how FIDO works. A phone authenticates the user biometrically and sends proof via Bluetooth to a nearby computer as the second factor of 2FA. FIDO ensures that the client is physically near the authorizes user, not a threat actor. It also allows the authenticating device to ensure that the machine logging in is connected to the legitimate URL rather than an imposter attempting to gain unauthorized access. This is the gold standard to stop phishing.

Through RVWP, which started on January 30, 2023, CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.

A man from Vancouver, Canada, was rushing to pick up his kids from school, so he got in his Tesla Model 3 and started to drive over. It was not his Tesla, but Tesla’s app had allowed him to open the car and take off as if nothing was wrong. He tried to ask Tesla how this happened, but his emails either bounced back or were left unanswered. Tesla CEO Elon Musk dissolved the company’s PR team years ago.

Google showed off an array of new artificial intelligence (AI)-driven health care tools on Tuesday, from a souped-up chatbot that can shed light on your medical symptoms to enhanced search features that tell you if a doctor takes Medicaid. Google's "large language model"— an AI chatbot called Med-PaLM 2 — now consistently passes medical exam questions with a score of 85%, placing it at "expert" doctor level.

Analysis of open source code written in C found that the average quality of code containing swears was significantly higher than the average quality of code that did not. Programmers who swear may be more emotionally engaged with their work than those who don’t, which could lead them to produce higher-quality products.

We examined different methods to perform exfiltration using many of Google Cloud Platform’s main services. The example given shows how two users with different cloud privileges can expose the cloud images to theft, and to exfiltration via Google Storage Buckets. Google's logging is very limited and makes it difficult to detect this attack.

CERT-EU Security Advisory 2023-020: On March 14, 2023, Microsoft released a security fix for a vulnerability ( CVE-2023-23392 ) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems. This vulnerability allows a remote attacker to execute arbitrary code by sending a specially crafted packet. Microsoft expects this vulnerability likely to be exploited soon.

This attack exploits CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability, which was patched on March 14. MDSec developed this exploit by analyzing Microsoft's script to audit Exchange servers for malicious mail items.

The steel industry is accountable for about 7 percent of CO2 emissions globally. Using sodium instead of carbon prevents this pollution. It also reduced indirect emissions (from the coal or natural gas used to fire the furnaces) by 80–90 percent and energy consumption by 50 percent.