Your TV Is Scanning You – PSW #826
This week the crew discusses: When TVs scan your network, bad things can happen, PuTTY is vulnerable, Crush FTP, vulnerabilities that will never be fixed, CVEs are for vulnerabilities silly, you can test for easily guessable passwords too, FlipperZero can steal all your passwords, more XZ style attacks, more reasons why you shouldn't use a smart lock, and your keystrokes are showing!
Announcements
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
Security Weekly listeners: Join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 28 – 31. The 15th annual Identiverse will bring together over 3,000 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Hosts
- 1. The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers – The Citizen Lab
Keyboard apps that allow the user to enter Chinese characters communicate with the cloud, and due to vulnerabilities, attackers can eavesdrop and collect keystrokes.
- 2. 18 vulnerabilities in Brocade SANnav – IT Security Research by Pierre
Again, not all of these have a CVE assigned, so if you run Brocade, pay attention. And this practice has got to stop: "Dec 7, 2022: Failed negotiations: Brocade support team confirmed that (i) no security patches would be provided since the tests were not carried out on the latest version and were invalid, (ii) all the reported vulnerabilities were misconfiguration issues in the devices and sannav, (iii) anyway, since the tested versions were EOL, CVEs would never be published if a vulnerability is found and (iv) asked Dell to provide a list of relevant vulnerabilities for the supported versions"
- 3. PuTTY SSH client flaw allows recovery of cryptographic private keys
Random numbers are important for crypto: "PuTTY's technique worked by making a SHA-512 hash and then reducing it mod q, where q is the order of the group used in the DSA system. For integer DSA (for which PuTTY's technique was originally developed), q is about 160 bits; for elliptic-curve DSA (which came later), it has about the same number of bits as the curve modulus, so 256 or 384 or 521 bits for the NIST curves." "In all of those cases except P521, the bias introduced by reducing a 512-bit number mod q is negligible. But in the case of P521, where q has 521 bits (i.e. more than 512), reducing a 512-bit number mod q has no effect at all – you get a value of k whose top 9 bits are always zero."
- 4. Hackers infect users of antivirus service that delivered updates over HTTP
- 5. Dumping and extracting the SpaceX Starlink User Terminal firmware – COSIC
- 6. cohost! – “DO NOT BUY HISENSE TV’S LOL (Or at least keep them offline)”
This is like the nightmare IT problem. We typically blame the user or the operating system itself, rebuild it (or get a new machine) and move on. This problem persisted! Turns out it was the TV's transmissions that filled up a cache, causing weird Windows issues. I want dumb TVs.
- 7. CVE-2024-2389: Command Injection Vulnerability In Progress Flowmon – Rhino Security Labs
- 8. Struts “devmode”: Still a problem ten years later? – SANS Internet Storm Center
- 9. Windows vulnerability reported by the NSA exploited to install Russian malware
- 10. Crickets from Chirp Systems in Smart Lock Key Leak – Krebs on Security
Wow: "“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.” Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology." - The thing is the landlord made it a requirement to install these locks. I don't like this at all and believe we should have some regulations surrounding tenants and the security of entry systems.
- 11. Attackers are pummeling networks around the world with millions of login attempts
If attackers can do this against our systems, why can't we also scan our systems in this same way and then fix them (e.g. change the password)? It's really simple, but so many don't do it!
- 12. CVE-2024-2961 – glibc Vulnerability Opens Door to PHP Attacks: Patch Immediately
- 13. Research Shows How Attackers Can Abuse EDR Security Products
- 14. Researchers stop ‘credible takeover attempt’ similar to XZ Utils backdoor incident
I hope the XZ incident has raised awareness of this threat as it seems to be targeting other projects in a manner such as this: "These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics, they said. “The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement,” said OpenJS Foundation Executive Director Robin Bender Ginn and Open Source Security Foundation (OpenSSF) General Manager Omkhar Arasaratnam."
https://beskar-openjsf.vercel.app/blog/openssf-openjs-alert-social-engineering-takeovers
- 15. CrushFTP warns users to patch exploited zero-day “immediately”
- 16. CERT/CC Vulnerability Note VU#123335
- 17. Here’s how scarily easy the Flipper Zero makes it to host fake Wi-Fi hotspots and steal your data
First, you can do this more easily and better with a laptop and a Wifi dongle. I think the first attacks date back to around 2005? Second, the Flipper Wifi Module is just an ESP32, which means it's only 2.4GHz. Third, connecting to open Wifi networks and entering your Google credentials is something YOU SHOULD NEVER DO!
- 18. CVE-2024-3400 (CVSS 10): Critical 0-Day Flaw in Palo Alto Networks Firewall Software Exploited in the Wild
Attackers are going after network devices and appliances HARD. This problem will get worse until it gets better. If you have devices from the major network and appliance vendors, revamp your strategy to patch them often, fast, and efficiently, otherwise, attackers will exploit them first.
- 19. Older Intel and Lenovo Hardware Has Hackable Firmware Bugs That Will Never Be Fixed, Researchers Find
Here's what happened: AMI and Intel include LightHTTPD in their firmware/MegaRAC products, LightHTTPD fixes a security bug, but never tells anyone. No CVE is issued. Products go end-of-life while still vulnerable, and will never be fixed. We can do better. If it's a security vulnerability in software, it must get a CVE!
- 1. Your Smart TV Does 4K, Surround Sound, Denial-of-service…
- 3. M-Trends 2024: Our View from the Frontlines
- 4. SITUATIONAL AWARENESS // 2024-04-19 // CrushFTP Virtual Filesystem Escape Vulnerability in the Wild
- 5. Why CVE-2022-3602 was not detected by fuzz testing
- 6. Russians team up with young, English-speaking hackers for cyberattacks
- 7. Ax Sharma on X: “A GitHub flaw lets attackers upload executables that appear to be hosted on a company’s official repo, such as Microsoft’s—without the repo owner knowing anything about it. The following URLs, for example, make it seem like these ZIPs are present on Microsoft’s source code repo: https://t.co/1aZe15loTN”
- 8. Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
- 9. Older Intel and Lenovo Hardware Has Hackable Firmware Bugs That Will Never Be Fixed, Researchers Find
- 1. Microsoft launches Phi-3, its smallest AI model yet
Phi-3 Mini measures 3.8 billion parameters and is trained on a small data set of children's stories, so it learned English the way real human babies do. This is far more efficient, and the resulting LLM is ten times smaller than the comparable GPT-3.5, so it can run on a phone.
- 2. Nvidia’s new coding LLM will make you a better programmer and can run on a CPU
StarCoder 2 was trained using only public code from repositories, and it only learned computer languages. It's far smaller and more accurate than large generalized LLMs.
- 3. This Goofy Shirt Paralyzes Robotaxis
Wearing a T-shirt with a stop sign on it, a person standing beside the road brings robotaxis to a halt. This type of attack seems very powerful and difficult to stop.
- 4. GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
eScan is an Indian antivirus product and it got updates over HTTP, not HTTPS. Attackers poisoned the updates, distributing malware. This vulnerability was reported and fixed.
- 5. RFK Jr.: ‘I’m gonna put the entire US budget on blockchain’
Biden and Trump should just give up now, this is the greatest idea anyone has ever had. GO RFK!
- 6. ‘Intentional’ AT&T cable cut takes down Sacramento airport comms
Flights were delayed for hours at Sacramento International Airport in California. The cable, which was attached to a pole about 2.5 miles from the airport, had been slashed in one place about four or five feet from the ground in a manner that was "very deliberate" and "very targeted."
- 7. Cisco creates architecture to improve security and sell you new switches
Cisco's Hypershield represents a new way to do network security. The core element of Cisco's plan is the deployment of "enforcement points" – essentially teensy firewalls that can run on a server, or in data processing units (DPUs, aka SmartNICs) installed in servers or networking hardware.
- 8. Said no to tracking cookies? Good chance your data are still being collected
Browsing through the internet, it’s hard to escape those annoying pop-ups: ‘Control your cookies! Accept or decline’. But 65% of websites ignore user rejection choices.
- 9. A major US state just achieved a critical milestone: ‘It’s wild that this isn’t getting more news coverage’
California has set a benchmark for renewable energy, with wind, solar, hydro, and geothermal supplying 100% of the state's electricity demand for 25 out of the last 32 days (and counting).
- 10. Cybersecurity investigators worry ransomware attacks may worsen as young, Western hackers work with Russians
Scattered Spider has hit hospitals, pharmacies, tech companies, and Las Vegas' biggest hotels and casinos. There are thousands of people involved, with Russians contributing experience and malware, and young Westerners (aged 13-25) using English and social engineering skills.
- 11. CISA opens its malware analysis and threat hunting tool for public use
Anyone can submit malware samples and other suspicious artifacts for examination by CISA analysts in a secure environment.
- 12. Crickets from Chirp Systems in Smart Lock Key Leak
“Smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The hardcoded password is trivial to extract from their Android app. This vulnerability was reported in 2021, but there was no response until April 18, when the company denied that there was a problem.
- 13. Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack
The vulnerability could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. The cryptographic nonce should be 521 random bits, but the software only generates 512 random bits, leaving the first nine bits at zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques.
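To make the PuTTY nonce bias described here (and in item 3 of the first list above) concrete, here is an added Python example, not PuTTY's code: it derives a nonce as SHA-512 reduced mod q, the way the advisory describes, and counts how many top bits of k come out zero for P-256 versus P-521. The secrets and messages are constructed dummy inputs, and the hash input layout is a simplification of PuTTY's.

```python
import hashlib
import random

# NIST curve group orders from FIPS 186-4; only their bit lengths matter here.
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
Q_P521 = int(
    "01FF" + "F" * 62
    + "FA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)


def hash_mod_q_nonce(secret: bytes, message: bytes, q: int) -> int:
    """Nonce k derived as SHA-512(secret || message) reduced mod q, the
    construction the advisory describes. (Simplified: PuTTY's exact input
    layout is not reproduced, only the hash-then-reduce step that matters.)"""
    digest = hashlib.sha512(secret + message).digest()
    return int.from_bytes(digest, "big") % q


def forced_zero_top_bits(q: int) -> int:
    """Structural bias: a 512-bit value reduced mod a q longer than 512 bits is
    unchanged, so the top (len(q) - 512) bits of k are always zero.
    For P-521 that is 9 bits per signature; for P-256/384 it is 0."""
    return max(0, q.bit_length() - 512)


def min_leading_zero_bits(q: int, trials: int = 200, seed: int = 1) -> int:
    """Empirical check: derive `trials` nonces from constructed random secrets
    and messages and return the fewest leading zero bits seen in any k,
    measured against the bit length of q."""
    rng = random.Random(seed)  # deterministic dummy inputs, not real keys
    fewest = q.bit_length()
    for _ in range(trials):
        secret = rng.getrandbits(512).to_bytes(64, "big")
        message = rng.getrandbits(256).to_bytes(32, "big")
        k = hash_mod_q_nonce(secret, message, q)
        fewest = min(fewest, q.bit_length() - k.bit_length())
    return fewest


if __name__ == "__main__":
    for name, q in (("P-256", Q_P256), ("P-521", Q_P521)):
        print(f"{name}: q has {q.bit_length()} bits, "
              f"{forced_zero_top_bits(q)} top bits of k forced to zero, "
              f"fewest leading zero bits observed: {min_leading_zero_bits(q)}")
```

For P-256 some sampled nonces have no leading zero bits at all, while for P-521 every nonce has at least nine, which is the per-signature leak that the roughly 60 signatures mentioned above add up to.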
- 14. BatBadBut: You can’t securely execute commands on Windows
Many languages, including Rust and Python, fail to correctly escape Windows shell commands. This happens because the escape character in CMD is the caret (^), not the backslash. This allows command injection.
- 15. East CLE traffic camera issues ticket to grandmother while her van was being towed
The license plate reader read the plate on the car being towed, and that driver was sent a $105 traffic ticket.
- 16. Is your PC having trouble? Your smart TV might be to blame
A TV generated Universal Plug and Play IDs and had, over the course of several years, convinced a computer that there were essentially an infinite number of devices on their network. The smart TV, a Hisense 50Q8G, had inadvertently created a denial-of-service attack on the PC.