Everything is Overrated – PSW #847
Air gaps are still not air gapped, making old exploits new again, chaining exploits for full compromise, patching is overrated, SBOMs are overrated, VPNs are overrated, getting root with a cigarette lighter, you can be any user you want to be, in-memory Linux malware, the Internet Archive is back, we still don't know who created Bitcoin, unhackable phones, and There's No Security Backdoor That's Only For The "Good Guys" !
- 1. Attacking the Samsung Galaxy A* Boot Chain
- 2. North Korean hackers use newly discovered Linux malware to raid ATMs
- 3. “Command-Jacking”: New Supply Chain Attack Hijacks CLI Tools
- 4. Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
- 5. Making it easy to generate fwupd device emulation data – Technical Blog of Richard Hughes
- 6. Forensic analysis of bitwarden self-hosted server
- 7. Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions
- 8. Two never-before-seen tools, from same group, infect air-gapped devices
I was expecting something fancy here, such as bypassing air gaps using flashing LEDs, sound waves humans cannot hear, etc. However, it turns out the threat actors are just using USB drives. Don't get me wrong—it's still a sophisticated attack, but it relies on USB drives being inserted into air-gapped systems and then into non-air-gapped systems.
- 9. Blog Axis Camera APP takeover
The r-tec team just dropped a bombshell on Axis IP Camera security. They've uncovered a way to achieve Remote Code Execution (RCE) on these cameras by uploading a malicious APP file with the EAP extension, even when the original exploit failed. The secret sauce? They used the "AXIS Live Privacy Shield" APP as a template, replaced the 'liveprivacyshield' ELF binary with their own malicious code, and set the APPTYPE to "aarch64". While they didn't get root access, they still managed to pop a low-privileged Meterpreter session, proving that with a little persistence and creativity, you can often find a way to pwn a system!
- 10. Palo Alto Expedition: From N-Day to Full Compromise – Horizon3.ai
The Horizon3.ai team just dropped a bombshell on Palo Alto's Expedition application security. They've uncovered a treasure trove of vulnerabilities, including an unauthenticated admin password reset (CVE-2024-5910), authenticated command injection (CVE-2024-9464), unauthenticated SQL injection (CVE-2024-9465), and cleartext credentials in logs (CVE-2024-9466). The real kicker? They chained these bad boys together to go from zero to full compromise, exploiting everything from a simple PHP file in /var/www/html/ to crafting malicious cron jobs and even dumping entire database tables using SQLMAP. With only 23 Expedition servers exposed to the internet, this might not be widespread, but it's a stark reminder that even security vendors aren't immune to some seriously gnarly vulnerabilities.
- 11. Can You Get Root With Only a Cigarette Lighter?
David Buchanan just blew our minds with his deep dive into DRAM fault injection attacks. This mad scientist managed to flip bits in his Raspberry Pi's memory using nothing but electromagnetic pulses, achieving what's known as Rowhammer without even touching the RAM! The secret sauce? He used a ChipSHOUTER to zap specific areas of the Pi's PCB, causing glitches in the DRAM controller and flipping bits in nearby rows. But here's the kicker - he didn't stop at just flipping bits. David went full-on hacker mode, demonstrating how these bit flips could lead to privilege escalation by targeting the Linux kernel's usernscapable function. Talk about turning physics into a security nightmare!
- 12. Patching is Overrated
The crew at Adversarial just dropped a truth bomb about patching that'll make your head spin. They're saying that patching alone ain't gonna cut it in today's threat landscape, and they've got the data to back it up. These mad lads analyzed 1,000 real-world attacks and found that a whopping 80% of them didn't even use CVEs - they're all about misconfigurations, weak credentials, and good ol' social engineering. But here's the kicker: they're not telling you to ditch patching altogether. Instead, they're pushing for a risk-based approach that focuses on your actual attack surface and leverages automation to keep you ahead of the bad guys. It's time to stop playing whack-a-mole with patches and start thinking like an attacker! I love this: "In the fairytale land of security theater, product exploits are out there getting stopped by intrusion prevention systems all day. In reality, people aren't running exploits over the wire, and IPS is sitting around burning up budget. In real life, people are finding the page that says "click here to download all the secret data" and clicking the button."
- 13. The useful uselessness of SBOMs
Love this: "The thing is, SBOMs aren’t something that should exist by themselves. They’re a tool, a part of a larger system. The two SBOM formats that get much of the attention and complaints are SPDX and CycloneDX. But those are just two standards. There are formal definitions of SBOMs that tell us what sort of information they should contain – SPDX and CycloneDX meet those requirements, but it’s foolish to use such a narrow definition by itself, remember, it’s a tool." - SBOMs are just data that you have to do something with, such as compare to something else or maintain in a database that you can search to find something relevant or interesting. I think this is the point Josh is trying to make.
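To make the "SBOMs are just data you have to do something with" point concrete, here is an added example (not code from the linked post) that normalises a CycloneDX and an SPDX document into one component list and compares it against an advisory list. The two SBOM documents and the advisory entries are constructed for the example, not real data.

```python
import json

# Constructed CycloneDX 1.5 document, trimmed to the fields used here.
CYCLONEDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2"}]})

# Constructed SPDX 2.3 JSON document carrying the same kind of information.
SPDX = json.dumps({"spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/openssl@3.0.1"}]}]})

# Constructed advisory list: (purl type, package name, first fixed version, id).
ADVISORIES = [("npm", "lodash", "4.17.21", "CONSTRUCTED-ADV-1"),
              ("generic", "openssl", "3.0.7", "CONSTRUCTED-ADV-2")]


def purl_type(purl):
    """'pkg:npm/lodash@4.17.20' -> 'npm'; None when no purl is present."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0]


def parse_sbom(text):
    """Normalise either format to a list of (purl_type, name, version)."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [(purl_type(c.get("purl")), c["name"], c.get("version"))
                for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        out = []
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append((purl_type(purl), p["name"], p.get("versionInfo")))
        return out
    raise ValueError("unrecognised SBOM format")


def version_key(ver):
    """Tuple for dotted numeric versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in ver.split("."))


def affected(components, advisories=ADVISORIES):
    """(name, version, advisory id) for components below the fixed version."""
    return [(name, ver, adv_id)
            for ptype, name, ver in components
            for atype, aname, fixed, adv_id in advisories
            if (ptype, name) == (atype, aname) and ver
            and version_key(ver) < version_key(fixed)]
```

Real advisory feeds use version ranges and ecosystem-specific version rules, so the numeric comparison here is the part to replace with a proper version library in production.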
- 14. CVE-2024-9312: Ubuntu Authd Flaw Allows User ID Spoofing
This vulnerability is no joke. An attacker who could register usernames could potentially:
- Cause ID collisions, leading to account confusion.
- Spoof another user's ID, essentially stealing their digital identity.
- Gain the same privileges as the target user on the system.
The scary part? This attack could be done offline, bypassing rate limits and leaving minimal audit trails. We're talking about potentially compromising a target account across multiple systems in less than 10 minutes of computing time.
- 15. Stop Calling Them VPNs!
Great points:
- The author argues that services like NordVPN, ProtonVPN, and ExpressVPN aren't true Virtual Private Networks. They're more like traffic aggregators or tunnels.
- True VPNs were originally designed to create private networks over public infrastructure, typically for corporate use. These consumer "VPNs" are a different beast entirely.
- The marketing of these services as privacy tools is often misleading. While they can hide your traffic from your ISP, you're just shifting that visibility to the tunnel provider.
- Most websites now use HTTPS, so your ISP can't see the content of your browsing anyway. DNS-over-HTTPS (DoH) is also becoming more common, further reducing what ISPs can see.
- These tunnel services can be useful for bypassing geographical restrictions or accessing region-locked content, but that's not about privacy - it's about circumventing terms of service.
- The author suggests we stop calling these services "VPNs" because it's inaccurate and misleading. They're not providing the same function as a true corporate VPN.
- While these services can have legitimate uses, users should be aware of the limitations and potential drawbacks, like reduced internet speeds or being flagged as suspicious by some websites.
I will also add that "VPNs" do nothing for privacy in the browser, where websites are executing JavaScript on your local machine. Let that sink in for a moment.
- 16. Bypassing noexec and executing arbitrary binaries
If you want to build a completely fileless malware for Linux, this is a good start: "Execute a binary on a Linux system when execution is not allowed (e.g. restricted PHP environment, read-only filesystem or noexec mount flag). By using only Bash and making syscall(2)’s from Bash (!) and piping the ELF binary straight from the Internet into Bash’s address space - without touching the harddrive and without ptrace() or mmap()…." - I'm not certain if this is entirely new, but feels like an "on the shoulders of giants" post. I think it's great and predict we will see threat actors clean-up the dodgy techniques they are using today that we can spot from a mile away on Linux systems, if we're looking in the right places.
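On the "if we're looking in the right places" side, here is an added example (not code from the linked post) that checks two common artifacts of in-memory execution on Linux: a process whose /proc/PID/exe points at a memfd or deleted file, and anonymous memory regions mapped executable. It is a general hunting check, not a detector for the specific bash-syscall trick the post describes; the maps excerpt is constructed.

```python
import os
import re

# /proc/<pid>/exe link targets with no regular on-disk backing
MEMFD_RE = re.compile(r"^/memfd:")          # image created with memfd_create()
DELETED_RE = re.compile(r" \(deleted\)$")   # file unlinked after it was exec'd

# Constructed /proc/<pid>/maps excerpt: a file-backed text segment of bash
# followed by an anonymous rwx region such as an in-memory loader would use.
SAMPLE_MAPS = ("5580a000-5580c000 r-xp 00000000 fd:01 1234 /usr/bin/bash\n"
               "7f1a00000000-7f1a00010000 rwxp 00000000 00:00 0\n")


def classify_exe_target(target):
    """Reason string when the exe link target is suspicious, else None."""
    if MEMFD_RE.search(target):
        return "memfd-backed executable"
    if DELETED_RE.search(target):
        return "executable deleted from disk"
    return None


def anonymous_exec_regions(maps_text):
    """Count executable mappings that have inode 0 and no backing path.

    maps columns: address perms offset dev inode [path]; pseudo-paths such
    as [heap] or [vdso] are not empty, so they are not counted."""
    count = 0
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        perms, inode = parts[1], parts[4]
        path = parts[5] if len(parts) == 6 else ""
        if "x" in perms and inode == "0" and not path:
            count += 1
    return count


def scan_proc(proc="/proc"):
    """Live scan: yield (pid, reason) for processes flagged by either check."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            target = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/maps") as fh:
                maps = fh.read()
        except OSError:
            continue    # kernel thread, process exited, or not our process
        reason = classify_exe_target(target)
        if reason:
            yield pid, reason
        elif anonymous_exec_regions(maps):
            yield pid, "anonymous executable mapping"

# Usage on a live host (needs root to see other users' processes):
#   for pid, why in scan_proc(): print(pid, why)
```

JIT runtimes such as browsers and JVMs legitimately create anonymous executable mappings, so treat that second check as a triage prompt rather than a verdict.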
- 1. Used Redbox Devices contain user info
When someone opens up the hard drive of a Redbox unit, they can pull a file which has a complete list of titles ever rented, and the email addresses of the people who rented them, and where and when.
INSERT SHOCK FACE HERE
- 2. CapibaraZero A cheap alternative to FlipperZero™ based on Espressif boards
Build a cheap alternative to Flipper Zero™ built on top of ESP32-S3!
- 3. Google’s Chrome Browser Starts Disabling uBlock Origin
Welp, back to firefox we all go!
- 4. Turn your Android phone into a modern ham radio transceiver
kv4p HT is a homebrew VHF radio that makes your phone capable of voice and text communication completely off-grid with at least a Technician class amateur radio license. The radio simply plugs into the USB C port on your Android smartphone and transforms it into a fully-fledged handheld radio transceiver. It's completely open source (GPL3): the Android app, ESP32 firmware, PCB designs, and 3D printer files.
- 5. 1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
The steps to execute the attack now were simple:
- Create an Apple account with [email protected] email and request a verification code. Apple sends a verification code from [email protected] to [email protected] and Zendesk automatically creates a ticket.
- At the same time, create a ticket on the company.com support portal from my own email address; this allows me to keep track of an ID range.
- Use the email spoofing bug I mentioned earlier to attempt to add yourself to every ticket within the range from earlier.
- 6. You can actually run Linux on the RISC-V cores of the Raspberry Pi Pico 2’s RP2350
When the Raspberry Pi Pico 2 came out, it didn’t take long for someone to figure out crazy uses for its RISC-V Hazard3 CPU cores. After all, folks figured out how to pull off amazing feats with the original Pico, like emulating the Macintosh 128K. The RISC-V CPU is more commonly used in application-class processors than microcontrollers, so one developer set to work installing Linux on the RISC-V cores. Here’s how he pulled it off.
- 7. Amazon says 175 million customers now use passkeys to log in
Amazon has seen massive adoption of passkeys since the company quietly rolled them out a year ago, announcing today that over 175 million customers use the security feature.
- 8. Federal Trade Commission Announces Final “Click-to-Cancel” Rule Making It Easier for Consumers to End Recurring Subscriptions and Memberships
The Federal Trade Commission today announced a final “click-to-cancel” rule that will require sellers to make it as easy for consumers to cancel their enrollment as it was to sign up. Most of the final rule’s provisions will go into effect 180 days after it is published in the Federal Register.
- 1. Mind the (air) gap: GoldenJackal gooses government guardrails
- 2. Getting started – RFswift
To get started using RF Swift, you first need to meet specific requirements. The page lists supported platforms (Windows, Linux) by architecture (x86_64/amd64, arm64/v8, riscv64) in a table that did not survive extraction.
- 3. The Internet Archive Has Been Hacked
- 1. Lamborghini Carjackers Lured by $243M Cyberheist
The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist were carjacked as part of a botched plan to hold the parents for ransom. Their son executed a sophisticated phone-based social engineering attack in which they stole $243 million worth of cryptocurrency from a victim in Washington, D.C.
- 2. Bitcoin creator suspect says he is not Bitcoin creator suspect
In the just-released HBO film on the history of the world's biggest digital currency - Money Electric: The Bitcoin Mystery - documentary filmmaker Cullen Hoback comes to the conclusion that the anonymous creator of Bitcoin was none other than a long-time member of the community and early Bitcoin developer Peter Todd. Todd says: Wrong again, world.
- 3. Salt Typhoon Hack Shows There’s No Security Backdoor That’s Only For The “Good Guys”
At EFF we’ve long noted that you cannot build a backdoor that only lets in good guys and not bad guys. Salt Typhoon's hack took advantage of systems built by ISPs to give law enforcement and intelligence agencies access to the ISPs’ user data. This gave China unprecedented access to data related to U.S. government requests to these major telecommunications companies.
- 4. Cards Against Humanity campaigns to encourage voting, expose personal data abuse
The "Cards Against Humanity Pays You to Give a Shit" campaign uses US citizens' personal data obtained from a broker to identify whether individuals voted in the 2020 US presidential election and how they lean politically. Those who didn't vote are asked to put info into the website, promise to vote in the upcoming election, make a voting plan, "and publicly post 'Donald Trump is a human toilet'" in exchange for up to $100.
- 5. GSA plows ahead with face matching tech despite its own reliability concerns
The US government's General Services Administration's (GSA) facial matching login service is now generally available to the public and other federal agencies, despite its own recent report admitting the tech is far from perfect. The best-performing product still failed 10 percent of the time, and the worst had a false negative rate of 50 percent, meaning its ability to properly match a selfie to a government ID was no better than chance. Higher rejection rates for people with darker skin tones were also noted.
- 6. Trump campaign arms up with ‘unhackable’ phones after Iranian intrusion
Military kit supplier Green Hills Software has equipped Trump's team with supposedly unhackable phones and computers as the campaign attempts to avoid a repeat of earlier incidents where pro-Iranian attackers managed to steal emails and other data from the crew. The company says its security comes from tight coding and locking down absolutely everything it can to minimize the opportunities for intrusion.
- 7. Green Hills MULTI IDE
This is the IDE used to develop the code for the secure phone described in the previous article. It has many advanced features, including History Viewer, DoubleCheck which automatically reviews source code each time it’s compiled, and Run-time Error Checking.
- 8. Apple study exposes deep cracks in LLMs’ “reasoning” capabilities
The latest LLMs can solve grade-school level mathematical word problems. However, simply changing irrelevant details, or adding extra useless information to arithmetical story problems, causes the models to fail. This shows that they have just memorized the problems, without understanding them or actually performing reasoning. This creates an "illusion of understanding".
- 9. Anthropic’s Claude vulnerable to ’emotional manipulation’
Anthropic's Claude 3.5 Sonnet, despite its reputation as one of the better behaved generative AI models, can still be convinced to emit racist hate speech and malware. All it takes is persistent badgering using prompts loaded with emotional language. The details of the process are not being released, because the student who found it is afraid of being sued.
- 10. OpenAI confirms threat actors use ChatGPT to write malware
OpenAI has disrupted over 20 malicious cyber operations abusing its AI-powered chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks. The report, which focuses on operations since the beginning of the year, constitutes the first official confirmation that generative mainstream AI tools are used to enhance offensive cyber operations.
- 11. New plant-based glitter shows no harm to soil organisms
Glitter is a type of microplastic used in cosmetics, clothing or for decorative purposes. In 2023, the European Union officially banned the sale of loose plastic glitter, to cut environmentally harmful microplastic pollution. Now researchers have created a novel nanocrystal made from cellulose that sparkles in light and is biodegradable.
- 12. Magnetoelectric nanodiscs offer remote brain stimulation without implants or genetic modification
Novel magnetic nanodiscs could provide a much less invasive way of stimulating parts of the brain, paving the way for stimulation therapies without implants. Tiny discs, 250 nanometers across (about 1/500 the width of a human hair), would be injected directly into the desired location in the brain. From there, they could be activated at any time simply by applying a magnetic field outside the body.
- 13. Chinese scientists hack military grade encryption on quantum computer: paper
They used a quantum computer produced by Canada's D-Wave Systems, and an algorithm named quantum annealing. They successfully attacked part of the foundation of AES. They did not fully break AES; it's not yet clear how significant this result is.
- 14. FBI created a cryptocurrency so it could watch it being abused
The Fed made an Ethereum-based instrument named NexFundAI. Now eighteen individuals have been charged "for widespread fraud and manipulation in the cryptocurrency markets." The fraud involved "wash trades" – transactions conducted solely to increase the volume of trades in a security or other asset.