Its Not Really A 0-Day – PSW #866
This week: Compliance, localization, blah blah, the Greatest Cybersecurity Myth Ever Told, trolling Microsoft with a video, Github actions give birth to a supply chain attack, prioritizing security research, I'm tired of 0-Days that are not 0-Days, sticking your head in the sand and believing everything is fine, I'm excited about AI crawlers, but some are not, Room 641A, a real ESP32 vulnerability, do we need a CVE for every default credential?, smart Flipper Zero add-ons, one more reason why people fear firmware updates, no more Windows 10, you should use Linux, and I have a Linux terminal in my pocket, now what?
Announcements
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
- 1. GitHub – DarkSpaceSecurity/SSH-Stealer: Smart keylogging capability to steal SSH Credentials including password & Private Key
- 2. AI Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
- 3. Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source
- 4. Embedded & IoT Devices Supply Chain Security — Part 1 Decision Framework
- 5. Static Analysis of GUID Encoded Shellcode – SANS Internet Storm Center
- 6. Tomcat Flaw CVE-2025-24813 Exploited in the Wild, PoC Released
- 7. Ghostly Reflective PE Loader — how to make an existing remote process inject a PE in itself
- 8. Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs
- 9. History of NULL Pointer Dereferences on macOS – AFINE – digitally secure
- 10. APT Naming Woes Redux (Bonus ‘DOJ’ Oops!)
- 11. Researchers Remotely Hack Commercial Trucks & Buses to Unlock Them
- 12. Facebook discloses FreeType 2 flaw exploited in attacks
- 13. Ryan Walker’s Flipper Blackhat is a Powerful Quad-Core Linux-Based Wi-Fi Add-On for the Flipper Zero
I mean, it's convenient to develop on the Flipper Zero platform and use it as the UI. Creating a UI for an ESP32, as an example, is a fairly heavy lift. That being said, you can just use a laptop or an RPI for this purpose...
- 14. Flipper Zero CC1101 433MHz 900Mhz External Module by KRIDA Electronics on Tindie
This is a great Flipper Zero add-on; at only $19.99 you can extend the range of the CC1101. Many add-on boards are priced much higher and contain an additional CC1101. The Flipper already has one, so just extending the range makes more sense. I ordered one a while back and it's really good, so shop around (though I can't seem to find the original site I ordered it from...)
- 15. Samsung Soundbar Bricked: Disable Updates Now!
This is why people are afraid of firmware updates. When they go wrong, they go really wrong.
- 16. Negative Exposure: Edimax Network Cameras Used to Spread Mirai
The firmware on these devices is really old, like 2014 and Linux kernel 2.x old. Also, the default credentials can be easily cracked, and the default credentials are in the documentation. There is another CVE for cracking credentials on a TP-Link device. Do we need CVEs for crackable passwords on IoT devices?
- 17. Brushing Up on Hardware Hacking Part 2 – SPI, UART, Pulseview, and Flashrom
Great information for hardware hackers in this one. Save it for later as a reference.
- 18. Technical Advisory: Espressif Systems – ESP32 BluFi Reference Application Vulnerabilities
For context, the vulnerabilities disclosed are in the reference implementation for ESP32 systems (e.g. in the examples folder on their GitHub repo). I believe this is one reason Espressif did not consider this to be a security exposure worthy of a CVE. I disagree, as the reference code exists in a repo that gets a version number, and those version numbers are vulnerable, therefore you should upgrade and we need a CVE to track this. That said, Espressif did patch the vulnerabilities. However, if you used any of the reference code, your code may now be vulnerable, so you will need to backport the patches. I am surprised this did not get more press, as it represents a very real remote code execution possibility, especially for the highest severity vulnerability, which is described as follows: "An attacker within Bluetooth range can achieve arbitrary code execution on an ESP32 device running the BluFi reference code by exploiting the WiFi credential setting commands." Looking at the code, this is a classic mistake: rather than setting a limit on how large the string can be, the length gets set to whatever the length of the string being passed in is, via a user-controlled variable. Which means: classic buffer overflow.
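As an added illustration of the length-handling mistake described above (a constructed example, not Espressif's BluFi source), here is a minimal "set SSID" command handler in its unchecked form beside a hardened one. The frame layout `[cmd][len][payload...]`, the `SSID_MAX` limit and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed command format: one command byte, one length byte,
 * then the payload. The 32-byte SSID limit is an assumption. */
#define SSID_MAX 32

typedef struct {
    char ssid[SSID_MAX + 1];   /* fixed-size destination buffer */
} wifi_cfg_t;

/* Vulnerable pattern: the copy length is taken verbatim from the
 * peer-supplied length byte and never compared to SSID_MAX, so any
 * length above 32 writes past cfg->ssid (the overflow described above).
 * Shown for contrast only; the test below never calls it. */
int set_ssid_unchecked(wifi_cfg_t *cfg, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2) return -1;
    uint8_t len = frame[1];             /* attacker-controlled */
    memcpy(cfg->ssid, &frame[2], len);  /* no bound on len */
    cfg->ssid[len] = '\0';
    return 0;
}

/* Hardened pattern: a peer-supplied length is validated against both the
 * destination buffer and the number of bytes actually received before any
 * copy happens. Distinct return codes make the rejection reason loggable. */
int set_ssid_checked(wifi_cfg_t *cfg, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2) return -1;                 /* truncated header */
    uint8_t len = frame[1];
    if (len > SSID_MAX) return -2;                /* exceeds destination */
    if ((size_t)len + 2 > frame_len) return -3;   /* claims more than received */
    memcpy(cfg->ssid, &frame[2], len);
    cfg->ssid[len] = '\0';
    return 0;
}
```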
- 19. AT&T technician Mark Klein, who exposed secret NSA spying, dies
Room 641A will forever be infamous, if for nothing but a reminder that the NSA is listening. waves to NSA people
- 20. Android’s Linux Terminal app is now widely available on Pixels, and here’s how to get it
This is cool! I tested it, and it works. I have a Linux VM in my pocket. That is all for now.
- 21. Microsoft to End Support for Windows 10, No More Security Updates!
I have one remaining Windows 10 PC to upgrade, and thankfully, Windows 11 is supported. It's a Surface laptop I bought about 5 years ago. I plan to keep it as one of my Windows backup machines. However, most of the other hardware I have lying around would not run Windows 11. If there ever were a case to switch to Linux, this would be it. PSA: Don't be afraid to try Linux as your desktop; it's far better than even 3-4 years ago; you may be surprised how well it works for you!
- 22. Adversary Fan Fiction Writers Guild
Raphael Mudge has a new blog, and the first post is fire. You should read it. The main topic: Is offensive security research helping or not? I want to tag on to this notion: If there is no patch or an EDR is blind to an attack technique, do you want to know about it? Some teams just don't even want to know. If there is no great solution, now it's something that is a legal liability, as they know about something and may not be addressing it. Don't be this team. Be the team that wants to know about everything and works towards creative solutions that provide visibility, detection, and/or prevention in some manner, even if an attacker has a 0-Day or an EDR bypass.
- 23. Researcher trolls Microsoft over bug disclosure annoyance
This is a really great troll! There are two sides to this though, and I get both. I could argue either side, you pick!
- 24. ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
This really stretches, and perhaps violates, the definition of 0-Day. Microsoft has known about this for some time, in fact, MS Defender actually has detections and preventions for it. Just because Microsoft still refuses to patch it does not mean it's a 0-Day. FYI, CISA put out an advisory about this vulnerability in 2010: https://www.cisa.gov/news-events/alerts/2010/07/16/microsoft-windows-lnk-vulnerability
- 25. Bypassing Authentication Like It’s The ‘90s – Pre-Auth RCE Chain(s) in Kentico Xperience CMS
With an abundance of available targets for security research, it's often overwhelming to come to a final decision on a target of interest. This watchTowr post, which is amazing in its own right and exemplifies the unique writing style that we love watchTowr for (and memes!), sums up the decision tree nicely:
- Written in C# (a familiar language, thank you Exchange).
- Used and leveraged widely by watchTowr Platform customers.
- Popular amongst large enterprises
- A suspiciously minimal amount of critical/high-severity vulnerabilities in the past.
- Attackers recognize the value of Kentico’s CMS - re: CVE-2019-10068 being exploited in the wild.
This is so good I want to create a generic version of it and make it visual to present in the next research meeting. Well done!
- 1. Kernelcon – The State of Information Security Today
I'm excited to be sharing keynote duties at Kernelcon this year with Gabrielle Hempel and Jayson Street. The theme for this year is Race Condition, which ties in nicely with my topic. (Don't see it? You'll have to come to the conference!)
- 2. Bybit’s $1.5B Security Breach Exposes Human-Centric Crypto Vulnerabilities
"human-centric crypto vulnerabilities" - could they possibly be talking about key management or implementation??? They state, "human error remains the weakest link in crypto security". Nothing to see here. They also state, "security breaches persist due to mismanagement of private keys, phishing attacks, and lack of multi-layered protection." There it is.
- 3. Dragos details LELWD’s fight against VOLTZITE cyberattack, following 300-day OT network breach
A rather lengthy and detailed article, but it was somewhat confusing to me. Still, a very detailed account of the challenges faced by many "small" critical infrastructure companies that are notoriously underfunded for cybersecurity and don't really have to answer to any particular regulatory compliance framework.
- 4. Hunting Active Threats in Littleton’s Grid with the Dragos Platform and OT Watch
This link will get you to the actual case study.
- 5. The Role of Localization in Cybersecurity Threat Mitigation
Did I ever tell you about the time PCI DSS literally made tripwire a $1B company? Oh, never mind. Localization, the idea that online data should be contained locally in a region, is suggested in this article to be "a critical tool for compliance and cybersecurity threat mitigation." I'm not sure I'm buying this sentiment. They seem to be suggesting that following laws/regulations (think GDPR) is key to securing data and meeting regulatory compliance requirements. Maybe I'm missing something?
- 6. Black Kite Third Party Breach Report 2024
The actual report (and it's not behind a paywall and you don't have to give up any info).
- 7. Black Kite Third-Party Breach Report 2025
Aha! I found this year's report! Did things get better??? Not hardly. Both reports are interesting reading, and the "trends" from 2023 to 2024 and the way they are reported are also quite compelling.
- 8. Unmask the Greatest Cybersecurity Myth Ever Told
This is just a fun site to visit. Not an unpaid endorsement of bugcrowd, but because we love Casey!
- 9. Third-Party Data Breaches: Hidden Threat Lurking in Vendor Networks
Hardly a new concept or concern, but at least there's some empirical data to support the assertion found in the breach report. Some people need hard facts rather than professional opinion, I suppose. Also confusing is that this is a "news" article about a report that was published a year ago (2024) that is a study of breach data from 2023. Sorry....
- 1. Microsoft wouldn’t look at a bug report without a video. Researcher maliciously complied
Senior principal vulnerability analyst Will Dormann said last week he contacted Microsoft Security Response Center (MSRC) with a clear description of the bug and supporting screenshots, only to be told that his report wouldn't be looked at without a video. Frustrated with Microsoft's demand, which Dormann said would only show him typing commands that were already depicted in the screenshots, and hitting Enter in CMD, the analyst created a video laden with malicious compliance. The video is 15 minutes long and at the four-second mark flashes a screenshot from Zoolander, in which the protagonist unveils the "Center for Kids Who Can't Read Good." It also features a punchy techno backing track while wasting the reviewer's time with approximately 14 minutes of inactivity.
- 2. GitHub supply chain attack spills secrets from 23,000 projects
"tj-actions/changed-files" is a popular GitHub Action, used by more than 23,000 GitHub repositories. Attackers compromised the project, and altered its code to leak secrets into build logs. This exposes the secrets for public repositories, but not for private ones. The attack used a stolen PAT [personal access token] linked to a bot account. GitHub is not able to determine how this PAT was compromised.
- 3. New GitHub Action supply chain attack: reviewdog/action-setup
Wiz Research has discovered an additional supply chain attack on reviewdog/actions-setup@v1, that may have contributed to the compromise of tj-actions/changed-files. At this point we believe this is a chain of supply chain attacks eventually leading to a specific high-value target.
- 4. Alphabet spins off laser-based Internet backbone provider Taara
The technology works by firing a beam of light the width of a pencil from one traffic light-sized terminal to another--free space optics. Alphabet says the system can transmit data at 20 gigabits per second over 20 km, extending traditional fibre-optics networks with minimal construction and lower costs. Taara already operates in 12 countries including India and parts of Africa.
- 5. Mark Zuckerberg requested Xi Jinping to name his unborn child, and offered to help censor content and share facial recognition technology with Chinese authorities.
China was Zuckerberg’s “white whale.” His desire to enter the Chinese market was so intense that he learned Mandarin and actively pursued relationships with top Chinese officials.
- 6. How ProPublica Uses AI Responsibly in Its Investigations
AI can help reporters analyze large volumes of data and try to identify patterns. And crucially, we made sure to tell the model not to guess if it wasn’t sure. Of course, members of our staff reviewed and confirmed every detail before we published our story, and we called all the named people and agencies seeking comment, which remains a must-do even in the world of AI.
- 7. Microsoft Adds Paywall for AI Features in Notepad and Paint
Newer features that use AI, such as an image generator in Paint and AI rewriting of text in Notepad, will require a paid Microsoft 365 account.
- 8. AI crawlers haven’t learned to play nice with websites
SourceHut says it's getting DDoSed by LLM bots, so it deployed Nepenthes, a tar pit, to catch web crawlers.
- 9. China’s BYD launches EV charging system it says works nearly as fast as a fill up
1 megawatt flash-chargers, with voltage levels of up to 1,500V, can provide a full charge for its latest EVs within five to eight minutes.