BlackBox (Security) Archiv
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
pentest-report_mullvad_2021_v1.pdf
242.2 KB
Pentest-Report Mullvad VPN & Servers 11.-12.2020

“Mullvad VPN AB is owned by parent company Amagicom AB. The name Amagicom is derived from the Sumerian word ama-gi – the oldest word for “freedom” or, literally, “back to mother” in the context of slavery – and the abbreviation for communication. Amagicom stands for “free communication”.”

This document is dedicated to a presentation of a security-centered project carried out by Cure53 for Mullvad. More specifically, the report describes the results of a thorough and comprehensive penetration test and source code audit against the Mullvad VPN servers, infrastructure and related web applications and other exposed services. The project was completed in late 2020

https://cure53.de/pentest-report_mullvad_2021_v1.pdf

#pentest #mullvad #vpn #report #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Myanmar: New internet blackout “heinous and reckless”

Responding to credible reports of a widespread mobile internet blackout underway in Myanmar, Amnesty International’s Deputy Regional Director for Campaigns, Ming Yu Hah, said:

“To shut down the internet amid a volatile coup, a humanitarian crisis and a health pandemic is a heinous and reckless decision.

“Since the 1 February coup, people in Myanmar have been forced into a situation of abject uncertainty. An expanded internet shutdown will put them at greater risk of more egregious human rights violations at the hands of the military.

“The military must re-establish all telecommunications immediately and stop putting people’s rights in danger. All mobile operators and telecommunications providers in Myanmar must seek urgent clarification from the Myanmar authorities.”

On 6 February, the Myanmar military reportedly ordered telecommunications companies in the country to fully shut down internet and 4G services. According to information received by Amnesty International, the effective blackout will be in operation until Monday 8 February.

An earlier order, on 5 February, instructed telecommunications companies to block access to Twitter and Instagram.
On 4 February, the military had already announced that they were ordering telecoms operators to block access to Facebook until 7 February.

As the 1 February military coup was underway, internet and phone outages were reported in several parts of the country, including in the capital, Nay Pyi Taw, the largest city, Yangon, as well as Shan and Kachin States and the Mandalay and Sagaing regions. Access was later reestablished.

There have also been mobile internet restrictions in conflict-affected areas of Rakhine and Chin States in the country for more than a year. 4G internet access in those areas was reportedly restored late in the evening on 2 February 2021.

Such restrictions pose a real danger to at-risk civilian populations, especially when access to information is so vital during the COVID-19 pandemic – and even more so when the situation on the ground is so tense amid the coup, and in conflict-affected areas.

https://www.amnesty.org/en/latest/news/2021/02/myanmar-new-internet-blackout/

#myanmar #internet #blackout #AmnestyInternational #thinkabout #why #HelpMyanmar
Spotify’s latest invention monitors your speech, determines your emotional state… and suggests music based on it

Remember when Spotify was granted a patent for personality tracking technology, and how unsettling it was?

Published in October 2020, the filing explained that behavioural variables, such as a user’s mood, their favourite genre of music, or their demographic could all prospectively “correspond to different personality traits of a user”.

Spotify suggested that it could promote personalized content – presumably audio advertising content, but also perhaps music and podcast content – to users based on the personality traits it detected in them.

Now, according to details published in a new US Spotify patent, the company wants to use technology to get even deeper into its users’ heads, by using speech recognition to determine their “emotional state, gender, age, or accent” – attributes that can then be used to recommend content.

The new patent, entitled “Identification of taste attributes from an audio signal”, which you can read in full here, was filed in February 2018 and granted on January 12 this year.

According to the filing, SPOT’s new patent covers a “method for processing a provided audio signal that includes speech content and background noise” and then “identifying playable content, based on the processed audio signal content.”

Spotify explains that “it is common for a media streaming application to include features that provide personalized media recommendations to a user”.

An existing approach to identifying what type of content a user should be recommended, notes the filing, is to ask them to provide “basic information such as gender or age”.

https://www.musicbusinessworldwide.com/spotifys-latest-invention-will-determine-your-emotional-state-from-your-speech-and-suggest-music-based-on-it/

#spotify #invention #patent #speech #emotionalstate #thinkabout
Malware attachment using Morse Code to encode itself

First time I've seen this... a malware attachment in HTML that used MORSE CODE to bypass mailfilters

Gotta admit... I'm pretty impressed by the creativity. Never seen this kind of attack on any of our clients before

https://www.reddit.com/r/sysadmin/comments/ldesgy/first_time_ive_seen_this_a_malware_attachement_in/

#malware #morsecode
The End of the Privacy of Digital Correspondence

The EU wants to have all private chats, messages, and emails automatically searched for suspicious content, generally and indiscriminately. The stated aim: To prosecute child pornography. The result: Mass surveillance through fully automated real-time messaging and chat control and the end of secrecy of digital correspondence.

In 2020 the European Commission proposed “temporary” legislation aimed at allowing the search of all private chats, messages, and emails for illegal depictions of minors and attempted initiation of contacts with minors. This is to allow the providers of Facebook Messenger, Gmail, et al, to scan every message for suspicious text and images. This takes place in a fully automated process and using error-prone “artificial intelligence”. If an algorithm considers a message suspicious, its content and meta-data are disclosed automatically and without human verification to a private US-based organization and from there to national police authorities worldwide. The reported users are not notified.

Some U.S. providers of services such as Gmail and Outlook.com are already performing such automated messaging and chat controls. Through a second piece of legislation, the EU Commission intends to oblige all providers of chat, messaging and e-mail services to deploy this mass surveillance technology.

https://www.patrick-breyer.de/?page_id=594160&lang=en

#eu #privacy #masssurveillance #surveillance #messaging #thinkabout
Forwarded from cRyPtHoN INFOSEC (FR)
The end of the privacy of digital correspondence

The EU wants all private chats, messages and emails to be automatically searched for suspicious content, generally and indiscriminately.

The stated aim: to prosecute child pornography.

The result: mass surveillance through fully automated real-time messaging and chat control, and the end of the secrecy of digital correspondence.

In 2020 the European Commission proposed “temporary” legislation aimed at allowing the search of all private chats, messages and emails for illegal depictions of minors and attempted initiation of contacts with minors.

This allows the providers of Facebook Messenger, Gmail, et al. to scan every message for suspicious text and images.

This takes place in a fully automated process, using error-prone “artificial intelligence”.

If an algorithm considers a message suspicious, its content and metadata are disclosed automatically and without human verification to a private US-based organization and to national police authorities worldwide.

The reported users are not notified.
Some U.S. service providers such as Gmail and Outlook.com are already performing such automated messaging and chat controls.
Through a second piece of legislation, the European Commission intends to oblige all providers of chat, messaging and e-mail services to deploy this mass surveillance technology.

https://www.patrick-breyer.de/?page_id=594160&lang=en

#eu #privacy #masssurveillance #surveillance #messaging #thinkabout
Supercookie: Browser Fingerprinting via Favicon

Supercookie uses favicons to assign a unique identifier to website visitors.
Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.

The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers.

https://github.com/jonasstrehle/supercookie

#supercookie #browser #tracking
They Stormed the Capitol. Their Apps Tracked Them.

Times Opinion was able to identify individuals from a trove of leaked smartphone location data.

About 40 percent of the phones tracked near the rally stage on the National Mall during the speeches were also found in and around the Capitol during the siege — a clear link between those who’d listened to the president and his allies and then marched on the building.

While there were no names or phone numbers in the data, we were once again able to connect dozens of devices to their owners, tying anonymous locations back to names, home addresses, social networks and phone numbers of people in attendance. In one instance, three members of a single family were tracked in the data.

https://www.nytimes.com/2021/02/05/opinion/capitol-attack-cellphone-data.html

#usa #cellphone #smartphone #data #tracking
From phishing to opening 45 libraries, Jharkhand's Jamtara turns a new page

Infamous as India's phishing capital, Jamtara in Jharkhand has opened as many as 45 public libraries to divert the youth from cybercrime.

Jamtara, which is infamous as India's phishing capital, is now trying to turn a new page with the opening of several public libraries to divert the youth away from cybercrime. Police of at least 22 states have visited Jamtara in connection with several cybercrimes.

To move away from the image of India's phishing capital, the district administration has kicked off a public library movement to divert the hearts and minds of youths away from cybercrime.

Jamtara DC Faiz Aq Ahmad said the dropouts, mostly in the age group of 15 to 35 years, get carried away to make a quick buck. "We thought many ways to tackle the crime. Jamtara was known for the library movement initiated by great social reformer and educator Ishwar Chandra Vidyasagar. His idea motivated us."

This is how the district administration decided to use the unused government buildings and land to start a public library movement.

"Many dilapidated buildings were renovated to turn them into a public library. As many as 45 public libraries have already been set up and are functional. Most of them have been set up in the area known as the hubs of cyber fraud," he said.

During the pandemic, special classes for students of class 10th and 12th were arranged in these public libraries. Two teachers in each public library have been entrusted with the responsibility to clear teach students every Sunday.

https://www.indiatoday.in/india/story/from-phishing-to-opening-45-libraries-jharkhand-s-jamtara-turns-a-new-page-1766593-2021-02-06

#india #phishing #libraries #jharkhand #jamtara
NewPipe x SponsorBlock

A fork of NewPipe with SponsorBlock functionality.

The implementation is still a bit basic but it generally works pretty well.

💡 How can I get this?

Builds will be uploaded in the Releases section. Please download the APK from the newest release and install it on your device.

💡 Why isn't this in upstream NewPipe?

The developer team behind the official NewPipe decided that they do not want to include this kind of functionality in their app. See https://newpipe.schabi.org/blog/pinned/newpipe-and-online-advertising/ and https://github.com/TeamNewPipe/NewPipe/pull/3205 for more information and discussion.

We obviously disagree but we respect their decision and continue to offer SponsorBlock in NewPipe via this fork.

https://github.com/polymorphicshade/NewPipe#newpipe-x-sponsorblock

#newpipe #sponsorblock
VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack

Security researchers out of the University of Birmingham have crafted another attack against Intel Software Guard Extensions (SGX) when having physical motherboard access and using their "VoltPillager" hardware device they assembled for about $30 USD.

Two years ago Plundervolt was widely publicized for compromising Intel's SGX security by manipulating the CPU frequency/voltage as able to through software interfaces. By carefully undervolting the Intel CPUs when executing enclave computations they were able to ultimately compromise the integrity of SGX.

The impact of Plundervolt was already limited as typically the software needs root/administrative rights to access the CPU voltage/frequency MSRs or other kernel interfaces for manipulating them. But in response to Plundervolt, motherboard vendors began offering options to allow disabling voltage/frequency interface controls on their systems. Following Plundervolt, security researchers at the University of Birmingham in the UK began exploring a hardware-based attack on SGX.

https://www.phoronix.com/scan.php?page=news_item&px=VoltPillager-HW-Undervolt

#research #VoltPillager #undervolting #attack #intel #sgx
Photoshop CC v19 installer for Linux

This bash script helps you to install Photoshop CC version 19 on your Linux machine using wine behind the scene and sets some necessary components up for the best performance

🚀 Features

downloads necessary components and installs them (vcrun, atmlib, msxml...)

downloads photoshop.exe installer

creates photoshop command and a desktop entry

wine dark mode

supports graphic cards like (intel, Nvidia)

saves the downloaded files in your cache directory

It's free and you will not need any license key

works on any Linux distribution

https://github.com/Gictorbit/photoshopCClinux

#linux #wine #photoshop
North Korean hackers stole more than $300 million to pay for nuclear weapons, says confidential UN report

New York (CNN) North Korea's army of hackers stole hundreds of millions of dollars throughout much of 2020 to fund the country's nuclear and ballistic missile programs in violation of international law, according to a confidential United Nations report.

The document accused the regime of leader Kim Jong Un of conducting "operations against financial institutions and virtual currency exchange houses" to pay for weapons and keep North Korea's struggling economy afloat. One unnamed country that is a member of the UN claimed the hackers stole virtual assets worth $316.4 million dollars between 2019 and November 2020, according to the document.
The report also alleged that North Korea "produced fissile material, maintained nuclear facilities and upgraded its ballistic missile infrastructure" while continuing "to seek material and technology for these programs from overseas."

North Korea has for years sought to develop powerful nuclear weapons and advanced missiles to pair them with, despite their immense cost and the fact that such a pursuit has turned the country into an international pariah barred by the UN from conducting almost any economic activity with other countries.

https://edition.cnn.com/2021/02/08/asia/north-korea-united-nations-report-intl-hnk/index.html

#northkorea #hacker #un #report
In-depth dive into the security features of the Intel/Windows platform secure boot process

This blog post is an in-depth dive into the security features of the Intel/Windows platform boot process. In this post I'll explain the startup process through security focused lenses, next post we'll dive into several known attacks and how they were handled by Intel and Microsoft. My wish is to explain to technology professionals not deep into platform security why Microsoft's SecureCore is so important and necessary.

https://igor-blue.github.io/2021/02/04/secure-boot.html

#intel #windows #secure #boot #security
If you are still releasing custom ROMs/kernels with permissive, YOU ARE LITERALLY BACKDOORING YOUR USERS!

Remember when I said using SELinux permissive is really bad? Here is a privilege escalation PoC where the only requirement is SELinux permissive. If you are still releasing custom ROMs/kernels with permissive, YOU ARE LITERALLY BACKDOORING YOUR USERS!

https://nitter.nixnet.services/topjohnwu/status/1359054106019565571

https://github.com/vvb2060/Magica

#selinux #backdooring #customrom #topjohnwu #thinkabout
2102.00813.pdf
207 KB
This is how we lost control of our faces

The largest ever study of facial-recognition data shows how much the rise of deep learning has fueled a loss of privacy.

Now a new study shows just how much this enterprise has eroded our privacy. It hasn’t just fueled an increasingly powerful tool of surveillance. The latest generation of deep-learning-based facial recognition has completely disrupted our norms of consent.

https://www.technologyreview.com/2021/02/05/1017388/ai-deep-learning-facial-recognition-data-history/

https://arxiv.org/pdf/2102.00813.pdf

#ai #deep #learning #facial #recognition #data #privacy #study #thinkabout #pdf
Stash - an organizer for your porn

What is Stash?

Stash allows you to organize and view your own collection of adult video and image files. Think of it like a private PornHub site for your personal porn collection.

View your content

Preview and view all of your scenes and galleries from your web browser on your PC, tablet or phone. Stash directly streams videos to your web browser. Stash supports streaming of a large variety of formats and codecs to most web browsers.

Curate your content

Rate your scenes, and tag them with performers, tags, movies and studios. Filter and sort your content with a variety of filter and sorting options.

Stash also allows you to derive scene metadata from video filenames. Alternatively, you can scrape scene metadata from websites using community-curated scrapers.

https://stashapp.cc/

https://github.com/stashapp/stash/releases

#stash #porn #organizer
Farmers Are Having to Hack Their Own Tractors Just to Make Repairs

Owners are turning to hacked software from Eastern Europe as farm equipment companies won't license it to them directly.

Usually the word "hacking" implies breaking into someone else's data, but farmers are having to hack their own farm equipment just to keep it running, reports Freethink. Companies like John Deere won't license out the software necessary to diagnose and fix their increasingly complex farm equipment, forcing owners to source that software online.

https://www.thedrive.com/news/39158/farmers-are-having-to-hack-their-own-tractors-just-to-make-repairs

#farmers #hackers #tractors #hacking #video