Using a Raspberry Pi to hack grandma (Part 2)
One Raspberry Pi, two red teamers and a simple mission: hack grandma.
After building a Raspberry Pi “attack box”, of course I want to kick the wheels and take it for a spin before I get called into my next red team operation.
But what to do?
I could do the normal thing and ping our CEO Spencer Thompson and do a basic web penetration test against our site. But our site is pretty limited and doesn’t offer a lot of “meat” to go after. Plus, I’ve done about a million of these so I want to try something new.
Part of being a red teamer means being creative. Thinking outside of the box. Ideas, ideas, ideas…
I’ve got it! With the world shut down and everyone working from home, what if I plug my Raspberry Pi into my home network and see if I can gain a foothold onto one of my in-law’s devices! They’ve been staying with us to help take care of James, my 8-month old son. Challenge accepted.
https://feed.prelude.org/p/easy-as-pi
👉🏼 How to build a disposable attack box using a Raspberry Pi
https://t.iss.one/BlackBox_Archiv/1937
#disposable #attackbox #grandma #raspberry
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Nextdoor launches anti-racism notification to prevent discriminatory language
Nextdoor is introducing a new anti-racism notification, which asks users to reconsider posting content if the app thinks it may be offensive. As with its previous Kindness Reminder, if a user tries to post something with words or phrases Nextdoor thinks may be objectionable, it will give them the option to edit the post before it actually goes live. The users can, however, ignore the warning and post it anyway.
https://blog.nextdoor.com/2021/04/19/nextdoor-launches-anti-racism-notification-to-prevent-discriminatory-language/
https://www.theverge.com/2021/4/19/22392304/nextdoor-anti-racism-notification-community-moderation
https://www.youtube.com/watch?v=0yLUWsZp5Ug
#nextdoor #racist #antiracism #notification #discriminatory #language #video #thinkabout
📡 @nogoolag 📡 @blackbox_archiv
Social Media ‘Likes’ Change the Way We Feel About Our Memories
Summary: Sharing our personal experiences on social media may negatively impact how we feel about our memories, especially if the post doesn’t get many likes, a new study reports.
Memories are often considered very personal and private. Yet, in the past few years, people have got used to notifications from social media or phone galleries telling them they have a “memory”.
These repackaged versions of the past affect not just what we remember but also the attachments we have with those memories. In a new study, we found social media has the potential to change how people feel about their memories.
Social media metrics such as Facebook “likes” can negatively impact how people feel about certain memories, especially if these memories are shared without getting many likes. Beyond this, the anticipation of social media judgements about the past can also impact on what memories people share and how.
With the aim of understanding the everyday presence of these automated memories, we drew upon detailed interviews and focus groups with around 60 social media users. In particular, we looked at how people use features such as Timehop, Facebook memories and Apple memories.
We asked participants about their experiences of being reminded of memories by these different features. While some found the features to be creepy and invasive, others found them a useful reminder of previous experiences they’d forgotten.
We also asked whether the number of likes a shared memory received had any impact on them. In some cases participants felt differently about their memories depending on the number of likes.
https://neurosciencenews.com/memory-social-media-18263/
#social #media #facebook #DeleteFacebook #likes #memories #thinkabout
Improving Cognitive Health in COVID-19 Survivors Through Digital Therapeutics - Clinical Trial Details
The primary objective of this study is to investigate the efficacy of AKL-T01, a remotely-delivered digital cognitive intervention, relative to a waitlist control in improving cognitive functioning in COVID-19 survivors.
Emerging evidence suggests a subgroup of survivors of COVID-19 have residual difficulties with cognition and daily functioning. These deficits are pronounced in cognitive domains including attention, learning and executive skills, and may continue to impact quality of life after recovery from other COVID-19 symptoms. This study aims to investigate the efficacy of AKL-T01 (Akili Interactive), a remotely-delivered digital cognitive intervention, in targeting and improving cognition and functional outcomes in individuals recovering from COVID-19. The efficacy of the AKL-T01 intervention will be measured relative to a waitlist control group.
https://jcto.weill.cornell.edu/open_clinical_trials/improving-cognitive-health-in-covid-19-survivors-through-digital-therapeutics
https://www.theverge.com/2021/4/19/22391587/long-covid-brain-cognitive-treatment-video-game-akili
#clinical #digital #therapeutics #covid #brain #cognitive #treatment #videogame
Hackers Used to Be Humans. Soon, AIs Will Hack Humanity
Like crafty genies, AIs will grant our wishes, and then hack them, exploiting our social, political, and economic systems like never before.
IF YOU DON'T have enough to worry about already, consider a world where AIs are hackers.
Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activity. Not for long.
As I lay out in a report I just published, artificial intelligence will eventually find vulnerabilities in all sorts of social, economic, and political systems, and then exploit them at unprecedented speed, scale, and scope. After hacking humanity, AI systems will then hack other AI systems, and humans will be little more than collateral damage.
Okay, maybe this is a bit of hyperbole, but it requires no far-future science fiction technology. I’m not postulating an AI “singularity,” where the AI-learning feedback loop becomes so fast that it outstrips human understanding. I’m not assuming intelligent androids. I’m not assuming evil intent. Most of these hacks don’t even require major research breakthroughs in AI. They’re already happening. As AI gets more sophisticated, though, we often won't even know it's happening.
AIs don’t solve problems like humans do. They look at more types of solutions than us. They’ll go down complex paths that we haven’t considered. This can be an issue because of something called the explainability problem. Modern AI systems are essentially black boxes. Data goes in one end, and an answer comes out the other. It can be impossible to understand how the system reached its conclusion, even if you’re a programmer looking at the code.
https://www.wired.com/story/opinion-hackers-used-to-be-humans-soon-ais-will-hack-humanity/
#opinion #hackers #humans #ai #humanity
Hunting phishing websites with favicon hashes
HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense – since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.
But while the use of favicon hashes is common in the “red” community, a significant number of blue teamers don’t use them at all. This is unfortunate, given that – among their other uses – they can provide us with a simple way of identifying IPs hosting phishing kits. After all, this was the reason why searches using HTTP favicon hashes were introduced into Shodan in the first place[3].
As an example, we will show how to detect IPs hosting phishing pages by looking for sites that try to pass themselves off as login portals for O365 and other Microsoft services; however, the same principle would work for any other service as well. One could therefore, for example, calculate hashes of unique favicons used by systems specific to a company one is trying to protect (e.g. the favicon from a company website) and use periodic lookups of these on Shodan and other services in order to implement a – admittedly fairly simple – phishing detection/brand protection mechanism...
So how would one look for fake Microsoft login portals? First, we need to calculate a MurmurHash value of a favicon that we expect might be reused on a phishing website to make it look more trustworthy. Looking at official Microsoft websites, it seems that they use the favicon located at https://c.s-microsoft.com/favicon.ico.
https://isc.sans.edu/diary/Hunting+phishing+websites+with+favicon+hashes/27326
#hunting #phishing #websites #favicon #hashes
Forced unemployment and second-class status: The life of Google's data center contractors
Contractors love the good pay and engaging work in Google's data centers. They resent that Google and its staffing firm, Modis Engineering, make them quit every two years.
Shannon Wait felt a muscle pull in her shoulder as she knelt to lug a 50-pound battery into its rack, but she ignored the pain and kept going. She had 20 batteries to replace in the cavernous, 85-degree warehouse that day.
Hauling batteries is a major part of the job for Wait and hundreds of other workers like her at Google's data centers. They'd tried switching to automated machines during her two years working in the Berkeley County, South Carolina facility, but that stopped after only a few weeks when one of the machines pinned a co-worker to a wall.
Despite the heavy lifting, many of the workers in Google's 14 U.S. data centers at least start out enjoying the work. It's a tech job for people with no tech experience. It pays relatively well ($15 per hour for most contract workers). And while it's physically demanding, it's nothing like working at an Amazon fulfillment center or the local Walmart.
But Wait and other workers like her who keep the data centers running are not actually Google employees. While as many as half the workers in some data centers actually work for Google, make Google salaries and get all those famous Google perks, the other half don't. For data center contractors specifically, that difference can extend beyond second-tier social status to job insecurity and forced unemployment.
Protocol spoke with four contract and full-time Google employees in three of the 14 U.S. locations for this story, all of whom were granted anonymity for fear of losing their jobs (except for Wait, whose data center contract recently ended).
https://www.protocol.com/google-contractors-forced-unemployment
#google #DeleteGoogle #data #center #contractors #unemployment #thinkabout
Internal Facebook email reveals intent to frame data scraping as ‘normalized, broad industry issue’
Updated: More scraping incidents are "expected" in the future.
An internal email accidentally leaked by Facebook to a journalist has revealed the firm's intentions to frame a recent data scraping incident as "normalized" and a "broad industry issue."
Facebook has recently been at the center of a data scraping controversy. Earlier this month, Hudson Rock researchers revealed that information belonging to roughly 533 million users had been posted online, including phone numbers, Facebook IDs, full names, and dates of birth.
The social media giant confirmed the leak of the "old" data, which had been scraped in 2019. A functionality issue in the platform's contact platform, now fixed, allowed the automatic data pillaging to take place.
The scraping and subsequent online posting of user data raised widespread criticism and on April 14, the Irish Data Protection Commission (DPC) said it planned to launch an inquiry to ascertain if GDPR regulations and/or the Data Protection Act 2018 have been "infringed by Facebook."
Now, an internal email leaked to the media (Dutch article, translated) has potentially revealed how Facebook wishes to handle the blowback.
https://www.zdnet.com/article/facebook-internal-email-reveals-intent-to-frame-data-scraping-as-broad-industry-issue-and-normalized/
https://datanews.knack.be/ict/nieuws/interne-mail-toont-hoe-facebook-veiligheidsproblemen-wil-normaliseren/article-news-1724927.html
#facebook #DeleteFacebook #data #scraping #internal #email #thinkabout #why
They Hacked McDonald’s Ice Cream Machines—and Started a Cold War
Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines—and how the fast-food giant froze them out.
OF ALL THE mysteries and injustices of the McDonald’s ice cream machine, the one that Jeremy O’Sullivan insists you understand first is its secret passcode.
Press the cone icon on the screen of the Taylor C602 digital ice cream machine, he explains, then tap the buttons that show a snowflake and a milkshake to set the digits on the screen to 5, then 2, then 3, then 1. After that precise series of no fewer than 16 button presses, a menu magically unlocks. Only with this cheat code can you access the machine’s vital signs: everything from the volume of its milk and sugar ingredients to the temperature of the glycol flowing through its heating element to the meanings of its many sphinxlike error messages.
“No one at McDonald’s or Taylor will explain why there’s a secret, undisclosed menu," O’Sullivan wrote in one of the first, cryptic text messages I received from him earlier this year.
As O’Sullivan says, this menu isn’t documented in any owner’s manual for the Taylor digital ice cream machines that are standard equipment in more than 13,000 McDonald’s restaurants across the US and tens of thousands more worldwide. And this opaque user-unfriendliness is far from the only problem with the machines, which have gained a reputation for being absurdly fickle and fragile. Thanks to a multitude of questionable engineering decisions, they’re so often out of order in McDonald’s restaurants around the world that they’ve become a full-blown social media meme. (Take a moment now to search Twitter for “broken McDonald’s ice cream machine” and witness thousands of voices crying out in despair.)
But after years of studying this complex machine and its many ways of failing, O’Sullivan remains most outraged at this notion: That the food-equipment giant Taylor sells the McFlurry-squirting devices to McDonald’s restaurant owners for about $18,000 each, and yet it keeps the machines’ inner workings secret from them. What's more, Taylor maintains a network of approved distributors that charge franchisees thousands of dollars a year for pricey maintenance contracts, with technicians on call to come and tap that secret passcode into the devices sitting on their counters.
https://www.wired.com/story/they-hacked-mcdonalds-ice-cream-makers-started-cold-war/
#mcdonalds #hacked #icecream #coldwar
Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.
This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.
The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.
Pulse Secure’s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.
Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.
There is no indication the identified backdoors were introduced through a supply chain compromise of the company’s network or software deployment process.
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
#zeroday #alert #pulsesecure #vpn #backdoor
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Ransomware gang tries to extort Apple hours ahead of Spring Loaded event
The operators of the REvil ransomware are demanding that Apple pay a ransom demand to avoid having confidential information leaked on the dark web.
The REvil crew claims it came into possession of Apple product data after breaching Quanta Computer, a Taiwanese company that is the biggest laptop manufacturer in the world and which is also one of the companies that assemble official Apple products based on pre-supplied product designs and schematics.
In a message posted on a dark web portal where the ransomware gang usually threatens victims and leaks their data, the REvil gang said that Quanta refused to pay to get its stolen data back and, as a result, the REvil operators have now decided to go after the company’s primary customer instead.
The REvil gang posted 21 screenshots depicting MacBook schematics and threatened to publish new data every day until Apple or Quanta paid the ransom demand.
Furthermore, the ransomware gang also hinted that the data of other companies might also be leaked online.
“Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” the REvil operators wrote. “We recommend that Apple buy back the available data by May 1.”
Known customers of Quanta Computer include some of the biggest laptop vendors in the world, such as HP, Dell, Microsoft, Toshiba, LG, Lenovo, and many others.
https://therecord.media/ransomware-gang-tries-to-extort-apple-hours-ahead-of-spring-loaded-event/
https://twitter.com/vxunderground/status/1384529044323008521
#REvil #ransomware #extort #apple #spring #event
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Auth0 Has been down for almost 4 hours now
Incident Report for Auth0
https://status.auth0.com/
👉🏼 https://downtimeproject.com/
👉🏼 https://news.ycombinator.com/item?id=26876287
#auth0 #down #incident
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
SuperTokens
SuperTokens is an open core alternative to proprietary login providers like Auth0 or AWS Cognito. We are different because we offer:
👉🏼 Open source: SuperTokens can be used for free, forever, with no limits on the number of users.
👉🏼 An on-premises deployment so that you control 100% of your user data, using your own database.
👉🏼 An end to end solution with login, sign ups, user and session management, without all the complexities of OAuth protocols.
👉🏼 Ease of implementation and higher security.
👉🏼 Extensibility: Anyone can contribute and make SuperTokens better!
💡 Philosophy
Authentication directly affects UX, dev experience and security of any app. We believe that current solutions are unable to optimise for all three "pillars", leading to a large number of applications hand rolling their own auth. This not only leads to security issues, but is also a massive time drain.
We want to change that - we believe the only way is to provide a solution that has the right level of abstraction, gives you maximum control, is secure, and is simple to use - just like if you build it yourself, from scratch (minus the time to learn, build and maintain).
We also believe in the principle of least vendor lock-in. You having full control of your users' data means that you can switch away from SuperTokens without forcing your existing users to log out, reset their passwords or, in the worst case, sign up again.
https://github.com/supertokens/supertokens-core
#supertokens #login #provider #alternative #auth0 #opensource
📡 @nogoolag 📡 @blackbox_archiv
Facebook Email to profile vulnerability
A video shared with researchers and Motherboard shows a tool linking email addresses to Facebook accounts
A tool lets a user see which email address is linked to a Facebook account even if the Facebook user didn't publicly advertise their address, according to a video sent to various researchers and Motherboard.
The news presents another significant privacy issue for Facebook, which is continuing to face a series of data leaks around phone numbers and other data.
https://twitter.com/UnderTheBreach/status/1384552368512159744
https://www.vice.com/en/article/bvz8pz/tool-finds-facebook-email-addresses
#tool #facebook #DeleteFacebook #poc #email #accounts #video
📡 @nogoolag 📡 @blackbox_archiv
Castopod Host
Castopod Host is an open-source server made for podcasters who want to engage and interact with their audience. Please note that Castopod Host is still under heavy development: it may not be 100% stable and some features are still being developed.
We are a team of entrepreneurs and developers who spent the last ten years developing media content solutions.
We have always been advocates for the open source community, but we could not find open source solutions for podcasts that suited our needs, so we decided to start The Podlibre Initiative.
The past two decades of organic growth were driven by original audio content producers.
Major digital players and the audio content industry are now investing in podcasts.
Yet, compared to the standards in social media and search engines, podcasts, in both technology and user experience, have not evolved much over the past 20 years.
It is time for all players - Podcasters, Radio Networks, Journalists, Writers and all Voice lovers - to power up podcasts!
https://podlibre.org/tag/castopod-host/
https://code.podlibre.org/podlibre/castopod/-/releases
#castopod #podcast #opensource #alternative
📡 @nogoolag 📡 @blackbox_archiv
Tracking the WhatsApp habits of 5000 random Smartphones
In the previous blog post, we have seen that it is quite simple to hack the WhatsApp online status of a contact. A simple “Online” or “last seen yesterday at 19:00” indicator can be reverse engineered to leak phone habits with an accuracy of a couple of seconds.
‼️ There is an even more silly thing not mentioned yet: You can track any mobile phone ! So let’s play and scale to track 5000 random numbers.
Like previously, I am sharing the source code as a PROOF OF CONCEPT. You can jump straight to the end if you are more curious about the results than about the technical stuff I’m about to summarize. We are reusing the previous code with Node.js, Puppeteer & Grafana.
https://jorislacance.fr/blog/2021/04/16/whatsapp-tracking-2
💡 Hack the WhatsApp status to track contacts
https://jorislacance.fr/blog/2020/04/01/whatsapp-tracking
💡 How a WhatsApp status loophole is aiding cyberstalkers
https://t.iss.one/BlackBox_Archiv/2018
💡 Sudden New Warning Will Surprise Millions Of WhatsApp Users
https://t.iss.one/BlackBox_Archiv/1987
💡 All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.iss.one/BlackBox_Archiv/2042
#DeleteWhatsapp #user #tracking #whatsapp #thinkabout #change
📡 @nogoolag 📡 @blackbox_archiv
On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits
In this paper, we instead investigate the insecurity of OSS from a critical perspective—the feasibility of stealthily introducing vulnerabilities in OSS via hypocrite commits (i.e., seemingly beneficial commits that in fact introduce other critical issues).
The introduced vulnerabilities are critical because they may be stealthily exploited to impact massive devices.
https://github.com/QiushiWu/qiushiwu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
#opensource #security #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (Interesting quotes and conclusion)
💡 All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.iss.one/BlackBox_Archiv/2042
Both WhatsApp and Telegram transmit the contacts of users in clear text to their servers (but encrypted during transit), where they are stored to allow the services to push updates (such as newly registered contacts) to the clients. WhatsApp stores phone numbers of its users in clear text on the server, while phone numbers not registered with WhatsApp are MD5-hashed with the country prefix prepended (according to court documents from 2014 [2]).
Signal does not store contacts on the server. Instead, each client periodically sends hashes of the phone numbers stored in the address book to the service, which matches them against the list of registered users and responds with the intersection. The different procedures illustrate a trade-off between usability and privacy: the approach of WhatsApp and Telegram can provide faster updates to the user with less communication overhead, but needs to store sensitive data on the servers.
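The paragraph above describes hashed contact discovery as the privacy-friendlier option. The added example below (not code from the paper or from any messenger) shows why hashing alone does not protect a phone number: the space of valid numbers is small enough to precompute. It hashes every number in one constructed 10,000-number US block, then reverses a list of hashed contacts by table lookup, and times the work to extrapolate to the 505 million US mobile numbers the paper mentions. The encoding (country code prepended to the national digits, no “+”, MD5 as in the WhatsApp court documents) is an assumption; the 555 numbers are constructed.

```python
"""Why hashing phone numbers does not hide them: the preimage space is tiny.

Added example, not code from the paper or any messenger. Encoding assumption:
a number is hashed as country code + national digits with no '+'
(e.g. "12025550123"); real services may encode differently.
"""
import hashlib
import time


def hash_number(digits: str, algo: str = "md5") -> str:
    """Hash one phone number the way a naive contact-discovery service might."""
    return hashlib.new(algo, digits.encode("ascii")).hexdigest()


def build_lookup(country_code: str, prefix: str, suffix_len: int,
                 algo: str = "md5") -> dict:
    """Precompute hash -> number for every number sharing `prefix`.

    10 ** suffix_len hashes; a full US range is ~5e8, which is minutes of CPU.
    """
    table = {}
    for n in range(10 ** suffix_len):
        digits = f"{country_code}{prefix}{n:0{suffix_len}d}"
        table[hash_number(digits, algo)] = digits
    return table


def recover_numbers(hashed_contacts, lookup: dict) -> dict:
    """Map each uploaded hash back to its number; None where the table misses."""
    return {h: lookup.get(h) for h in hashed_contacts}


def estimate_full_space_seconds(sample_size: int = 20_000,
                                space_size: int = 505_000_000,
                                algo: str = "md5") -> float:
    """Time `sample_size` hashes and scale to `space_size` (paper: 505M US numbers)."""
    start = time.perf_counter()
    for n in range(sample_size):
        hash_number(f"1{n:010d}", algo)
    elapsed = time.perf_counter() - start
    return elapsed / sample_size * space_size


# Constructed contact list (fictional 555 numbers) as a client would hash it.
CONSTRUCTED_CONTACTS = ["12025550123", "12025559876"]
UPLOADED_HASHES = [hash_number(d) for d in CONSTRUCTED_CONTACTS]
# A contact outside the precomputed block, to show the miss case.
OUT_OF_RANGE_HASH = hash_number("13105550100")

# One area code + exchange block: +1 202 555 xxxx -> 10,000 candidates.
LOOKUP = build_lookup("1", "202555", 4)
RECOVERED = recover_numbers(UPLOADED_HASHES + [OUT_OF_RANGE_HASH], LOOKUP)

if __name__ == "__main__":
    for h, number in RECOVERED.items():
        print(f"{h}  ->  {number or 'not in table'}")
    print(f"estimated time to hash all US mobile numbers: "
          f"{estimate_full_space_seconds():.0f} s on this machine")
```

The lookup is the whole attack: a server (or anyone who can submit queries) that receives hashes can reverse them as fast as it can hash, so the hash buys essentially nothing over cleartext. The paper's own crawling results come from the same observation applied to registration lookups rather than stored hashes.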
💡Signal:
Our script for Signal uses 100 accounts over 25 days to check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signal’s users, at least for profile pictures.
💡Telegram:
For Telegram we use 20 accounts running for 20 days on random US mobile phone numbers. Since Telegram’s rate limits are very strict, only 100,000 numbers were checked during that time: 0.9 % of those are registered and 41.9 % have a non-zero importer_count. These numbers have a higher probability than random ones to be present on other messengers, with 20.2 % of the numbers being registered with WhatsApp and 1.1 % registered with Signal, compared to the average success rates of 9.8 % and 0.9 %, respectively. Of the discovered Telegram users, 44 % of the crawled users have at least one public profile picture, with 2 % of users having more than 10 pictures available.
💡 Comparison WhatsApp | Signal | Telegram:
With its focus on privacy, Signal excels in exposing almost no information about registered users, apart from their phone number. In contrast, WhatsApp exposes profile pictures and the About text for registered numbers, and requires users to opt-out of sharing this data by changing the default settings. Our results show that only half of all US users prevent such sharing by either not uploading an image or changing the settings. Telegram behaves even worse: it allows crawling multiple images and also additional information for each user. The importer_count offered by its API even provides information about users not registered with the service. This can help attackers to acquire likely active numbers, which can be searched on other platforms.
💡 Conclusion:
Mobile contact discovery is a challenging topic for privacy researchers in many aspects. In this paper, we took an attacker’s perspective and scrutinized currently deployed contact discovery services of three popular mobile messengers: WhatsApp, Signal, and Telegram. We revisited known attacks and using novel techniques we quantified the efforts required for curious serv[...]
#contact #messenger #telegram #whatsapp #signal #crawling #attacks #comment #conclusion
📡 @nogoolag 📡 @blackbox_archiv
China’s social credit program creeps into Canada
Vancouver, British Columbia, Canada: China’s Orwellian “social credit system” that records the social and financial behaviour of individuals and corporations across China, using a vast surveillance system, has expanded globally, and is now openly operational at the renowned Haidilao hot pot restaurant, in Western Canada.
Ryan Pan, a manager with Haidilao Hot Pot in Vancouver confirmed that over 60 surveillance cameras have been installed in the restaurant at the request of the Haidilao corporation, as part of the social credit system in China. He said that the Vancouver location has 30 tables with two cameras assigned to each table.
When asked specifically why Haidilao required so many cameras to monitor staff and patrons, Ryan Pan said that the cameras were installed to “punish” staff if they didn’t adhere to corporate standards and to “people track”. Pan also said that the video is sent back to China but declined to say why this was, other than to say the reason for this was “secret.”
Founded in Sichuan, China, Haidilao opened two locations in the Vancouver region, the most recent of which was opened in 2018 in a former Swiss Chalet restaurant in the trendy Kitsilano district of Vancouver. The location is within walking distance of the home rented by Huawei for staff temporarily relocated to Vancouver to assist Meng Wanzhou, the chief financial officer (CFO) of the telecom giant, following her arrest and hearing over a provisional US extradition request for fraud and conspiracy to commit fraud in order to circumvent US sanctions against Iran. The Haidilao location is no more than 10 minutes from Meng Wanzhou’s mansion and the People’s Republic of China Consulate. Haidilao has over 935 locations around the world, more than 36 million VIP members and 60,000 plus staff.
We reached out to Ivy Li, with the Canadian Friends of Hong Kong, who is a well-known public speaker, writer and activist on matters related to China and pro-democracy, to ask why Canadians should be concerned that China’s social credit system is now operational in Canada.
https://www.sundayguardianlive.com/news/chinas-social-credit-program-creeps-canada
#canada #vancouver #china #surveillance #social #scoring
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Not Your Usual Supply Chain Hack: The Codecov Bash Uploader Blunder
We all know about the SolarWinds supply chain hack. But, while smaller in scope, Codecov’s Bash Uploader supply chain security failure is also a record-setter. And this is not a record anyone wants to break.
Codecov only discovered the foul-up months after its code was compromised, thanks to a security-conscious user. He compared the Secure Hash Algorithm 1 (SHA-1) checksum of the GitHub version of the Codecov Bash Uploader with the SHA-1 checksum of the downloaded Bash Uploader, using shasum — a Linux program that calculates and verifies SHA-1 hashes — and found they didn’t match. In other words, they were not the same program.
Whoops!
Codecov is a reporting tool that inserts coverage metrics directly into continuous integration (CI) workflows. Its job is to watch for coding problems while running test suites. It especially looks in pull requests where new features and bug fixes are usually found and new bugs and problems often pop up.
Bash Uploader’s task is to export users’ CI environment data. This includes any credentials, tokens, or keys users were working with in their CI runner when the Bash Uploader script was executed. That’s already dangerous enough, and its name is perfectly descriptive: Bash Uploader uses the Bash shell and curl to upload unencrypted environment data to Codecov. And, oh yes, to the attacker’s server as well.
https://thenewstack.io/not-your-usual-supply-chain-hack-the-codecov-bash-uploader-blunder/
💡 Read as well ...
https://t.iss.one/cRyPtHoN_INFOSEC_EN/15695
#supplychain #hack #codecov
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Wikinews discusses DRM and DMCA with Richard Stallman after GitHub re-enables public access to youtube-dl
Interview with Richard Stallman about the harms of DRM and DMCA 1201
https://en.wikinews.org/wiki/Wikinews_discusses_DRM_and_DMCA_with_Richard_Stallman_after_GitHub_re-enables_public_access_to_youtube-dl
#freesoftware #stallman #drm #dmca #youtubedl #github #interview #mp3
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv
🎙@NoGoolag