BlackBox (Security) Archiv
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
University of Minnesota security researchers apologize for deliberately buggy Linux patches

The abashed University of Minnesota researchers apologized for their blunders, but the issues are far from resolved. And Linus Torvalds briefly addresses the fouled-up Linux patches.

Last week, some University of Minnesota (UMN) security researchers kicked a hornet's nest when it was revealed that they'd tried to insert deliberately buggy patches into Linux. Greg Kroah-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only them but any UMN-connected developers from contributing to the Linux kernel. Now, the researchers have sort of, kind of, apologized for their mistakes: "We sincerely apologize for any harm our research group did to the Linux kernel community."

https://www.zdnet.com/article/university-of-minnesota-security-researchers-apologize-for-deliberately-buggy-linux-patches/

https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u

#opensource #security #minnesota #university #trolling #apologize
📡@cRyPtHoN_INFOSEC_FR
📡
@cRyPtHoN_INFOSEC_EN
📡
@cRyPtHoN_INFOSEC_DE
📡
@BlackBox_Archiv
📡
@NoGoolag
Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs

Uninstall code, distributed from backend servers seized in January, fired on Sunday

Notorious Windows malware Emotet was automatically wiped from computers yesterday by European law enforcement using a customized DLL.

This specially crafted time bomb caused the software to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in a multinational police operation.

Those raids were largely successful: on Friday this week, malware tracker site Abuse.ch’s Emotet portal showed none of the Emotet C2 servers it tracks were online.

As the dust settled from the swoops, the officers and agents involved wondered what to do next. The answer was to set a firm death date. Infosec bods subsequently spotted that the backend systems seized by the police had made available a software update for Emotet that, once automatically downloaded and quietly installed, would activate an uninstall routine this weekend.

Infosec outfit Malwarebytes confirmed on Sunday that its updated Emotet install had indeed completely removed itself as expected.

Mariya Grozdanova, a threat intelligence analyst at Redscan, described the cops' deinstallation code to The Register: “The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated."

https://www.theregister.com/2021/04/26/emotet_sunday_25_april_killswitch_date/

https://nitter.pussthecat.org/MBThreatIntel/status/1386413655659479043

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/1707
https://t.iss.one/BlackBox_Archiv/1705
https://t.iss.one/BlackBox_Archiv/1703

#malware #botnet #emotet #bka #europol #busted #takedown #uninstall
“SWAT team of nerds” - Pentagon explains odd transfer of 175 million IP addresses to obscure company

Something weird happened minutes before Trump left—US says it was security research.

The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a "pilot" project to conduct security research.

"Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life," was the title of a Washington Post article on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC "discreetly announced to the world's computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military."

The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world's largest announcer of IP addresses in the IPv4 global routing table.

"The theories were many," the Post article said. "Did someone at the Defense Department sell off part of the military's vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?"

The Post said it got an answer from the Defense Department on Friday in the form of a statement from the director of "an elite Pentagon unit known as the Defense Digital Service." The Post wrote:

Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a "pilot effort" publicizing the IP space owned by the Pentagon.

"This pilot will assess, evaluate, and prevent unauthorized use of DoD IP address space," Goldstein said. "Additionally, this pilot may identify potential vulnerabilities."

Goldstein described the project as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated."

https://arstechnica.com/information-technology/2021/04/pentagon-explains-odd-transfer-of-175-million-ip-addresses-to-obscure-company/

#usa #pentagon #ip #addresses #why
NewPipe Releases (unofficial) - NewPipe's GitHub releases

The APK posted here cannot be installed over the F-Droid build, because the two are signed with different signing keys.

This pull request adds an experimental SponsorBlock integration; the fork's APK is linked there.

👉🏼 https://t.iss.one/newpipe_releases 👈🏼

💡 read this as well: YouTube video hosting alternatives
https://t.iss.one/NoGoolag/2284

#newpipe #youtube #alternatives
📡 @nogoolag 📡 @blackbox_archiv
Arch User Repository Blocks Pamac

Pamac is causing an excessive number of requests to aur.archlinux.org

Hi.
Today we had an incident where aur.archlinux.org went down for a couple of hours. While investigating the issue, we found out that the Pamac user agent was responsible for making a very large number of requests to the AUR, which caused it to stop responding to new requests.
We have completely blocked the Pamac user agent, to restore service for the users. It seems there's an issue with the latest pamac version that's causing this number of requests.

https://gitlab.manjaro.org/applications/pamac/-/issues/1017

#arch #archlinux #pamac
Forwarded from NoGoolag
NoFb Event Scraper

This app scrapes Facebook event links and adds the event to your calendar

https://github.com/akaessens/NoFbEventScraper

https://f-droid.org/repo/com.akdev.nofbeventscraper

The purpose of this application is to get access to Facebook events without an account.
Therefore it does not use the Facebook API.
Instead it opens the Facebook event URI and downloads the website HTML code.
This source should contain the event information in the form of structured data.
That data is extracted and used to create Android events.

Features:
* Does not use Facebook API
* Supports "open-with" and "share-to"
* Independent from Facebook regional sub-domain URLs
* Saves history of scraped events
* Handles upcoming events from pages


#fb #Facebook #deletefacebook
📡 @libreware 📡 @nogoolag 📡 @blackbox_archiv
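The scraper described above works by fetching the event page's HTML and reading the structured data embedded in it. The following is an added example, not code from the NoFbEventScraper project: it pulls a schema.org `Event` out of the page's JSON-LD blocks and turns it into a calendar-ready record, skipping blocks that are malformed and returning `None` when the page carries no event data at all. The HTML sample is constructed for the demonstration.

```python
"""Extract a schema.org Event from JSON-LD embedded in an HTML page.
Added example, not code from the NoFbEventScraper project."""
import json
from datetime import datetime
from html.parser import HTMLParser
from typing import List, Optional


class _LdJsonCollector(HTMLParser):
    """Collects the text of every <script type="application/ld+json"> block."""

    def __init__(self) -> None:
        super().__init__()
        self._in_ld = False
        self.blocks: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_ld = tag == "script" and (a.get("type") or "").lower() == "application/ld+json"
        if self._in_ld:
            self.blocks.append("")

    def handle_data(self, data):
        if self._in_ld:
            self.blocks[-1] += data  # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_ld = False


def _iter_objects(node):
    """Yield every JSON object reachable from node (lists and @graph included)."""
    if isinstance(node, list):
        for item in node:
            yield from _iter_objects(item)
    elif isinstance(node, dict):
        yield node
        yield from _iter_objects(node.get("@graph", []))


def _parse_dt(value) -> Optional[datetime]:
    """Parse the ISO 8601 timestamps used in JSON-LD; bad or missing values give None."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def extract_event(html: str) -> Optional[dict]:
    """Return the first schema.org Event as a calendar-ready dict, or None.
    A malformed JSON-LD block is skipped instead of aborting the whole scrape."""
    collector = _LdJsonCollector()
    collector.feed(html)
    for raw in collector.blocks:
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            continue
        for obj in _iter_objects(data):
            if obj.get("@type") != "Event":
                continue
            loc = obj.get("location") or {}
            if isinstance(loc, dict):  # Place -> prefer its name, else its street address
                addr = loc.get("address")
                if isinstance(addr, dict):
                    addr = addr.get("streetAddress")
                loc = loc.get("name") or addr or ""
            return {
                "title": (obj.get("name") or "").strip(),
                "start": _parse_dt(obj.get("startDate")),
                "end": _parse_dt(obj.get("endDate")),
                "location": str(loc),
                "description": obj.get("description", ""),
            }
    return None


# Constructed sample: a truncated (invalid) block first, then a valid @graph with the event.
SAMPLE_HTML = """<html><head>
<script type="application/ld+json">{"@type": "Event", "name": "truncated</script>
<script type="application/ld+json">
{"@context": "https://schema.org", "@graph": [
  {"@type": "Organization", "name": "Example Page"},
  {"@type": "Event", "name": " Repair Cafe April ",
   "startDate": "2021-05-08T14:00:00+02:00", "endDate": "2021-05-08T17:00:00+02:00",
   "location": {"@type": "Place", "name": "Stadtbibliothek",
                "address": {"@type": "PostalAddress", "streetAddress": "Marktplatz 1"}},
   "description": "Bring broken things."}]}
</script></head><body>event page</body></html>"""

if __name__ == "__main__":
    print(extract_event(SAMPLE_HTML))
```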
Why is Telegram no longer updated in the Play store?

All third party clients will be removed from play.

As you know, Telegram Android's code is full of coupling, complexity, and shit. They compress a month's worth of shit into one commit at a time and release it, then close the issue section. But is there more?

Last year, the Play store required all apps to update their target API to 29 (Android Pie).

One year later, what has Telegram changed? Just a requestLegacyExternalStorage cheat symbol.

Back to the question, why is Telegram no longer updated in the play store? Because they don't want to modify their shit mountain for their users; to avoid being unexplainable, they stop updating a month in advance, and once they are taken down by Google, it can be attributed to censorship.

Oppose censorship, but don't support being fed shit.

If this happens, please don't support Telegram, for the sake of true freedom.

https://telegra.ph/Why-is-Telegram-no-longer-updated-in-the-Play-store-04-26

#telegram #google #playstore #updates #censorship #comment
Payments 2.0, Scheduled Voice Chats, New Web Versions

This update brings Payments 2.0 for all Telegram chats, Scheduling and Mini Profiles for Voice Chats, new versions of Telegram Web for your browser, and more.

Payments 2.0
• Offer real goods and services for sale in any group, channel or bot – Telegram doesn't charge a commission.
• Pay for goods securely using one of the 8 integrated payment providers – Telegram doesn't collect your payment info.
• See how this works in our @TestStore.

Scheduled Voice Chats
• Schedule voice chats to let participants know about them in advance.
• View a countdown to the voice chat and get notified when it starts.

New Web Versions
• Try two new, fully-featured versions of Telegram Web – both supporting animated stickers, dark mode, chat folders and more: https://webk.telegram.org/ and https://webz.telegram.org/.

More about this update:
https://telegram.org/blog/payments-2-0-scheduled-voice-chats

#telegram #update
Firefox and Chromium - Madaidans-Insecurities (Last edited: April 26, 2021)

Chromium is vastly more secure than Firefox. Firefox's sandboxing and exploit mitigations are much weaker than Chromium's. This article is not blindly hating on Firefox but is a factual analysis of its weaknesses.

https://madaidans-insecurities.github.io/firefox-chromium.html

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/831

#madaidan #insecurities #information #android #linux #ff #chrome #chromium #bsd #vpn #thinkabout
Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t

Researchers say hundreds of preinstalled apps can access a log found on Android devices where sensitive contact tracing information is stored.

When Google and Apple introduced their COVID-19 contact tracing framework in April 2020, the companies aimed to reassure people worried about sharing private health information with major corporations.

Google and Apple provided assurances that the data generated through the apps—people’s movements, who they might have come in contact with, and whether they reported testing positive for COVID-19—would be anonymized and would never be shared with anyone other than public health agencies.

“Our goal is to empower [public health agencies] with another tool to help combat the virus while protecting user privacy,” Google CEO Sundar Pichai wrote in a tweet last May, when the framework became publicly available.

Apple CEO Tim Cook provided similar assurances.

Since then, millions of people have downloaded contact tracing apps developed through Apple’s and Google’s framework: The U.K.’s National Health Service’s app has at least 16 million users, while Canada’s Digital Service COVID Alert app boasted more than six million downloads in January, and Virginia’s Department of Health noted more than two million residents were using its COVIDWISE app.

California governor Gavin Newsom endorsed his state’s version of the app, calling it “100% private & secure” in a tweet last December.

But The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers from the privacy analysis firm AppCensus alerted Google to the problem back in February of this year, Google failed to change it. AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company found no similar issues with the iPhone version of the framework.

https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt

#google #DeleteGoogle #contact #tracing #app #privacy
Cellebrite Pushes Update After Signal Owner Hacks Device

The law enforcement forensics provider updated some of its products a few days after a security researcher claimed to have found critical vulnerabilities in Cellebrite’s devices.

Cellebrite, a well-known provider of phone-unlocking and hacking technology for law enforcement agencies, pushed an update to its products less than a week after the CEO of Signal claimed to have hacked one of the company's products.

Moxie Marlinspike, the founder of the popular encrypted messaging app Signal, explained in a blog post last week that he had obtained a Cellebrite device and found that "industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present." According to him, that allowed an attacker to embed malicious files in their app or phone—once connected to a Cellebrite unlocking device—that would then exploit the Cellebrite devices and manipulate what kind of data the device could access, potentially compromising police investigations.

https://telegra.ph/Cellebrite-Pushes-Update-After-Signal-Owner-Hacks-Device-04-27

via www.vice.com

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/2073

#signal #hack #forensics #cellebrite #israel #vulnerabilities
The Shameless EXTORTION in Mobile Gaming

The mobile gaming industry has long been dominated by scams, false advertising, and shady business practices but today we can add extortion to the list, because 37GAMES, a world renowned developer with top 100 properties on the app-store, has decided to extort their low paying users (not their whales) for large amounts of cash.

In the world of exploit or "glitch" punishment by gaming developers, this might be the worst response I have ever seen.

https://www.youtube.com/watch?v=ZADqK-D6vPo

#mobile #gaming #industry #extortion #video
Cellebrite Physical Analyzer no longer fully available for iPhones following Signal blog post

The Cellebrite Physical Analyzer – the most intrusive phone-cracking tool offered by the company – no longer fully supports iPhones, according to a document shared with us. The company has ceased offering this deep dive into data stored on iPhones following the discovery and exploitation of a vulnerability by secure messaging app Signal.

Signal discovered multiple security vulnerabilities in Cellebrite’s software, and was able to find a way to booby-trap iPhones to corrupt the results of a scan using Physical Analyzer …

💡Background

Cellebrite offers hardware and software designed to allow users to break into smartphones, and extract data from them. The company’s products are used by law enforcement agencies around the world, including those in some unsavory nation states likely to be using them to crack down on political dissidents.

Signal managed to get its hands on the software suite, including the Physical Analyzer module, which offers the deepest dive into the data stored on a smartphone. The messaging company carried out its own analysis of the software, finding a surprising number of security vulnerabilities.

It was able to exploit one of these to allow any iPhone to corrupt the data on any machine running the software. This would not only render useless the scan of the connected iPhone, but also corrupt the results of both past and future scans using the same machine.

All that was required, Signal said in a blog post, was to place a carefully crafted file onto the device. The post said that the company was now doing this for all Signal users. Indeed, even some non-Signal users chose to install the app simply to get this protection.

https://9to5mac.com/2021/04/27/cellebrite-physical-analyzer-iphone/

#cellebrite #physical #analyzer #iphone #hack #signal
Hack Across America - USB drop attack in the Death Valley

This time on Hack Across America, we don't go to Death Valley for a very special USB drop attack and your Q&A!

https://www.youtube.com/watch?v=tvRRR71HZ60

#hak5 #usb #drop #attack #video
DigitalOcean says customer billing data ‘exposed’ by a security flaw

DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date, and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.

“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.

DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.

In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

Companies with customers in Europe are subject to GDPR, and can face fines of up to 4% of their global annual revenue.

https://telegra.ph/DigitalOcean-says-customer-billing-data-exposed-by-a-security-flaw--TechCrunch---IATA-News-04-28

via www.iatanews.com

#digitalocean #breach #leak #customer #data
Facebook hides posts calling for PM Modi’s resignation in India

Facebook has hidden all posts carrying the hashtag “Resign Modi” in India, a few days after the US social media giant, together with Twitter, complied with orders from New Delhi to censor some posts critical of the Indian government’s handling of the coronavirus pandemic.

Facebook says it is hiding posts with the “Resign Modi” hashtag on its platform because some of them violate its community standards. (Searching for “Resign Modi” still returns some results for US users.) At this time it is unclear whether Facebook was ordered to take this step or did so voluntarily.

At the time of publication, “#ResignModi” was still visible on Twitter in India. With more than 450 million WhatsApp users and nearly 400 million Facebook users, India is the company’s largest market by user count.

In recent weeks, many citizens of the South Asian country have turned to social media to criticize the government as they struggle to find free hospital beds, oxygen supplies and medicines.

https://telegra.ph/Facebook-hides-posts-calling-for-PM-Modis-resignation-in-India--TechCrunch---California-News-Times-04-28

via californianewstimes.com

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/2080

#facebook #DeleteFacebook #ResignModi #modi #india #covid #corona
Data security is cool again - Data security might have new life!

LET’S BE FRANK

Given the buzz around Snowflake and Databricks, data is becoming a hot topic again. With this comes concern around the security and privacy of that data. I’ve been seeing more content being written about this space, but in my opinion, the content has been disappointing because it doesn’t contain the proper context. I don’t blame them though because data security has had a long and complicated history, and I’ve had the “privilege” of seeing various versions of it play out in the last 10+ years.

A couple of threads/articles that have hit my radar are Will Lin’s VC view on Security Week and Renee Shah’s Twitter thread. Both are definitely worth a read, but I wanted to give everyone my take, which will fill in some missing pieces.

If you don’t want to read the articles, here are the tl;drs. Will’s article proposes a data security firewall that merges visibility and control (side comment: are firewalls still cool?). Renee’s Twitter thread discusses the need for 3-5 solutions for different parts of data security, which seems like where the space is heading, but more on that later.

Let’s start with an extremely brief history of data security. First, the biggest part of data security in the past has been data loss prevention (DLP). Symantec and Varonis are two of the major players. These products have been the bane of a CISO’s existence because they are extremely difficult to deploy and use. That’s how DLP became a dirty acronym and has made data security a dirty term. Second, CISOs have been forced to use these tools because of compliance, making data security primarily a compliance issue. This dynamic has made go-to-market extremely complicated. Finally, VCs have shied away from this space because there have been only bad exits. If you know of any good data security exit in the last 10 years, please let me know. I have still yet to come up with one.

https://franklyspeaking.substack.com/p/franklyspeaking-042721

#franklyspeaking #data #security
Darknet Diaries - EP 91: WEBJEDI

What happens when an unauthorized intruder gets into the network of a major bank? Amélie Koran, aka webjedi, was there for one of these intrusions and tells us the story of what happened.

You can find more talks from Amélie at her website webjedi.net.

https://darknetdiaries.com/episode/91/

👉🏼 https://webjedi.net/

#truecrime #darknetdiaries #podcast
A forked version of dnscrypt-proxy for μODNS

This repo is a forked version of dnscrypt-proxy. From the original version, this has been modified to employ a PoC implementation of μODNS that is a multiple-relay-based anonymization protocol for DNS queries.

μODNS has been designed to protect user privacy in DNS even if one or more relays collude with one or more resolvers, a case that existing DNS anonymization protocols cannot handle. For detailed information on μODNS, please refer to our concept paper below:

https://github.com/junkurihara/dnscrypt-proxy-modns

#dnscrypt #proxy #modns #μODNS
secml-malware: A Python Library for Adversarial Robustness Evaluation of Windows Malware Classifiers

Machine learning has been increasingly used as a first line of defense for Windows malware detection. Recent work has however shown that learning-based malware detectors can be evaded by well-crafted, adversarial manipulations of input malware, highlighting the need for tools that can ease and automate the adversarial robustness evaluation of such detectors. To this end, we present secml-malware, the first Python library for computing adversarial attacks on Windows malware detectors.

https://arxiv.org/pdf/2104.12848.pdf

https://github.com/zangobot/secml_malware

#secml #malware #windows #attacks