BlackBox (Security) Archiv
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
Beware of Applications Misusing Root Stores

We have been alerted about applications that use the root store provided by Mozilla for purposes other than what Mozilla’s root store is curated for. We provide a root store to be used for server authentication (TLS) and for digitally signed and encrypted email (S/MIME). Applications that use Mozilla’s root store for a purpose other than that have a critical security vulnerability. With the goal of improving the security ecosystem on the internet, below we clarify the correct and incorrect use of Mozilla’s root store, and provide tools for correct use.

....(....)

Misuse of Root Stores: We have been alerted that some applications are using root stores provided by Mozilla or an operating system (e.g. Linux) for purposes other than what the root store is curated for. An application that uses a root store for a purpose other than what the store was created for has a critical security vulnerability. This is no different than failing to validate a certificate at all.

https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/

#mozilla #root #store #applications
📡 @nogoolag 📡 @blackbox_archiv
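The purpose check Mozilla describes, shown as an added example (not Mozilla's own code or tooling, and not part of the original post). Mozilla publishes its root store through the CCADB as a CSV report in which each root carries "Trust Bits" of "Websites" and/or "Email"; the script below assumes that column layout (the column names are an assumption) and turns the report into a bundle for exactly one purpose, refusing any purpose the store is not curated for. The rows are constructed samples with placeholder PEM bodies, not real roots.

```python
"""Build purpose-specific trust bundles from a Mozilla/CCADB-style root report.

Added example, not code from Mozilla or the page. It assumes the shape of the
CCADB "Included CA Certificates (PEM)" CSV export: one row per root, a
"Trust Bits" column holding "Websites" and/or "Email", and a "PEM Info"
column with the certificate. The rows below are constructed samples with
placeholder PEM bodies, not real roots.
"""
import csv
import io

# Constructed sample rows (names and PEM bodies are placeholders).
SAMPLE_REPORT = """\
"Common Name or Certificate Name","Trust Bits","PEM Info"
"Example Web+Mail Root","Websites;Email","'-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----'"
"Example Email-Only Root","Email","'-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----'"
"Example Web-Only Root","Websites","'-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----'"
"""

# Which trust bit a root must carry before it may anchor a given use.
# There is deliberately no entry for code signing, document signing, VPN
# client auth, etc.: Mozilla's store is not curated for those.
TRUST_BIT_FOR_PURPOSE = {
    "tls": "Websites",   # server authentication
    "smime": "Email",    # signed / encrypted mail
}


def is_supported_purpose(purpose):
    """True only for the purposes the root store is curated for."""
    return purpose in TRUST_BIT_FOR_PURPOSE


def parse_report(csv_text):
    """Yield (name, trust_bits, pem) for each root in the report."""
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        bits = {b.strip() for b in row["Trust Bits"].split(";") if b.strip()}
        # The export wraps the PEM in single quotes; strip them defensively.
        pem = row["PEM Info"].strip().strip("'").strip()
        yield row["Common Name or Certificate Name"], bits, pem


def roots_for_purpose(csv_text, purpose):
    """Return the (name, pem) roots that carry the trust bit for `purpose`.

    Raises ValueError for any other purpose, so a caller cannot quietly reuse
    the TLS/S-MIME store as if it were a general-purpose trust anchor set.
    """
    if not is_supported_purpose(purpose):
        raise ValueError(
            f"Mozilla's root store is not curated for {purpose!r}; "
            f"supported purposes: {sorted(TRUST_BIT_FOR_PURPOSE)}")
    needed = TRUST_BIT_FOR_PURPOSE[purpose]
    return [(name, pem) for name, bits, pem in parse_report(csv_text)
            if needed in bits]


def pem_bundle(csv_text, purpose):
    """Concatenate the selected roots into a PEM bundle for one purpose."""
    return "\n".join(pem for _, pem in roots_for_purpose(csv_text, purpose)) + "\n"


if __name__ == "__main__":
    for purpose in ("tls", "smime"):
        names = [n for n, _ in roots_for_purpose(SAMPLE_REPORT, purpose)]
        print(purpose, "->", names)
    try:
        roots_for_purpose(SAMPLE_REPORT, "code-signing")
    except ValueError as err:
        print("refused:", err)
```

Note that the email-only root drops out of the TLS bundle: an application that loaded the whole report (or the distro's combined `ca-certificates` bundle) as its TLS trust store would accept server certificates issued under a CA Mozilla never vetted for server authentication.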
HakByte: How to find anything on the internet with Google Dorks

On this first episode of HakByte, we cover Google Dorking, an OSINT technique that uses advanced search strings to get more out of the Google search engine. This video covers basic Google dorks that let you filter irrelevant results out of a search, find insecure websites, and even discover exposed password databases. Finally, an open source tool called pagodo is covered, which can automatically run thousands of Google dorks while avoiding detection by Google.

https://www.youtube.com/watch?v=lESeJ3EViCo

#hakbyte #osint #google #dorking #search #engine #educational #video
🎥 @nogoolag 🎥 @blackbox_archiv
Today the United States announced that it will join the Christchurch Call to Action to Eliminate Terrorist and Violent Extremist Content Online, a global pledge by member governments and technology partners to work together to address terrorist and violent extremist content online.

Countering the use of the internet by terrorists and violent extremists to radicalize and recruit is a significant priority for the United States. Joining the coalition of governments and companies that have endorsed the Christchurch Call to Action reinforces the need for collective action.

The United States applauds language in the Christchurch Call emphasizing the importance of respecting human rights and the rule of law, including the protection of freedom of expression. In joining the Christchurch Call, the United States will not take steps that would violate the freedoms of speech and association protected by the First Amendment to the U.S. Constitution, nor violate reasonable expectations of privacy.

The United States looks forward to participating in the Christchurch Call Second Anniversary virtual summit on May 14.

https://telegra.ph/Statement-by-Press-Secretary-Jen-Psaki-on-the-Occasion-of-the-United-States-Joining-the-Christchurch-Call-to-Action-to-Eliminate-05-10

via www.whitehouse.gov

#christchurch #call #action
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv 📡 @NoGoolag
Apple accused of breaking UK competition law by overcharging for apps

Almost 20 million users could be eligible for compensation, with £1.5bn damages sought

Apple is facing a demand for billions of pounds of consumer compensation in a British lawsuit that accuses the company of overcharging users by up to 30% on its App Store.

The claim argues that Apple’s restrictive policies, which limit app developers to using its own payment systems, are generating “excessive” profits for the company and leading to consumers paying more than they otherwise would. As a collective action, it seeks to represent the almost 20 million people in the UK who have spent money on the App Store, and seeks damages of up to £1.5bn.

Apple has dismissed the action as “meritless”.

Leading the suit is Dr Rachael Kent, an expert in the digital economy and lecturer at King’s College, University of London, who said: “The App Store was a brilliant gateway for a range of interesting and innovative services that millions of us find useful, myself included. But 13 years after its launch, it has become the only gateway for millions of consumers. Apple guards access to the world of apps jealously, and charges entry and usage fees that are completely unjustified.

“This is the behaviour of a monopolist and is unacceptable.”

https://www.theguardian.com/technology/2021/may/11/apple-accused-of-breaking-uk-competition-law-by-overcharging-for-apps

#apple #uk #competition #law #apps #overcharging
📡 @nogoolag 📡 @blackbox_archiv
2021-05-11-press-release-facebook.pdf
128.8 KB
Order of the HmbBfDI: Ban of further processing of WhatsApp user data by Facebook

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued an order prohibiting Facebook Ireland Ltd. from processing personal data from WhatsApp for its own purposes. The order is immediately enforceable. This is done under the urgency procedure of the General Data Protection Regulation (GDPR), which provides for the adoption of provisional measures with a specified period of validity in the respective territory, in this case Germany. The background to the proceedings is the request to all WhatsApp users to agree to the new terms and privacy policy by May 15, which grant WhatsApp far-reaching powers to share data with Facebook.

https://datenschutz-hamburg.de/assets/pdf/2021-05-11-press-release-facebook.pdf

#whatsapp #DeleteWhatsApp #user #data #facebook #DeleteFacebook #pdf
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
The widely anticipated quantum internet breakthrough is finally here

A Delft University spinout is commercialising a quantum modem that can link quantum machines into superfast networks.

If you thought quantum computing was a leap forward, get ready for the next step: the quantum internet, where quantum machines are linked to each other to create powerful networks of superfast computing power.

The vision is now even closer to becoming reality. QphoX, a Delft University spinout, has created a quantum modem that can get these machines talking to each other. It plans to be the first to take it out of the research lab and turn it into a commercial project — and has raised €2m seed round to build the company.

It is the next big step in quantum computing. Today's biggest quantum computers have fewer than 100 qubits, but scientists say that the machines will need at least 1k qubits to be truly commercially useful. Scaling up the computers themselves will take time, but a quantum internet could connect smaller machines to get to 1k+ qubits faster.

“Scaling a quantum computer even beyond 100 qubits is hard at the moment, but you could link 10 together to get 1k,” says Simon Gröblacher, CEO and cofounder of QphoX. Gröblacher says they expect to have a working modem ready for customers to test within two years.

The seed funding round was led by Quantonation, Speedinvest and High-Tech Gründerfonds, with participation from TU Delft.

https://sifted.eu/articles/quantum-internet-breakthrough/

#quantum #internet #breakthrough
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
Stopping the Manipulation Machines - Some things are difficult by design.

Consider Amazon. The company perfected the one-click checkout. But canceling a $119 Prime subscription is a labyrinthine process that requires multiple screens and clicks.

Or Ticketmaster. Online customers are bombarded with options for ticket insurance, subscription services for razors and other items and, when users navigate through those, they can expect to receive a battery of text messages from the company with no clear option to stop them.

https://www.nytimes.com/2021/04/30/opinion/dark-pattern-internet-ecommerce-regulation.html

#manipulation #amazon #DeleteAmazon #ticketmaster #opinion
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
Facebook Ordered to Stop Collecting German WhatsApp Data

Facebook Inc. was ordered to stop collecting German users’ data from its WhatsApp unit, after a regulator in the nation said the company’s attempt to make users agree to the practice in its updated terms isn’t legal.

Johannes Caspar, who heads Hamburg’s privacy authority, issued a three-month emergency ban, prohibiting Facebook from continuing with the data collection. He also asked a panel of European Union data regulators to take action and issue a ruling across the 27-nation bloc. The new WhatsApp terms enabling the data scoop are invalid because they are intransparent, inconsistent and overly broad, he said.

“The order aims to secure the rights and freedoms of millions of users which are agreeing to the terms Germany-wide,” Caspar said in a statement on Tuesday. “We need to prevent damage and disadvantages linked to such a black-box-procedure.”

https://www.bloomberg.com/news/articles/2021-05-11/facebook-ordered-to-stop-collecting-german-whatsapp-users-data

💡 read as well (PDF)
Order of the HmbBfDI: Ban of further processing of WhatsApp user data by Facebook
https://t.iss.one/BlackBox_Archiv/2184

#whatsapp #DeleteWhatsApp #user #data #facebook #DeleteFacebook #gdpr #eu #germany
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
Colonial Pipeline Hit With Ransomware; Apple AirTags Hacked - ThreatWire

A Qualcomm SoC could be exploited by attackers, the US’s biggest gas pipeline is hit with ransomware, and Apple AirTags get hacked! All that coming up now on ThreatWire.

https://www.youtube.com/watch?v=QjLvIDWnc3w

#threatwire #hak5 #video
📽 @cRyPtHoN_INFOSEC_FR 📽 @cRyPtHoN_INFOSEC_EN 📽 @cRyPtHoN_INFOSEC_DE 📽 @BlackBox_Archiv
Collection of novel security vulnerabilities that affect Wi-Fi devices

11 May 2021 —
This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of novel security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.

The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern is the programming mistakes in Wi-Fi products, since several of them are trivial to exploit.

https://www.fragattacks.com/

#fragattacks #wifi #security #vulnerabilities #exploit #educational
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
Bitcoin Privacy Feud Erupts After Edward Snowden Pans Long-Awaited Taproot Upgrade

Core devs say the Taproot software update for Bitcoin will improve privacy. Edward Snowden said it doesn't fix Bitcoin's bigger privacy problem. Who's right?

Edward Snowden is a former National Security Agency contractor who exposed a secret surveillance program of American citizens. As one of the world's foremost privacy advocates, he thinks Bitcoin isn't private enough—and that an upcoming software update could make it worse.

His comments have created something of an uproar from fellow activists such as Alex Gladstein, the Chief Strategy Officer of the Human Rights Foundation, who thinks Snowden has misrepresented the upgrade, known as Taproot. Others have argued that the Russian exile can't see the importance of mainstream adoption to the project, which could falter if it turns too far toward anonymity.

"Cryptocurrency, and by this I'm just going to say Bitcoin, is really failing comprehensively, terribly, on the privacy angle," Snowden told the Electronic Frontier Foundation's Marta Belcher at the Ethereal Summit on Thursday. Taproot, he added, isn't a good fix.

Taproot, which was first proposed in early 2018, is in the process of making its way from developers' brains to the Bitcoin protocol itself. When it does come online, it's supposed to improve privacy as well as scalability and security.

https://decrypt.co/70470/bitcoin-privacy-feud-erupts-edward-snowden-pans-long-awaited-taproot-upgrade

#bitcoin #cryptocurrency #privacy #snowden #taproot #upgrade
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
Deep Web - the downfall of the Silk Road (full documentary)

Documentary about the dark side of the Internet, known to some as the Deep Web and to others as the Dark Web, where people trade in stolen identities, illegal substances and secret knowledge. Within a short time, the Silk Road, the "eBay for drugs", becomes a hotly contested hub for everything forbidden. Both the FBI and Europol try everything to track down the mastermind behind the website, known on the Deep Web only as DPR, Dread Pirate Roberts.

https://www.youtube.com/watch?v=y7x4CmWIeGE

#silkroad #doku #video
📽 @cRyPtHoN_INFOSEC_FR 📽 @cRyPtHoN_INFOSEC_EN 📽 @cRyPtHoN_INFOSEC_DE 📽 @BlackBox_Archiv
Facebook says it will ignore emergency data collection ban issued in Germany over WhatsApp rules

Privacy watchdog is calling on GDPR regulators to enforce an EU-wide ban

A hot potato: Germany has banned Facebook from collecting data on WhatsApp users within its borders. The Hamburg Data Protection and Freedom of Information (HmbBfDI) commission claims that the app's new data collection policies and Facebook's heavy-handed efforts to get users to accept them violate the General Data Protection Regulation (GDPR).

Johannes Caspar, the commissioner of the HmbBfDI, indicated in a press release that Facebook has a history of user-privacy abuse, pointing to the Cambridge Analytica scandal and the recent leak of 500 million records. More urgently, Caspar fears that WhatsApp's less than transparent advertising policies will influence German elections coming up in September.

"The data protection scandals of the last few years from 'Cambridge Analytica' to the data leak that recently became known, which affected more than 500 million Facebook users, show the extent and the dangers of massive profiling," said Caspar. "This affects not only privacy but also the possibility of using profiles to influence voter decisions in order to manipulate democratic decisions. In view of the nearly 60 million WhatsApp users with a view to the upcoming federal elections in Germany in September 2021, the risk is all the more concrete, as these will arouse desires after influencing the opinion-forming of Facebook's advertisers."

https://www.techspot.com/news/89639-facebook-ignore-emergency-data-collection-ban-issued-germany.html

#whatsapp #DeleteWhatsApp #user #data #facebook #DeleteFacebook #gdpr #eu #germany
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
Darknet Diaries - Ep 92: The Pirate Bay

The Pirate Bay is a website, a search engine, which has an index of torrent files. A lot of copyrighted material is listed on the site, but the site doesn't store any of the copyrighted material; it just points the user to where it can be downloaded from. So for a while The Pirate Bay has been one of the largest places you can find pirated movies, music, games, and apps. But this site first came up in 2003, and it is still up and operating now, 18 years later! You would think someone would have shut this place down by now. How does the biggest source for copyrighted material stay up and online for that long? Listen to this episode to find out.

https://darknetdiaries.com/episode/92/

#truecrime #darknetdiaries #podcast
🎙 @cRyPtHoN_INFOSEC_FR 🎙 @cRyPtHoN_INFOSEC_EN 🎙 @cRyPtHoN_INFOSEC_DE 🎙 @BlackBox_Archiv
Ransomware crooks post cops’ psych evaluations after talks with DC police stall

Babuk demands $4 million, Metropolitan Police Department offers $100,000.

A ransomware gang that hacked the District of Columbia’s Metropolitan Police Department (MPD) in April posted personnel records on Tuesday that revealed highly sensitive details for almost two dozen officers, including the results of psychological assessments and polygraph tests; driver's license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories.

The data, included in a 161MB download from a website on the dark web, was made available after negotiations broke down between members of the Babuk ransomware group and MPD officials, according to screenshots purporting to be chat transcripts between the two organizations. After earlier threatening to leak the names of confidential informants to crime gangs, the operators agreed to remove the data while they carried out the now-aborted negotiations, the transcripts showed.

https://arstechnica.com/gadgets/2021/05/ransomware-crooks-post-cops-psych-evaluations-after-talks-with-dc-police-stall/

#ransomware #babuk #usa #dc #police
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
Brave — Stealing your cookies remotely

Brave for Android had a vulnerability that allowed a malicious web page to steal your cookies remotely. The vulnerability was reported through HackerOne and took 5 months to fix.

Introduction

During my research with Android applications, I found a few vulnerabilities in some of the most used browsers. When researching Brave, I noticed that it was using a Content Provider that was exposing all files from the public directory as well as its private files.

https://infosecwriteups.com/brave-stealing-your-cookies-remotely-1e09d1184675

#brave #browser #android #cookies #vulnerability
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
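The class of bug in the Brave writeup, an over-exposed Content Provider, is something a reviewer can catch in the manifest before any runtime testing. The script below is an added example, not code from the writeup or from Brave: it audits a constructed AndroidManifest.xml (not Brave's) for `<provider>` entries that other apps can reach, applying Android's default for an unspecified `android:exported` (true when minSdkVersion or targetSdkVersion is 16 or lower, false when both are 17 or higher) and calling out `grantUriPermissions`, which lets an exported provider hand its files to whoever asks.

```python
"""Flag content providers an APK exposes to other apps.

Added example, not code from the Brave writeup or the Brave project. It
applies the check a reviewer would run on an AndroidManifest.xml: a
<provider> that is exported and carries no permission can be queried by any
app on the device, and with grantUriPermissions it can hand out its files too.
Both manifests below are constructed for the example, not Brave's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


# Constructed manifest: one open provider, one permission-gated, one private.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
  <application>
    <provider android:name=".FileProvider"
              android:authorities="com.example.browser.files"
              android:exported="true"
              android:grantUriPermissions="true"/>
    <provider android:name=".SyncProvider"
              android:authorities="com.example.browser.sync"
              android:exported="true"
              android:permission="com.example.browser.permission.SYNC"/>
    <provider android:name=".PrivateProvider"
              android:authorities="com.example.browser.private"
              android:exported="false"/>
  </application>
</manifest>
"""

# Constructed manifest with an old minSdkVersion: no android:exported given,
# so the provider is exported by Android's pre-API-17 default.
LEGACY_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.legacy">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="22"/>
  <application>
    <provider android:name=".OldProvider"
              android:authorities="com.example.legacy.old"/>
  </application>
</manifest>
"""


def provider_is_exported(provider, min_sdk, target_sdk):
    """Android's rule: unspecified android:exported on a <provider> defaults to
    true when minSdkVersion or targetSdkVersion is 16 or lower, false otherwise."""
    value = _attr(provider, "exported")
    if value is not None:
        return value.lower() == "true"
    return min_sdk < 17 or target_sdk < 17


def audit_providers(manifest_xml):
    """Return (authorities, reason) for every provider open to other apps."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = (int(_attr(sdk, "targetSdkVersion", str(min_sdk)))
                  if sdk is not None else min_sdk)
    findings = []
    for p in root.iter("provider"):
        if not provider_is_exported(p, min_sdk, target_sdk):
            continue
        # Any of these gates the provider behind a permission grant.
        guarded = any(_attr(p, a) for a in
                      ("permission", "readPermission", "writePermission"))
        if guarded:
            continue
        reason = "exported without any permission"
        if _attr(p, "grantUriPermissions", "false").lower() == "true":
            reason += "; grantUriPermissions lets it hand file URIs to other apps"
        findings.append((_attr(p, "authorities"), reason))
    return findings


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("legacy", LEGACY_MANIFEST)):
        for authority, reason in audit_providers(manifest):
            print(f"{label}: {authority}: {reason}")
```

A finding from this audit is the starting point, not proof of a bug: the next step is to see which paths the provider actually serves (for a FileProvider, its `<paths>` resource) and whether a third-party app can obtain a URI into the app's private directory, which is what the writeup reports for Brave's cookie store.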
FragAttacks: Demonstration of Flaws in WPA2/3

This is not a "hacking" tutorial but a demonstration about academic IT security research. Made by Mathy Vanhoef of New York University and KU Leuven.

https://www.youtube.com/watch?v=88YZ4061tYw

💡 read as well: Collection of novel security vulnerabilities that affect Wi-Fi devices
https://t.iss.one/BlackBox_Archiv/2189

#fragattacks #wifi #security #vulnerabilities #exploit #educational #poc #video
📽 @cRyPtHoN_INFOSEC_FR 📽 @cRyPtHoN_INFOSEC_EN 📽 @cRyPtHoN_INFOSEC_DE 📽 @BlackBox_Archiv
Determining The Extent Of Video Surveillance Through Google Street View Data

Google Street View’s continuous coverage of the world’s thoroughfares represents possibly the most complete, consistent and coherent visual record of global society, with the exception of countries that impose bans on the search giant’s roving data-gathering vehicles.

As a revenue-delivering contributor to Google Maps’ infrastructure, the Google Street View panopticon is a rich data seam for machine learning analysis. Besides its propensity to unwittingly capture criminal acts, it has been used to estimate regional income from car quality in Google Street View images, evaluate greenery in urban environments, identify utility poles, classify buildings and estimate the demographic make-up of US neighborhoods, among many other initiatives.

Limited Statistics On Surveillance Camera Diffusion In The United States

Despite wide usage of Google Maps' data for socially aware machine learning initiatives, there are very few Street View-based datasets that include labeled examples of surveillance cameras. The Mapillary Vistas dataset is among the small number available that offer this functionality, though it includes fewer than 20 labeled public video cameras in the United States.

Much of the video surveillance infrastructure in the US only intersects the State when authorities demand corroborating footage after local incidents that may have been recorded. Beyond zoning regulations, and in the context of permissive privacy laws that do little to address private surveillance of public spaces, there is no federal administrative framework that can provide hard statistics on the number of public-facing cameras in the US.

Anecdotal data and limited surveys contend that video camera diffusion in the US may be on a par with China, but it’s not easy to prove.

https://www.unite.ai/determining-the-extent-of-video-surveillance-through-google-street-view-data/

#usa #video #surveillance #google #streetview
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv
WhatsApp breaks App Store guidelines by limiting functionality for users who do not accept new privacy policy

Facebook’s WhatsApp has announced that users that don’t accept a new set of terms and conditions will be barred from certain features of the messaging app.

This move goes against Apple’s App Store policies, which explicitly state that such behavior is strictly prohibited.
If WhatsApp implements the announced changes, the app could be removed from the App Store.

WhatsApp’s controversial new privacy policy, which goes into effect on May 15th, 2021, will limit functionality in the app, such as access to the contact/chat list and the app's primary screen, if users do not accept the privacy policy. If the user continues to refuse, they will eventually lose access to calls and will no longer receive notifications, rendering the app practically useless.

💡 Quoting the App Store guideline 3.2.2 (vi):

"Apps should allow a user to get what they’ve paid for without performing additional tasks, such as posting on social media, uploading contacts, checking in to the app a certain number of times, etc. Apps should not require users to rate the app, review the app, watch videos, download other apps, tap on advertisements, enable tracking, or take other similar actions in order to access functionality, content, use the app, or receive monetary or other compensation, including but not limited to gift cards and codes."

Therefore, WhatsApp’s actions are not allowed under the App Store guidelines, which could result in the removal of the app from the App Store, or termination of their developer account, according to Apple’s policies.

https://applescoop.org/story/whatsapp-breaks-app-store-guidelines-by-limiting-functionality-for-users-who-do-not-accept-new-privacy-policy

#apple #appstore #whatsapp #DeleteWhatsApp
📡 @cRyPtHoN_INFOSEC_FR 📡 @cRyPtHoN_INFOSEC_EN 📡 @cRyPtHoN_INFOSEC_DE 📡 @BlackBox_Archiv