BlackBox (Security) Archiv
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
Valid Signal privacy issues shrugged off while patches quietly rolled out - vulnerability still active on macOS

Intro
Signal provides a free, cross-platform private messenger app. Folks in all kinds of unsafe situations rely on Signal, as a highly visible and popular app which the security and privacy professional communities endorse. Journalists rely on Signal to ensure confidential communication with their sources.

What privacy guarantees does one really have though if you can't prove the identity of who you're communicating with?

The problem
Mid-May, I got a new phone. At the time I understood that with *any change* to the device or installation of either party in a chat with message history, the Signal chat "safety number" changes. This used to be but (following an involved email back-and-forth with the Signal team over the course of a month) is no longer reflected in the Signal support documentation.

When a safety number changes, Signal shows a message to both parties in the conversation. The most recent alert I recall seeing prior to this adventure (which I believe was initially received April 14, about a month before I changed phones) looks like this:

https://403forbiddenblog.blogspot.com/2021/06/signal-safety-numbers.html

#signal #messenger #privacy #issue
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
FBI sought info on who read USA Today news article for case

The FBI sought information about readers of an online article as part of an investigation, it has emerged.

The agency demanded the newspaper USA Today hand over records on who had read an article about the killing of two FBI agents.

The newspaper's owner is resisting the request and asked a judge to quash the demand.

It says the FBI's demand is a "clear violation" of protections to press freedom.

The FBI issued a subpoena - an order to submit evidence - to USA Today's owner Gannett, asking it for information about anyone who clicked on an article published in February about the fatal shooting of two of the bureau's agents in Florida.

The subpoena sought the IP addresses and phone numbers for readers of the piece during a 35-minute window. IP addresses can be used to find a computer's location and owner.

https://www.bbc.co.uk/news/world-us-canada-57367093

#usa #fbi #subpoena #investigation #usatoday #pressfreedom
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
Mail-in-a-Box (v0.53a / May 8, 2021)

Take back control of your email with this easy-to-deploy mail server in a box.

What is it?

Mail-in-a-Box lets you become your own mail service provider in a few easy steps. It’s sort of like making your own gmail, but one you control from top to bottom.

Technically, Mail-in-a-Box turns a fresh cloud computer into a working mail server. But you don’t need to be a technology expert to set it up.

💡 Here’s how you can get a Mail-in-a-Box running:
https://www.youtube.com/watch?v=9WOmkoEYMIg

Current Version: v0.53a / May 8, 2021

- install
- release notes
- upgrade instructions

💡 Need Help?
- Check the maintenance guide.
- Ask on the forum. Other users may be able to help.
- Found a bug? Open an issue on github.
- Or try our Slack chatroom.

https://mailinabox.email/

#mailinabox #email #server #guide #tool #download
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
Bypassing an Outlook Dark Pattern

Tldr: Outlook on Android tries to force you into linking Outlook to your Google Account, giving itself access to more data than you might want. I found out that it can be bypassed by quickly toggling the internet connection off at the right time.

https://palone.blog/bypassing-an-outlook-dark-pattern/

#palone #outlook #dark #pattern #bypass
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
EFF 30 Fireside Chat Surveillance, With Edward Snowden

Democracy, social movements, our relationships, and your own well-being all require private space to thrive. But state actors and law enforcement reach for persistent mass surveillance tech with disturbing frequency. Privacy activists and ordinary people around the world stand before a growing arsenal of invasive tools in the hands of criminals and state actors alike. How has mass surveillance changed us and what are our odds in fighting back?

In this livestream conversation, NSA whistleblower Edward Snowden joins EFF Executive Director Cindy Cohn, EFF Director of Engineering for Certbot Alexis Hancock, and EFF Policy Analyst Matthew Guariglia as they weigh in on surveillance in modern culture, activism, and the future of privacy.

https://archive.org/details/eff-30-fireside-chat-surveillance-with-edward-snowden

#surveillance #digital #rights #nsa #EFF #police #spy #technology #privacy #PRISM #snowden
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
ODO - the “swiss army knife” for the development of distributed communication apps

What is ODO?

ODO wants to become the “swiss army knife” for the development of distributed communication apps. It will allow developing such apps for various platforms: mobile, desktop, server, maybe even IoT devices. A layered API will allow quick development of simple apps in a low-code manner, or complex apps using all the features of modern software development environments.

Get rid of Backend Servers

One of the key ideas is to get rid of central servers, meaning the app is really just the app on the device it is running on, no backends, no servers. All data is encrypted and distributed over all devices having ODO installed (using IPFS). This means that an app with ODO can be run with minimal resources on the operator side, as you don’t need AWS, Firebase, Azure or whatever.

Make Privacy and Security easy

One of the main goals of the layered API is to make it easy to develop secure apps with good privacy by design. Of course it is not possible to have an API which technically prevents all possible security vulnerabilities and privacy problems. But an API can focus on privacy and security, and make these things easy. And whole categories of privacy problems that arise from a single entity controlling a central server simply do not exist with ODO.

💡 Have a closer look at the top level design document for more info about the technical ideas.

👉🏼 I want to contribute! 👈🏼

If you would like to contribute, start with this document, then go on with onboarding. Also have a look at the code of conduct.

https://straightway.codeberg.page/odo/

#odo
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
iTrapped: All the things Apple won’t let you do with your iPhone

Have you ever tried to swap Siri for a better voice assistant on your iPhone? Don’t bother, you can’t.

Tried to buy e-books from the Kindle app? Can’t do that, either.

Send iMessages to someone with an Android phone? Nope. Backup your iPhone to Google Drive? Nope. Get your own iPhone repair parts from Apple? Nope. Transfer your digital life to a different kind of smartphone? Good luck, my friend. When you buy an iPhone, it isn’t really yours.

It’s time to reclaim our iPhones. The debate that’s happening in courts and Congress about Big Tech’s power is also playing out in the palm of our hands.

I’ve used an iPhone for the last 12 years, and like most of you I am not looking to change. But we’ve become so accustomed to restrictions Apple built into the iPhone, we don’t even realize how we’re contorting ourselves to comply — or what we’re missing out on. One sign we’re being manipulated by a monopoly is when it’s hard to even consider an alternative. Apple says it’s protecting our security and privacy, but it has become clear that locking down our iPhones is also about controlling us so Apple can make more money.

https://www.seattletimes.com/business/technology/itrapped-all-the-things-apple-wont-let-you-do-with-your-iphone/

#apple #iphone #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
Anti-Forensics: Reverse Engineering a Leading Phone Forensic Tool

How can vulnerabilities in forensic software affect cases brought to the courts? That question was the impetus of what kicked off my research on the Cellebrite UFED - a widely-used phone forensic tool. This talk will cover what my reverse engineering process was, what I found, how I went about reporting my findings, and the concerns, hopes, and fears I had along the way.

https://i.blackhat.com/asia-21/Friday-Handouts/AS-21-Bergin-Anti-Forensics-Reverse-Engineering-A-Leading-Phone-Forensic-Tool.pdf

#cellebrite #ufed #phone #forensic #tool #reverse #engineering #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_FR
📡@BlackBox_Archiv
Global strike against drug traffickers

The FBI is said to have cracked the encrypted communications of suspected drug traffickers. On Monday, there were searches around the world, including in Germany.

It is probably one of the biggest blows against organized crime ever. In a coordinated effort, police units in 16 countries moved in Monday morning, storming homes, warehouses, garages and offices.

This happened among others in #Australia, #Canada, #Estonia, #Lithuania, the #Netherlands, #Sweden, #UK, the #USA and also in #Germany. In Hesse alone, around 60 properties were affected, and there were also raids in numerous other states such as North Rhine-Westphalia. German investigators speak of an unprecedented operation, with a large number of special police forces deployed.

Drugs, weapons, money laundering

According to research by NDR and WDR, the U.S. Federal Bureau of Investigation (FBI) recently gained access to the data of a provider of encrypted communications through which numerous criminal networks and gangs are said to have conducted drug transactions worldwide. Today's raids in Germany were planned under the strictest secrecy. Among other things, they are to be directed against suspected drug laboratories, cannabis plantations and cocaine storage sites.

However, the data related to Germany is also said to be about trafficking in weapons of war, weapons with silencers, money laundering and numerous other offenses. According to sources, the data set is supposed to be highly topical information.

https://www.tagesschau.de/inland/organierte-kriminalitaet-durchsuchungen-101.html

#EncroChat #police #fbi #germany #international #bust
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
Special Operation Ironside

Operation IRONSIDE is a long-term, covert investigation into transnational and serious organised crime allegedly responsible for large drug imports, drug manufacturing and attempts to kill.

- https://intelnews.org/2021/06/08/01-3016/

- https://www.abc.net.au/news/2021-06-08/fbi-afp-underworld-crime-bust-an0m-cash-drugs-murder/100197246

- https://www.youtube.com/watch?v=qq9wnMXvgOc

#ironside #ANØN #trojanshield #bust #video
📽@cRyPtHoN_INFOSEC_FR
📽@cRyPtHoN_INFOSEC_EN
📽@cRyPtHoN_INFOSEC_DE
📽@BlackBox_Archiv
Security researcher says attacks on Russian government have Chinese fingerprints – and typos, too

Malware was too loose to have come from a Western nation, according to Sentinel Labs

An advanced persistent threat that Russia found inside government systems was too crude to have been the work of a Western nation, says security researcher Juan Andrés Guerrero-Saade of Sentinel Labs, before suggesting the malware came from a Chinese entity.

Russian telco and IT services provider Rostelecom and the nation's National Coordination Center for Computer Incidents, an arm of the Russian Federal Security Service (FSB), in May published a joint report that detailed their assessment of attacks on several Russian government entities detected in 2020.

The report said the attacks were made using malware named "Mail-O" and asserted that attackers used cloud storage services provided by Russian companies Yandex and Mail.ru Group. The malware mimicked legitimate cloud storage management apps Disk-O and Yandex Disk.

Guerrero-Saade wrote that he feels the security industry has quickly defaulted to a view that Western actors were behind the attacks.

"I think we'll be relieved to find out that was most likely not the case – if solely because we've come to expect a higher standard for Western malware development," he wrote.

Guerrero-Saade reached that opinion after assessing samples of Mail-O and suggesting it is "a variant of a relatively well-known malware called PhantomNet or SManager used by a threat actor 'TA428'."

The researcher makes that assertion because Mail-O, PhantomNet and SManager all share a function called "Entery" that he supposes is a misspelling of "Entry".

"Misspellings are a true gift for malware researchers," Guerrero-Saade wrote.

https://www.theregister.com/2021/06/09/mail_o_malware_maybe_chinese/

#russia #malware #china
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op

Key Findings

👉🏼 This research focuses on the ‘Mail-O’ malware used against the FSB and other Russian government organizations, detailed in the May 2021 FSB NKTsKI and Rostelecom-Solar report.

👉🏼 Early armchair commentary presumed that given the targets, this attack would undoubtedly be the work of a Western government, Five Eyes, or the United States.

👉🏼 Our analysis disproves that hypothesis.

👉🏼 Instead, we present the argument that the Mail-O malware is a variant of a relatively well-known malware called PhantomNet or SManager used by a threat actor ‘TA428’.

👉🏼 Previous reporting on TA428 points to Chinese origin and details a history of attacks against South East Asian and Russian targets.

https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/

#thundercats #fsb #hack
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
Android spy impersonates Spanish shipping company MRW

From an infected device it steals the contact list, SMS messages and location, and sends them to a C&C server at 85.220.103[.]7

https://nitter.pussthecat.org/LukasStefanko/status/1402648145394294788

via Twitter

#android #malware #mrw #stefanko
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
Darknet Diaries - Ep 94: Mariposa Botnet

Chris Davis has been stopping IT security threats for decades. He’s currently running the company Hyas that he started. In this episode he tells a few tales of some threats that he helped stop.

#truecrime #darknetdiaries #podcast
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv
How to circumvent Sci-Hub ISP block

In the UK, many internet service providers (ISPs) block Sci-Hub. However, a simple proxy is enough to circumvent this (you don’t even need a VPN). Routing requests through a suitable proxy lets you open Sci-Hub in your regular browser as if it weren’t blocked.

(Changing your DNS resolver to a public one like Google’s instead of your ISP’s is not sufficient as of 2021 – for two ISPs I’ve tested, and I suspect all UK ISPs. My guess is that instead of merely blocking the request to resolve sci-hub.se at the DNS resolver level, the ISPs are also doing a reverse lookup on every requested IP address to check whether it corresponds to a blacklisted domain.)

Routing all your traffic through a proxy may come with privacy and security concerns, and will slow your connection a bit. We want to use our proxy only for accessing Sci-Hub.

You can use extensions like ProxySwitchy to tell your browser to automatically use certain proxies, or no proxy at all, for sets of websites that you define.

Unfortunately, this extension, and others like it, require permissions to insert arbitrary JavaScript into any page you visit (the web store accurately explains that the extension can “read and change all your data on the websites you visit”). That’s likely due to insufficiently granular permission definitions by Chrome, and is not the fault of the presumably well-intentioned extension authors. But it freaks me out a little bit (bad things have happened).

Luckily, we can achieve the same effect by writing our own proxy auto-configuration file. A proxy auto-configuration or PAC file contains just a single JavaScript function like this:

https://fragile-credences.github.io/scihub-proxy/
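As an added illustration of the PAC approach the post describes (this is not the author's file from the link above): a PAC file whose single FindProxyForURL function sends only the sci-hub.se domain through a proxy and everything else directly, so no extension with "read and change all your data" permissions is needed. The proxy address is a placeholder assumption.

```javascript
// Added example of a proxy auto-configuration (PAC) file; it is not the file
// from the linked post. The proxy address below is a placeholder assumption.
// Written in ES5 so older PAC engines (e.g. Windows WinHTTP) also accept it.
var SCIHUB_PROXY = "PROXY proxy.example.net:8080"; // placeholder, assumed
var PROXIED_DOMAINS = ["sci-hub.se"];               // domain named in the post

// The browser calls this once per request and applies the returned directive
// to that request only, so ordinary traffic never touches the proxy.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    var d = PROXIED_DOMAINS[i];
    // Exact match or a real subdomain ("www.sci-hub.se"), but not a mere
    // suffix match such as "notsci-hub.se".
    var isSub = h.length > d.length && h.slice(-(d.length + 1)) === "." + d;
    if (h === d || isSub) {
      // Deliberately no "; DIRECT" fallback: if the proxy is down the request
      // fails instead of silently going straight to the ISP.
      return SCIHUB_PROXY;
    }
  }
  return "DIRECT";
}
```

The browser loads the file through its automatic proxy configuration URL setting; everything not listed keeps its normal direct route.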

💡 Or simply use this Telegram bot made by the Sci-Hub founder

👉🏼 @scihubot

#uk #scihub #circumvent #isp #blocking
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
Confirmation from Freenode staff that, for some period of time, an IRCop had "their bot" signed in as nickserv and was receiving passwords sent by users attempting to authenticate. Note this was sent as a wallops message (not a global notice), which most users would not see.

https://nitter.pussthecat.org/plainoldchair/status/1402689883760640004

via Twitter

#freenode
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
ALPACA Attack

Introduction

TLS is an internet standard to secure the communication between servers and clients on the internet, for example that of web servers, FTP servers, and Email servers. This is possible because TLS was designed to be application layer independent, which allows its use in many diverse communication protocols.

ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

We investigate cross-protocol attacks on TLS in general and conducted a systematic case study on web servers, redirecting HTTPS requests from a victim's web browser to SMTP, IMAP, POP3, and FTP servers. We show that in realistic scenarios, the attacker can extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server, therefore bypassing TLS and web application security.

💡 ALPACA will be presented at Black Hat USA 2021 and at USENIX Security Symposium 2021.

💡 Recommended articles: Ars Technica (Dan Goodin), Golem (Hanno Böck; German)

https://alpaca-attack.com/

#alpaca #attack #tls
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
EA hacked and source code stolen

Hackers have stolen valuable information from major game publisher Electronic Arts (EA), the company said.

The attackers claimed to have downloaded source code for games such as FIFA 21 and for the proprietary Frostbite game engine used as the base for many other high-profile games.

News of the hack was first reported by news site Vice, which said some 780GB of data was stolen.

EA said no player data had been stolen in the breach.

The firm is one of the largest games companies in the world. It counts major series such as Battlefield, Star Wars: Jedi Fallen Order, The Sims, and Titanfall among the titles it develops or publishes - as well as a vast array of annual sports games.

https://www.bbc.com/news/technology-57431987

https://www.vice.com/en/article/wx5xpx/hackers-steal-data-electronic-arts-ea-fifa-source-code

#hacker #hacked #ea #games
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv