Safari and iOS users: Your browsing activity is being leaked in real time

Unfixed bug violating the Internet's most foundational rules is easy to exploit.

For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin—meaning the protocol, domain name, and port of a given webpage or app—from interacting with resources from other origins. Without this policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.

https://arstechnica.com/information-technology/2022/01/safari-and-ios-bug-reveals-your-browsing-activity-and-id-in-real-time/

#safari #ios #iPadOS #exploit
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

The EU Wants Its Own DNS Resolver that Can Block ‘Unlawful’ Traffic

The EU is planning to develop its own government-run DNS resolver. The project dubbed DNS4EU is meant to offer a counterweight to the popular resolvers that are mostly based in the U.S. Aside from offering privacy and security to users, the DNS solution will also be able to block "illegal" websites, including pirate sites.

https://torrentfreak.com/the-eu-wants-its-own-dns-resolver-that-can-block-unlawful-traffic-220119/

#eu #dns
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Ads may be coming to KDE, the popular Linux desktop

Qt, the framework that powers the KDE desktop, is announcing support for ads in client-side applications. This means that application developers will now be able to serve ads in traditional desktop applications like KdenLive. Windows users have been dealing with this in Metro UI apps since Windows 8 and it’s something that’s never gone over well on the desktop.

While it’s doubtful you’ll see ads in KDE’s core applications, it would be possible for distributions that wish to further monetize their work to fork these applications, placing ads in them. From the press release:

"Our focus is to fill an existing gap in the Qt framework for developers using Qt for mobile and desktop applications. We want to enable the easy integration of advertising. Our offering aims to disrupt the IoT industry, enabling new business models and business cases that before were not possible. We enable Qt users to insert advertising as a native component to complex user interfaces."

https://www.neowin.net/news/ads-may-be-coming-to-kde-the-popular-linux-desktop/

#kde #linux #advertising
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Meet the NSA spies shaping the future

In his first interview as leader of the NSA's Research Directorate, Gil Herrera lays out challenges in quantum computing, cybersecurity, and the technology American intelligence needs to master to secure and spy into the future.

For someone with a deeply scientific job, Gil Herrera has a nearly mystical mandate: Look into the future and then shape it, at the level of strange quantum physics and inextricable math theorems, to the advantage of the United States.

Herrera is the newly minted leader of the National Security Agency’s Research Directorate. The directorate, like the rest of the NSA, has a dual mission: secure American systems and spy on the rest of the world. The budget is classified, a secret among secrets, but the NSA is one of the world’s largest spy agencies by any measure and Herrera’s directorate is the entire US intelligence community’s biggest in-house research and development arm. The directorate must come up with solutions to problems that are not yet real, in a world that doesn’t yet exist.

https://www.technologyreview.com/2022/02/01/1044561/meet-the-nsa-spies-shaping-the-future/

#nsa #research
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Study: Using Stylometry to Detect Cross-Market Vendor Profiles

Researchers analyzed the literary style of darkweb vendors to identify vendors using different identities.

Using stylometry, researchers analyzed thousands of vendor identities on four darkweb marketplaces and linked more than 700 identities. The study involved the collection of information nodes, which included vendor profiles from four defunct marketplaces, including Valhalla (522), Dream Market (2,547), Evolution (1,650), and Silk Road 2 (681).

https://darknetlive.com/post/study-using-stylometry-to-detect-a-vendors-alternate-profiles/

PDF:
https://darknetlive.com/post/study-using-stylometry-to-detect-a-vendors-alternate-profiles/documents/fingerprints.pdf

#study #stylometry #fingerprints #darkweb #marketplaces #vendors #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

FBI Admits Purchasing NSO Group's Pegasus Spyware

The FBI purchased the NSO Group’s Pegasus spyware but only for “testing and evaluation,” they claimed.

The Federal Bureau of Investigation confirmed to The Guardian that the Bureau had purchased a license to access Pegasus for “product testing and evaluation only.” NSO Group, an Israeli firm, sells spyware and hacking tools to “government intelligence and law enforcement agencies” across the globe. The company’s products are “classified as a military export by Israel.” Pegasus is “one of the world’s most sophisticated hacking tools.

https://darknetlive.com/post/fbi-admits-purchasing-nso-group-s-pegasus-spyware/

#fbi #pegasus #nso #spyware
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

SentryPeer

A distributed peer to peer list of bad actor IP addresses and phone numbers collected via a SIP Honeypot.

This is basically a fraud detection tool. It lets bad actors try to make phone calls and saves the IP address they came from and number they tried to call. Those details are then used to block them at the service providers network and the next time a user/customer tries to call a collected number, it’s blocked.

Traditionally this data is shipped to a central place, so you don’t own the data you’ve collected. This project is all about Peer to Peer sharing of that data. The user owning the data and various Service Provider / Network Provider related feeds of the data is the key bit for me. I’m sick of all the services out there that keep it and sell it. If you’ve collected it, you should have the choice to keep it and/or opt in to share it with other SentryPeer community members via p2p methods.

https://sentrypeer.org/

#sentrypeer #fraud #detection #tool
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Matrix vs. XMPP

What are XMPP and Matrix and what makes them special?

XMPP and Matrix are two decentralized and federated free software projects for chat, including true end-to-end encrypted chat.

Users can either install the software on their own server if they want, but they can also easily register on any public server—both allow any XMPP or Matrix user to talk to users on their server or on any other one. In essence, it works like email: you might have an email account on a different site than your friend, but all accounts on all sites can communicate.

In a world where most communication is done on centralized proprietary platforms without end-to-end encryption like Facebook, Telegram and Google, Matrix and XMPP both are permanent solutions to communication privacy. Even based boomerware like IRC has to play second fiddle to them.

The only question is, "Which is better? XMPP or Matrix?"

https://lukesmith.xyz/articles/matrix-vs-xmpp

💡 Read as well:
Internet Messaging versus Congested Network

#matrix #xmpp #privacy #amdocs #israel #intelligence
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

"Your account has been deactivated"

I've received that message today. I'm from Belarus.

"We noticed an issue when verifying your account. The legal entity information associated with your account fully matches a restricted party or one or more parties from the United States government's consolidated screening list, another government's sanctions list, or a restricted regions list."

I know nothing about sanctions but I'm 100% sure that's how sanctions should not work by discriminating developers from country which governments appeared in any sanctions list.

https://developer.apple.com/forums/thread/700036

#apple #developers #belarus #sanctions #usa
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Foreign Office target of 'serious cyber incident'

The UK's Foreign, Commonwealth and Development Office (FCDO) was the target of a "serious cyber-security incident", it has emerged.

The details came via a tender document published on a government website, seemingly by mistake.

It revealed that cyber-security firm BAE Systems Applied Intelligence was called on for "urgent support".

The BBC understands unidentified hackers got inside the FCDO systems, but were detected.

https://www.bbc.co.uk/news/technology-60309335

#uk #fcdo #hacked
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Belarusian activists hacked railway servers in order to interfere with Russian troop relocations.

Hackers knows as "Cyber Guerillas" have hacked and encrypted the servers and the database of the Belarus railroad company. The backups were deleted as well. The goal of the attack was to make it harder for the Russian army to move its troops into Belarus.

#Russia has been gathering troops near Ukrainian borders for several months now. Earlier, #Belarus and Russia announced joint military exercises in February.

OATHqr - Turn your secrets into scannable QR codes

OATHqr helps you create security credentials for use with 2FA/MFA and other OATH-enabled apps. Use it to generate scannable QR codes for one-time password authenticator apps such as Aegis or YubiKey. Or skip the QR code altogether and paste the formatted otpauth URI it creates directly into OpenPGP-activated password managers such as the remarkable Pass standard unix password manager.

💡 Features:

- Makes no external requests and may be run completely offline.

- Installable application can be added to mobile device home screen.

- Friendly form accessible to both sighted and non-sighted users.

- Utilizes strict default-src Content-Security Policy as sandbox.

- Proactively disables Google FLoC surveillance for affected users.

- Promotes ethical software alternatives to Google Authenticator.

- Automatic light/dark color scheme based on system preference.

https://codeberg.org/vhs/oathqr

#oathqr #qrcodes #2fa #mfa
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Binance, led by the world’s richest crypto billionaire, is taking a $200 million stake in Forbes

Binance, the world's biggest cryptocurrency exchange, is making a $200 million strategic investment in Forbes, the 104-year-old magazine and digital publisher, CNBC has learned.

The funds will help Forbes execute on its plan to merge with a publicly traded special purpose acquisition company, or SPAC, in the first quarter, according to people with knowledge of the deal.

Investors have grown skeptical of SPAC deals generally, and media deals in particular, in recent months amid the broader stock market retrenchment. Binance will replace half of the $400 million in commitments from institutional investors announced by Forbes in August, said the people, who declined to be identified before the transaction is announced.

That would make Binance one of the top two biggest owners of Forbes, which will be listed on the New York Stock Exchange under the ticker FRBS, the people said. The crypto company will also get two directors out of nine total board seats, they said.

The move shows the increasing real-world influence of the crypto sector, which has seen surging valuations and minted a new class of billionaires amid global interest in digital assets. While crypto companies have gone public, affixed their names to sports arenas and flooded airwaves with celebrity endorsements, this is the sector's first big investment in a traditional U.S. media property.

https://www.cnbc.com/2022/02/10/forbes-spac-binance-led-by-the-worlds-richest-crypto-billionaire-is-taking-a-200-million-stake-in-forbes-.html

#binance #crypto #forbes
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Bvp47: Top-tier Backdoor of US NSA Equation Group

In 2016 and 2017, “The Shadow Brokers” published two batches of hacking files claimed to be used by
“The Equation Group”. In these hacking files, researchers form Pangu Lab found the private key that can
be used to remotely trigger the backdoor Bvp47. Therefor, It can be concluded that Bvp47 is a hacker tool
belonging to " The Equation Group".

https://files.shitpost.to/rvfxfdj9zmajdtww.pdf?key=SxiRfjPs1SFpxU2gUK5PBmx08w2KTIL7

⚠️ I strongly advise everyone to pass pdfs through something like DangerZone or MAT2 before opening them.

#Bvp47 #nsa #backdoor #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

email2phonenumber

email2phonenumber is an OSINT tool that allows you to obtain a target's phone number just by having his email address.

💡 For full details check:
https://www.martinvigo.com/email2phonenumber

💡 Demo:
https://www.youtube.com/watch?v=dfvqhDUn81s

‼️ IMPORTANT:
*email2phonenumber is a proof-of-concept tool I wrote during my research on new OSINT methodologies to obtain a target's phone number. The supported services (Ebay, Lastpass, Amazon and Twitter) have long added protections to protect from these type of scraping like having to receive a code over email first or simply adding captchas. There are of course many other sites that are still leaking phone number digits but I am focused on other research projects. Feel free to submit pull request if you want to add support for new sites.

Please check out my newer tool "Phonerator", which is maintained and focuses on the novel aspect of this research, generating valid phone numbers. See more details. There is also a small OSINT challenge in there... ;)

https://github.com/martinvigo/email2phonenumber

https://www.martinvigo.com/tools/phonerator/

#osint #email2phonenumber #phonerator
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Ukraine calls on hacker underground to defend against Russia

Feb 24 (Reuters) - The government of Ukraine is asking for volunteers from the country's hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according two people involved in the project.

As Russian forces attacked cities across Ukraine, requests for volunteers began to appear on hacker forums on Thursday morning, as many residents fled the capital Kyiv. read more

"Ukrainian cybercommunity! It's time to get involved in the cyber defense of our country," the post read, asking hackers and cybersecurity experts to submit an application via Google docs, listing their specialties, such as malware development, and professional references.

Yegor Aushev, co-founder of a cybersecurity company in Kyiv, told Reuters he wrote the post at the request of a senior Defense Ministry official who contacted him on Thursday. Aushev's firm Cyber Unit Technologies is known for working with Ukraine's government on the defense of critical infrastructure.

https://www.reuters.com/world/exclusive-ukraine-calls-hacker-underground-defend-against-russia-2022-02-24/

#ukraine #russia #hacker #cyberdefence
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Bye fsb.ru

https://nitter.pussthecat.org/YourAnonNews/status/1500169119219466251

via Twitter

💡 Read as well:
Anonymous has taken down the FSB website

#OpRussia #anonymous #fsb
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Brave takes the spring out of creepy bounce tracking

Just say no to websites bypassing privacy protections with sneaky redirects

Browser maker Brave has developed a new way to ground "bounce tracking," a sneaky technique for bypassing privacy defenses in order to track people across different websites.

Bounce tracking, also known as redirect tracking, dates back at least to 2014 when ad companies were looking for ways to avoid third-party cookie blocking defenses.

"Bounce tracking is a way for trackers to track you even if browser-level privacy protections are in place," explained Peter Synder, senior director of privacy at Brave, on Tuesday.

"Privacy respecting browsers try to prevent sites from learning about your behaviors and activities on other sites. Bounce tracking attempts to circumvent these protections by gaming how your browser behaves when you browse from one site to another."

Say a website embeds a third-party script from info.tracker. When the website is visited, the third-party script tries to read third-party cookies from info.tracker that have been stored in the visitor's browser.

If it can't – because third-party cookies are blocked – the script redirects to the info.tracker domain by writing a new URL to the browser's window.location object or via some link hijacking method like injecting an info.tracker iframe into the original website.

Doing so puts info.tracker into a first-party context, enabling it to set tracking cookies.

Info.tracker then redirects back to the original website URL and info.tracker cookies can then be read in third-party contexts. By doing so across multiple different websites, info.tracker can develop a profile of the people's interests.

To curtail privacy intrusions of this sort, Brave software engineer Aleksey Khoroshilov and senior software engineer Ivan Efremov devised a defense called Unlinkable Bouncing.

https://www.theregister.com/2022/03/09/brave_bounce_tracking/

#brave #browser #bounce #tracking #privacy
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Clone Wars - Open source clones of popular sites

100+ open-source clones and alternatives of popular sites like Airbnb, Amazon, Instagram, Netflix, TikTok, Spotify, WhatsApp, YouTube, etc. List contains source code, tutorials, demo links, tech stack, and GitHub stars count. Great for learning purpose!

https://github.com/GorvGoyl/Clone-Wars

#clonewars #opensource
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Staying online during a conflict

First of all, we hope that there won't come a time where you need to read this article. Nevertheless, since it may happen, here's how you can remain connected to the internet during incertain times.

Do note that this guide is covered for two scenarios: when your connection becomes less stable because of a conflict or when your country's slowly blocking social media platforms.

💡 Element: a messaging app

Element is a messaging app that lets you talk with other users. If you pick a server in the region (e.g. one that you host yourself or one that the city's university hosts) then you won't lose your connection to the server.

Additionally, since this server can connect to any other Element (Matrix) server, you will always be able to communicate with the outside world whenever there's a brief connection.

This means it's very difficult to block. Your country cannot just block "the Signal server", they'll instead need to block every single hobbyist in the world that decides to set up a new server for Element.

💡 Mastodon: Twitter unblocked

Mastodon uses very similar protocols to what Element uses: everyone can set up their own servers, which makes Mastodon hard to block.

Take a look at mastodon.social, ru.social, pleroma.chirno.tech, glasgow.social, witches.live, and many more.

Each of them hosts their own instance, that separately needs to be blocked from the internet. You can use instances.social to find a Mastodon instance that suits best for you.

💡 PeerTube: when YouTube goes down

Do you need to share videos that YouTube may not want to share? Can you no longer access YouTube's foreign servers? Use PeerTube.

PeerTube allows you to broadcast your videos to whomever can see them. This can be very useful when your connection with YouTube is unstable and you'd like to share the videos yourself anyway.

💡 Conclusion

Using these platforms, you will be able to remain connected with the world better - in situations where connections aren't always stable, as well as if the government may decide to block websites.

Take good care of yourself, and we hope these tips will be helpful for you.

https://digital-justice.com/articles/connection-during-conflict.html

#tips #element #peertube #mastodon
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv