Here Is the Manual for the Mass Surveillance Tool Cops Use to Track Phones
Police departments across the U.S. have been using Fog Reveal for “mass surveillance on a budget,” investigations by the EFF and Associated Press revealed. Now, we're publishing the manual.
Local police departments across the U.S. have been purchasing a tool that allows them to track individual devices without a warrant based on data harvested from ordinary smartphone apps installed on people’s phones, according to investigations by activist organization the Electronic Frontier Foundation (EFF) and the Associated Press.
Now, Motherboard is publishing the user manual for the tool, called Fog Reveal. Bennett Cyphers, a staff technologist at the EFF who worked on the investigation using public records requests, shared the user manual with Motherboard.
https://www.vice.com/en/article/v7v34a/fog-reveal-local-cops-phone-location-data-manual
#surveillance
@cRyPtHoN_INFOSEC_IT
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
HardeningKitty
checks and hardens your Windows configuration.
HardeningKitty supports hardening of a Windows system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. HardeningKitty reads settings from the registry and uses other modules to read configurations outside the registry.
The script was developed for English systems. It is possible that in other languages the analysis is incorrect. Please create an issue if this occurs.
https://github.com/scipag/HardeningKitty
#HardeningKitty
The largest taxi service in Russia 'Yandex Taxi' was hacked by the Anonymous collective
A traffic jam formed in the center of Moscow when dozens of taxis were sent by the hackers to an address on Kutuzovsky Prospekt.
https://nitter.pussthecat.org/YourAnonTV/status/1565555525378506752
via Twitter
#OpRussia #anonymous
How to Detect and Prevent impacket's Wmiexec
This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec.
Introduction
Impacket’s wmiexec.py (“wmiexec”) is a popular tool used by red teams and threat actors alike. The CrowdStrike Services team commonly sees threat actors leveraging wmiexec to move laterally and execute commands on remote systems as wmiexec leverages Windows native protocols to more easily blend in with benign activity. CrowdStrike has also identified threat actors packaging wmiexec using PyInstaller to run it as an executable on Windows systems, remotely executing data exfiltration tools such as Rclone, and Cobalt Strike beacons for lateral movement and command-and-control operations.
Impacket’s suite of tools is extremely versatile and is low impact, making detection more difficult compared to other threat actor tool sets. This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec.
https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
#wmiexec
30. The scariest piece of malware since Stuxnet
The scariest piece of malware since Stuxnet (Podcast)
Back in April, cybersecurity officials discovered the notorious “Industroyer” malware in the Ukrainian electrical grid. It might have been the scariest infrastructure hack since malware destroyed centrifuges at an Iranian uranium enrichment plant in 2010, were it not for a TGIF miracle. Plus, a visit with the IT Army of Ukraine and a different kind of information operation.
https://podcasts.apple.com/us/podcast/30-the-scariest-piece-of-malware-since-stuxnet/id1225077306
#industroyer #podcast
Samsung recently discovered a cybersecurity incident
At Samsung, security is a top priority. We are reaching out to inform you that Samsung recently discovered a cybersecurity incident that affected some of your information.
In late July 2022, an unauthorized third party acquired information from some of Samsung's U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected.
We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement. We want to assure our customers that the issue did not impact Social Security numbers or credit and debit card numbers, but in some cases, may have affected information such as name, contact and demographic information, date of birth, and product registration information. The information affected for each relevant customer may vary.
At Samsung, we value the trust our customers place in our products and services, trust that we have built up over many years. By working with industry-leading experts, we will further enhance the security of our systems, and your personal information, and work to maintain the trust you have put into the Samsung brand for more than 40 years.
We regret any inconvenience this may cause you and appreciate your trust in us. We have set up an FAQ page on our website for additional questions and answers along with recommended actions.
If you'd like to check your credit report, you are entitled under U.S. law to one free credit report annually from each of the three major nationwide credit reporting agencies. More information can be found below.
If you have any questions regarding this issue, please visit our website at www.samsung.com/us/support/securityresponsecenter.
#samsung #breach
Wi-Fi Hacking: Using wifite for Multiple Attack Strategies against Wi-Fi AP's
Often, when doing a pentest, we have multiple Wi-Fi access points to test for security. Rather than testing each one individually with tools such as aircrack-ng, Reaver, pyrit and hcxdumptool, we can automate that testing with a single tool such as wifite. Wifite enables us to test all of the Wi-Fi APs automatically with a single tool, using multiple strategies against different security protocols.
Only for educational purposes.
https://www.hackers-arise.com/post/wi-fi-hacking-using-wifite-for-multiple-attack-strategies-against-wi-fi-ap-s
#wifi #hacking
James Webb JPEG With Malware
Tools: jpegdump.py, base64dump.py, pecheck.py, headtail.py
ISC diary entry: James Webb JPEG With Malware
Sample: 3bdf6d9f0f35be75d8345d897ec838ae231ba01ae898f6d0c8f920ff4061fc22, MalwareBazaar
Video: https://youtu.be/_JHYGpYAuAQ
#jameswebb #jpeg #malware
Malware dev open-sources CodeRAT after being exposed
The source code of a remote access trojan (RAT) dubbed 'CodeRAT' has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool.
The malicious operation, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit.
The exploit downloads and executes CodeRAT from the threat actor's GitHub repository, giving the remote operator a broad range of post-infection capabilities.
More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environments (IDEs) for Windows and Android, and even individual websites like PayPal.
https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-coderat-after-being-exposed/
#CodeRAT
I ran the world's largest DDoS-for-Hire empire and CloudFlare helped
Today CloudFlare is in the spotlight for their decision to revoke access to a website behind their network. The timing comes just 3 days after they published a blog post discussing their abuse policies and making the following statement:
"Some argue that we should terminate these services to content we find reprehensible so that others can launch attacks to knock it offline. That is the equivalent argument in the physical world that the fire department shouldn't respond to fires in the homes of people who do not possess sufficient moral character"
I agree with CloudFlare's analogy: the fire department should respond to a fire at any home regardless of who lives in it. However, this real-world example is not an accurate representation of the situation CloudFlare is presenting. As the operator of the largest DDoS-for-Hire empire in the history of the internet, I have a unique perspective on the situation CloudFlare finds themselves in.
https://rasbora.dev/blog/I-ran-the-worlds-largest-ddos-for-hire-empire-and-cloudflare-helped
#cloudflare #ddos
After self-hosting my email for twenty-three years I have thrown in the towel.
The oligopoly has won.
Many companies have been trying to disrupt email by making it proprietary. So far, they have failed. Email keeps being an open protocol. Hurray?
No hurray. Email is not distributed anymore. You just cannot create another first-class node of this network.
Email is now an oligopoly, a service gatekept by a few big companies which does not follow the principles of net neutrality.
I have been self-hosting my email since I got my first broadband connection at home in 1999. I absolutely loved having a personal web+email server at home, paid extra for a static IP and a real router so people could connect from the outside. I felt like a first-class citizen of the Internet and I learned so much.
Over time I realized that residential IP blocks were banned on most servers. I moved my email server to a VPS. No luck. I quickly understood that self-hosting email was a lost cause. Nevertheless, I have been fighting back out of pure spite, obstinacy, and activism. In other words, because it was the right thing to do.
But my emails are just not delivered anymore. I might as well not have an email server.
https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html
#email
E-Mail Done My Way, Part 0 - The journey
Warning. This whole series is not a simple HOWTO. This series is about how I run my mail server. I go through the configuration, line by line and explain. It’s not going to be a simple Copy/Paste to run your own mail server. You have been warned.
This will be at least a three part series. Maybe more. We will see.
E-Mail, while being one of the oldest services on the internet, is a complex beast to tame. You have to be careful at every step of setting it up. Failure can cost you dearly. Open relays, blacklists, Denial of Service. There be dragons. These are the building blocks I use and will explain:
https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/
Read as well:
After self-hosting my email for twenty-three years I have thrown in the towel
https://t.iss.one/BlackBox_Archiv/3017
#email
Attachment: conti-cyber-attack-on-the-hse-full-report.pdf (2 MB)
The entire Irish healthcare system was impacted by ransomware; restoration took months even with the decryption key and required the army to be called in (!)...
...and they put the entire major incident report public, all 157 pages:
https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf
#irland #ransomware #pdf
TikTok Data Breach
This is your forewarning. #TikTok has reportedly suffered a #data #breach, and if true there may be fallout from it in the coming days. We recommend you change your TikTok #password and enable Two-Factor Authentication, if you have not done so already.
https://nitter.pussthecat.org/BeeHiveCyberSec/status/1566340883959746562
https://gist.github.com/troyhunt/d238ded80353cce53bea4545545ed172
Read as well (German):
https://tarnkappe.info/artikel/hacking/bluehornet-sicherheitsforscher-hackt-tiktok-255255.html
#TikTok #breach
NHS 111 software outage confirmed as cyber-attack
The problems are reported to have impacted referrals from the NHS 111 helpline to out-of-hours GPs.
A software outage affecting the NHS 111 service was caused by a cyber-attack, it has been confirmed.
Advanced, a firm providing digital services for NHS 111, said the attack was spotted at 07:00 BST on Thursday.
The attack targeted the system used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings and emergency prescriptions.
But the NHS said disruption was minimal.
The National Crime Agency said it was "aware of a cyber incident" and was working with Advanced.
"A security issue was identified yesterday, which resulted in loss of service," said Advanced boss Simon Short.
"We can confirm that the incident is related to a cyber-attack and as a precaution, we immediately isolated all our health and care environments."
He said the issue had been contained "to a small number of servers".
Advanced has indicated the issue might not be fully resolved until next week.
https://www.bbc.co.uk/news/uk-wales-62442127
#cyberattack #advanced #nhs #uk
Check out what online companies know about you
https://clario.co/blog/which-company-uses-most-data/
#bigdata #DeleteFacebook #DeleteMeta
Legitimate SaaS Platforms Being Used to Host Phishing Attacks
Executive Summary
Instead of creating phishing pages from scratch, more and more cybercriminals are now abusing legitimate software-as-a-service (SaaS) platforms, including various website builders or form builders, to host their phishing pages. Since these URLs are hosted on legitimate domains, they can be especially difficult for many phishing detection engines to detect. Furthermore, these platforms typically require little to no coding experience, significantly lowering the barrier to entry for creating and launching phishing attacks.
From the beginning of 2020 to June 2022, Palo Alto Networks analyzed the URLs detected by our Advanced URL Filtering service, and discovered that the number of phishing URLs hosted on legitimate SaaS platforms has continued to increase at an alarming rate. In fact, from June 2021-June 2022, the rate of newly detected phishing URLs hosted on legitimate SaaS platforms has increased over 1100%.
The Palo Alto Networks Advanced URL Filtering uses deep learning to analyze the content of each webpage at the URL level instead of the domain level. Customers with an Advanced URL Filtering subscription therefore receive protections from these platform-abuse phishing attacks.
Table of Contents
- Introduction to Platform-Abuse Phishing Attacks
- Methodology
- Results: Platform-Abuse Phishing Is on the Rise
- Platform-Abuse Phishing Case Studies
- Conclusion
- Acknowledgements
https://unit42.paloaltonetworks.com/platform-abuse-phishing/
#phishing
Unit 42
Legitimate SaaS Platforms Being Used to Host Phishing Attacks
Platform-abuse phishing is on the rise. We analyze how attackers use services such as website builders to host phishing pages.
In wake of EPIC data breach - Samsung forcing users to accept T&Cs or risk their data
Users attempting to take sensible precautions after a recent spate of data breaches at Korean techmonger, Samsung, are being forced to accept updated terms and conditions in order to do so.
Samsung has fallen prey to two data breaches in 2022 to date. The first orchestrated by the notorious Lapsus$ group, saw 190GB of data exfiltrated from the company, and included algorithms for all biometric unlocking operations, source code for the bootloader for newer Samsung products, and all the source code behind the process of authorizing and authenticating Samsung accounts.
The second affected users directly and saw Samsung wait a month before notifying customers that a huge trove of personally identifying information was now in the hands of criminals.
While the understated press release from Samsung reassured customers that there was no need for panic, prudent users - perhaps alarmed at Samsung's lack of alarm - immediately logged into their Samsung account to change their password.
Many users create a Samsung account when they buy their phones and then immediately forget about it. Some read the terms and conditions, and some don't. You should always read the terms and conditions.
And if you created your account before September 2021, Samsung is under no obligation to notify you when those terms change - unless you attempt to log into your online account, that is.
Samsung's terms and conditions were last updated on 30 September 2021, in a change that went largely unnoticed by everyone.
While it's technically possible to request a password reset without logging in and accepting the updated terms and conditions, you do need to accept them in order to access other security features of your Samsung account.
https://thecrow.uk/in-wake-of-epic-data-breach-samsung-forcing-users-to-accept-new-terms-or-risk-their-data/
#samsung #breach
The Crow
In wake of EPIC data breach - Samsung forcing users to accept T&Cs or risk their data
Whether or not Samsung's updated terms affect you, you'll have to accept them in order to get the reassurance that no-one has logged into your Samsung account, and is currently monitoring your whereabouts using the "find my device" feature, checking out your…
Kiwi Farms all but finished after bill comes due for years of trolling and harassment
There's an old saying, "You play with the bull, you get the horns." One of the most noxious corners of the tubes learned that the hard way this weekend. Kiwi Farms, a message board notorious for vicious and criminal harassment of vulnerable people, especially trans people, was essentially driven out of existence over the weekend. In the wake of heightened scrutiny over Kiwi Farms' tactics, multiple companies cut ties with the site, rendering it all but inaccessible.
The beginning of the end came when Cloudflare, which protected Kiwi Farms from DDoS attacks, dropped Kiwi Farms (diaried here) after increasingly threatening posts led Cloudflare to reverse its initial decision to continue working with the site. In the last 24 hours, multiple companies, including its replacement DDoS protector, cut ties with the site as well. It has been offline since late Sunday night/early Monday morning, and the site's founder and administrator suggests it may be a while before it comes back, if it does come back.
https://www.dailykos.com/stories/2022/9/5/2120881/-Kiwi-Farms-all-but-finished-after-bill-comes-due-for-years-of-trolling-and-harassment
#kiwifarms
Daily Kos
How hate site KiwiFarms finally fell, after years of trolling and harassing marginalized people
There's an old saying: "You play with the bull, you get the horns." The users and leadership of one of the most noxious corners of the internet learned that the hard way this weekend. KiwiFarms, a message board notorious for vicious and criminal...
CSharp PoC for transacted hollowing
https://github.com/daem0nc0re/TangledWinExec/commit/f898bf157ad993f900985d78b8d8fdc22df0163c
#CSharp #poc #hollowing
GitHub
Added Transacted Hollowing · daem0nc0re/TangledWinExec@f898bf1
PoCs and tools for investigation of Windows process execution techniques - Added Transacted Hollowing · daem0nc0re/TangledWinExec@f898bf1
ctpot_usec2022.pdf
735.9 KB
Uninvited Guests: Analyzing the Identity and Behavior of Certificate Transparency Bots
https://www.securitee.org/files/ctpot_usec2022.pdf
#pdf #bots