
Signal Phone Numbers Exposed in Twilio Hack
Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed:

All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.

Why does Signal require a phone number to use? It doesn’t have to be that way.

schneier.com/blog/archives/202

There is no security fix for stupid.

A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

theregister.com/2022/08/17/sof

And

hayageek.com/rsa-encryption-de

The USB Rubber Ducky is getting better and better.

For example, the new Ducky can run a test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.

theverge.com/23308394/usb-rubb

thestack.technology/keystroke-

github.com/hak5/usbrubberducky
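The conditional OS detection and the pseudorandom keystroke delay described above are both aimed at the defender's simplest signal: a payload that types faster and more regularly than any person. The following is an added example (not from the Hak5 project or from the linked articles) of that keystroke-timing heuristic run over constructed keystroke samples. The samples, the threshold values and the helper names are assumptions made for the illustration, not measurements from a real device or user.

```python
"""Keystroke-timing heuristic for flagging scripted HID input (added example).

Every keystroke sample below is constructed for illustration; none was
captured from a real Rubber Ducky or a real user. Thresholds are assumptions
that would need tuning against real telemetry.
"""
import random
import statistics


def from_gaps(gaps_ms, start_ms=0.0):
    """Turn a list of inter-key gaps into absolute keystroke timestamps."""
    ts = [start_ms]
    for g in gaps_ms:
        ts.append(ts[-1] + g)
    return ts


def inter_key_gaps(timestamps_ms):
    """Differences between consecutive keystroke timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def classify_burst(timestamps_ms, min_keys=12, max_mean_gap_ms=40.0, min_cv=0.25):
    """Label a burst of keystrokes 'scripted', 'human' or 'unknown'.

    Assumed thresholds:
      * a mean gap under 40 ms sustained over 12+ keys is faster than a
        person types;
      * a coefficient of variation (stdev / mean) under 0.25 is too regular:
        human typing is bursty, with long pauses between words and thoughts.
    A payload that adds uniform jitter lifts the variance a little but
    usually fails at least one of the two checks.
    """
    if len(timestamps_ms) < min_keys:
        return "unknown"
    gaps = inter_key_gaps(timestamps_ms)
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return "scripted"
    cv = statistics.pstdev(gaps) / mean
    if mean < max_mean_gap_ms:
        return "scripted"  # too fast for a person
    if cv < min_cv:
        return "scripted"  # too regular for a person
    return "human"


_rng = random.Random(2022)  # fixed seed so the constructed samples are stable

# 1. Classic payload: a fixed 10 ms between keystrokes.
NAIVE_DUCKY = from_gaps([10.0] * 40)

# 2. Payload with jitter but still fast: uniform delay in 15..35 ms.
JITTERED_DUCKY = from_gaps([_rng.uniform(15, 35) for _ in range(40)])

# 3. Payload slowed to human speed with uniform jitter in 90..110 ms. The
#    mean is plausible but the spread is far smaller than real typing.
SLOW_JITTERED_DUCKY = from_gaps([_rng.uniform(90, 110) for _ in range(40)])

# 4. A person typing a short command: word gaps plus two think-pauses.
HUMAN = from_gaps([120, 95, 180, 60, 850, 140, 110, 75, 2300, 130,
                   90, 160, 210, 70, 1250, 105, 85, 140, 95, 620])


def classify_all():
    """Classify every constructed sample; returns {name: label}."""
    return {
        "naive_ducky": classify_burst(NAIVE_DUCKY),
        "jittered_ducky": classify_burst(JITTERED_DUCKY),
        "slow_jittered_ducky": classify_burst(SLOW_JITTERED_DUCKY),
        "human": classify_burst(HUMAN),
    }


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:22s} -> {label}")
```

Timing is a weak signal on its own; in practice it is paired with the USB enumeration event (a new HID keyboard appearing seconds before the burst) and with what the burst actually typed.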

iOS VPNs Are Broken.

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed.

mjtsai.com/blog/2022/08/18/ios

How Unmoderated Platforms Became the Frontline for Russian Propaganda

By Samantha Bradshaw, Renee DiResta, Christopher Giles

Russia’s Full Spectrum Information Operations

"Several recent reports have assessed these networks. One investigation identified over 80 channels that were reportedly part of a pro-Kremlin Telegram network to target specific populations in Ukraine."

lawfareblog.com/how-unmoderate


(excuse me, but fuck meta, I mean, really, fuck meta hard)

iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser.

The iOS Instagram and Facebook apps render all third party links and ads within their app using a custom in-app browser. The host app is able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.

krausefx.com/blog/ios-privacy-

A Taxonomy of Access Control

I can’t believe that no one has described this taxonomy of access control before.

The paper is about cryptocurrency wallet design, but the ideas are more general. Ittay points out that a key—or an account, or anything similar—can be in one of four states:

1. safe: Only the user has access,
2. loss: No one has access,
3. leak: Both the user and the adversary have access, or
4. theft: Only the adversary has access.

eprint.iacr.org/2021/1522.pdf
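The four states are just the four combinations of two bits (does the user still have the key, does the adversary have it), which is what makes the taxonomy useful for reasoning about wallet designs. As an added example, not code from the paper or the post, the following models a single key and then a t-of-n wallet in those terms and walks a few designs through loss, leak and theft events. The t-of-n scoring rule, the event names and the scenarios are assumptions made for this illustration.

```python
"""The safe / loss / leak / theft taxonomy as code (added example).

A single key's state is fixed by two bits: the user still has it, the
adversary has it. A threshold wallet of several keys is scored the same
way, except that 'has access' means 'controls at least t of the n keys'.
The t-of-n rule and the event names are assumptions for this example.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    SAFE = "safe"    # only the user has access
    LOSS = "loss"    # no one has access
    LEAK = "leak"    # user and adversary both have access
    THEFT = "theft"  # only the adversary has access


def classify(user_has: bool, adversary_has: bool) -> State:
    """Map the two access bits onto the four states of the taxonomy."""
    if user_has and adversary_has:
        return State.LEAK
    if user_has:
        return State.SAFE
    if adversary_has:
        return State.THEFT
    return State.LOSS


@dataclass
class Key:
    name: str
    user_has: bool = True        # the user still holds a usable copy
    adversary_has: bool = False  # an adversary has obtained a copy

    def state(self) -> State:
        return classify(self.user_has, self.adversary_has)


def wallet_state(keys, threshold):
    """t-of-n wallet: a party has access iff it controls >= threshold keys."""
    user_keys = sum(1 for k in keys if k.user_has)
    adversary_keys = sum(1 for k in keys if k.adversary_has)
    return classify(user_keys >= threshold, adversary_keys >= threshold)


# Three kinds of bad event, each acting on one key.
def lose(key):   # e.g. the only device holding it is destroyed
    key.user_has = False


def leak(key):   # e.g. malware copies it; the user keeps their copy
    key.adversary_has = True


def steal(key):  # e.g. the only device holding it is taken
    key.user_has = False
    key.adversary_has = True


def run_scenario(threshold, n_keys, events):
    """Apply (event, key_index) pairs in order; return the wallet state trace."""
    keys = [Key(f"k{i}") for i in range(n_keys)]
    trace = [wallet_state(keys, threshold)]
    for event, idx in events:
        event(keys[idx])
        trace.append(wallet_state(keys, threshold))
    return trace


def single_event_outcomes(threshold, n_keys):
    """Wallet state after each single-key event applied to a fresh wallet."""
    return {ev.__name__: run_scenario(threshold, n_keys, [(ev, 0)])[-1]
            for ev in (lose, leak, steal)}


if __name__ == "__main__":
    # One key, no backup: a stolen phone is immediate theft.
    print(run_scenario(1, 1, [(steal, 0)]))
    # 2-of-3: survives one stolen share, degrades to leak, then to theft.
    print(run_scenario(2, 3, [(steal, 0), (leak, 1), (lose, 2)]))
    # 1-of-2 (key plus backup) versus 2-of-2 (two factors): each design
    # trades one failure state for another.
    print(single_event_outcomes(1, 2))
    print(single_event_outcomes(2, 2))
```

The last two calls show the trade-off in one line each: adding a backup (1-of-2) turns a lost key into "safe" but a leaked or stolen key into "leak", while requiring both keys (2-of-2) turns a leaked key into "safe" but a lost or stolen key into "loss".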

Hacking Starlink

This is the first—of many, I assume—hack of Starlink. Leveraging a string of vulnerabilities, attackers can access the Starlink system and run custom code on the devices.


12ft.io/proxy?q=https%3A%2F%2F

Not New....

(From a few days ago, about a hack several months ago)

Twitter confirms zero-day used to expose data of 5.4 million accounts.
By Lawrence Abrams

bleepingcomputer.com/news/secu


NIST’s Post-Quantum Cryptography Standards

Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible.

Bruce Schneier

schneier.com/blog/archives/202

Your computer is tormented by a wicked god

When Ken Thompson accepted the 1984 Turing Prize he gave an acceptance speech called "Reflections on Trusting Trust". It's a bombshell: Thompson proposes an evil compiler, one that inserts a back-door into any operating system it compiles, and since Thompson had created the original Unix compiler, this was a pretty wild thought experiment, especially since he didn't outright deny having done it.

By Cory Doctorow

pluralistic.net/2022/07/28/des

Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us
Turns out they're not all that rare. We just don't know how to find them.

By Dan Goodin

arstechnica.com/information-te

And More:

securelist.com/cosmicstrand-ue


Is It Possible to Reconcile Encryption and Child Safety?

"Recently, many of these same platforms have started to remove their ability to access a user’s content, through technologies including end-to-end encryption.
This shift fundamentally breaks most of the safety systems that protect users and that law enforcement relies on to help find and prosecute offenders."

By Ian Levy, Crispin Robinson

lawfareblog.com/it-possible-re

Report:

arxiv.org/pdf/2207.09506.pdf

Critical Vulnerabilities in GPS Trackers

This is a dangerous vulnerability:

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed.

Bruce Schneier

schneier.com/blog/archives/202


Russia Creates Malware False-Flag App

The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians:

schneier.com/blog/archives/202


Ring: Cops Can Still Obtain Recordings Without Warrants Or User Consent.

Welcome back to the negative news cycle, Ring! It’s been awhile.

Ring has spent years cultivating so-close-they’re-incestuous relationships with law enforcement agencies. Ring hands out free/cheap cameras to cop shops, asking in return that they hand them out to the townsfolk and nudge them towards sharing footage.

techdirt.com/2022/07/18/ring-c

Cyber Operations and Maschmeyer’s “Subversion Trilemma”

Maschmeyer’s trilemma—based on the trade-offs among speed, intensity, and control of cyber operations—is both insightful and easy to understand, unlike many other theories of cyber conflict.

By Jason Healey

lawfareblog.com/cyber-operatio

The First Cyber Safety Review Board Report is Out.

"Last year, President Biden created the Cyber Safety Review Board, with the intention that (akin to the National Transportation Safety Board) the new organization would review cyber incidents, examine root causes and, where necessary, make recommendations. Earlier this month the CSRB released its first report, an account of the Log4J event."

s3.documentcloud.org/documents

Marriott Hacked, Again. Will Face Few Repercussions, Again.

"This is all made possible because we’ve intentionally underfunded and understaffed FTC regulators in charge of privacy, refuse to pass even a baseline modern federal privacy law, and have, time and time again, prioritized wealth accumulation over the health and safety of consumers and markets alike."

Karl Bode

techdirt.com/2022/07/13/marrio
