UK.gov wants mobile makers to declare death dates for their new devices from launch

IoT security plan suddenly thrusts into the mainstream

Phone, tablet, and IoT gadget makers will have to state when they'll stop providing security updates for new devices entering the market, the UK's Department for Culture, Media and Sport (DCMS) vowed this morning.

Today's pledge would see existing plans for internet-connected tat extended to smartphones and tablets, which is a large step for a scheme originally put together for landfill Internet-of-Things devices such as webcams.

Digital Infrastructure Minister Matt Warman said in a canned statement: "Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems."

The £70m Secure by Design plan has been telegraphed by the DCMS for years, though today's extension to everyday smartphones is notable.

On top of this, smart device makers will also be banned from publishing default admin passwords for their wares. Such admin passwords are a standard method for digital crims to break into a device or the network to which it is connected.

A government-sponsored study from University College London two years ago, highlighted today by DCMS, said typical IoT devices come with no crime prevention advice, which is presumably the sort of finding that UK.gov enjoys seeing public money poured into.

https://www.theregister.com/2021/04/21/ukgov_death_dates_smartphones_iot_security/

#smartphones #iot #security #updates
📡 @nogoolag 📡 @blackbox_archiv

Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity

State of the art malware detection techniques only consider the interaction of programs with the operating system’s API (system calls) for malware classification. This paper demonstrates that techniques like these are insufficient. A point that is overlooked by the currently existing techniques is presented in this paper: Malware is able to interact with windows providing the corresponding functionality in order to execute the desired action by mimicking user activity. In other words, harmful actions will be masked as simulated user actions.

https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9186656#fghj7

#phantom #malware #detection #antivirus #windows #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

I Made A Water Computer And It Actually Works

Computers add numbers together using logic gates built out of transistors. But they don't have to be! They can be built out of greedy cup siphons instead! I used specially designed siphones to works as XOR and AND gates and chained them together so they add 4 digit binary numbers.

https://www.youtube.com/watch?v=IxXaizglscw

#water #computer #video
📽@cRyPtHoN_INFOSEC_FR
📽@cRyPtHoN_INFOSEC_EN
📽@cRyPtHoN_INFOSEC_DE
📽@BlackBox_Archiv
📽@NoGoolag

Apple’s AirDrop leaks users’ PII, and there’s not much they can do about it

Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.

AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there's not much anyone can do to stop it other than to turn it off, researchers said.

AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.

A matter of milliseconds

To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender's phone number and email address. If any of the truncated hashes matches any phone number or email address in the address book of the receiving device or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses.

Hashes, of course, can't be converted back into the cleartext that generated them, but depending on the amount of entropy or randomness in the cleartext, they are often possible to figure out. Hackers do this by performing a "brute-force attack," which throws huge numbers of guesses and waits for the one that generates the sought-after hash. The less the entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.

The amount of entropy in a phone number is so minimal that this cracking process is trivial since it takes milliseconds to look up a hash in a precomputed database containing results for all possible phone numbers in the world. While many email addresses have more entropy, they too can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.

https://arstechnica.com/gadgets/2021/04/apples-airdrop-leaks-users-pii-and-theres-not-much-they-can-do-about-it

#apple #mac #iphone #airdrop #vulnerability
📡 @nogoolag 📡 @blackbox_archiv

India asks Twitter to take down some tweets critical of its COVID-19 handling

The Indian government asked social media platform Twitter (TWTR.N) to take down dozens of tweets, including some by local lawmakers, that were critical of India’s handling of the coronavirus outbreak, as cases of COVID-19 again hit a world record.

Twitter has withheld some of the tweets after the legal request by the Indian government, a company spokeswoman told Reuters on Saturday.

The government made an emergency order to censor the tweets, Twitter disclosed on Lumen database, a Harvard University project.

In the government's legal request, dated April 23 and disclosed on Lumen, 21 tweets were mentioned. Among them were tweets from a lawmaker named Revnath Reddy, a minister in the state of West Bengal named Moloy Ghatak and a filmmaker named Avinash Das.

https://www.reuters.com/world/india/india-asks-twitter-take-down-some-tweets-critical-its-covid-19-handling-2021-04-24/

💡 read this as well:
https://www.thehindu.com/news/national/other-states/seize-property-of-those-spreading-rumours-up-cm/article34404518.ece

#india #twitter #covid #corona #thinkabout
📡 @nogoolag 📡 @blackbox_archiv

University of Minnesota security researchers apologize for deliberately buggy Linux patches

The abashed University of Minnesota researchers apologized for their blunders, but the issues are far from resolved. And, Linus Torvalds briefly addresses the fouled up Linux patches.

Last week, some University of Minnesota (UMN) security researchers kicked a hornet nest, when it was revealed that they'd tried to insert deliberately buggy patches into Linux. Greg Kroah-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only them but any UMN-connected developers from contributing to the Linux kernel. Now, the researchers have sort of, kind of, apologized for their mistakes: "We sincerely apologize for any harm our research group did to the Linux kernel community."

https://www.zdnet.com/article/university-of-minnesota-security-researchers-apologize-for-deliberately-buggy-linux-patches/

https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u

#opensource #security #minnesota #university #trolling #apologize
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs

Uninstall code, distributed from backend servers seized in January, fired on Sunday

Notorious Windows malware Emotet was automatically wiped from computers yesterday by European law enforcement using a customized DLL.

This specially crafted time bomb caused the software to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in a multinational police operation.

Those raids were largely successful: on Friday this week, malware tracker site Abuse.ch’s Emotet portal showed none of the Emotet C2 servers it tracks were online.

As the dust settled from the swoops, the officers and agents involved wondered what to do next. The answer was to set a firm death date. Infosec bods subsequently spotted that the backend systems seized by the police had made available a software update for Emotet that, once automatically downloaded and quietly installed, would activate an uninstall routine this weekend.

Infosec outfit MalwareBytes confirmed on Sunday that its updated Emotet install had indeed completely removed itself as expected.

Mariya Grozdanova, a threat intelligence analyst at Redscan, described the cops' deinstallation code to The Register: “The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated."

https://www.theregister.com/2021/04/26/emotet_sunday_25_april_killswitch_date/

https://nitter.pussthecat.org/MBThreatIntel/status/1386413655659479043

💡 read this as well:
https://t.me/BlackBox_Archiv/1707

💡 read this as well:
https://t.me/BlackBox_Archiv/1705

💡 read this as well:
https://t.me/BlackBox_Archiv/1703

#malware #botnet #emotet #bka #europol #busted #takedown #uninstall
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

“SWAT team of nerds” - Pentagon explains odd transfer of 175 million IP addresses to obscure company

Something weird happened minutes before Trump left—US says it was security research.

The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a "pilot" project to conduct security research.

"Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life," was the title of a Washington Post article on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC "discreetly announced to the world's computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military."

The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world's largest announcer of IP addresses in the IPv4 global routing table.

"The theories were many," the Post article said. "Did someone at the Defense Department sell off part of the military's vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?"

The Post said it got an answer from the Defense Department on Friday in the form of a statement from the director of "an elite Pentagon unit known as the Defense Digital Service." The Post wrote:

"Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a "pilot effort" publicizing the IP space owned by the Pentagon.

"This pilot will assess, evaluate, and prevent unauthorized use of DoD IP address space," Goldstein said. "Additionally, this pilot may identify potential vulnerabilities."

Goldstein described the project as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated."

https://arstechnica.com/information-technology/2021/04/pentagon-explains-odd-transfer-of-175-million-ip-addresses-to-obscure-company/

#usa #pentagon #ip #adresses #why
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

NewPipe Releases (unofficial) - NewPipe's GitHub releases

The APK sent here cannot be installed over F-Droid's one because they use different signing keys (details)

This pull request adds an experimental SponsorBlock integration, the fork's apk is linked there

👉🏼 https://t.me/newpipe_releases 👈🏼

💡 read this as well: YouTube video hosting alternatives
https://t.me/NoGoolag/2284

#newpipe #youtube #alternatives
📡 @nogoolag 📡 @blackbox_archiv

Arch User Repository Blocks Pamac

Pamac is causing an excessive amount of requests to aur.archlinux.org

Hi.
Today we had an incident where aur.archlinux.org went down for a couple of hours. In investing the issue, we found out that Pamac user agent was responsible for making a very large number of requests to the AUR that caused it to stop responding to new requests.
We have completely blocked the Pamac user agent, to restore service for the users. It seems there's an issue with the latest pamac version that's causing this number of requests.

https://gitlab.manjaro.org/applications/pamac/-/issues/1017

#arch #archlinux #pamac
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Reproducing Spectre Attack with gem5, How To Do It Right?

💡Table of Contents:

1. Introduction
2. HowTo
2.1. How to Setup the Native ARM System
2.2. How to Perform the Spectre Attack
2.3. How to Setup gem5 for a Full-System Simulation
2.4. How to Simulate Spectre with gem5
2.5. How to Visualize the Pipeline of a gem5 Processor with Konata
3. Implementations
3.1. Spectre
3.2. gem5
4. Appendices

https://pierreay.github.io/reproduce-spectre-gem5/

#attack #spectre #gem5
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

NoFb Event Scraper

This app scrapes Facebook event links and adds the event to your calendar

https://github.com/akaessens/NoFbEventScraper

https://f-droid.org/repo/com.akdev.nofbeventscraper

The purpose of this application is to get access to Facebook events without an account.
Therefore it does not use the Facebook API.
Instead it opens the Facebook event URI and downloads the website HTML code.
This source should contain the event information in form of structured data.
That data is extracted and used to create Android events.

Features:
* Does not use Facebook API
* Supports "open-with" and "share-to"
* Independent from Facebook regional sub-domain URLs
* Saves history of scraped events
* Handles upcoming events from pages


#fb #Facebook #deletefacebook
📡 @libreware 📡 @nogoolag 📡 @blackbox_archiv

Why is Telegram no longer updated in the Play store?

All third party clients will be removed from play.

As you know, Telegram Android's code is full of coupling, complexity, and shit. They compress a month's worth of shit into one commit at a time and release it, then close the issue section. But is there more?

Last year, the Play store required all apps to update their target API to 29 (Android Pie).

One year later, what has Telegram changed? Just a requestLegacyExternalStorage cheat symbol.

Back to the question, why is Telegram no longer updated in the play store? Because they don't want to modify their shit mountain for their users; to avoid being unexplainable, they stop updating a month in advance, and once they are taken down by Google, it can be attributed to censorship.

Oppose censorship, but don't support being fed shit.

If this happens, please don't support Telegram, for the sake of true freedom.

https://telegra.ph/Why-is-Telegram-no-longer-updated-in-the-Play-store-04-26

#telegram #google #playstore #updates #censorship #comment
📡 @nogoolag 📡 @blackbox_archiv

Payments 2.0, Scheduled Voice Chats, New Web Versions

This update brings Payments 2.0 for all Telegram chats, Scheduling and Mini Profiles for Voice Chats, new versions of Telegram Web for your browser, and more.

Payments 2.0
• Offer real goods and services for sale in any group, channel or bot – Telegram doesn't charge a commission.
• Pay for goods securely using one of the 8 integrated payment providers – Telegram doesn't collect your payment info.
• See how this works in our @TestStore.

Scheduled Voice Chats
• Schedule voice chats to let participants know about them in advance.
• View a countdown to the voice chat and get notified when it starts.

New Web Versions
• Try two new, fully-featured versions of Telegram Web – both supporting animated stickers, dark mode, chat folders and more: https://webk.telegram.org/ and https://webz.telegram.org/.

More about this update:
https://telegram.org/blog/payments-2-0-scheduled-voice-chats

#telegram #update
📡 @nogoolag 📡 @blackbox_archiv

Firefox and Chromium - Madaidans-Insecurities (Last edited: April 26, 2021)

Chromium is vastly more secure than Firefox. Firefox's sandboxing and exploit mitigations are much weaker than Chromium's. This article is not blindly hating on Firefox but is a factual analysis of its weaknesses.

https://madaidans-insecurities.github.io/firefox-chromium.html

💡 read this as well:
https://t.me/BlackBox_Archiv/831

#madaidan #insecurities #information #android #linux #ff #chrome #chromium #bsd #vpn #thinkabout
📡 @nogoolag 📡 @blackbox_archiv

Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t

Researchers say hundreds of preinstalled apps can access a log found on Android devices where sensitive contact tracing information is stored.

When Google and Apple introduced their COVID-19 contact tracing framework in April 2020, the companies aimed to reassure people worried about sharing private health information with major corporations.

Google and Apple provided assurances that the data generated through the apps—people’s movements, who they might have come in contact with, and whether they reported testing positive for COVID-19—would be anonymized and would never be shared with anyone other than public health agencies.

“Our goal is to empower [public health agencies] with another tool to help combat the virus while protecting user privacy,” Google CEO Sundar Pichai wrote in a tweet last May, when the framework became publicly available.

Apple CEO Tim Cook provided similar assurances.

Since then, millions of people have downloaded contact tracing apps developed through Apple’s and Google’s framework: The U.K.’s National Health Services’ app has at least 16 million users, while Canada’s Digital Service COVID Alert app boasted more than six million downloads in January, and Virginia’s Department of Health noted more than two million residents were using its COVIDWISE app.

California governor Gavin Newsom endorsed his state’s version of the app, calling it “100% private & secure” in a tweet last December.

But The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers from the privacy analysis firm AppCensus alerted Google to the problem back in February of this year, Google failed to change it. AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company found no similar issues with the iPhone version of the framework.

https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt

#google #DeleteGoogle #contact #tracing #app #privacy
📡 @nogoolag 📡 @blackbox_archiv

Cellebrite Pushes Update After Signal Owner Hacks Device

The law enforcement forensics provider updated some of its products a few days after a security researcher claimed to have found critical vulnerabilities in Cellebrite’s devices.

Cellebrite, a well-known provider of phone-unlocking and hacking technology for law enforcement agencies, pushed an update to its products less than a week after the CEO of Signal claimed to have hacked one of the company's products.

Moxie Marlinspike, the founder of the popular encrypted messaging app Signal, explained in a blog post last week that he had obtained a Cellebrite device and found that "industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present." According to him, that allowed an attacker to embed malicious files in their app or phone—once connected to a Cellebrite unlocking device—that would then exploit the Cellebrite devices and manipulate what kind of data the device could access, potentially compromising police investigations.

http://telegra.ph/Cellebrite-Pushes-Update-After-Signal-Owner-Hacks-Device-04-27

via www.vice.com

💡 read this as well:
https://t.me/BlackBox_Archiv/2073

#signal #hack #forensics #cellebrite #israel #vulnerabilities
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

The Shameless EXTORTION in Mobile Gaming

The mobile gaming industry has long been dominated by scams, false advertising, and shady business practices but today we can add extortion to the list, because 37GAMES, a world renowned developer with top 100 properties on the app-store, has decided to extort their low paying users (not their whales) for large amounts of cash.

In the world of exploit or "glitch" punishment by gaming developers, this might be the worst response I have ever seen.

https://www.youtube.com/watch?v=ZADqK-D6vPo

#mobile #gaming #industry #extortion #video
🎥 @nogoolag 🎥 @blackbox_archiv

Cellebrite Physical Analyzer no longer fully available for iPhones following Signal blog post

The Cellebrite Physical Analyzer – the most intrusive phone-cracking tool offered by the company – no longer fully supports iPhones, according to a document shared with us. The company has ceased offering this deep dive into data stored on iPhones following the discovery and exploitation of a vulnerability by secure messaging app Signal.

Signal discovered multiple security vulnerabilities in Cellebrite’s software, and was able to find a way to booby-trap iPhones to corrupt the results of a scan using Physical Analyzer …

💡Background

Cellebrite offers hardware and software designed to allow users to break into smartphones, and extract data from them. The company’s products are used by law enforcement agencies around the world, including those in some unsavory nation states likely to be using them to crack down on political dissidents.

Signal managed to get its hands on the software suite, including the Physical Analyzer module, which offers the deepest dive into the data stored on a smartphone. The messaging company carried out its own analysis of the software, finding a surprising number of security vulnerabilities.

It was able to exploit one of these to allow any iPhone to corrupt the data on any machine running the software. This would not only render useless the scan of the connected iPhone, but also corrupt the results of both past and future scans using the same machine.

All that was required, Signal said in a blog post, was to place a carefully crafted file onto the device. The post said that the company was now doing this for all Signal users. Indeed, even some non-Signal users chose to install the app simply to get this protection.

https://9to5mac.com/2021/04/27/cellebrite-physical-analyzer-iphone/

#cellebrite #physical #analyzer #iphone #hack #signal
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Hack Across America - USB drop attack in the Death Valley

This time on Hack Across America, we don't go to Death Valley for a very special USB drop attack and your Q&A!

https://www.youtube.com/watch?v=tvRRR71HZ60

#hak5 #usb #drop #attack #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv
🎥@NoGoolag

DigitalOcean says customer billing data ‘exposed’ by a security flaw

DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date, and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.

“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.

DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.

In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

Companies with customers in Europe are subject to GDPR, and can face fines of up to 4% of their global annual revenue.

https://telegra.ph/DigitalOcean-says-customer-billing-data-exposed-by-a-security-flaw--TechCrunch---IATA-News-04-28

via www.iatanews.com

#digitalocean #breach #leak #customer #data
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag