IoT Hacking and Rickrolling My High School District

On April 30th, 2021, I rickrolled my high school district. Not just my school but the entirety of Township High School District 214. It's the second-largest high school district in Illinois, consisting of 6 different schools with over 11,000 enrolled students.

This story isn't one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast "Never Gonna Give You Up" in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!

In this post, I'll be explaining how I did it and how I evaded detection, as well as the aftermath when I revealed myself and didn't get into trouble.

https://whitehoodhacker.net/posts/2021-10-04-the-big-rick

⚠️ Always remember to use these techniques, instructions, or hardware only on devices whose owners or users have allowed it. Unauthorized access to other people's infrastructure is punishable by law.

#educational #iot #hacking
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Howto: Anonymous Internet Using Tor (+ Proxychains)

What proxies are and how to use them to make internet connections more anonymous/private: using Proxychains and Tor.

Proxychains allows you to string together as many proxies together as you like using a simple configuration file format.

We go into Tor Browser Preferences to help Windows users learn to configure a proxy without access to proxychains. This configuration applies to other browsers as well.

https://devtube.dev-wiki.de/videos/watch/991657ca-0f61-401d-bee0-19969271d442

#howto #guide #tor #proxys #privacy #internet #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets

Study reveals scale of data-sharing from Android mobile phones

An in-depth analysis of a range of popular Android mobile phones has revealed significant data collection and sharing, including with third parties, with no opt-out available to users.

Prof. Doug Leith at Trinity College Dublin along with Dr Paul Patras and Haoyu Liu at the University of Edinburgh examined the data sent by six variants of the Android OS developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS.

https://www.tcd.ie/news_events/articles/study-reveals-scale-of-data-sharing-from-android-mobile-phones/

👉🏽 PDF: https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf

#android #privacy #snooping #samsung #huawai #xiaomi #realme #lineage #eOS #study #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

[Reported] - Breach Exposed records from Brazil E-commerce platforms including MercadoLivre, amazonBR and many other.

https://canaltech.com.br/seguranca/brecha-expoe-17-bilhao-de-registros-de-plataforma-brasileira-de-e-commerce-198373/

https://nitter.pussthecat.org/hak1mlukha/status/1447889984615223297

via Twitter

#brazil #breach #MercadoLivre #amazonBR
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Adobe Uses DMCA to Nuke Project That Keeps Flash Alive, Secure & Adware Free

In January 2021, development and support for Adobe Flash was discontinued. That marked the end of an era but in reality, Flash wasn't quite dead. Flash Player is still available in China, something that was exploited by the Clean Flash project to continue making the software more widely and safely available. Adobe has now used the DMCA to shut the project down.

As far back as 2012, Adobe was planning for the eventual demise of its iconic Flash Player. Gradually superceded by new technologies, the importance Flash diminished over time and as dawn broke on 2021, Adobe ceased to develop and support it. Well, sort of.

While Adobe has indeed stopped shipping new global versions of Flash, the technology is still supported in two markets – Enterprise and China via Flash.cn – a site managed by Zhong Cheng Network, the only authorized distributor of Flash in China.

This was a significant move for local companies that still rely on Flash Player but also provided a limited opportunity to keep Flash alive, something of importance to those who don’t want historic Flash content to be rendered useless.

https://torrentfreak.com/adobe-uses-dmca-to-nuke-project-that-keeps-flash-alive-secure-adware-free-211012/

#adobe #flash #dmca
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Hacking the Furbo Dog Camera: Part I

The Furbo is a treat-tossing dog camera that originally started gaining traction on Indegogo in 2016. Its rapid success on the crowdfunding platform led to a public release later that year. Now the Furbo is widely available at Chewy and Amazon, where it has been a #1 best seller. The Furbo offers 24/7 camera access via its mobile application, streaming video and two-way audio. Other remote features include night vision, dog behavior monitoring, emergency detection, real-time notifications, and the ability to toss a treat to your dog. Given the device's vast feature set and popularity, Somerset Recon purchased several Furbos to research their security. This blog post documents a vulnerability discovered in the RTSP server running on the device. The research presented here pertains to the Furbo model: Furbo 2.

Once we got our hands on a couple of Furbos we began taking a look at the attack surface. Initially, the Furbo pairs with a mobile application on your phone via Bluetooth Low Energy (BLE), which allows the device to connect to your local WiFi network. With the Furbo on the network a port scan revealed that ports 554 and 19531 were listening. Port 554 is used for RTSP which is a network protocol commonly used for streaming video and audio. Initially the RTSP service on the Furbo required no authentication and we could remotely view the camera feed over RTSP using the VLC media player client. However, after an update and a reset the camera required authentication to access the RTSP streams.

https://www.somersetrecon.com/blog/2021/hacking-the-furbo-part-1

#hacking #furbo #camera
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Facebook Dangerous Individuals and Organizations List

https://theintercept.com/document/2021/10/12/facebook-dangerous-individuals-and-organizations-list-reproduced-snapshot/

#facebook #DeleteFacebook #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Influence government: exploring practices, ethics, and power in the use of targeted advertising by the UK state.

PDF: https://www.sccjr.ac.uk/wp-content/uploads/2021/09/SCCJR-Briefing-Paper_Influence-Government.pdf

💡 Read as well:
From Surveillance Capitalism to “Influence Government”: Using Microtargeted Ads to “Nudge” People’s Everyday Behavior
https://t.me/BlackBox_Archiv/2562

#surveillance #capitalism #influence #uk #government #microtargeting #ads #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Kim Dotcom: The Most Wanted Man Online (Cyber Crime Documentary)

A true-crime documentary, but with a cyber twist!

Tech entrepreneur and owner of the popular file-sharing site, MegaUpload, Kim Dotcom arrived in New Zealand with his family in late 2010. Seeking peace and quiet, Dotcom rented the largest mansion in the land and settled down into an extravagant, luxurious life with his family.

In January 2012, it all came crashing down. At the FBI's behest, 70 heavily armed officers stormed the mansion, arresting Dotcom and his coders on a range of charges relating to alleged copyright infringement by MegaUpload.

https://devtube.dev-wiki.de/videos/watch/7548c758-a752-4e80-9c72-6d90e82353a6

#truecrime #cybercrime #dotcom #MegaUpload #docu #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Customers On Alert as E-Commerce Player Leaks 1.7+ Billion Records

A Brazilian e-commerce firm has unwittingly exposed close to 1.8 billion records, including customers’ and sellers’ personal information, after misconfiguring an Elasticsearch server, according to researchers.

A team at SafetyDetectives led by Anurag Sen made the discovery in June and quickly traced the leak back to Hariexpress — a firm that allows vendors to manage and automate their activity across multiple marketplaces, including Facebook and Amazon.

Although the firm replied to the researchers just four days after they alerted it to the leak in early July, it was subsequently uncontactable. Infosecurity is currently trying to confirm if the issue has been fixed or not.

The server was left unencrypted with no password protection in place. It contained 610GB of data, including customers’ full names, home and delivery addresses, phone numbers and billing details. Also exposed were sellers’ full names, email and business/home addresses, phone numbers and business/tax IDs (CNPJ/CPF).

SafetyDetectives could not confirm the total number of those affected due to the size of the trove and the potential for duplicate email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” it claimed.

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach.”

These include phishing and social engineering attempts built around legitimate user and business details, tax rebate and returns scams using CPF information, and even theft of items from the homes of customers who ordered high-value goods.

https://www.infosecurity-magazine.com/news/ecommerce-player-leaks-billion/

💡 Read as well:
[Reported] - Breach Exposed records from Brazil E-commerce platforms including MercadoLivre, amazonBR and many other.
https://t.me/BlackBox_Archiv/2567

#brazil #breach #MercadoLivre #amazonBR #hariexpress
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

redact: tool for building decentralized, end-to-end encrypted websites

Hello Rust community! I'm very excited to show off for the first time a passion project a friend and I have been working on for about 4 months now, called Redact.

Redact is a tool for building end-to-end encrypted, zero-trust websites. By end-to-end encrypted we mean that not only is your connection to the website server protected by TLS, but each individual input field, and any user-submitted data displayed on the page, is a black-box inaccessible by either the host's server or the host's client-side Javascript. Websites that use Redact will store references to data in their databases, place those references in their HTML, and the user's device fills in the blank in an opaque way when the page loads. We do this with no Javascript and no in-browser encryption. We're like Signal/Telegram but for entire websites instead of just messaging. This is paired with a CRUD-only, encrypted storage provider that can be either third-party owned, or for the technically savvy, run solely by the user.

This project was initially motivated as a response to the large number of data breaches and data privacy concerns that have arisen in the last few years. The fundamental question we wanted to answer was: how can we keep the utility and rich content experience of a website in a modern browser, while at the same time assuring that a user's data cannot be stolen or unethically used? Our proposed solution is Redact.

We believe this project fits squarely within the "web3" space. Although we don't use blockchains, our project assumes zero-trust, decentralizes the storage of user data, and allows users to be self-sovereign by giving them ownership and control of their data

What we're looking for now is to see if anyone else sees this as a valuable idea, get feedback as to our architecture, and hear out any criticisms (some of which we already anticipate).

💡 You can find more information about how it works here: https://redact.ws/how-it-works

And if you're feeling brave, you can try connecting to the first ever "redacted" website by following our getting started docs here: https://docs.redact.ws/en/latest/getting-started.html

💡 Codebases:

— Local client: https://github.com/pauwels-labs/redact-client.git

— Storage server: https://github.com/pauwels-labs/redact-store.git

— Library that allows us to fluidly serialize, deserialize, and CRUD encrypted data: https://github.com/pauwels-labs/redact-crypto.git

https://old.reddit.com/r/rust/comments/q79grm/redact_tool_for_building_decentralized_endtoend/

#redact #encryption #websites
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Darknet Diaries - EP 102: Money Maker

Frank Bourassa had an idea. He was going to make money. Literally. Listen to the story of a master counterfeiter.

https://darknetdiaries.com/episode/102/

💡 Read as well:
On Master Counterfeiter Frank Bourassa
https://www.loyalnana.com/stories-1/2019/2/25/on-master-counterfeiter-frank-bourassa

#truecrime #darknetdiaries #podcast
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv

Restor is a science-based open data platform to support and connect the global restoration movement

Restor is accelerating the global restoration movement by connecting everyone, everywhere to local restoration. Restor connects people to scientific data, supply chains, funding, and each other to increase the impact, scale, and sustainability of restoration efforts. We believe that anyone can be a restoration champion, including you.

https://www.restor.eco/

#restor #nature #restoration #movement #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Unique on Facebook: Formulation and Evidence of (Nano)targeting Individual Users with non-PII Data

The privacy of an individual is bounded by the ability of a third party to reveal their identity. Certain data items such as a passport ID or a mobile phone number may be used to uniquely identify a person. These are referred to as Personal Identifiable Information (PII) items.

Previous literature has also reported that, in datasets including millions of users, a combination of several non-PII items (which alone are not enough to identify an individual) can uniquely identify an individual within the dataset. In this paper, we define a data-driven model to quantify the number of interests from a user that make them unique on Facebook.

https://arxiv.org/abs/2110.06636

#facebook #DeleteFacebook #nanotargeting #targeting #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

If you need another reason to switch to Tor Browser, check out @arthuredelstein's http://privacytests.org, an open-source tool using rigorous automated privacy tests to find out what kind of data different browsers leak.

https://nitter.pussthecat.org/torproject/status/1448411718749593604

via Twitter

https://privacytests.org/

#browser #privacy #tor
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Leave no trace: how a teenage hacker lost himself online

Edwin Robbe had a troubled life, but found excitement and purpose by joining an audacious community of hackers. Then the real world caught up with his online activities

José Robbe was leaving her place of work in Rotterdam when she saw a man and a woman walking towards her. It was a Tuesday afternoon, 20 March 2012. “Are you Mrs Robbe?” She nodded. The woman, who was wearing jeans and a black windcheater, explained that she was with the police. “I’d like to talk to you for a minute. It’s about your son, Edwin. We’re arresting him.” José stared, frozen. The woman asked if she would accompany them. Warily, José agreed.

At the police car, the officer told her they intended to surprise her son at the family home in Barendrecht, just south of Rotterdam, and arrest him on the spot. She asked if José wanted to be there for her son’s arrest. “No,” she replied grimly. It felt as if she had just betrayed her son. To stand by and watch would make it even worse. The police asked José for her house keys and dropped her off at a plaza by the local supermarket a few blocks from her house. She felt terrible as the officers drove away to arrest her eldest child, just a troubled 17-year-old. A little while later, three officers emerged from the house, escorting Edwin between them. He offered no resistance.

Edwin was taken to a detention centre in Houten, near Utrecht. Once he was gone, José finally re-entered her house. She sat on the living-room sofa, watching as officers rummaged through cabinets, filed up and down the stairs and bagged up flash drives, CD-Roms and telephones.

https://www.theguardian.com/technology/2021/oct/14/leave-no-trace-how-a-teenage-hacker-lost-himself-online

#teen #hacker
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

UK schools will use facial recognition to speed up lunch payments

Facial recognition may soon play a role in your child's lunch. The Financial Times reports that nine schools in the UK's North Ayrshire will start taking payments for canteen (aka cafeteria) lunches by scanning students' faces. The technology should help minimize touch during the pandemic, but is mainly meant to speed up transaction times. That could be important when you may have roughly 25 minutes to serve an entire school of hungry kids.

Both the schools and system installer CRB Cunningham argued the systems would address privacy and security concerns. CRB Cunningham noted its hardware wasn't using live facial recognition (actively scanning crowds), and was checking against encrypted faceprint templates. Schools were already using fingerprint readers, too, so this was more of a shift in biometric technology than a brand new layer of security. There were also concerns about fraud using conventional PINs — facial recognition is theoretically safer. North Ayrshire's council added that 97 percent of children or parents had offered consent.

https://telegra.ph/UK-schools-will-use-facial-recognition-to-speed-up-lunch-payments--Engadget-10-18

via www.engadget.com

#uk #facial #recognition
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

DPC sent "take down request" to noyb, after publishing a problematic Draft Decision stripping Facebook users of their rights under GDPR

Yesterday night, the Irish Data Protection Commission (DPC) sent an extraordinary letter (PDF) to noyb, saying it would "require [noyb] to remove the draft decision from your website forthwith, and to desist from any further or other publication or disclosure of same". noyb refused to self-censor and limit the public's access to problematic decisions. Alternatively, noyb invited the DPC to bring legal proceedings before the relevant Court in Austria, instead of sending letters that are intended to intimidate complainants.

— Take Down" request by the DPC of 14.10.2021 (PDF)
— Response by noyb of 15.10.2021 (PDF)
— noyb's posting on the draft decision

https://noyb.eu/en/dpc-requires-noyb-take-down-documents-website

#schrems #noyb #dpc #irland #austria #gdpr #facebook #DeleteFacebook #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Disinformation guru “Hacker X” names his employer: NaturalNews.com

Statement: 10/18/21

I decided to write this statement after seeing the continued escalation of dis/misinformation towards innocent bystanders, my background, and who the organization is/was. After reading many comments on the Ars article, I realize that many people feel that I am protecting the organization by not naming them. Some also feel that my coming forward was about me seeking to redeem myself publicly, and this couldn’t be further from the truth; I personally was on nobody’s radar prior to voluntarily coming forward, this was completely unforced. I came out a couple years ago masked, and I feel like I had to come forward unmasked to inform the public on how this news traveled, the mechanisms behind it, and the role I played in one of the organizations at the time, so the public could piece together what happened to better understand how to fight it and to help wake people up who are actively being manipulated. I knew there would be fallout from this, and if anyone thinks someone is willing to go under the constant horrible threats that I have gone under willingly to try to wake people up, I don’t know what more I can say.

I see things mentioned about money. I made very little money from this, I was frugal and saved, which is how I was able to have enough to get into the infosec industry full time.

I am seeing many conspiracy theories about Ax Sharma. Ax and I are not the same person. There wasn’t any ‘conspiracy’ associated with the article, or anything between him and I. He was wrongfully fired from Ars Technica. The only times I have spoken to Ax have been him getting quotes from me or asking me something about an article he was doing involving the hacking group I’m a part of.

https://robertwillishacking.com/statement-10-18-21/

#disinformation #hackerX #hacker #infosec #NaturalNews
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Ongoing Cyber Threats to U.S. Water and Wastewater Systems

Note: This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.

To secure #WWS facilities—including Department of Defense (#DoD) water treatment facilities in the United States and abroad—against the TTPs listed below, #CISA, #FBI, #EPA, and #NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.

https://us-cert.cisa.gov/ncas/alerts/aa21-287a

#usa #cyber #threats
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Agencies say agriculture groups being targeted by BlackMatter ransomware

A trio of federal agencies on Monday sounded the alarm about critical infrastructure groups, particularly agricultural organizations, being targeted by a prolific ransomware group.

The FBI, the Cybersecurity and Infrastructure Security Agency #CISA and the National Security Agency #NSA put out a joint advisory warning of targeting by “ #BlackMatter ransomware,” connecting the group to previous attacks this year.

“Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations,” the agencies wrote.

https://thehill.com/policy/cybersecurity/577266-agencies-say-agriculture-groups-being-targeted-by-blackmatter-ransomware

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

#usa #cyber #ransomware #cisa #fbi #cybersecurity #agriculture #blackmatter
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv