Code Execution Flaw in Vim and Neovim
Razmjou discovered a flaw in the way the Vim editor handles "modelines", a feature that is enabled by default and automatically finds and applies a set of custom preferences that the creator of a file has placed near the first and last lines of the document.
Although the editor only allows a subset of options in modelines (for security reasons) and applies sandbox protection when a modeline contains an unsafe expression, Razmjou showed that the ":source!" command (with a bang [!] modifier) can be used to bypass the sandbox.
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Patches and NVIM 0.3.6:
https://github.com/vim/vim/commit/5357552
https://github.com/neovim/neovim/pull/10082
https://github.com/neovim/neovim/releases/tag/v0.3.6
#patch #vulnerability #vim #neovim #alert #update
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Amazon is the most valuable brand in the world
An increase in value of more than 52 percent last year made Amazon the most valuable brand in the world, according to a report. The online retailer is now ahead of Apple and Google for the first time.
Google was the most valuable brand in 2018 but has now fallen to third place with a brand value of just under 273 billion dollars. Apple remained in second place with just over 273.5 billion dollars. Visa ranked fifth, Facebook sixth. Seventh place went to the Chinese online retailer Alibaba, which climbed two places with a brand value of 116 billion dollars and thus positioned itself ahead of Tencent. McDonald's and the telecommunications group AT&T ranked ninth and tenth respectively.
📺 https://youtu.be/ti5manNDF_c
https://www.brandz.com/
#DeleteAmazon #DeleteGoogle #DeleteApple #DeleteFacebook #brandz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Risky Business #543 -- NYTimes blames NSA for Baltimore hacks, Assange faces espionage charges
NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
Assange to face espionage charges, extradition fight looming
SandboxEscaper just keeps dropping those 0days
Fury over Facebook’s response to doctored Pelosi video
The news that in 2019 Germany has decided to support backdoors in messengers such as WhatsApp and Threema
Much, much more
📻 Risky Business #543 #podcast
https://risky.biz/RB543/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Bellingcat’s Online Investigation Toolkit
Welcome to Bellingcat’s freely available online open source investigation toolkit.
You can follow our work via our website, Twitter and Facebook. (We also provide three to five day open source investigation workshops.) This is version 4.7 (May 13, 2019). The list includes satellite and mapping services, tools for verifying photos and videos, websites to archive web pages, and much more. The list is long, and may seem daunting. There are guides at the end of the document, highlighting the methods and use of these tools in further detail. We also provide tailored digital forensics workshops. Feel free to suggest tools via email (christiaantriebert@bellingcat.com) or Twitter (@trbrtc). To view an outline of the document, click “View” and then “Show document outline”. There’s also one below. The “OSINT Landscape” — a condensed version of the online investigation toolkit below — can be downloaded in high resolution here. https://pbs.twimg.com/media/DXM63T0WsAA7E-a.jpg:large
https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/mobilebasic
#Bellingcat #investigation #tool
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Each of us eats one credit card per week.
The particles are smaller than five millimetres and are found in food, drinking water and air. Depending on where they live and what they eat, people take in five grams of microplastic every week. The big question is: how bad is this for the body?
People consume microplastics daily, through food, drinking water or simply breathing. Up to five grams of these tiny particles enter a person's body every week, depending on his or her circumstances. That is the estimate of researchers at the University of Newcastle (Australia), who reviewed existing studies on behalf of the environmental foundation WWF. By way of comparison, a credit card also weighs about five grams.
The researchers' study is based on data on microplastics (particles smaller than five millimetres) in the air we breathe, in drinking water, in salt, beer and shellfish. According to WWF microplastics expert Caroline Kraas, microplastics that may be taken in by other routes were not included in the Australian analysis. The researchers also excluded fish despite available data, as it is not clear how much microplastic is eaten and how much remains in the animals' intestines.
The WWF calls for a global agreement against plastic pollution with binding targets. "If we don't want plastic in our bodies, we must prevent millions of tons of plastic waste from ending up in nature every year," said Heike Vesper, head of marine conservation at WWF Germany, according to a statement.
PDF Fraunhofer:
https://www.umsicht.fraunhofer.de/content/dam/umsicht/de/dokumente/publikationen/2018/kunststoffe-id-umwelt-konsortialstudie-mikroplastik.pdf
PDF WWF:
https://www.wwf.de/fileadmin/fm-wwf/Publikationen-PDF/WWF-Faktenblatt-Mikroplastik.pdf
Read more 🇩🇪: https://www.welt.de/gesundheit/article195127017/Mikroplastik-Jeder-von-uns-isst-eine-Kreditkarte-pro-Woche.html
#microplastics #pollution #why #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Media is too big
VIEW IN TELEGRAM
Hong Kong - Police use tear gas against demonstrators
The protests in Hong Kong against the controversial extradition law led to riots. According to eyewitnesses, police used tear gas and pepper spray against demonstrators near government buildings and tried to disperse them.
https://twitter.com/hongkonghermit?lang=en
#freehongkong #humanrights
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
A Fake Zuckerberg Video Challenges Facebook’s Rules
Two weeks ago, Facebook declined to remove a doctored video in which the speaker of the House, Nancy Pelosi, seemed to drunkenly slur her speech. Over the weekend, two British artists released a doctored video of Facebook’s chief executive, Mark Zuckerberg, as a sly comment on the spread of false information online.
Posted to the Facebook-owned social network Instagram, the video shows Mr. Zuckerberg speaking directly into the camera, boasting of nefarious motives behind his online empire.
https://www.nytimes.com/2019/06/11/technology/fake-zuckerberg-video-facebook.html
#deepfake #video
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
🎧 Google Workers Rise Up: Inside the Protests
Google has long had a special relationship with staff, encouraging employee input on all sorts of internal matters. For the last two decades, this approach has worked well. But after a series of controversies and protests in the last two years, some workers are openly at war with Google. This week on Decrypted, editor Alistair Barr speaks to Irene Knapp, a senior software engineer who has had a front-row seat during the tumult inside the company.
📻 https://www.bloomberg.com/news/audio/2019-06-10/google-workers-rise-up-inside-the-protests-podcast
#DeleteGoogle #bloomberg #podcast
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Critical Flaw Reported in Popular Evernote Extension for Chrome Users
As shown in the video demonstration, the researchers also developed a Proof-of-Concept (PoC) exploit that can inject a customized payload on targeted websites, and steal cookies, credentials, and other private information from an unsuspecting user.
https://thehackernews.com/2019/06/evernote-extension-hacking.html
#exploit #evernote #extension #chrome #browser #poc
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
How Hong Kong demonstrators organised
Tens of thousands of protesters have taken to Hong Kong's streets in opposition to a bill that would allow extradition to mainland China.
The demonstrators have said they are not operating in a planned movement, but have been cooperating on the ground as they have come under pressure to disperse from security forces.
📺 https://www.bbc.com/news/av/world-asia-48622346/how-hong-kong-demonstrators-organised
Hong Kong - Police use tear gas against demonstrators
📺 https://t.me/BlackBox_Archiv/429
#FreeHongKong
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
📺 Language is a Weapon
“In our time it is broadly true that political writing is bad writing” wrote George Orwell 70 years ago, and the observation remains true today. But bad writing is not just bad writing; the language employed by politicians (and their string pullers) can literally be a matter of life and death. Join James today on the podcast as he delves into the tyrants’ linguistic weapons and how we can arm ourselves against them.
📺 #CorbettReport Episode 357 – #Language is a #Weapon #video #podcast
https://www.corbettreport.com/episode-357-language-is-a-weapon/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
🎧 The “Privacy Policy” Policy
Privacy policies: most apps and websites have them, buried away somewhere. These legal documents explain how companies collect, use, and share your personal data. But let’s be honest, few of us actually read these things, right? And that passive acceptance says a lot about our complicated relationship with online privacy.
In the Season 5 premiere of IRL, host Manoush Zomorodi speaks with Charlie Warzel, writer-at-large with the New York Times, about our complicated relationship with data and privacy — and the role privacy policies play in keeping things, well, confusing. You’ll also hear from Parker and Lila, two young girls who realize how gaming and personal data intersect...(...)
📻 #IRL Season 5: Episode 1 The “Privacy Policy” Policy #podcast
https://irlpodcast.org/season5/episode1/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
PayPal subsidiary Venmo leaves transactions open on the Internet
The transactions, including personal data, can be retrieved via the API of the Venmo payment service. According to a report, a computer science student downloaded seven million transactions and published them on GitHub.
The PayPal subsidiary Venmo advertises its service as "the fun and easy way to send, spend and receive money". Transactions processed with the payment service are publicly viewable by default and can therefore be entertaining even for non-users. Computer science student Dan Salmon collected seven million transactions and published them on GitHub, TechCrunch reports. The payment service currently has around 40 million users. https://github.com/sa7mon/venmo-data
A year ago, programmer and privacy researcher Hang Do Thi Duc downloaded over 207 million records from Venmo. She presented the data creatively and entertainingly in the project Public By Default (https://publicbydefault.fyi/). In addition to various statistics, she uses the data to tell little stories from the lives of Venmo users, for example about a married couple who go to the vet together, shop at Walmart and order certain dishes to take away. With this project, Do Thi Duc wanted to draw attention to the privacy problems of the payment service. She therefore published the data and stories anonymously and explained in instructions how users can change the public default setting. https://www.vice.com/en_us/article/j5n8wk/public-by-default-venmo-privacy-settings
The Venmo data also inspired other projects, for example a Twitter bot called "Who buys drugs from Venmo?". It searched the transaction comments for relevant keywords or emojis and then tweeted the profile pictures and user names of the Venmo users involved. The tweets have now been deleted.
https://www.golem.de/news/datenschutz-paypal-tochter-venmo-belaesst-transaktionen-im-internet-1906-141947.html
#DataPrivacy #Venmo #PaymentService #API #transaction #details #GitHub
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities
Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.
The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.
There are patches that address most of these vulnerabilities. If patches cannot be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described in the advisory, based on their environment.
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
#Linux #security #FreeBSD #Kernel #vulnerabilities #netflix #patches #alert
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Thermomix from Lidl: Monsieur Cuisine Connect hacked
The insecurity of many "smart" devices is well known. Now there is a new example: a kitchen appliance that is supposedly extremely popular with customers runs an old version of Android and, according to French hackers, can easily be turned into a surveillance device (it has a built-in microphone). Even good old "Doom" can be played on the miracle mixer.
📺 https://www.youtube.com/watch?v=WeTAwJisF3c
#Thermomix #lidl #hack #privacy
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Top 20 Public Bug Bounty Programs
The HackerOne bug bounty platform shows how quickly, and to what extent, Intel, PayPal & Co. pay out bounties to security researchers.
According to the report, Verizon Media has paid out the highest total amount to date, more than $4 million. Its bug bounty program has been in place since early 2014 and has since worked with various security researchers to resolve more than 5,000 security problems.
PayPal has paid the highest single bounty for a vulnerability to date, 30,000 US dollars. Such payouts are usually for vulnerabilities that attackers can exploit to execute malicious code over the Internet without logging in. An attacker in that position could, for example, take complete control of a web server. Such remote code execution vulnerabilities are the most dangerous class of security flaw.
Shopify, the e-commerce software provider, pays bounties on average within two days and thus leads the rankings in this category. By comparison, GitLab takes an average of three months. Starbucks responds quickly to reported vulnerabilities, giving feedback after an hour on average.
https://www.hackerone.com/sites/default/files/2019-06/H1-718_Top%2020%20Public%20Bug%20Bounty%20Programs_V2.pdf
#pdf #BugBounty #HackerOne
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
🎧 Why Silicon Valley Is Hiring Bird Experts
A few years ago, reporter Sarah McBride noticed that a top engineer at Twitter was also an expert on the brains of birds. Then, more and more, she started seeing that many top tech companies have bird brain experts in their highest ranks -- that includes Apple, Google, Intel and a secretive startup founded by Elon Musk. This week on Decrypted, Sarah and fellow reporter Ashlee Vance set out to understand why Silicon Valley is so interested in avian minds, and what they could tell us about tech’s ability to influence our own.
📻 https://www.bloomberg.com/news/audio/2019-06-18/why-silicon-valley-is-hiring-bird-experts-podcast
#podcast #bloomberg
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
🎧 The 5G Dragnet
Telecom companies are currently scrambling to implement fifth-generation cellular network technology. But the world of 5G is a world where all objects are wired and constantly communicating data to one another. The dark truth is that the development of 5G networks and the various networked products that they will give rise to in the global smart city infrastructure, represent the greatest threat to freedom in the history of humanity.
📺 #CorbettReport Episode 358 – The #5G #Dragnet #video #podcast
https://www.corbettreport.com/5g/
Amazon wants to sell “surveillance as a service”
Amazon has filed a patent to use delivery drones as mobile surveillance cameras. These cameras will then be used as part of "surveillance as a service" to take pictures as they approach their delivery points. Customers could also request regular fly-bys of the drones.
In case Amazon’s surveillance capabilities weren’t extensive enough with its Echo, Ring, and Key products, not to mention all the data Amazon routinely collects on its customers, the company recently received a US patent to provide “surveillance as a service.”
The patent is for an “unmanned aerial vehicle”—the technical term for a drone—that “may perform a surveillance action at a property of an authorized party” and could “image the property to generate surveillance images.” Amazon suggests in its patent, filed June 12, 2015, and granted June 4 of this year, that drone-based surveillance would be superior to traditional video-camera installations that have limited range, are liable to miss things, and can be manipulated or damaged by an intruder.
https://qz.com/1648875/amazon-receives-us-patent-for-surveillance-as-a-service/
And
https://telegra.ph/Amazon-drones-could-be-used-to-spy-on-your-home-and-spot-intruders-patent-reveals-06-21
#DeleteAmazon #surveillance #cameras #drones #why
Facebook usage falling after privacy scandals, data suggests
Actions such as shares and likes down nearly 20%, though user numbers still growing
Since the Cambridge Analytica scandal in April 2018, the number of likes, shares and posts has fallen by about a fifth, according to estimates by the analytics firm Mixpanel. Facebook nevertheless states that its number of daily users has since risen markedly, to 1.56 billion people worldwide. This suggests that although many people no longer actively use Facebook, they are reluctant to leave the platform altogether, not least because of Facebook's messenger services.
Facebook usage has plummeted over the last year, according to data seen by the Guardian, though the company says usage by other measures continues to grow.
Since April 2018, the first full month after news of the Cambridge Analytica scandal broke in the Observer, actions on Facebook such as likes, shares and posts have dropped by almost 20%, according to the business analytics firm Mixpanel.
Taking that month as a baseline, total actions fell by more than 10% within a month, recovered a bit over the summer and then fell again over the autumn and winter of 2018, except for a brief rally over the period of the US midterm elections.
Likes, shares and posts on Facebook have plummeted since the Cambridge Analytica scandal of spring 2018
The decline coincided with a series of data, privacy and hate speech scandals. In September the company discovered a breach affecting 50m accounts, in November it admitted that an executive hired a PR firm to attack the philanthropist George Soros, and it has been repeatedly criticised for allowing its platform to be used to fuel ethnic cleansing in Myanmar.
Facebook’s own statistics show increases in daily and monthly active users (DAUs and MAUs), the numbers logging on to the site at least once in the respective periods, during the year ending March 2019.
In the company’s latest quarterly earnings report, published in April, it said it averaged 1.56bn DAUs in March up 8% on March 2018, and MAUs were also up 8% year on year.
The two sets of numbers can be reconciled. Anecdotal reports over the past year have suggested that while few users have deleted their Facebook accounts or stopped logging on since the scandals, many have reduced their usage.
This month a market research firm, eMarketer, reported a decline in Facebook usage in the US, saying the typical Facebook user spent 38 minutes a day on the site, down from 41 minutes in 2017.
“On top of that, Facebook has continued to lose younger users, who are spreading their time and attention across other social platforms and digital activities,” eMarketer said.
https://www.theguardian.com/technology/2019/jun/20/facebook-usage-collapsed-since-scandal-data-shows
#DeleteFacebook #analysis