Vulnerabilities
Un-carrier? Definitely Unsecure: T-Mobile US admits 48m customers’ details stolen after downplaying reports

6 Likes

Apple’s NeuralHash Algorithm Has Been Reverse-Engineered - Schneier on Security

Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.

Um…

Not “reverse engineered” as such. It has been extracted from iOS 14.3, where it was already, unannounced, and put in a test harness. The investigators demonstrated two images, quite distinct, with the same hash, which means Bad Guys can launch DoS attacks by generating n → ∞ matching images and overloading the manual verification.

From the blog Comments:

One wonders if Apple’s client-side scanning isn’t ultimately intended for markets where false positives are even less of an issue than in the US and the technology is merely being labelled as anti-pedophilia for western consumption.

:bell::bell::bell: … well duh … there are major “markets” in jurisdictions where not having a back door would be considered “obstruction of justice”.

One is also led to suspect that Apple announced its Neural Hash/CSAM protection thing as cover when they knew the algorithm was about to be outed.

Edit: Apple claims to have mitigation strategies. I suspect the hashes of images of interest will leak eventually. Cross posted to “Apple Privacy Issues”.

2 Likes

One is also led to suspect that Apple announced its Neural Hash/CSAM protection thing as cover when they knew the algorithm was about to be outed.

Further thought: it would be interesting to find out if any other Apple sub-systems send a quiet, probably well hashed, note to the Mother Ship when they encounter text of interest (the ghost, no doubt, of the old NSA Line Eater of days of yore).

Again, assume that anything that is technically feasible and deemed to be of sufficient value is actually being done, if not by Our Team then almost certainly by Their Team. Moral/legal/security judgments or personal feelings on said activity are a separate issue.

4 Likes

I really do not feel like learning how to do deep packet inspection against “myself”.

3 Likes

Agreed.

I find the whole situation with state and commercial surveillance, NSO and friends, beyond egregious. We’re left trying to secure our lives and our businesses against an infrastructure fundamentally designed with the goal of making us vulnerable, be it to commercial suasion for profit, or to state oversight in the name of preventing Bad Things.

Pluralistic July 27, 2021: The infosec apocalypse is nigh. Edit: No, re-read CD’s piece, he’s right.

The few times I’ve talked to our :canada: Privacy Commissioner’s office, it appears there is little will to rein it all in. The idea that surveillance shouldn’t be a business model seems hard for them to swallow, probably in part because it is feeding (functionally sacrosanct) state surveillance, but also because it is employing a lot of people and there’s no political will to use that human potential in more useful ways.

5 Likes

Microsoft Azure cloud vulnerability is the ‘worst you can imagine’

“We are not aware of any customer data being accessed because of this vulnerability.”
- says company unaware for two years of massive vulnerability.

4 Likes

Up until this year, dating app Bumble inadvertently provided a way to find the exact location of its internet lonely-hearts, much in the same way one could geo-locate Tinder users back in 2014.

In a blog post on Wednesday, Robert Heaton, a security engineer at payments biz Stripe, explained how he managed to bypass Bumble’s defenses and implement a system for finding the precise location of Bumblers.

“Revealing the exact location of Bumble users presents a grave danger to their safety, so I have filed this report with a severity of ‘High,’” he wrote in his bug report.

[…]

2 Likes

Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months.

[…]

3 Likes

Yep.

If you store anything important in Azure, you should consider it compromised.

3 Likes

The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.

As an exercise in amplifying a data theft to levels that endanger public safety, the latest evolution of the Guntrader database break-in is likely to become an infosec case study in how security breaches can become worse over time as stolen information is put to ever more intrusive uses.

Leaked online last week via an animal rights activist’s blog, the stolen reformatted Guntrader database was explicitly advertised as being importable into Google Earth so randomers could “contact as many [owners] as you can in your area and ask them if they are involved in shooting animals.”

Names, home addresses, postcodes, phone numbers, email addresses and IP addresses are included in the Google Drive-hosted CSV file – along with precise geographic coordinates for a large number of the 111,295 people listed in the breach.

[…]

4 Likes

If you want to see change, you need to incentivize change. For example, if you want to see Microsoft have a heart attack, talk about the idea of defining legal liability for bad code in a commercial product. If you want to give Facebook nightmares, talk about the idea of making it legally liable for any and all leaks of our personal records that a jury can be persuaded were unnecessarily collected. Imagine how quickly Mark Zuckerberg would start smashing the delete key.

:bell:

Personally, I think private information storage in electronic form should be permitted only in support of a substantial commercial transaction or ongoing commercial relationship with a contract and significant payment involved. Otherwise, the system enabling surveillance for the legitimate will always turn into surveillance by criminals or by the enemy.

6 Likes

Zero-click … so if you get the text message, you’re hacked.

Starting in February 2021, we began to observe NSO Group deploying a new zero-click iMessage exploit that circumvented Apple’s BlastDoor feature. We refer to the exploit as FORCEDENTRY, because of its ability to circumvent BlastDoor. Amnesty Tech also observed zero-click iMessage exploitation activity around the same time, and referred to the activity they observed as “Megalodon.”

4 Likes

Follow-up:

Guntrader breach perp: I don’t think it’s a crime to dump 111k people’s details online in Google Earth format

3 Likes

[W]e must embrace the “data minimisation principle” – the idea that only necessary personal data should be collected and retained. We also need an approach that minimises centralised data collection, and gives more control to individuals.

:+1:

4 Likes

https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444

6 Likes

I suppose it’s human nature to try and exploit a resource until it collapses. Seems CVE-1999-0517 is still out there.

“For quite a while, this focus on the core business processes worked pretty well,” Rudis continues, suggesting that executives have their confirmation bias dopamine fix reinforced year after year by not having down time or breaches.
“Organisations also try to keep capital investments (computer systems) going for as long as possible with as little interaction (updates) as possible,” he says.

We used to call that Technical Debt; I know frightening examples that have cost businesses hundreds of millions of dollars. Part of me knows I should be running OpenBSD on everything but…

containers… VMs… 3D… shiny things…

2 Likes

Far-right registrar and web hosting company Epik just got pwned by Anonymous.

More details:

Twitter thread:

The press release:
https://4chan.partyvan.epikfail.win:55899/

3 Likes

Actually, if it’s coming in via email, we most likely will stop it…

1 Like