#cybersecurity

waynerad@diasp.org

"Total app reliance" is a phrase now. I'm surprised it's taken this long.

"Members use the Zipcar app to locate cars, unlock and lock them, share images of the vehicle (for proof that you didn't damage it), and report concerns. One typically goes through the entire Zipcar rental process without interacting with a human."

"Without the app support, people could not unlock cars to start rentals, open cars that didn't come with keys, lock cars, and/or return cars before their rental period expired."

"Users reported long wait times with customer support, enduring cold temperatures while locked out of vehicles, and trepidation regarding cars they couldn't lock. 404 Media spoke with an unnamed person who said their friend's passport was locked in a Zipcar, adding that he 'missed his flight last night and his final exam today because of this.'"

Zipcar outage a warning against total app reliance

#solidstatelife #cybersecurity

simona@pod.geraspora.de

The #BSI warns of #malware on #IoT devices - just a pity that those affected will hardly read the BSI's press releases 🧐🪲💾

See: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241212_Badbox_Sinkholing.html

It is a plague that every IoT device today inevitably hangs in the cloud (whether it makes sense or not). As a result, these devices are of course popular attack targets, because they are usually not protected at all and never receive an update.

#Android #BadBox #ChinaSchrott #Technologie #Problem #Gefahr #Warnung #Sicherheit #Cybersecurity #Software #Cybercrime #Angriff #Infrastruktur #Internet #Schutz #Verbraucher #Update #Patch #cloud #Schaden

anonymiss@despora.de

Researchers find #security flaws in #Skoda cars that may let hackers remotely track them

Source: https://techcrunch.com/2024/12/12/researchers-find-security-flaws-in-skoda-cars-that-may-let-hackers-remotely-track-them/

The vulnerabilities, discovered in the vehicle’s MIB3 infotainment unit, could allow attackers to achieve unrestricted code execution and run malicious code every time the unit starts. This could let an attacker obtain live vehicle #GPS coordinates and speed data, record conversations via the in-car #microphone, take screenshots of the infotainment display, and play arbitrary sounds in the car, according to PCAutomotive.

#news #car #surveillance #tracking #software #cybersecurity #fail

anonymiss@despora.de

#Microsoft's Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it

Source: https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass

The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.

#news #software #cybersecurity #cloud #security #hacker #fail #mfa

simona@pod.geraspora.de

Product liability for #hardware and #software in the #EU

See: https://www.golem.de/news/gesetz-fuer-eu-weite-produkthaftung-hersteller-von-hard-und-software-haften-fuer-fehler-2412-191529.html

It reads well and is overdue, but the law could have side effects. If all of this is enforced as written, it is the end of cheap hardware. Some may now think: no more Chinese junk, and that is a good thing, but much more expensive routers become a problem for consumers and create a digital divide. Apart from that, the law alone brings no security gain, and the officially responsible parties go bankrupt in the event of severe damage without it hitting those who caused it.

In my opinion, more security for consumers can only be achieved with open source. All source code must be deposited and is released as soon as the manufacturer does not respond adequately to security incidents. Appropriately funded foundations check quality through spot checks and set requirements for security.

#politik #cybersecurity #zukunft #Sicherheit #VerbraucherSchutz #wirtschaft #verantwortung #Problem #Technologie #europa #Handel

anonymiss@despora.de

Russian programmer says #FSB agents planted #spyware on his #Android phone

Source: https://techcrunch.com/2024/12/05/russian-programmer-says-fsb-agents-planted-spyware-on-his-android-phone/

According to the report, the fake app was able to access location information, read and send text messages, install other applications, read the calendar, take screenshots and record from the video camera, see a list of other applications, answer phone calls, and view user account details — all permissions that the real Cube Call Recorder does not have.

#spy #surveillance #russia #policestate #news #technology #smartphone #Trojan #Software #cybersecurity #security #privacy #Monokle #spyware #Moskow #app

anonymiss@despora.de

#NATO draws up plans for its own fleet of naval #surveillance #drones

Source: https://www.defensenews.com/breaking-news/2024/12/03/nato-draws-up-plans-for-its-own-fleet-of-naval-surveillance-drones/

Following a pattern of #undersea #cable damage across European waters in the last year, with the most recent disruptions happening just weeks ago, top NATO officials have begun envisioning a capability that would allow the alliance to have permanent eyes above and under the waterline.

#military #warfare #cybersecurity #Infrastructur #news #Europe

waynerad@diasp.org

The first UEFI bootkit designed for Linux systems (named Bootkitty by its creators) has been discovered.

UEFI (which stands for Unified Extensible Firmware Interface) is a modern replacement for the BIOS, the first code that runs when a computer is turned on. Its job is to load the operating system. Starting from version 2 of UEFI, cryptography is incorporated to enforce security on this whole bootstrap process.

A rootkit is a piece of malware that infects and replaces part of the operating system in such a way as to conceal itself. If that rootkit is in the boot record that the BIOS or now UEFI system uses to bootstrap the operating system, it's called a bootkit. Such bootkits can do things like defeat disk encryption because they are bootstrapped before the disk encryption system is bootstrapped and running. When the full OS is bootstrapped the bootkit can run in kernel mode with full OS privileges. In this position it can intercept anything including encryption keys and passwords.

"The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup). During our analysis, we discovered a possibly related unsigned kernel module -- with signs suggesting that it could have been developed by the same author(s) as the bootkit -- that deploys an ELF binary responsible for loading yet another kernel module unknown during our analysis."

ELF stands for Executable and Linkable Format and is a file format for executable code on Linux systems.

"Bootkitty is signed by a self-signed certificate, thus is not capable of running on systems with UEFI Secure Boot enabled unless the attackers' certificates have been installed."

"Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification before GRUB is executed."

"bootkit.efi contains many artifacts suggesting this is more like a proof of concept than the work of an active threat actor."

Bootkitty: Analyzing the first UEFI bootkit for Linux

#solidstatelife #cybersecurity #rootkit

anonymiss@despora.de

Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security #assessment.

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a

Today's #security measures therefore tend to reduce security rather than increase it. 🤔😖

#news #Software #vulnerability #bug #fail #cybersecurity #Problem #omg #wtf #web #webshell #internet

anonymiss@despora.de

Why is proprietary #software so bad and full of #vulnerabilities?

The sales department probably doesn't know any better and only has its commission in mind and just sells the software, that's their job. I'm not so sure about the management, whether they are clueless or just think that no matter how bad the software is, we can earn even more money with support contracts. There are certainly a few clueless developers who are kept so busy that they barely manage to complete their tasks but have no time for quality assurance. However, a large part of the developers will realize what is being played and then either change jobs after 2 years if it becomes unbearable or try to justify the quality of the software according to the motto it is a feature and not a bug.

Ultimately, the only option left to cybersecurity is to secure vulnerable software with supposedly better security software. Bugs are not fixed unless public pressure is so strong that it is unavoidable and with one fixed bug, three new ones are installed. The supposedly secure security software all too often turns out to be snake oil, which only brings further security risks, which then have to be secured by further security software and you find yourself in a never-ending cascade, which becomes ever more dangerous and expensive but brings no security gain. There is even a technical term for this, called security theater.

At the end of the day, all the management wants to say in its press release is that the hackers were diabolical criminals and probably had state support, but that the company had done everything it could to defend itself with the latest security software. The starting position is therefore clear. There is money to be made from security vulnerabilities and proper security means a lot of work. Economic considerations are therefore made here, according to which quality assurance can be saved because the customer can find and report the errors after all.

I'm pretty sure I'm not the smartest or the best developer, but I've figured it out and I'm always surprised that I often meet colleagues who are very confident about cybersecurity in the company because there is security training every year. I don't see any possibility of developing secure software at all under capitalism because profit is always valued higher than security.


#developer #management #economy #capitalism #profit #finance #security #cybersecurity #bug #fail #system #problem #hack #hacker #malware