#hack

prplcdclnw@diasp.eu

Archive.org, a repository of the history of the Internet, has a data breach

31 million records containing email addresses and password hashes exposed.

https://arstechnica.com/information-technology/2024/10/archive-org-a-repository-storing-the-entire-history-of-the-internet-has-been-hacked/

Archive.org, one of the only entities to attempt to preserve the entire history of the World Wide Web and much of the broader Internet, was recently compromised in a hack that revealed data on roughly 31 million users.

archive.org is not loading right now.

#archive #internet-archive #breach #hack

anonymiss@despora.de

U.S. #Wiretap Systems Targeted in #China-Linked #Hack

Source: http://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b

The #surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations. Under federal law, telecommunications and broadband companies must allow authorities to intercept electronic information pursuant to a court order. It couldn’t be determined if systems that support foreign #intelligence surveillance were also vulnerable in the breach.

Like all backdoors, this #backdoor is also a #security risk and not a gain.

#news #cybersecurity #cybercrime #privacy #politics #police #justice #communication #crime #Problem #USA #fail #hacker #Software #vulnerability #spy

aktionfsa@diasp.eu

02.10.2024 EUDI wallet on the phone?

The supposedly secure ePerso already exists

Nevertheless, Ms Faeser's Interior Ministry now announces: "We want citizens to be able to prove their identity quickly, securely and easily directly via their smartphone – without an additional card or a reader device."

Seriously?

  • so no WLAN or Bluetooth
  • no QR code, because no human can read one

What would remain is a picture/photo of the ePerso. That would be the opposite of secure. But then the ePerso isn't secure anyway, see e.g. "Identity theft becomes easier - press release on the hack of the electronic identity card" from 14 years ago ...

Of course an EUDI wallet will not manage without encryption and the certificates that requires, which will certainly need complicated technology, if only because the IT corporations want to make a big killing with the product again - and the state has to (at least pre-)finance it. The experiences with the toll system, ALG-II, Gematik's health infrastructure, the Luca app, ... make us fear the worst.

But instead of getting further worked up about so much faith in technology, let's look at how bmi.bund.de goes on to announce the product: "The EUDI wallet will guarantee the highest security standards and protect the privacy of its users. The EUDI wallet will be available free of charge and contribute to digital inclusion, since all people – regardless of their financial situation – gain access to digital services."

We should frame the promise of "free of charge" just in case - let's see how long it holds. However, we still don't see how one comes into possession of a smartphone – regardless of one's financial situation. If at some point the EUDI wallet also becomes mandatory, that would be a further step towards forced digitalisation.

It gets even better

"To give citizens freedom of choice and to promote innovation, the conditions for non-governmental providers are to be created alongside the state EUDI wallet. This will also make it possible for companies, foundations or research institutions to develop their own EUDI wallets and have them recognised in Germany." Apparently the bad experiences with "private" applications for the ePerso have simply been forgotten. Hardly any company wanted to take on the effort of programming applications for it. Instead, private companies prefer to build their own applications that only work for them, in order to tie people to their company.

After PayPal, Apple Pay and Lidl Pay, there could then also be Apple or Lidl identities, with which you might save a few cents when shopping or get served faster at a preferred checkout ...

There are already some guesses on the Internet as to how this will go on.

  • Could it be that Ms Faeser is talking up the next multi-billion money pit there
  • Who's going to build it, then? T-Systems? Then yes, definitely.
  • Will there also be free devices with a secure operating system without backdoors?
  • By the way, the electronic identity card exists. Someone should tell the lady.

More on this at https://www.bmi.bund.de/SharedDocs/pressemitteilungen/DE/2024/09/eudi-wallet-sep.html

Category[21]: Our topics in the press. Short link to this page: a-fsa.de/d/3D5
Link to this page: https://www.aktion-freiheitstattangst.org/de/articles/8921-20241002-eudi-wallet-auf-dem-handy.html
Link in the Tor network: http://a6pdp5vmmw4zm5tifrc3qo2pyz7mvnk4zzimpesnckvzinubzmioddad.onion/de/articles/8921-20241002-eudi-wallet-auf-dem-handy.html
Tags: #EUDI-Wallet #ePerso #Ausweis #ePA #Hack #kostenlos #QRcode #RFID #Gefahr #Kosten #Smartphone #Handy #Verhaltensänderung #Privatisierung #Diskriminierung #Ungleichbehandlung #Verbraucherdatenschutz #Biometrie #Datensicherheit

prplcdclnw@diasp.eu

Hacking the “Bike Angels” System for Moving Bikeshares

This is very close to something we used to do in the Navy. See below.

https://www.schneier.com/blog/archives/2024/09/hacking-the-bike-angels-system-for-moving-bikeshares.html

I always like a good hack. And this story delivers. Basically, the New York City bikeshare program has a system to reward people who move bicycles from full stations to empty ones. By deliberately moving bikes to create artificial problems, and exploiting exactly how the system calculates rewards, some people are making a lot of money.

At 10 a.m. on a Tuesday last month, seven Bike Angels descended on the docking station at Broadway and 53rd Street, across from the Ed Sullivan Theater. Each rider used his own special blue key — a reward from Citi Bike — to unlock a bike. He rode it one block east, to Seventh Avenue. He docked, ran back to Broadway, unlocked another bike and made the trip again.

By 10:14, the crew had created an algorithmically perfect situation: One station 100 percent full, a short block from another station 100 percent empty. The timing was crucial, because every 15 minutes, Lyft’s algorithm resets, assigning new point values to every bike move.

The clock struck 10:15. The algorithm, mistaking this manufactured setup for a true emergency, offered the maximum incentive: $4.80 for every bike returned to the Ed Sullivan Theater. The men switched direction, running east and pedaling west.

OK. So here's the Navy thing mentioned above. It was called a "trim party." On nuclear-powered submarines there was a watch station in the Control Room called Chief of the Watch (the COW, not to be confused with the COB, Chief of the Boat^1^, which was a job title, not a watch station, but I digress). One of the jobs of the COW was to keep the submarine in trim. What does that mean? It means ensuring that if all propulsion is stopped, the submarine will neither slowly sink to the bottom of the ocean nor slowly rise to the surface, and that it will remain perfectly level (not list to port or starboard, fore or aft). This is accomplished with trim tanks. Water in trim tanks can be pumped out into the ocean, allowed in from the ocean, or moved from one trim tank to another. Got it?

OK. So here's how a trim party works. Someone finds out that a new person is qualifying to stand COW. This person gets together a crew of about six people who are off-watch; they all go together to the forward end of the torpedo room, as far forward as you can be. One member of the party watches the indicator on the trim tank there to see when the new COW has pumped out water to correct the trim. Then the whole party goes to the aft end of the engine room, as far aft as you can go. Someone monitors the indicator on the trim tank there. This is repeated until the victim catches on and stops reacting to the trim party.

#bikeshare #bike-angels #rewards-system #hack #schneier #bruce-schneier #schneier-on-security #blog

^1^ Submarines, no matter how large, are called boats.

anonymiss@despora.de

#Amsterdam municipality bans #Telegram on work phones over criminal use, #espionage #threat

source: https://nltimes.nl/2024/08/19/amsterdam-municipality-bans-telegram-work-phones-criminal-use-espionage-threat

Telegram is a “safe haven for hackers, cybercriminals, and drug dealers,” a spokesperson for Amsterdam’s IT alderman Alexander Scholtes told the broadcaster. The city is also concerned about possible espionage through the app, even though it no longer has official ties to #Russia. Telegram was set up in Russia, but the head office has since moved to #Dubai, and the #company is officially located in the Virgin Islands.

#news #software #messenger #crime #cybercrime #cybersecurity #security #problem #Netherlands #hack #hacker

christophs@diaspora.glasswings.com

Troy Hunt: Inside the "3 Billion People" National Public Data Breach

Lastly, I want to re-emphasise a point I made earlier on: there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct. And no, I don't have a mechanism to load additional attributes beyond email address into HIBP nor point people in the direction of the source data (some of you will have received a reminder about why I don't do that just a few days ago). And I'm definitely not equipped to be your personal lookup service, manually trawling through the data and pulling out individual records for you! So, treat this as informational only, an intriguing story that doesn't require any further action.

#security #hack #ssn

https://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/

jabgoe2089@hub.netzgemeinde.eu

politico! That's Springer press! You can't believe anything they say at first ...

#springer #usa #uglyTrump #hack

Fefebot wrote the following post Sun, 11 Aug 2024 10:56:04 +0200

[l] Hackers hack ... Trump's campaign organization.

There are a few funny details. First: Trump is so deep up Putin's ass that they didn't shout "THE RUSSIANS!!1!" but "IRAN!!1!" :-)

Second: But of course they moved into the cloud and got hacked there!

The campaign blamed “foreign sources hostile to the United States,” citing a Microsoft report on Friday that Iranian hackers “sent a spear phishing email in June to a high-ranking official on a presidential campaign.” Microsoft did not identify the campaign targeted by the email and declined to comment Saturday.

Funny, that! You made yourselves completely dependent on rotten Microsoft cloud crap and now you got hacked? WELL, WHO'D HAVE THOUGHT! If only someone had warned you beforehand!

You know, with some people I'm actually quite glad they don't listen to me.

Personally, I'd dispute that the hackers are "hostile to the United States". Those are friends in need!1!!

#fefebot #putin #trump #microsoft

anonymiss@despora.de

#Hackers could #spy on cell #phone users by abusing #5G baseband flaws, researchers say

source: https://techcrunch.com/2024/08/07/hackers-could-spy-on-cellphone-users-by-abusing-5g-baseband-flaws-researchers-say/

Using a custom-made analysis tool they called #5GBaseChecker, the researchers uncovered #baseband vulnerabilities made by #Samsung, #MediaTek, and #Qualcomm, which are used in phones made by #Google, #OPPO, #OnePlus, #Motorola, and Samsung.

#security #smartphone #technology #communication #privacy #surveillance #hack #hacker #bug #software #problem #news

anonymiss@despora.de

Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit

source: https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/

To overcome the limitation of a single packet attack, I used IP fragmentation and TCP sequence number reordering.

Using IP layer fragmentation, a single TCP packet can be split into multiple IP packets, which allows the full utilization of the TCP window size.
Additionally, by re-ordering the TCP sequence numbers, I prevented the target server from processing any of the TCP packets until I sent the final packet.

Thanks to these techniques, we can significantly exploit a minor limit-overrun vulnerability, potentially leading to severe vulnerabilities like the authentication bypass of one-time token authentication. During testing, I was able to send 10,000 requests in about 166ms.

#network #tcp #ip #internet #hack #hacker #exploit #news #software #limit #knowledge

anonymiss@despora.de

You can block EDR telemetry reaching its cloud servers by performing a Person-in-the-Middle (PitM) attack and filtering telemetry packets, effectively hiding alerts from the SOC team. This can be achieved by conducting ARP poisoning against target host(s) and configuring iptables. Instead of blocking a wide range of IP subnets, we can use Server Name Indication (SNI) in the TLS Client Hello packets to identify specific IP addresses to block. While unsent alerts get cached on the host, they are cleared upon reboot.

source: https://tierzerosecurity.co.nz/2024/07/23/edr-telemetry-blocker.html

#hack #hacker #cloud #software

anonymiss@despora.de

Data breach exposes millions of #mSpy #spyware customers

Source: https://techcrunch.com/2024/07/11/mspy-spyware-millions-customers-data-breach/

Some of those emails and messages include requests for customer support from several senior-ranking U.S. #military personnel, a serving U.S. federal appeals court judge, a U.S. #government department’s watchdog, and an Arkansas county sheriff’s office seeking a free license to trial the app.

#news #hack #surveillance #smartphone #usa