#vulnerability

danie10@squeet.me

Next level Hack: Hackers can steal cryptographic keys by video-recording power LEDs 18 metres away without any probe or radio connections

By carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm.

The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader—or of an attached peripheral device—during cryptographic operations. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs.

So now you know, cover the LEDs etc when you’re using a keypad, or better still, cover it with your hat and peek through the side. This is exactly why we used to wear hats!

See https://arstechnica.com/information-technology/2023/06/hackers-can-steal-cryptographic-keys-by-video-recording-connected-power-leds-60-feet-away/
#Blog, #hacking, #security, #technology, #vulnerability

danie10@squeet.me

Inaudible ultrasound attack can stealthily control your phone, smart speaker

The team of researchers consists of professor Guenevere Chen of the University of Texas in San Antonio (UTSA), her doctoral student Qi Xia, and professor Shouhuai Xu of the University of Colorado (UCCS).

The team demonstrated NUIT attacks against modern voice assistants found inside millions of devices, including Apple’s Siri, Google’s Assistant, Microsoft’s Cortana, and Amazon’s Alexa, showing the ability to send malicious commands to those devices.

The main principle that makes NUIT effective and dangerous is that microphones in smart devices can respond to near-ultrasound waves that the human ear cannot, thus performing the attack with minimal risk of exposure while still using conventional speaker technology.

We’ve actually heard about these near ultrasound attacks before, but further work has been done on demonstrating how it can work. It does not require someone to be nearby to the listening device at all, as it can be transmitted inaudibly to the human ear during a Zoom call, or even via a YouTube video.

So yes, absolutely nothing special required for this to work. The bigger challenge to the attacker is finding someone who actually has smart speakers to respond with, and them having some or other automation that can be weaponised. But that said, almost everyone has a smartphone or two, and many have default Siri, Alexa or Google Assistant standing by to tell them what the weather forecast is for today. Many of those assistants can also perform phone actions like enable WiFi, open a specific website, disable screen lock, and much more…

If you can authenticate on your smart device using your own vocal fingerprint, it is recommended that you activate this additional security method. Chen also advised that users monitor their devices closely for microphone activations, which have dedicated on-screen indicators on iOS and Android smartphones. And just using earphones also cuts out that sound being able to travel to smart speakers.

See https://www.bleepingcomputer.com/news/security/inaudible-ultrasound-attack-can-stealthily-control-your-phone-smart-speaker/
#Blog, #security, #smartassistant, #smartspeaker, #technology, #vulnerability

tekaevl@diasp.org

Lame

anonymiss - 2023-01-26 16:06:03 GMT

#GTA V #vulnerability exposes #PC users to partial #remote code execution attacks

Source: https://www.itpro.co.uk/security/vulnerability/369913/gta-v-vulnerability-exposes-pc-users-to-remote-code-execution-attacks

Hackers had initially used the flaw to give themselves elevated levels within the game and ban other users, but it has since become apparent that the same exploits can be used to achieve partial RCE on victims' PCs.

#news #security #game #gamer #fail #software #problem #hack

california@diaspora.permutationsofchaos.com

security.txt

A proposed #standard which allows websites to define #security #policies.

Take a look: https://securitytxt.org

“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

#web #www #website #vulnerability #cybercrime #privacy #advice #instructions #communication #software #bug #research

anonymiss@despora.de

The Hacking of #Starlink Terminals Has Begun

source: https://www.wired.com/story/starlink-internet-dish-hack/

Today, Lennert Wouters, a #security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings. At the #BlackHat security conference in Las Vegas, Wouters will detail how a series of #hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.

#internet #news #hack #hacker #vulnerability #software #infrastructure

anonymiss@despora.de

(Time)Stamping Out The #Competition in #Ethereum

source: https://medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef

Thus, a #miner who wishes to replace the last block on the #blockchain, can do so by #mining a new #block of its own which has a #timestamp which is low enough to increase the block’s mining difficulty. This can be useful, for example, in cases where this last block has high paying transactions, or in order to double-spend a transaction contained within the block. Another possibility is for an attacker to preemptively mine blocks with such false timestamps, in order to make sure they win in case of ties with other blocks which might be mined concurrently, or which might’ve been mined in the recent past but haven’t reached the attacker yet.

#scam #fail #software #attack #cybercrime #problem #money #finance #security #problem #news #bug #vulnerability

anonymiss@despora.de

#Hertzbleed is a new family of side-channel attacks: #frequency side channels.

Source: https://www.hertzbleed.com

Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.

...

Am I affected by Hertzbleed? Likely, yes.

#cpu #x86 #security #Encryption #news #attack #hack #vulnerability #problem #software #hardware

57b731e9@nerdpol.ch

Serious security vulnerability in Tails 5.0

Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

The problem is that Tails 5.0 uses version 11.0.11 of the Tor Browser. This is based on a version of Firefox that contains vulnerabilities in its JavaScript interpreter. The current version of the Tor Browser is 11.0.13, and this new version is not vulnerable to the attacks that work against version 11.0.11 and earlier. If you use the Tor Browser with other OSes (not Tails), you should check to see that you have the newest version.

If you keep JavaScript disabled this vulnerability does not affect you. The Tor Browser makes it very easy to disable JavaScript. This problem will also not affect you if you don't enter any sensitive information into web sites.

If you start Tails today, Tails itself will warn you about this. Oddly the Tails home page has no such warning.

Here is the page about the vulnerability. https://tails.boum.org/security/prototype_pollution/

Here is the Tails home page. https://tails.boum.org/

The recommendation from Tails is that you don't use the Tor Browser in Tails until the next version of Tails is released. This should be version 5.1 and it should be released on 31 May 2022.

#tails #tor #tor-browser #vulnerability #bug #security #privacy #surveillance #firefox #mozilla

danie10@squeet.me

High‑impact UEFI vulnerabilities discovered (again) in over a hundred models of Lenovo consumer laptops

Yes, two of the drivers immediately caught attention by their very unfortunate (but surprisingly honest) names: SecureBackDoor and SecureBackDoorPeim. I also seem to recall Lenovo had a similar issue about 5 or 6 years ago, so not a first time.

Altogether, the list of affected devices contains more than one hundred different consumer laptop models with millions of users worldwide, from affordable models like Ideapad-3 to more advanced ones like Legion 5 Pro-16ACH6 H or Yoga Slim 9-14ITL05. The full list of affected models with active development support is published in the Lenovo Advisory.

Bottom line though is, if you have a consumer Lenovo device, you really want to check if there is a firmware update.

See https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/

#technology #security #vulnerability #lenovo #backdoor
#Blog, #backdoor, #lenovo, #security, #technology, #vulnerability

anonymiss@despora.de

CVE-2022-21449: Psychic #Signatures in #Java

source: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, this being Doctor Who, the card is really made out of a special “psychic paper”, which causes the person looking at it to see whatever the Doctor wants them to see: a security pass, a warrant, or whatever. It turns out that some recent releases of Java were vulnerable to a similar kind of trick, in the implementation of widely-used #ECDSA signatures.

#security #fail #software #trust #news #problem #vulnerability #signature

anonymiss@despora.de

#iCloud #crypto wallet #attack saw $650K stolen from trader within seconds; #MetaMask #vulnerability revealed

source: https://9to5mac.com/2022/04/19/icloud-crypto-wallet-attack-metamask/

An estimated $650,000-worth of cryptocurrencies and NFTs were gone in an instant.

...

The answer, as unearthed by a crypto #security expert who goes by Serpent, is that using the MetaMask app on #iPhone automatically stores a seed phrase file onto iCloud […]

#software #fail #news #finance #hack #hacker

anonymiss@despora.de