Vulnerabilities

5 Likes

Follow-up:

3 Likes

4 Likes
6 Likes

Un-carrier? Definitely Unsecure: T-Mobile US admits 48m customers’ details stolen after downplaying reports

6 Likes

Apple’s NeuralHash Algorithm Has Been Reverse-Engineered - Schneier on Security

Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.

Um…

Not “reverse engineered” as such. It has been extracted from iOS 14.3, where it was already, unannounced, and put in a test harness. The investigators demonstrated two images, quite distinct, with the same hash, which means Bad Guys can launch DoS attacks by generating n → ∞ matching images and overloading the manual verification.

From the blog Comments:

One wonders if Apple’s client-side scanning isn’t ultimately intended for markets where false positives are even less of an issue than in the US and the technology is merely being labelled as anti-pedophilia for western consumption.

:bell::bell::bell: … well duh … there are major “markets” in jurisdictions where not having a back door would be considered “obstruction of justice”.

One is also led to suspect that Apple announced its Neural Hash/CSAM protection thing as cover when they knew the algorithm was about to be outed.

Edit: Apple claims to have mitigation strategies. I suspect the hashes of images of interest will leak eventually. Cross posted to “Apple Privacy Issues”.

2 Likes

One is also led to suspect that Apple announced its Neural Hash/CSAM protection thing as cover when they knew the algorithm was about to be outed.

Further thought: it would be interesting to find out if any other Apple sub-systems send a quiet, probably well hashed, note to the Mother Ship when they encounter text of interest (the ghost, no doubt, of the old NSA Line Eater of days of yore).

Again, assume that anything that is technically feasible and deemed to be of sufficient value is actually being done, if not by Our Team then almost certainly by Their Team. Moral/legal/security judgments or personal feelings on said activity are a separate issue.

4 Likes

I really do not feel like learning how to do deep packet inspection against “myself”.

3 Likes

Agreed.

I find the whole situation with state and commercial surveillance, NSO and friends, beyond egregious. We’re left trying to secure our lives and our businesses against an infrastructure fundamentally designed with the goal of making us vulnerable, be it to commercial suasion for profit, or to state oversight in the name of preventing Bad Things.

Pluralistic July 27, 2021: The infosec apocalypse is nigh. Edit: No, re-read CD’s piece, he’s right.

The few times I’ve talked to our :canada: Privacy Commissioner’s office, it appears there is little will to rein it all in. The idea that surveillance shouldn’t be a business model seems hard for them to swallow, probably in part because it is feeding (functionally sacrosanct) state surveillance, but also because it is employing a lot of people and there’s no political will to use that human potential in more useful ways.

5 Likes

We’re left trying to secure our lives and our businesses against an infrastructure fundamentally designed with the goal of making us vulnerable

…which, to no-one’s surprise, is a blade with two edges…

Bloomberg, Cybersecurity
Hackers Release Data Trove From Belarus in Bid to Overthrow Lukashenko Regime
Pilfered data includes lists of alleged police informants and information on government spies.
By Ryan Gallagher
August 24, 2021, 8:37 a.m. EDT

(via Pluralistic)

5 Likes

Microsoft Azure cloud vulnerability is the ‘worst you can imagine’

“We are not aware of any customer data being accessed because of this vulnerability.”
- says company unaware for two years of massive vulnerability.

4 Likes

Bumble fumble: Dude divines definitive location of dating app users despite disguised distances

Up until this year, dating app Bumble inadvertently provided a way to find the exact location of its internet lonely-hearts, much in the same way one could geo-locate Tinder users back in 2014.

In a blog post on Wednesday, Robert Heaton, a security engineer at payments biz Stripe, explained how he managed to bypass Bumble’s defenses and implement a system for finding the precise location of Bumblers.

“Revealing the exact location of Bumble users presents a grave danger to their safety, so I have filed this report with a severity of ‘High,’” he wrote in his bug report.

[…]

2 Likes

Azure’s now-fixed Cosmos DB flaw could have been exploited to read, write any database

Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months.

[…]

3 Likes

Yep.

If you store anything important in Azure, you should consider it compromised.

3 Likes

Leaked Guntrader firearms data file shared. Worst case scenario? Criminals plot UK gun owners’ home addresses in Google Earth

The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.

As an exercise in amplifying a data theft to levels that endanger public safety, the latest evolution of the Guntrader database break-in is likely to become an infosec case study in how security breaches can become worse over time as stolen information is put to ever more intrusive uses.

Leaked online last week via an animal rights activist’s blog, the stolen reformatted Guntrader database was explicitly advertised as being importable into Google Earth so randomers could “contact as many [owners] as you can in your area and ask them if they are involved in shooting animals.”

Names, home addresses, postcodes, phone numbers, email addresses and IP addresses are included in the Google Drive-hosted CSV file – along with precise geographic coordinates for a large number of the 111,295 people listed in the breach.

[…]

4 Likes

If you want to see change, you need to incentivize change. For example, if you want to see Microsoft have a heart attack, talk about the idea of defining legal liability for bad code in a commercial product. If you want to give Facebook nightmares, talk about the idea of making it legally liable for any and all leaks of our personal records that a jury can be persuaded were unnecessarily collected. Imagine how quickly Mark Zuckerberg would start smashing the delete key.

:bell:

Personally, I think private information storage in electronic form should be permitted only in support of a substantial commercial transaction or ongoing commercial relationship with a contract and significant payment involved. Otherwise, the system enabling surveillance for the legitimate will always turn into surveillance by criminals or by the enemy.

6 Likes

Zero-click … so if you get the text message, you’re hacked.

Starting in February 2021, we began to observe NSO Group deploying a new zero-click iMessage exploit that circumvented Apple’s BlastDoor feature. We refer to the exploit as FORCEDENTRY, because of its ability to circumvent BlastDoor. Amnesty Tech also observed zero-click iMessage exploitation activity around the same time, and referred to the activity they observed as “Megalodon.”

4 Likes

Follow-up:

Guntrader breach perp: I don’t think it’s a crime to dump 111k people’s details online in Google Earth format

3 Likes

[W]e must embrace the “data minimisation principle” – the idea that only necessary personal data should be collected and retained. We also need an approach that minimises centralised data collection, and gives more control to individuals.

:+1:

4 Likes