dobin is a user on mastodon.social.
dobin boosted

Here we go again…

D. Evtyushkin et al., “BranchScope: A New Side-Channel Attack on Directional Branch Predictor”

cs.ucr.edu/~nael/pubs/asplos18 (PDF)

This is not exactly surprising: the branch predictor is the new vulnerability Klondike.

dobin boosted

alephsecurity.com/2017/03/08/n

"This vulnerability has a very unusual attack vector – headphones. By exploiting this vulnerability we managed to leak stack canaries, derandomize ASLR, conduct a factory reset, and even access HBOOT, allowing for communication with internal System-on-Chips (SoCs) through I2C"

Class.

dobin boosted

Tavis Ormandy and Natalie Silvanovich claiming discovery of "the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥
Attack works against a default install, don't need to be on the same LAN, and it's wormable."
twitter.com/taviso/status/8606

dobin boosted

New paper feed: "VM escape - QEMU Case Study" by Mehdi Talbi & Paul Fariello:

phrack.org/papers/vm-escape-qe

dobin boosted

Interactive worm wiggling in browser.

Best project milestone ever.
github.com/openworm/OpenWorm/m

On a more serious note, OpenWorm is an amazing project, so please support them and/or contribute if you have the skills.
openworm.org/

dobin boosted

RCE on Imgur servers using command line argument injection in GraphicsMagick utility: hackerone.com/reports/212696
Nice find and writeup (rewarded 5,000) #bugbounty

dobin boosted

New post: "Compromise recovery on Qubes OS":
qubes-os.org/news/2017/04/26/q

Because fuckups happen... and it's good to have a reasonable Plan B.

dobin boosted

Once again guy gets caught coz poor opsec.
thedailybeast.com/articles/201

Remember the #1 rule of opsec: Compartmentalize!
Also opsec starts from day0.

It's remarkably common that people start to properly isolate identities once their project is well underway, but in the beginning they simply didn't do it (properly).
Those mistakes will come back and haunt you. Happened to DPR/Silkroad too.

dobin boosted

"So, out of boredom, we tried some common default credentials. admin:admin, administrator:administrator, the usual culprits. Imagine our surprise when test:test are valid."
pastebin.com/raw/Y1yf8kq0
#flexispy #infosec

dobin boosted

Cool phishing technique:
FancyBear creates fake legitimate looking OAuth apps that the victim authorises.
I love how simple it is and it completely bypasses any 2FA.

Not to mention users (especially Android) are primed to accept whatever permissions an app asks for.

blog.trendmicro.com/trendlabs- mastodon.social/media/uBKqr5xf

dobin boosted

I really like draw.io, a free Visio alternative, which also works fine in *offline* mode as a Chrome app (I tested it in offline VM).

But it would be even cooler if there was an easy way to package Chrome Apps as RPM or DEB, as then it could be easily installed in a template VM for use in many different AppVMs. Does anyone know how to do that?

(The diagram below is for an upcoming post on Qubes Compromises Recovery, BTW)

dobin boosted

Some "OSINT" (if you will) observations on the last few months of going through arXiv papers:

1) there is a huge focus in China on malware taxonomies and ML-based analysis. I've started filtering papers based on names I now recognise in the field because literally everyone is working on this.

2) there is a gently smouldering return in interest on honeypots. The odd paper resurfaces and discusses old techniques again.

3) tracking people & users is big in the Western world. This is not surprising.

dobin boosted

alastairreid.github.io/alastai

"ARM Releases Machine Readable Architecture Specification", a very interesting post by Alastair Reid, a researcher at ARM Ltd, about the release of the architecture specification for ARM v8A.

Interesting Links:

* Trustworthy Specification for ARM v8A/v8M: alastairreid.github.io/papers/
* ISA-Formal verification: alastairreid.github.io/papers/

dobin boosted

A nice instance of compiler introduced vulnerabilities: github.com/sandstorm-io/capnpr

Now should I go look for these in rust and swift compilers?
E_NOTIME

dobin boosted

It always makes me uneasy when pentesters hoard and use 0days instead of reporting them to the vendor.

CVE-2017-0199 used by a pentesting company 2 months before a sample dropping FinFisher was spotted in the wild, 5 months before public disclosure.
(Also OPSEC Fail...)
mastodon.social/media/c7aJ1NV5 mastodon.social/media/ju4HzmkD

dobin boosted

The Pirate Bay founder has launched a new service to register domain names anonymously: njal.la/. You can sign up using XMPP+OTR and pay in BTC. The company buys the domain and then gives you the usage rights.

Seems useful mainly for people worried about content takedowns.

Thoughts?

I am not into this to press up of mass amounts of records.

I'm not into this to be travelling around the motherfucking world. I am not into this to impress anybody, I am into this for my own heart and soul. A lot of people, after work, you go home you take a bath. A lot of people you go home you fuck your wife, a lot of people go home, you cut your grass. I go home and I fuck that motherfucking MPC all fucking night.

redbullmusicacademy.com/lectur