ajsadauskas, (edited) to tech
@ajsadauskas@aus.social

So Google is now preventing people from removing location data from photos taken with Pixel phones.

Remember when Google's corporate motto was "don't be evil"?

Obviously, accurate location data on photos is more useful to a data mining operation like Google.

From Google: "Important: You can only update or remove estimated locations. If the location of a photo or video was automatically added by your camera, you can't edit or remove the location."

It's enshittification in action.

Source: https://support.google.com/photos/answer/6153599?hl=en&sjid=8103501961576262529-AP

#technology #tech @technology #business #enshitification #Android #Google @pluralistic #infosec

taeluralexis, to infosec

Can anyone raise their hand if they’re in cybersecurity WITHOUT a college degree lol?

mysk, (edited) to privacy

The rogue 2FA app that steals scanned secrets is now ranked 18 on the German App Store in the productivity category. No wonder! The app disguises itself as a Microsoft app. It is the top hit when you search for "Microsoft Authenticator", and the developer has updated the screenshots in the ad card to highlight the word "Microsoft". Surprisingly, the product page of the app shows different screenshots with the word "Microsoft" removed.
The app now has 1.2K reviews, as opposed to 18 when we first addressed the app.

🙏 Boosting this post will help spread the word. Thank you!

#privacy #security #2FactorAuthentication #iOS #infosec

reginagrogan, to security
@reginagrogan@mastodon.social

Bank: “Please create a secure password”
Me: Types in secure password
Bank: “That's too secure, fuck yourself”
Me: What?
Bank: I don't like those characters
Me: Types new password
Bank: “You misspelled it once and you can't see it, fuck yourself”
Me: “OK” uses password generator
Bank: “We don't allow copy-paste, fuck yourself”
Bank: “You did it too much. Gotta call us. 3 hour wait.” :)

What is the best IT torture? Because it's this
#security #design #login #banks #infosec #it

mysk, to infosec

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security

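The point above, that the seed is the whole secret, as an added worked example (not code from mysk or from Google's app): a minimal RFC 4226/6238 HOTP/TOTP implementation that pulls the seed out of a constructed otpauth:// URI of the kind a 2FA QR code encodes, and shows that whoever holds that seed produces exactly the codes a server will accept. The URI, account name and issuer are made-up sample values; the seed is the RFC 6238 reference key.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def seed_from_otpauth(uri: str) -> bytes:
    """Extract the raw seed from an otpauth:// URI (what a 2FA QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding QR payloads usually omit
    return base64.b32decode(b32)


def hotp(seed: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept adjacent time steps to tolerate clock drift."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


# Constructed sample URI carrying the RFC 6238 reference seed "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    seed = seed_from_otpauth(SAMPLE_URI)
    t = 59  # RFC 6238 test vector time
    print(totp(seed, t))  # 287082
    # Anyone who copied the seed off the QR code, or read it from an unencrypted
    # sync server, computes the same code and passes the server's check:
    print(verify_totp(seed, totp(seed, t), t))  # True
```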

timbray, to random
@timbray@cosocial.ca

1/2 Looking at one of the writeups, this struck my eye: “The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf.” Ah, GNU AutoHell, I remember it well. Tl;dr: With AutoHell, even if you're building for a 19-bit Multics variant from 1988, it’s got your back. Except it’s just too hard to understand and use, thus the above.

north, to bluesky
@north@fosstodon.org

Fuck it.

continues to be entirely non-responsive to the numerous security vulnerabilities I've reported to them, so I spent the evening writing up a nice README and a framework with exploit modules, and just made it all public.

Have fun.

https://github.com/qwell/bsky-exploits

Rairii, to infosec
@Rairii@haqueers.com

I just spent a day or so figuring this out, and CVE-2022-41099 is... really stupid...

I decided to call this "push button decrypt".

Basically, when you boot to WinRE tied to an OS install, keys for the OS volume are derived (this is done by having a SHA-256 hash of a WIM in the BitLocker metadata).

Anyway, WinRE does not require the BitLocker recovery key when choosing "reset my PC" and "remove everything".

When choosing "just remove my files", WinRE starts to decrypt the BitLocker volume at ~98%.

Hard resetting (hard power off / power on) here will reboot back into WinRE and show an error.

Clicking OK on the error will cause a reboot back to the OS, and starts Windows setup, which shows an "upgrade" screen.

...where Shift+F10 works to get a shell, you can then pause the decryption, remove all key protectors, then dump plaintext VMK, decrypt the FVEK with that, and use that FVEK to decrypt a disk image you made earlier.

This is the second time that Shift+F10 in setup to get a shell broke BitLocker.

The fix removes "reset my PC" -> "remove everything" from the list of options that are allowed to start with the OS volume unlocked and without entering a recovery key (leaving only one in place: startup repair).

Because this is an issue with code running in WinRE user mode, this affects legacy integrity validation as well as Secure Boot integrity validation.

chiefgyk3d, to infosec
@chiefgyk3d@social.chiefgyk3d.com

Look what came in the mail: my @purism Librem 5. I am still waiting on my SIM card for the Librem cell service for some testing between that and @Efani, but this will be an interesting review of the battle of the privacy phone ecosystems I have made:
Android/Graphene OS on Pixel 7a and PureOS on Purism Librem 5

rysiek, (edited) to fediverse
@rysiek@mstdn.social

Dear people, I am trying to figure out what OS to use on a 4.

I am considering /e/OS and CalyxOS.

Anyone any opinions on those?

I want a usable de-Googled phone OS. I like /e/OS's Nextcloud integration, but CalyxOS seems to be more up-to-date (already on Android 13, where /e/OS is Android 12). CalyxOS also makes it easier to re-lock the bootloader.

Update: went with CalyxOS for now! Thank you all!

rusty, to infosec French
@rusty@piaille.fr

For two days now I've been fascinated by what's going on in the world of computer security around the XZ backdoor. I'm going to try to explain it to you; it's going to be technical, but it's important.

For the Internet, it's the equivalent of a big asteroid passing 5000 km from Earth. No impact, no direct damage, but it could have wiped us all out and nobody saw it coming.

I'll try to keep it as accessible as possible while giving links to the primary sources, which are often very technical and in English. It's going to be a bit long, but it's fascinating.

1/13

ryanfb, to infosec
@ryanfb@digipres.club

I don't know who needs to hear this but , which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation, which Truth Social doesn't use?)

Scraft161, to infosec
@Scraft161@tsukihi.me

Hardware security key options?

I've been thinking about getting a hardware security key and have heard of YubiKey before, but I want to see what my options are and whether they are worth it in your opinion.
My current setup is a local KeePassXC database (which I sync between my PC and phone and which also acts as my TOTP authenticator app); I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right, but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key should work together with already existing passwords, not replace them.

As I use Linux as my primary OS I do expect it to support it, and anything that doesn't I will have to pass on.

PS: what are the things I need to know about these hardware keys that aren't being talked about too much? I am very much delving into new territory and want to make sure I'm properly educated before I delve in.

@linux @technology @technology @privacy

jkirk, to infosec

Cyber insurer startup Coalition says ransomware attackers are asking for much higher ransoms (average US$1.62M), but it has been able to negotiate the amounts down to 44% of the original demands. Also, ransomware claims are through the roof right now. Another interesting statistic: “When reasonable and necessary,” 36% of Coalition’s policyholders opted to pay a ransom in the first half of this year. https://info.coalitioninc.com/rs/566-KWJ-784/images/Coalition_2023-Claims-Mid-Year-Update.pdf

TiffyBelle, to privacy

Facebook turns over mother and daughter’s chat history to police resulting in abortion charges:

https://www.theverge.com/2022/8/10/23299502/facebook-chat-messenger-history-nebraska-teen-abortion-case

Stories like this remind us why being mindful of protecting one's privacy online is important and that "private" messages in the majority of places aren't private at all without end-to-end encryption.

Be mindful of what sensitive data you're relinquishing to companies.

jerry, to infosec

What emerging threats are you keeping an eye on? What are you doing about them?

simplenomad, to ai
@simplenomad@rigor-mortis.nmrc.org

I’ve said it before and I’ll say it again. Remember that AI like ChatGPT is meant to EVOKE the essence of the right answer, not DEPICT the actual right answer. Yes there are definitely areas of concern. But making ChatGPT “respond inaccurately” is not Skynet coming to wipe you out.

The weird side conversations you end up having at a baby shower with normals…

michael, to infosec
@michael@thms.uk

Just throwing this out there: for my freelancing I often need to share passwords or other secrets with clients. (Or they with me.)

I usually suggest Signal for that, but obviously most people don't have that.

Is there a good (and not too pricey - I only do very few freelance projects, so only need it once every few months) password sharing option for this?

I tried 1Password shared vaults, but even that is just too complex for many of my clients.

Open to self-hosted ideas, as I have a server I could install this on.

Ideally a very simple thing where both my clients can securely input passwords to share with me without having to create an account (secret link and OTP, or something like that) and I can share links with clients.

Any thoughts?

sos, to infosec
@sos@mastodon.gamedev.place

So, Microsoft is silently installing Copilot onto Windows Server 2022 systems and this is a disaster.

How can you push a tool that siphons data to a third party onto a security-critical system?

What privileges does it have upon install? Who thought this is a good idea? And most importantly, who needs this?

#infosec #security #openai #microsoft #windowsserver #copilot

chiefgyk3d, to mastodon
@chiefgyk3d@social.chiefgyk3d.com

Articles like this showcase why it's so hard to take many tech journalists seriously. The guy couldn't even figure out the simple task of joining a Mastodon server at, say, Mastodon.social and then migrating later or such. So instead he wrote an article about how he couldn't join. Like, dude, way to show your lack of technical ability when most of your readers are probably technically inclined https://www.zdnet.com/article/bluesky-vs-threads-vs-mastodon-if-you-leave-twitter-where-will-you-go/

mttaggart, to infosec

As more walls are raised around gardens and users are even more aggressively preyed upon by greedy corpo overlords, I feel it becomes a community responsibility to arm normal users, not just the tech-savvy, with knowledge and alternatives to break the cycle of exploitation we know drives this business model.

andrewfeeney, to php
@andrewfeeney@phpc.social

and folks, what do you make of this?

https://youtu.be/kQdRT2odUIk

taeluralexis, to infosec

Do y'all study or work on security-related stuff on the weekends? For the most part I do... reading about diff vulnerabilities or doing TryHackMe or writing a script, but sometimes I just chill and do nothing lol. Today I'm on HackTheBox prepping for the interview

simplenomad, (edited) to homelab
@simplenomad@rigor-mortis.nmrc.org

If you’re wanting to run something in, let’s say a then or what? Curious, especially from the crowd.
