201
3
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!

202
7
submitted 2 years ago by [email protected] to c/[email protected]
203
34
submitted 2 years ago by [email protected] to c/[email protected]
204
7
submitted 2 years ago by [email protected] to c/[email protected]

** Late post sorry!! ** - Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

205
30
submitted 2 years ago by [email protected] to c/[email protected]

Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems.

206
14
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

207
1
submitted 2 years ago by [email protected] to c/[email protected]

Hello everyone!

My name is Anton Kachanov, I am an information security specialist and I have 7 years of experience in developing different secure solutions for the pharmaceutical industry and for some big international binary trading platforms.

Every year we have fewer and fewer rights to privacy online. Our messages and our files from online storage may be easily disclosed to third parties. And our money from online payment systems may be easily stolen.

It doesn’t have to be this way, and today I will look at several real cases of privacy violations and talk about my products and how I am going to ensure the privacy of my online life and, I hope, yours.

Messengers

In 2023 our life is impossible without messengers. I use various instant messengers every day at work and at home. It’s free, fast and easy. But I would also like it to be safe and private.

Unfortunately, all well-known and widely used instant messengers are not safe and private.

On the Tor network it is easy to find a person willing to hack your account in Viber, WhatsApp, Telegram, Facebook and Instagram for only 100–200 dollars.

In addition, using your messenger, it is easy to violate human rights. One of my acquaintances from Russia was the admin of a small group on Telegram and he actively spoke out against the war between Russia and Ukraine in this group. In Russia, a criminal case was opened against him for insulting government officials and slander.

In addition, for the last couple of years I have been regularly receiving spam from scammers 2–3 times a month.

All this prompted me to create my own messenger called “Mystery Messenger”. It does not have the shortcomings that I indicated above.

The main highlight of my messenger is the lack of registration. You don’t need to create an account and you don’t need to verify your phone number.

All information about yourself like avatar, name, last name, and all messages will be stored on your device. No need to worry about free space on your phone. In fact, it does not take up as much space as it might seem at first glance. All instant messengers store local copies of all your messages on your phone to reduce the load on their servers.

Due to the fact that your account is not stored on the server, it is impossible to find you on the server by name or by telephone number. This will completely rid you of spammers and scammers.

To start a new chat with somebody, you need to share your QR-code with him. After that, he will be saved in your contacts list and you will be able to write to him any time.

All messages and all information about you will be encrypted with an asymmetric cipher on your device and sent to your counterpart in encrypted form through my servers, and will be completely deleted from the server after they are received.

So if someone hacks my server, they won’t be able to get access to all your messages. And even if they get access to one or two of your undelivered messages, they will not be able to read them. I also will not be able to read your messages because, using an asymmetric cipher, only the sender and the recipient can decrypt them. You can read more about asymmetric ciphers on the internet.

I have already developed the server and the client application will be available in May 2024.

This and other projects you can find on my official website. The link will be at the end of this article.

Cloud storage

Today, cloud storage is a popular and most convenient way to store your data.

Firstly, you save space on your device. Secondly, it is very convenient to share your data with anyone. This is convenient for individual use and for business.

However, today cloud-based storage is one of the leading targets for hackers:

  • In 2022 39% of businesses experienced a data breach in their cloud environment;
  • In 2023 75% of businesses said more than 40% of data stored in the cloud is sensitive (on average only 45% of this sensitive data is encrypted).

Giants that provide cloud storage services, such as Google, Microsoft and Dropbox, don’t want to provide reliable protection of users’ data!

Unfortunately, until recently I was forced to choose one of the existing public solutions, but last month I launched beta testing of my secure online storage “FortressCloud”. And anyone can participate in beta testing and give me feedback on how I can make it better.

The main highlight of my solution is the key generation algorithm.

Each file will be encrypted with a set of unique keys, so one file will be separated into many chunks and each chunk will be encrypted with its own unique key! Decryption keys or their hash sums are not stored either on the server or on the user’s device.

Keys will be generated on the fly using your key-phrase on the client side; after that the file will be encrypted on your device and sent to the server in encrypted form.

Thus, hacking my server or even a user’s personal device usually will not allow an attacker to gain access to files stored in the cloud!

This and other projects you can find on my official website. The link will be at the end of this article.

Finance

Today, many of us use different payment systems for quick transfers to other countries. It’s easy and fast.

But finding a reliable and proven solution is not easy. Some payment systems are unreliable and some allow themselves to block customer accounts, sometimes without giving reasons.

Personally, I have a problem with several payment systems that I use. So I’m Russian and I live in Cyprus, but I do not have citizenship and I recently renewed my residence permit.

Despite the fact that I submitted an application for renewal of the permit a month before the expiration of the first one, I received a new one 1.5 months after the expiration of the old one.

And many payment systems just froze my accounts until I provided them with a renewed document. This was honestly earned money, on which taxes were paid. But payment systems don’t care.

But for today, to avoid such problems, you can use cryptocurrencies. Many crypto wallets do not require you to verify your identity, and you will not have the same problems as I did. But many people do not understand what cryptocurrencies are and how to work with them.

My payment system, called “Black” (It’s not racism, it’s just my favorite color. Sorry), should solve this problem.

Firstly, it does not require identification confirmation. And secondly, my product will allow you to deposit crypto (or easily buy it with P2P payments) and convert it to any of 159 fiat currencies without commissions inside the “Black” system. You can use dollars, euros, Swiss francs, pounds sterling and many other currencies inside “Black”.

You will be able to withdraw it to your crypto-wallet or to your bank card with P2P payments.

In the future, it is planned to add the ability to pay for purchases, but now I have an MVP where you can just make a deposit from your crypto-wallet to your “Black” account, convert to any of 159 currencies, send and receive money in a useful fiat currency from other customers and withdraw it to your crypto-wallet.

This and other projects you can find on my official website. The link will be at the end of this article.

Before conclusion

While working on the above products I asked myself a question:

Having given the world anonymous messengers, anonymous cloud storage and even an anonymous payment system, will criminals use my products?

I have researched this issue, and I have a strong answer: “NO”. Criminals develop and use their own anonymous solutions. They will never trust and use third-party services.

So my projects will in no way increase the number of criminals and, unfortunately, will not reduce their number in any way.

But my projects will help make the online life private for everyone. I believe that every person deserves it.

Conclusion

Thank you for reading this article to the end.

I tried to make this article as short as possible and include only key highlights of my solutions to this article.

But if you are interested, you can find more details on my official website: https://akachanov.org/

There you can learn more about me and about all my projects, and contact me for any reason.

I will be glad to receive any feedback, advice and any support for my projects. All of them are currently being developed by one person and have no funding.

Best regards.

208
6
submitted 2 years ago by [email protected] to c/[email protected]
209
5
submitted 2 years ago by [email protected] to c/[email protected]
210
6
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!

211
11
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

212
14
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

213
13
submitted 2 years ago by [email protected] to c/[email protected]
214
11
submitted 2 years ago by [email protected] to c/[email protected]

I am reading a lot about this currently.

Basically:

  • podman, flatpak, some browsers use user namespaces to isolate activities from the main system
  • they are widely used as a security measure
  • on Linux Flatpak uses them, as bubblewrap creates new user namespaces for each application
  • Flatpakked browsers can't use user namespaces themselves, as this is not compatible with flatpak. So their security, especially in Chromium, is reduced.

But that is as far as I go. The hardened Linux Kernel disables user namespaces. There is bubblewrap-suid which avoids using user namespaces.

Unflatpakked browsers are more secure as they can use their builtin sandbox to do things like tab isolation. But does this even work when user namespaces are disabled, or does this also break sandboxing?

Are user namespaces secure, is not using them even worse, what are hidden implications?

I also read that firejail runs as root, so if it has a security hole the sandboxed program can get root privileges. Isn't that the same with bubblewrap-suid?

215
2
submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/[email protected]

I bought this display. I've read a few reviews, most are positive, but some say it doesn't work with the pwnagotchi. Can anyone tell me how to enable this display?

216
7
submitted 2 years ago by [email protected] to c/[email protected]

Introducing Threat Thursday! Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!

217
4
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

218
9
submitted 2 years ago by [email protected] to c/[email protected]

I talk about a report I made to MSRC at the beginning of the year regarding vscode.

It's a bit different. There's no in depth technical stuff, because I basically just reported the feature, not a bug.

219
4
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

220
10
submitted 2 years ago by [email protected] to c/[email protected]
221
35
submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/[email protected]

  • Security researchers have discovered new Bluetooth security flaws that allow hackers to impersonate devices and perform man-in-the-middle attacks.
  • The vulnerabilities impact all devices with Bluetooth 4.2 through Bluetooth 5.4, including laptops, PCs, smartphones, tablets, and others.
  • Users can do nothing at the moment to fix the vulnerabilities, and the solution requires device manufacturers to make changes to the security mechanisms used by the technology.

Research paper: https://dl.acm.org/doi/pdf/10.1145/3576915.3623066

Github: https://github.com/francozappa/bluffs

CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-24023

222
7
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

223
15
submitted 2 years ago by [email protected] to c/[email protected]
224
10
submitted 2 years ago by [email protected] to c/[email protected]

(Final) Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

NOTE: I’ve decided to sunset this weekly thread. Doesn’t seem like there’s much interest by the community in this discussion at this time.

225
14
submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/[email protected]

cross-posted from: https://links.hackliberty.org/post/454425

When I visit this post:

https://jlai.lu/post/2250911

the embedded short abstract intro to the article is “403 Blocked www.lecho.be” When I try visiting the link directly I get “403 bot detection”. This suggests that everyone who opens that thread independently visits that webpage by way of some javascript that’s not under the user’s control. If 1000 people open that thread, then 1000 separate fetches are made. That’s a poor design. The server could do that job just once and the results would be more reliable. As opposed to everyone getting different results.

This is also a #privacy #security bug. Someone who opens a thread does not necessarily intend to fetch the linked article. Non-tor users are under surveillance in some countries (e.g. the US, where Trump enacted law s.t. ISPs can collect data on users without consent). So they should have control over what sites they visit. Merely opening a thread is an abuse because it makes users actions instantly trackable. IOW, users share information with their ISP without their knowledge or control.

Note that the example thread shows the full text of the article because the author was diligent about copying it. But that’s not the general case.

#bug #lemmyBug

cybersecurity

4413 readers
7 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
