Danie van der Merwe

gadgeteer@hub.netzgemeinde.eu

Oasis Security Research Team Discovers Microsoft Azure MFA Bypass: We Expect More From An Enterprise Provider Though

3 months ago
gadgeteer@hub.netzgemeinde.eu
Oasis Security's research team uncovered a critical vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching.

The bypass was simple: it took around an hour to execute, required no user interaction, and did not generate any notification or provide the account holder with any indication of trouble.

The news surfaced now in the last week, so Microsoft has addressed the issue already. For me, though, the real news is that a global, enterprise-level IT company should not have had such basic guardrails missing. It really appears that Microsoft had knowingly relaxed some measures around its 2FA to allow for convenience. But surely a lack of attack rate limiting is just unforgivable. One of the basics I always employ on my servers and blog is attack rate limiting with lengthy blocks in place. If anyone has to guess a password or 2FA more than 3 times, there is something wrong.

Microsoft has had so many security fumbles over time that it is quite amazing that their monopoly in the workplace goes unchallenged. It seems Microsoft has very little care about their customers, as long as the money is rolling in, and if that eases, they just change the licensing parameters a bit. The recent Microsoft Recall feature was just another example of completely not appreciating their customers' privacy, and that was also only addressed after a major outcry.

Microsoft probably has too much inertia, but actually there are some pretty good alternatives around if one takes a little trouble to rise out of the deep rut. The combination of pretty admin tools, AI, and cloud services has unfortunately made many admins way too lazy today. I think the quality of our admins on the edge is a lot weaker than it used to be two decades back. All this usually means an even greater reliance on Microsoft where it is used in a corporate environment.

Security is about keeping it simple, and having a reasonable depth of knowledge about what is being managed.

See Oasis Security Research Team Discovers Microsoft Azure MFA Bypass

Critical vulnerability could have allowed malicious actors to gain unauthorized access to users’ Microsoft accounts.


#technology #security #2FA #vulnerability
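As an added illustration of the attempt limiting the post calls for (this is not code from the original post, from Oasis Security, or from Microsoft), here is a small per-account OTP verifier that counts failures on the account rather than on the login session, locks the account after a threshold, and writes audit events a detection team can alert on. The threshold of 3, the 30-minute lockout, the account name and the codes are constructed values chosen for the example.

```python
"""Attempt-limited OTP verification with lockout (added example, not the page's code)."""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 3            # constructed policy: the post's "more than 3 times" threshold
LOCKOUT_SECONDS = 30 * 60   # constructed policy: a lengthy block once the threshold is hit


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    pending_code: Optional[str] = None   # code issued for the current login; None once used


class OtpVerifier:
    """Per-account limiter. Failure counts live on the account, not on the login
    session, so abandoning a login and starting a new one does not reset them."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}
        self.audit: List[Tuple[str, str]] = []   # (account, event) records for the SOC

    def _state(self, account: str) -> AccountState:
        st = self._accounts.setdefault(account, AccountState())
        # An expired lockout clears itself and resets the failure counter.
        if st.locked_until and self._clock() >= st.locked_until:
            st.locked_until = 0.0
            st.failures = 0
        return st

    def issue(self, account: str, code: str) -> bool:
        """Register the code sent to the user. Refused while the account is locked."""
        st = self._state(account)
        if self._clock() < st.locked_until:
            self.audit.append((account, "issue_refused_locked"))
            return False
        st.pending_code = code
        return True

    def verify(self, account: str, submitted: str) -> str:
        st = self._state(account)
        now = self._clock()
        if now < st.locked_until:
            self.audit.append((account, "attempt_while_locked"))
            return "locked"
        if st.pending_code is None:
            return "no_code"
        # Constant-time comparison so timing does not leak how many characters matched.
        if hmac.compare_digest(st.pending_code, submitted):
            st.pending_code = None
            st.failures = 0
            self.audit.append((account, "otp_success"))
            return "ok"
        st.failures += 1
        self.audit.append((account, "otp_failure"))
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.pending_code = None   # the outstanding code dies with the lockout
            self.audit.append((account, "lockout"))
            return "locked"
        return "wrong"


def max_guesses_per_hour() -> float:
    """Upper bound on guesses an attacker gets per account per hour under this policy."""
    return MAX_FAILURES * 3600 / LOCKOUT_SECONDS


if __name__ == "__main__":
    clock = [1_000.0]                       # constructed, controllable clock
    v = OtpVerifier(clock=lambda: clock[0])
    v.issue("alice", "123456")
    for guess in ("000000", "111111", "222222", "123456"):
        print(guess, "->", v.verify("alice", guess))
    clock[0] += LOCKOUT_SECONDS + 1
    v.issue("alice", "654321")
    print("after lockout ->", v.verify("alice", "654321"))
    print("audit:", v.audit)
    print("guesses/hour bound:", max_guesses_per_hour())
```

The design choice worth noting is where the counter lives: with it on the account, restarting the login flow cannot buy fresh attempts, and the `lockout` audit event gives a SOC a concrete signal to alert on rather than relying on the user to notice.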
An old Bluetooth vulnerability shows why it is vital that all OSes get updated regularly

1 year ago
gadgeteer@hub.netzgemeinde.eu
Bluetooth vulnerability exposes Android, Linux, MacOS, and iOS devices. Hackers can access your device without special hardware and run commands without your consent.

Security fix for Android 11 through 14 available, but older versions remain vulnerable. ChromeOS has been patched, but Linux-based OSs are still prone to hacking.

Some OSes update better, or are supported longer, than others. This is where Android especially suffers, as many phones only got two years of OEM updates.

If you have an Android, in particular, a bad actor could access your device if Bluetooth is simply enabled. The hack is possible on Linux if Bluetooth is discoverable, and iOS and MacOS devices that have Bluetooth enabled with a paired Magic Keyboard are vulnerable as well.

It requires nearby access, though, so this may not be very high risk unless you regularly attend conferences and spend a day sitting in such a place.

One also wants to factor into new purchases how long a device will get updates in future.

See An 11-year-old bug could render your Android device prone to an attack

Some Android users will get a patch for a big security vulnerability, but not all


#technology #security #Bluetooth #vulnerability
Cult of the Dead Cow releases Veilid: A secure open-source Peer-to-Peer network for apps that flips off the surveillance economy

1 year ago
gadgeteer@hub.netzgemeinde.eu
DEF CON Infosec super-band the Cult of the Dead Cow has released Veilid (pronounced vay-lid), an open-source project applications can use to connect up clients and transfer information in a peer-to-peer decentralized manner.

The idea being here that apps – mobile, desktop, web, and headless – can find and talk to each other across the internet privately and securely without having to go through centralized and often corporate-owned systems. Veilid provides code for app developers to drop into their software so that their clients can join and communicate in a peer-to-peer community.

If an app on one device connects to an app on another via Veilid, it shouldn't be possible for either client to know the other's IP address or location from that connectivity, which is good for privacy, for instance. The app makers can't get that info, either.

The framework is conceptually similar to IPFS and Tor, but faster and designed from the ground-up to provide all services over a privately routed network. The framework enables development of fully-distributed applications without a 'blockchain' or a 'transactional layer' at their base.

To demonstrate the concept, they have published the code for a chat app called Veilid. Veilid is designed with a social dimension in mind, so that each user can have their personal content stored on the network, but also can share that content with other people of their choosing, or with the entire world if they want. The primary purpose of the Veilid network is to provide the infrastructure for a specific kind of shared data: social media in various forms. That includes light-weight content such as Twitter's tweets or Mastodon's toots, medium-weight content like images and songs, and heavy-weight content like videos. Meta-content such as personal feeds, replies, private messages, and so forth are also intended to run atop Veilid.

The easiest way to help grow the Veilid network is to run your own node. Every user of Veilid is a node, but some nodes help the network more than others. These network support nodes are heavier than the node a user would establish on their phone in the form of a chat or social media application. A cloud-based virtual private server (VPS), such as Digital Ocean Droplets or AWS EC2, with high bandwidth, processing resources, and uptime availability is crucial for building the fast, secure, and private routing that Veilid is built to provide.

The interesting thing for me here is that usually, with peer-to-peer client apps, they need to know, or be able to discover, the IP addresses of other P2P client apps in order to connect over the Internet. This is obviously a major privacy issue, but without it being able to happen, a P2P network cannot be established. So, I'll be interested to read more about how they have solved this in a workable manner.

Peer-to-peer networks have always been the most censorship resistant, full ownership of identity, etc, but the downsides were the IP address advertisement, the difficulty of finding anyone else on the network, and often having a separate identity for every device. The closest I've seen so far in addressing the shortcomings has been the Nostr protocol. So, I'll be following discussions on Nostr about this to get a better idea of how Veilid compares with Nostr.

The questions really for most will be, how easy and practical will Veilid be for average users to use, and how will it fit in with the W3C standard declared for social networking (will it be yet another extra social network).

See Cult of the Dead Cow unveils Veilid peer-to-peer project

‘It’s like Tor and IPFS had sex and produced this thing’


#technology #socialnetworks #privacy #Veilid #P2P
1 year ago
heapwolf@fosstodon.org
@gadgeteer Nostr relays ARE servers. They can come and go, but the network relies on those servers to operate.
1 year ago
gadgeteer@hub.netzgemeinde.eu
@HEAPWOLF ah got it, but yes you're very right. A lot does come down to loud marketing. The Zot protocol was also very good with its nomadic ID etc, but it did not win over ActivityPub.
1 year ago
heapwolf@fosstodon.org
@gadgeteer IP addresses can’t be “hidden”, but they don’t need to be if the packets are handled properly. There is also an endless amount of cryptographic protocols you can experiment with on top of socket, but Nostr and Veilid have their cryptographic protocols baked in.
Both the TETRA radio and Microsoft Azure Cloud vulnerabilities are 'Negligent Security Practices' and 'Security Through Obscurity' is not secure

1 year ago
gadgeteer@hub.netzgemeinde.eu
Listening to Steve Gibson's feedback today on the Security Now podcast #934 made me realise that both companies knew about the vulnerabilities but were extremely lax about doing anything (probably both trusting in their security by obscurity). Both also put government data and communications at risk globally.

It's yet again a lesson on two fronts:
1. Obscurity is no good defence against, especially, state level actors. The same goes for proprietary encryption algorithms. You actually require transparency and interrogation around what is used, and re-inventing the wheel yourself is risky. The same goes for security backdoors, as they're going to become known at some point.
2. There needs to be some legislative requirement for companies to urgently declare vulnerabilities, and to patch them. In both the cases here, months went by without any action.

Maybe both these companies are just too big, but it also goes to show that bigger, or more secretive, is just not better. I suppose both don't want to risk their global government business, but this could actually have put lives at risk.

Security through obscurity is no reliable strategy, and should again be a warning against those who think it is fine to have a security backdoor just for governments to use. It's a bad idea. You either have security, or you don't. There is no such thing as 80% secure.

The Microsoft case is highly embarrassing, and it is no wonder that the US is going to try to investigate it. All the noise about Huawei, and the real problems were right in the US's own backyard, committed by US companies. All products need the same levels of scrutiny, no matter what country they belong to. Intention and negligence can often amount to the identical consequences.

With both these vendors now, we've also seen their technology being peddled to non-allies of the US, so that the vulnerabilities could be exploited. It's also a lesson to other governments to be very careful about what promises are made, and to remember even your 'allies' are not your friends. It is no wonder that the BRICS countries all wanted to implement their own operating systems for use across their governments (mostly self-compiled and localised Linux distros). Now we know why...

And of course, with some of Microsoft's products, once used, it may not be easy to actually switch to someone else (which is, in itself, possibly part of the problem on both sides). How does the US government actually carry through any threat not to use Microsoft? The cost, and time, to move off Huawei network hardware would pale into insignificance.

This is why security standards, interoperability standards, etc just cannot be compromised on. The standards need to be enforced no matter who the vendor is. I have myself seen standards being bent, where it is better just to say you won't procure the product in the name of 'modernisation'.

See View PDF

#technology #security #vulnerabilities #openstandards
European radio standard TETRA has had a baked in vulnerability known for years by the vendors: Open standards are a better way to go

1 year ago
gadgeteer@hub.netzgemeinde.eu
For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or re-route trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission-critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

While the TEA1 weakness has been withheld from the public, it’s apparently widely known in the industry and governments. The issue really is that these proprietary algorithms are not subjected to the scrutiny that the open standards ones are. With a proprietary algorithm you are placing all your trust in only that vendor, and if they know about a vulnerability for years without telling you, you're just not going to know. But as we've seen many times, that does not mean someone else has not found it, and may be quietly exploiting it for a long time already.

As we also see in this very linked article, governments are no more trustworthy, as they will deliberately sell something with vulnerabilities to another country, which they think they can maybe later exploit if the need arises.

An open standard is interrogated publicly to find potential weaknesses. It is why so many researchers say it is better to adopt open standards encryption algorithms which are proven, rather than to try to be clever and develop your own one.

TETRA is also used widely in South Africa by emergency personnel. It is anyway always better to assume someone is listening in on your radio messages, than to think it is 100% secure. The advice to TETRA radio users is to check with their vendors where any patch or mitigation is available.

See Code Kept Secret for Years Reveals Its Flaw—a Backdoor

A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty.


#technology #radio #TETRA #vulnerability #security
Inaudible ultrasound attack can stealthily control your phone, smart speaker

2 years ago
gadgeteer@hub.netzgemeinde.eu
The team of researchers consists of professor Guenevere Chen of the University of Texas in San Antonio (UTSA), her doctoral student Qi Xia, and professor Shouhuai Xu of the University of Colorado (UCCS).

The team demonstrated NUIT attacks against modern voice assistants found inside millions of devices, including Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa, showing the ability to send malicious commands to those devices.

The main principle that makes NUIT effective and dangerous is that microphones in smart devices can respond to near-ultrasound waves that the human ear cannot, thus performing the attack with minimal risk of exposure while still using conventional speaker technology.

We've actually heard about these near-ultrasound attacks before, but further work has been done on demonstrating how it can work. It does not require someone to be nearby the listening device at all, as it can be transmitted inaudibly to the human ear during a Zoom call, or even via a YouTube video.

So yes, absolutely nothing special required for this to work. The bigger challenge to the attacker is finding someone who actually has smart speakers to respond with, and them having some or other automation that can be weaponised. But that said, almost everyone has a smartphone or two, and many have default Siri, Alexa or Google Assistant standing by to tell them what the weather forecast is for today. Many of those assistants can also perform phone actions like enable WiFi, open a specific website, disable screen lock, and much more...

If you can authenticate on your smart device using your own vocal fingerprint, it is recommended that you activate this additional security method. Chen also advised that users monitor their devices closely for microphone activations, which have dedicated on-screen indicators on iOS and Android smartphones. And just using earphones also cuts out that sound being able to travel to smart speakers.

See Inaudible ultrasound attack can stealthily control your phone, smart speaker

#technology #security #smartassistants #smartspeaker #vulnerability

American university researchers have developed a novel attack which they named "Near-Ultrasound Inaudible Trojan" (NUIT) that can launch silent attacks against devices powered by voice assistants, like smartphones, smart speakers, and other IoTs.
Zurich-based ETH research university: Threema billed as better than Signal was riddled with 7 different vulnerabilities

2 years ago
gadgeteer@hub.netzgemeinde.eu
Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy “no other chat service” can offer. Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE.

Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger. It’s among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing.

There’s no evidence that any of the flaws have been actively exploited, and the first two attacks, 1.1 and 1.2, are likely out of reach of all but the most skilled and well-resourced attackers. By contrast, attacks 2.1, 2.2, and 2.3, which rely on a compromised Threema server, are easy to carry out on either an on-premises server operated by an organization or on Threema itself. It would also be easy for an attacker to conceal such exploits.

Most vulnerabilities are said to have been addressed, but the Ibex protocol has not yet been audited.

It goes to show again though that even though external security audits were done previously, these issues were not identified. There is still some doubt being cast on Threema's basic designs. Just because a claim is made that something is secure, does not necessarily mean it is actually secure...

See Messenger billed as better than Signal is riddled with vulnerabilities

#technology #security #Threema #vulnerability

Threema comes with unusually strong claims. They crumble under new research findings.
University of Waterloo has developed a drone-powered device that can use Wi-Fi networks to 'see' Wi-Fi devices through walls: No software patch possible

2 years ago
gadgeteer@hub.netzgemeinde.eu
The device, nicknamed Wi-Peep, can fly near a building and then use the inhabitants' Wi-Fi network to identify and locate all Wi-Fi-enabled devices inside in a matter of seconds.

The Wi-Peep exploits a loophole the researchers call polite Wi-Fi. Even if a network is password protected, smart devices will automatically respond to contact attempts from any device within range. The Wi-Peep sends several messages to a device as it flies and then measures the response time on each, enabling it to identify the device's location to within a meter.

"The Wi-Peep devices are like lights in the visible spectrum, and the walls are like glass," Abedi said. "Using similar technology, one could track the movements of security guards inside a bank by following the location of their phones or smartwatches. Likewise, a thief could identify the location and type of smart devices in a home, including security cameras, laptops, and smart TVs, to find a good candidate for a break-in. In addition, the device's operation via drone means that it can be used quickly and remotely without much chance of the user being detected."

This vulnerability relates to the location and type of devices, so is not about any access to your devices or network. It's great for thieves, for example, to see where your smart TVs are located in a home, and where the occupants' phones are presently. But it's also great for hostage rescuers to see where hostages are grouped in a bank vs others moving around.

As it is hardware related, there is no possible software patch, and we'll need to wait for newer Wi-Fi hardware devices to be rolled out.

See Researchers discover security loophole allowing attackers to use Wi-Fi to see through walls

#technology #security #privacy #wipeep #vulnerability

A research team based out of the University of Waterloo has developed a drone-powered device that can use Wi-Fi networks to see through walls.
Lorenz ransomware now uses a critical vulnerability in Mitel MiVoice VoIP appliances to breach corporate networks

2 years ago
gadgeteer@hub.netzgemeinde.eu
This is an important addition to the gang's arsenal, given that Mitel Voice-over-IP (VoIP) products are used by organizations in critical sectors worldwide (including government agencies), with over 19,000 devices currently exposed to attacks over the Internet, per security expert Kevin Beaumont.

Mitel has addressed the vulnerability by releasing security patches in early June 2022 after releasing a remediation script for affected MiVoice Connect versions in April.

Makes a lot of sense as VoIP phone systems are nothing other than network devices, but are not often part of the regular IT patching and updating, yet they are all connected to the network, with wonderful "external connectivity" all of their own.

See Lorenz ransomware breaches corporate network via phone systems

#technology #ransomware #VoIP #vulnerability #security

The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises using their phone systems for initial access to their corporate networks.
Critical flaws in $20 Micodus MV720 GPS tracker enable “disastrous” and “life-threatening” hacks

2 years ago
gadgeteer@hub.netzgemeinde.eu
A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

Ouch, and the point often being that really cheap devices often have not had all the R&D done on securing them. For basic location this may not be serious, but where it is controlling access, alarm systems, shipping, and such like, it does start getting quite serious.

See Critical flaws in GPS tracker enable “disastrous” and “life-threatening” hacks

#technology #security #vulnerabilities #GPS #tracking

China-based Micodus has yet to patch critical vulnerabilities in MV720 GPS tracker.