cross-posted from: https://lemmy.ml/post/4958656

Chrome was updated September 11

Electron updated September 12

Matrix Element Desktop updated September 15, without a changelog or advisory. (The Element update on September 13 did not include the updated electron with the fix; today's update does, according to their announcement on Matrix.)

Many/most electron apps don't receive timely security updates, so if you don't want arbitrary images to be able to get code execution you might want to stop using them.

cross-posted from: https://infosec.pub/post/2466014

This is my first write-up, on a vulnerability I discovered in iTerm2 (RCE). Would love to hear opinions on this. I tried to make the writing engaging.

The machine is running Windows 11

We're happy to announce that we were successfully able to initiate a BusKill lockscreen trigger using a 3D-printed BusKill prototype!

Watch the 3D Printable BusKill Proof-of-Concept Demo for more info youtube.com/v/Q-QjHelRvvk

via @Goldfishlaser@lemmy.ml

What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.

Why?

While we do what we can to allow at-risk folks to purchase BusKill cables anonymously, there is always the risk of interdiction.

We don't consider hologram stickers or tamper-evident tape/crisps/glitter to be sufficient solutions to supply-chain security. Rather, the solution to these attacks is to build open-source, disassembleable, and easily inspectable hardware whose integrity can be validated without damaging the device and without sophisticated technology.

Actually, the best way to confirm the integrity of your hardware is to build it yourself. Fortunately, printing your own circuit boards, microcontroller, or silicon has a steeper learning curve than a BusKill cable -- which is essentially just a USB extension cable with a magnetic breakaway in the middle.

Mitigating interdiction via 3D printing is one of many reasons that Melanie Allen has been diligently working on prototyping a 3D-printable BusKill cable this year. In our latest update, we hope to showcase her progress and provide you some OpenSCAD and .stl files so you can experiment with building your own and help test and improve our designs.

Print BusKill

If you'd like to reproduce our experiment and print your own BusKill cable prototype, you can download the stl files and read our instructions here:

• buskill.in/3d-print-2023-08/

Iterate with us!

If you have access to a 3D Printer, you have basic EE experience, or you'd like to help us test our 3D printable BusKill prototype, please let us know. The whole is greater than the sum of its parts, and we're eager to finish-off this 3D printable BusKill prototype to help make this security-critical tool accessible to more people world-wide!

cross-posted from: https://lemdro.id/post/190327 (!android@lemdro.id)

Every so often a piece of security research will generate a level of excitement and buzz that's palpable. Dan Kaminsky's DNS bug, Barnaby Jack's ATM Jackpotting, Chris Valasek and Charlie Miller's Jeep hacking escapades. There's something special about the overheard conversations, the whispered sightings of the superstar du jour, and the packed-to-the-rafters conference hall. These moments have delivered something more than just research: they delivered entertainment.

Stagefright was one of these big moments. A frenzied feeling in the air, a willing showman, and a message to deliver. Mobile security was broken, seriously broken.

It's been 8 years since Stagefright's careful dissection of Android's remote security posture, and it seems like a great time to revisit the event and its aftermath. Like any great piece of research, Stagefright changed the world, and it's only with hindsight that it's really possible to understand how.

See article for more.

I was organizing and cleaning my mail today, and I saw a mail from a few days ago that I left unread.

This is a copypaste of that mail:

Hello!

Unfortunately, there are some bad news for you. Around several months ago I have obtained access to your devices that you were using to browse internet. Subsequently, I have proceeded with tracking down internet activities of yours.

Below, is the sequence of past events: In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online). Clearly, I have effortlessly logged in to email account of yours (contact@vis4valentine.com).

A week after that, I have managed to install Trojan virus to Operating Systems of all your devices that are used for email access. Actually, that was quite simple (because you were clicking the links in inbox emails). All smart things are quite straightforward. (>_<)

The software of mine allows me to access to all controllers in your devices, such as video camera, microphone and keyboard. I have managed to download all your personal data, as well as web browsing history and photos to my servers. I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history. My virus unceasingly refreshes its signatures (since it is driver-based), and hereby stays invisible for your antivirus.

So, by now you should already understand the reason why I remained unnoticed until this very moment...

While collecting your information, I have found out that you are also a huge fan of websites for adults. You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun. I have recorded several kinky scenes of yours and montaged some videos, where you reach orgasms while passionately masturbating.

If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos with your friends, relatives and even colleagues. It is also not a problem for me to allow those vids for access of public as well. I truly believe, you would not want this to occur, understanding how special are the videos you love watching, (you are clearly aware of that) all that stuff can result in a real disaster for you.

Let's resolve it like this: All you need is $1450 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that kinky stuff without delay. Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises.

That is quite a fair deal with a low price, bearing in mind that I have spent a lot of effort to go through your profile and traffic for a long period. If you are unaware how to buy and send bitcoins - it can be easily fixed by searching all related information online.

Below is bitcoin wallet of mine: 13g3WtdxuoB9AVyy54QW9xxbDtFjE2iNHk

You are given not more than 48 hours after you have opened this email (2 days to be precise).

Below is the list of actions that you should not attempt doing:

Do not attempt to reply my email (the email in your inbox was created by me together with return address). Do not attempt to call police or any other security services. Moreover, don't even think to share this with friends of yours. Once I find that out (make no doubt about it, I can do that effortlessly, bearing in mind that I have full control over all your systems) - the video of yours will become available to public immediately. Do not attempt to search for me - there is completely no point in that. All cryptocurrency transactions remain anonymous at all times. Do not attempt reinstalling the OS on devices of yours or get rid of them. It is meaningless too, because all your videos are already available at remote servers.

Below is the list of things you don't need to be concerned about:

That I will not receive the money you transferred.

• Don't you worry, I can still track it, after the transaction is successfully completed, because I still monitor all your activities (trojan virus of mine includes a remote-control option, just like TeamViewer).

That I still will make your videos available to public after your money transfer is complete.

• Believe me, it is meaningless for me to keep on making your life complicated. If I indeed wanted to make it happen, it would happen long time ago!

Everything will be carried out based on fairness!

Before I forget...moving forward try not to get involved in this kind of situations anymore! An advice from me - regularly change all the passwords to your accounts.

The thing is, this was sent on July 13 and I just opened it today. So I went through the 48 hours without paying and nothing happened, didn't send any more mail and my family and friends certainly had not gotten any videos of my jerking off. Also the language is very vague. " You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun." That could apply to almost anyone. If someone tried to black mail me, they gotta be more specific.

Also, a trojan? I use GNU/Linux and most of my current devices are Raspberry Pi's because my main computer died and I'm waiting for a new laptop to ship. And I never used TeamViewer in my life.

BTW my mail is public, so I'm not concerned about being doxxed lol.

I changed my mail password which is a painless process and needed to be updated anyway.

What do you think? Should I watch my back?

Also here: https://www.malwarebytes.com/blog/news/2023/07/act-now-unpatched-zimbra-vulnerability-is-actively-exploited

https://web.archive.org/web/20230624215234/https://www.bleepingcomputer.com/news/security/moveit-breach-impacts-genworth-calpers-as-data-for-32-million-exposed/

https://web.archive.org/web/20230624215237/https://www.bleepingcomputer.com/news/security/university-of-manchester-confirms-data-theft-in-recent-cyberattack/

https://web.archive.org/web/20230624162555/https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-fortinac-remote-command-execution-flaw/

After being scammed into thinking her daughter was kidnapped, an Arizona woman testified in the US Senate about the dangers side of artificial intelligence technology when in the hands of criminals.

Jennifer DeStefano told the Senate judiciary committee about the fear she felt when she received an ominous phone call on a Friday last April.

Thinking the unknown number was a doctor’s office, she answered the phone just before 5pm on the final ring. On the other end of the line was her 15-year-old daughter – or at least what sounded exactly like her daughter’s voice.

“On the other end was our daughter Briana sobbing and crying saying ‘Mom’.”

Briana was on a ski trip when the incident took place so DeStefano assumed she injured herself and was calling let her know.

DeStefano heard the voice of her daughter and recreated the interaction for her audience: “‘Mom, I messed up’ with more crying and sobbing. Not thinking twice, I asked her again, ‘OK, what happened?’”

She continued: “Suddenly a man’s voice barked at her to ‘lay down and put your head back’.”

Panic immediately set in and DeStefano said she then demanded to know what was happening.

“Nothing could have prepared me for her response,” Defano said.

Defano said she heard her daughter say: “‘Mom these bad men have me. Help me! Help me!’ She begged and pleaded as the phone was taken from her.”

“Listen here, I have your daughter. You tell anyone, you call the cops, I am going to pump her stomach so full of drugs,” a man on the line then said to DeStefano.

The man then told DeStefano he “would have his way” with her daughter and drop her off in Mexico, and that she’d never see her again.

At the time of the phone call, DeStefano was at her other daughter Aubrey’s dance rehearsal. She put the phone on mute and screamed for help, which captured the attention of nearby parents who called 911 for her.

DeStefano negotiated with the fake kidnappers until police arrived. At first, they set the ransom at $1m and then lowered it to $50,000 when DeStefano told them such a high price was impossible.

She asked for a routing number and wiring instructions but the man refused that method because it could be “traced” and demanded cash instead.

DeStefano said she was told that she would be picked up in a white van with bag over her head so that she wouldn’t know where she was going.

She said he told her: “If I didn’t have all the money, then we were both going to be dead.”

But another parent with her informed her police were aware of AI scams like these. DeStefano then made contact with her actual daughter and husband, who confirmed repeatedly that they were fine.

“At that point, I hung up and collapsed to the floor in tears of relief,” DeStefano said.

When DeStefano tried to file a police report after the ordeal, she was dismissed and told this was a “prank call”.

A survey by McAfee, a computer security software company, found that 70% of people said they weren’t confident they could tell the difference between a cloned voice and the real thing. McAfee also said it takes only three seconds of audio to replicate a person’s voice.

DeStefano urged lawmakers to act in order prevent scams like these from hurting other people.

She said: “If left uncontrolled, unregulated, and we are left unprotected without consequence, it will rewrite our understanding and perception what is and what is not truth. It will erode our sense of ‘familiar’ as it corrodes our confidence in what is real and what is not.”