Category: privacy

WDMyCloud Multiple Vulnerabilities

Post author By tongwing
Post date January 9, 2018

Either terrible security practices or malicious intent. Some security research firm found serious backdoor in a range of Western Digital MyCloud devices aimed at personal home or office users.

Several serious security issues were uncovered during my research. Vulnerabilities such as pre auth remote root code execution, as well as a hardcoded backdoor admin account which can NOT be changed. The backdoor also allows for pre auth remote root code execution on the affected device.

— WDMyCloud Multiple Vulnerabilities

WD’s MyCloud vulnerability list grows even longer

privacy security

Critical flaws revealed to affect most Intel chips since 1995 | ZDNet

Post author By tongwing
Post date January 4, 2018

Another huge blow for Intel. The critical flaws in Intel processors allow attackers to gain access to the entire memory space, meaning it could read in-memory contents of running apps like password managers, browsers etc.

Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are “going to haunt us for years.”

Source: Critical flaws revealed to affect most Intel chips since 1995 | ZDNet

privacy security

Experts can hack most CPUs since 2008 over USB by triggering Intel Management Engine flaw

Post author By tongwing
Post date November 14, 2017

Gaining full privileged access to the CPU just by plugging in a USB device? This is as serious as it sounds.

Positive Technologies plans to demonstrate at the next Black Hat conference how to hack over USB into Intel Management Engine of most CPUs since 2008.

Source: Experts can hack most CPUs since 2008 over USB by triggering Intel Management Engine flaw

privacy security

Key Reinstallation Attacks – Breaking WPA2 by forcing nonce reuse

Post author By tongwing
Post date October 17, 2017

A serious weakness in WPA2 can cause sensitive information transmitted over Wifi to be read. KRACK attack is especially bad news for Android and Linux users.

This website presents the Key Reinstallation Attack (KRACK). It breaks the WPA2 protocol by forcing nonce reuse in encryption algorithms used by Wi-Fi.

via Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse

privacy

World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns

Post author By tongwing
Post date September 19, 2017

It’s a sad day for the Web. Yes the controversial EME (Encrypted Media Extensions) – basically an implementation of DRM – is now in all major browsers and the writing’s on the wall. But W3C being complicit in this is just wrong. I’m glad that EFF is taking a strong stand on this important issue.

The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew — and the large corporate members continued to reject any meaningful compromise — the W3C leadership persisted in treating EME as topic that could be decided by one side of the debate. In essence, a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors — and every person who uses the web.

Source: World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns

privacy security

Wanted: Weaponized exploits that hack phones. Will pay top dollar

Post author By tongwing
Post date August 24, 2017

Lucrative exploit market might just swing more people over to the dark side.

Exploit broker Zerodium ups the ante with $500,000 to target Signal and WhatsApp.

Source: Wanted: Weaponized exploits that hack phones. Will pay top dollar

privacy security

Our Copyfish extension was stolen and adware-infested

Post author By tongwing
Post date July 31, 2017

Popular chrome extension gets hijacked.

We log into our developer account and boom – our Copyfish extension is gone! It seems the hackers/thieves/idiots moved it to THEIR developer account. We currently have no access to it!

Our Copyfish extension was stolen and adware-infested

privacy

Roomba’s Next Big Step Is Selling Maps of Your Home to the Highest Bidder

Post author By tongwing
Post date July 25, 2017

Privacy concerns or fearmongering?

The Roomba is generally regarded as a cute little robot friend that no one but dogs would consider to be a potential menace. But for the last couple of years, the robovacs have been quietly mapping homes to maximize efficiency. Now, the device’s makers plan to sell that data to smart home device manufacturers, turning the friendly robot into a creeping, creepy little spy.

Source: Roomba’s Next Big Step Is Selling Maps of Your Home to the Highest Bidder

privacy

Errata Security: How The Intercept Outed Reality Winner

Post author By tongwing
Post date June 6, 2017

Oh wow. You can’t even trust your printer now ‘cos it could expose potentially incriminating information about how you are using it.

The problem is that most new printers print nearly invisibly yellow dots that track down exactly when and where documents, any document, is printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.

Source: Errata Security: How The Intercept Outed Reality Winner

privacy security

How to Accidentally Stop a Global Cyber Attacks | MalwareTech

Post author By tongwing
Post date May 15, 2017

Someone accidentally stopped the ongoing WannaCry attacks by registering a domain.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as it it were registered (which should never happen).

Source: How to Accidentally Stop a Global Cyber Attacks | MalwareTech