Rairii, to infosec

I just spent a day or so figuring this out, and CVE-2022-41099 is... really stupid...

I decided to call this "push button decrypt".

basically when you boot to WinRE tied to an OS install, keys for the os volume are derived (this is done by having a sha256 hash of a wim in the bitlocker metadata)

anyway, WinRE does not require bitlocker recovery key when choosing to "reset my PC" and "remove everything".

When choosing "just remove my files", winre starts to decrypt the bitlocker volume at ~98%.

Hard resetting (hard power off / power on) here will reboot back into WinRE and show an error.

Clicking OK on the error will cause a reboot back to the OS, and starts windows setup which shows an "upgrade" screen.

...where Shift+F10 works to get a shell, you can then pause the decryption, remove all key protectors, then dump plaintext VMK, decrypt the FVEK with that, and use that FVEK to decrypt a disk image you made earlier.

This is the second time that Shift+F10 in setup to get a shell broke bitlocker.

The fix removes "reset my PC" -> "remove everything" from the list of options that are allowed to start with the osvolume unlocked and without entering a recovery key. (leaving only one in place: startup repair)

Because this is an issue with code running in winre usermode, this affects legacy integrity validation as well as secure boot integrity validation.

#infosec #CVE_2022_41099 #BitLocker

AstraKernel, to infosec

Password generation

#infosec #jazz #guitar #music

neurovagrant, (edited) to Cybersecurity
@neurovagrant@masto.deoan.org

Hello friends, I've seen the below image come up a few times elsewhere and am going to expound a little!

While the hyperlinks in the image display correctly, those aren't actually the addresses of those sites! Instead, they're the Internationalized Domain Name replacements - examples of what are called IDN Homograph Attacks.

It's incredibly hard to include all characters from all active alphabets in the mechanisms that resolve domain names - so currently that letter set is restricted, and instead uses a translation system called Punycode to move between a visual URL with the correct characters and a domain name your computer can actually resolve to a website.

So while neurovagrant[.]com is fine either way, nӘ̃urovagrant[.]com isn't! The actual domain would be xn--nurovagrant-rkg322d[.]com.

Notice that xn-- ! That's what tells browsers and other software that it's an IDN domain, and to try and translate it.

Attackers use this to their benefit. So:

xn--mcrosoft-security-teams-1ec[.]com can appear in your email, on your twitter feed, in other places visually as: mícrosoft-security-teams[.]com

You may think you're signing in to check your retirement at vanguarɗ[.]com but it's actually sent you to xn--vanguar-4cd[.]com

A link that appears as vḙnmo[.]com actually sends you to the website xn--vnmo-q64a[.]com

They even target kids! Take a look at xn--rblox-jua[.]com - which looks like röblox[.]com in most settings. Note the diacritical mark above the first o.

If anything looks off, there's a reason. Always view links with skepticism, don't click on things unnecessarily, and always sign into the sites you use by going to the domain name you know.

Stay frosty out there, friends.

#cybersecurity #infosec #StayFrosty
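Detection logic for the look-alike domains listed in the post above, as an added example that is not part of the original post. It decodes the xn-- (Punycode) labels back to Unicode and reduces each label to an ASCII "skeleton" so it can be matched against a brand watchlist; the WATCHLIST, the CONFUSABLES map and the function names are constructed for illustration.

```python
import unicodedata

# Constructed watchlist of brand labels taken from the post; a real deployment would load its own.
WATCHLIST = {"microsoft", "vanguard", "venmo", "roblox"}

# Hypothetical minimal confusable map for letters NFKD cannot reduce (Unicode's
# confusables.txt is far larger); U+0257 is the hooked d used in the vanguard example.
CONFUSABLES = {"\u0257": "d"}


def to_unicode(host: str) -> str:
    """Decode every xn-- label (A-label) of a hostname to its Unicode form (U-label)."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Raw Punycode decode, no IDNA round-trip check: we want exactly what was encoded.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Reduce a label to its look-alike ASCII skeleton: NFKD, drop combining marks, map confusables."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def non_ascii_chars(label: str):
    """List (char, Unicode name) for every non-ASCII code point, for an analyst to eyeball."""
    return [(c, unicodedata.name(c, "?")) for c in label if ord(c) > 0x7F]


def check_host(host: str) -> dict:
    """Flag a hostname whose leftmost label only looks like a watchlisted brand once decoded."""
    uni = to_unicode(host)
    first = uni.split(".")[0]
    skel = skeleton(first)
    brand = skel.split("-")[0]          # "mícrosoft-security-teams" -> candidate "microsoft"
    lookalike = skel != first and brand in WATCHLIST
    return {
        "unicode": uni,
        "skeleton": skel,
        "non_ascii": non_ascii_chars(first),
        "impersonates": brand if lookalike else None,
    }


if __name__ == "__main__":
    for h in ("xn--mcrosoft-security-teams-1ec.com", "xn--vanguar-4cd.com", "xn--rblox-jua.com"):
        print(h, "->", check_host(h))
```

Feeding the same function the hostnames from a mail gateway or proxy log gives a cheap first-pass "looks like brand X" alert before a human looks at the non-ASCII characters it lists.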

bryanbrake, to infosec

"I can't trust online password managers, it's way better to have a self-hosted version like Keepass... I'm a proud user of...
... what. the. fuck. " https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/

#infosec #cybersecurity #passwordmanagers

JosephMenn, to infosec
mattburgess, to tech

The UK is now building a national system to allow police to access and inspect people's internet history

In 2016, the government passed the Investigatory Powers Act, also known as the Snooper's Charter

The law says telecoms companies can be made to collect people's 'internet connection records' and store them for up to a year

Internet connection records are essentially the websites you visit, but not the individual pages upon them

For the last few months, the UK has been creating a 'national' system that will allow law enforcement to access and 'filter' internet connection records

An initial police trial of the records has found “significant operational benefit”

https://www.wired.com/story/internet-connection-records-uk-surveillance/

#tech #news #privacy #surveillance #infosec

mattburgess, to news

New from me: Pornhub is facing GDPR complaints for allegedly illegally processing people’s data.

It’s claimed:

  • Pornhub doesn’t ask for consent to use tracking cookies. All that appears on its homepage is a notice saying cookies are used and an ‘OK’ button; there’s no way to opt out
  • It’s unclear what data Pornhub shares with third party companies and its own network of businesses
  • And Pornhub assigns people sexual preferences based on the videos they watch, with no way to consent to this or change it

Perhaps most surprising, to me, is Pornhub keeps a list of the videos you watch saved in your browser. Each time you watch a video, its ID is added to a growing list (even if you’re not logged in)

Cyprus’s data protection regulator has confirmed an audit into Pornhub is ongoing

Full story: https://www.wired.com/story/pornhub-tracking-cookies-gdpr-video-history/ #news #technology #tech #privacy #infosec

maxleibman, to infosec
@maxleibman@mastodon.social

Some password advice from an infosec professional:

Good password hygiene means choosing a password that is hard to guess.

One that's hard to type. Hard to remember. Hard to think about. Hard to LOOK at.

A password that makes you feel disoriented, uncomfortable.

In short, your password should be a Cthulhu.

nixCraft, to random
@nixCraft@mastodon.social
nixCraft, to linux
@nixCraft@mastodon.social

Regarding xz-utils backdoor (liblzma5): Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1. Debian #Linux 12/11/10 appears safe. Taken from https://lists.debian.org/debian-security-announce/2024/msg00057.html #infosec #security

Haste, to tech
@Haste@mastodon.social

Here’s a fun one! A new deep learning model is capable of using a microphone as a key logger by interpreting the sound of you typing, with 95% accuracy.

When deployed over Zoom, its accuracy only falls to 93%.

This reminds me of a story I saw on mapping the inside of a home using vibrations in lightbulbs.

#tech #news #infosec

https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/

hiramfromthechi, to privacy

Why privacy matters, reason number 9841365

#privacy #ads #cybersecurity #infosec #ux #web #internet #enshittification

freedomofpress, to infosec
@freedomofpress@newsie.social

NONPROFIT JOB ALERT:

We're hiring a Senior Security Engineer!

Help strengthen our security posture across our infrastructure, and partner with our software development teams (e.g., @dangerzone and @securedrop) to protect journalists and whistleblowers.

Remote; 4 hours overlap with NYC business hours required. Salary range $125K-$140K.

https://grnh.se/cacbf6065us

#InfoSec #GetFediHired

jrdepriest, to fediverse

Oh dang.

I joined the #Fediverse one year ago today.

I had a Twitter account, but never actively used it. Twitter was basically an #InfoSec newsfeed so I just used #RSS feeds instead. There was no interaction when I was on it. Nobody cared what a peon like me was doing. The algorithm would gladly bury me.

Once Elon bought Twitter, I immediately deleted my stagnant Twitter account.

That also got Mastodon in the news, so I looked into it.

I'd even sent off a few emails to some instances around various #Technology and #LGBT things, but didn't get any replies.

I found infosec.exchange and thought it might be like a LinkedIn thing where you talk about professional stuff with professional people.

My original profile was very formal.

What I found here was not LinkedIn or Twitter or Facebook or Instagram.

This place feels like a cross between old school forums and IRC with a dash of LiveJournal. I half expect to be able to use / emotes or bbcode.
I have conversations here.
I make connections that matter.

I can talk to folks about magick, philosophy, info sec, transgender issues, discordianism, neurodiversity, the environment, politics, horror movies, video games, writing, what books to read, TV shows, the news, sexuality.
Really I can generally find people to talk about anything thanks to hashtags and federation.

I know this place isn't perfect. I know it has massive racism, anti-LGBT, trolling, and spam issues that individual users can't possibly combat alone.

@jerry is a great admin and his team does an impressive job moderating. I give him something like $12 a month ($15 minus fees) for the privilege of using this instance and that's honestly not enough.

I'm glad to be here. I haven't been this involved in any sort of interactive social media since the heyday of #SomethingAwful (I am protected).

Thanks for attending my TEDx talk.

issackelly, to infosec
@issackelly@mastodon.social

Somebody linked this to me recently and I just had occasion to try it. It totally works. There is a sound on this page, if you play it near a shopping cart you can get the cart all the way to the bike lock stand instead of just to the parking garage. Security research from defcon29, Joseph Gabay. A+ domain too https://www.begaydocrime.com/ #infosec #waroncars

rysiek, to infosec
@rysiek@mstdn.social

> Russia publishes German army meeting on Ukraine
https://www.bbc.com/news/world-europe-68457087

> Germany has admitted the apparent [compromise] by Russia of a military meeting where officers discussed giving Ukraine long-range missiles - and possible targets.

> According to Der Spiegel magazine, the videoconference was not held on a secret internal army network but on the WebEx platform.

🤡

There's an infosec person somewhere who is really trying hard not to go: "I fucking told you this would happen". 👀

kurisuchan, to Cybersecurity

Within five minutes of requesting a new certificate from #letsencrypt, a total of 50 different IPs hit my zero-traffic-other-than-me web server.

Thanks to Certificate Transparency it's never been easier to get your honeypot discovered!

#cybersecurity #infosec

brie, to infosec
alis, to infosec

So apparently .zip and .mov are now domains, meaning now any .zip or .mov download is potentially susceptible to phishing attempts a la URLs like https://realdownloads.com∕path∕to∕@totally.legit-file.zip.1 Or fake social media profiles (and thus login screens) like https://fandom.ink@hacker.zip. All of which seems completely cool and fine and I’m glad our Benevolent Internet Overlords have decided this was a great idea, truly.

  1. legit-file.zip is the domain name. The @ is an extremely oldskool way of doing URL-based authentication, and I hope you can tell the difference between ∕ and / because you’re gonna need it!

#infosec #tech

pseudonym, to infosec
@pseudonym@mastodon.online

I got laid off, along with about 10% of the company.

I'm in good shape with savings and was feeling burnt out anyway, so it's time to enjoy some time off, and figure out what I'm doing next.

Don't have a current resume, and really don't want to start looking just yet, but if you hear of an awesome, remote, senior, #infosec #security opportunity, please let me know.

Former title was Senior Security Engineer, and I'd love to find an architect role.

#job #fedihired

mysk, to privacy
@mysk@mastodon.social

🚨🎬 Privacy Concerns about Apple Push Notifications

TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB Messenger, Instagram, Threads, X, and many more.

Watch this video to see it in action:
https://youtu.be/4ZPTjGG9t7s

🧵 1/9

#Privacy #Security #Cybersecurity #Apple #iPhone #Facebook #TikTok #InfoSec #iOS

borisv, to infosec

https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages

Take a moment to have it sink in: a botnet comprised from internet connected toothbrushes.

Who the hell connects a toothbrush to the internet?!

As we all know, the ‘S’ in IoT is for ‘Security’.

JulianOliver, to infosec
@JulianOliver@mastodon.social

Google fesses up to spying on people's browsing habits in Chrome's not-so-Incognito mode, promising to destroy billions of records tracking U.S. citizens. Sadly it was not out of the goodness of their electric hearts - it took a formidable class action lawsuit (that they'd probably already prepared for):

https://apnews.com/article/google-chrome-privacy-lawsuit-settlement-203cc5063f1a1d4013de1900d9376814 #infosec #privacy

campuscodi, (edited) to random
@campuscodi@mastodon.social

Ukraine says it hacked Russia's Ministry of Defense

https://t.me/DIUkraine/3545 #infosec #cybersecurity #security

jsrailton, to infosec
@jsrailton@mastodon.social

FINALLY: a 🇺🇸US official speaks the truth security researchers keep warning about...

Americans' movements being tracked with well-known weaknesses that US telcos aren't fixing.

It's remarkable how bad the problem with #SS7 & #Diameter is.

Must-read story by @josephcox
https://www.404media.co/cyber-official-speaks-out-reveals-mobile-network-attacks-in-u-s/

#infosec #cybersecurity #hacking #intelligence #surveillance #espionage
