Posts
2992
Following
698
Followers
1545
"I'm interested in all kinds of astronomy."
[RSS] Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
In Memoriam: Mark Klein, AT&T Whistleblower Who Revealed NSA Mass Spying | Electronic Frontier Foundation
https://www.eff.org/deeplinks/2025/03/memoriam-mark-klein-att-whistleblower-about-nsa-mass-spying

#fromBsky
repeated

This is something that was occupying my time for some time already and I'm super happy that this research is finally released.

I believe this to be only the second report on malware targeting Juniper devices, following the Lumen Technologies blog from last month (but this one is related to a different actor and different malware).

This blog dives into the specifics of the Veriexec bypass vulnerability used by UNC3886, and the details of six different backdoors found on Juniper MX devices.

UNC3886 is a very interesting actor that does not shy away from targeting less commonly known technologies like routers, edge devices or hypervisors.

More details here: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers

repeated

I learned today that MySQL connections are crypto agility hell.

It has a concept of "secure" and "insecure" connections, opportunistic TLS, less opportunistic TLS, RSA-based password encryption for transmitting a connection password securely over an insecure connection, and here's the kicker: an authentication cache that allows you to authenticate over an insecure connection if you have first authenticated over a secure connection.

Paging @soatok ...

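The "secure vs. insecure" distinction in the post above comes down to one bit in the server's first packet: the Initial Handshake advertises CLIENT_SSL, and the client then decides whether to upgrade to TLS before sending credentials (the stock mysql client's default --ssl-mode=PREFERRED silently falls back to plaintext when the bit is missing). The following is an added example, not code from the post or from MySQL itself: it builds a constructed protocol-v10 handshake packet, parses it, and applies the policy a cautious client should apply before authenticating. The capability bit values and the packet layout are from the public MySQL client/server protocol; the version string, connection id and scramble bytes are made up for the demo.

```python
import struct

# Server capability bits from the MySQL client/server protocol.
CLIENT_SSL = 0x0800                # server accepts a TLS upgrade right after this packet
CLIENT_SECURE_CONNECTION = 0x8000  # 4.1-style auth: 20-byte scramble split across two fields
CLIENT_PLUGIN_AUTH = 0x80000       # server names its authentication plugin in the handshake


def build_handshake(caps, plugin, server_version="8.0.36"):
    """Construct a protocol-v10 Initial Handshake packet (4-byte header + body).
    Constructed test data for the demo, not a capture from a real server."""
    body = bytes([10])                                     # protocol version
    body += server_version.encode() + b"\x00"              # NUL-terminated version string
    body += struct.pack("<I", 1234)                        # connection id (made up)
    body += b"A" * 8 + b"\x00"                             # auth-plugin-data part 1 + filler
    body += struct.pack("<H", caps & 0xFFFF)               # capability flags, low 16 bits
    body += bytes([0xFF])                                  # character set id
    body += struct.pack("<H", 0x0002)                      # status flags (AUTOCOMMIT)
    body += struct.pack("<H", caps >> 16)                  # capability flags, high 16 bits
    body += bytes([21 if caps & CLIENT_PLUGIN_AUTH else 0])  # auth-plugin-data length
    body += b"\x00" * 10                                   # reserved
    if caps & CLIENT_SECURE_CONNECTION:
        body += b"B" * 12 + b"\x00"                        # part 2: 12 scramble bytes + NUL
    if caps & CLIENT_PLUGIN_AUTH:
        body += plugin.encode() + b"\x00"                  # auth plugin name
    return struct.pack("<I", len(body))[:3] + b"\x00" + body  # 3-byte length, sequence id 0


def parse_handshake(packet):
    """Parse the Initial Handshake and return the fields a client needs for policy."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 10:
        raise ValueError(f"unsupported protocol version {body[0]}")
    nul = body.index(b"\x00", 1)
    version = body[1:nul].decode()
    pos = nul + 1
    conn_id, = struct.unpack_from("<I", body, pos); pos += 4
    scramble = body[pos:pos + 8]; pos += 8 + 1             # part 1, then the filler byte
    cap_lo, = struct.unpack_from("<H", body, pos); pos += 2
    pos += 1                                               # character set
    status, = struct.unpack_from("<H", body, pos); pos += 2
    cap_hi, = struct.unpack_from("<H", body, pos); pos += 2
    caps = cap_lo | (cap_hi << 16)
    auth_len = body[pos]; pos += 1 + 10                    # length byte, then 10 reserved bytes
    if caps & CLIENT_SECURE_CONNECTION:
        part2 = max(13, auth_len - 8)                      # last byte of part 2 is a NUL
        scramble += body[pos:pos + part2 - 1]; pos += part2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode()
    return {"server_version": version, "connection_id": conn_id, "status": status,
            "capabilities": caps, "scramble": scramble, "auth_plugin": plugin}


def assess(packet):
    """Decide, from the handshake alone, whether it is safe to proceed to authentication.
    This is the check a strict client (--ssl-mode=VERIFY_IDENTITY) effectively makes."""
    h = parse_handshake(packet)
    tls = bool(h["capabilities"] & CLIENT_SSL)
    plugin = h["auth_plugin"]
    if not tls:
        # Without CLIENT_SSL everything after this packet is plaintext. caching_sha2_password
        # can still "work" here via RSA-encrypted passwords or its fast-auth cache, which is
        # exactly the opportunistic behaviour that makes auditing these connections painful.
        verdict = "refuse: server does not offer TLS"
    elif plugin == "caching_sha2_password":
        verdict = "ok: upgrade to TLS, then authenticate"
    else:
        verdict = f"ok with TLS, but plugin {plugin} is legacy (SHA-1 based); prefer caching_sha2_password"
    return {"server_version": h["server_version"], "tls_offered": tls,
            "auth_plugin": plugin, "scramble_len": len(h["scramble"]), "verdict": verdict}


if __name__ == "__main__":
    strict = build_handshake(CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH,
                             "caching_sha2_password")
    legacy = build_handshake(CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH,
                             "mysql_native_password")
    for p in (strict, legacy):
        print(assess(p))
```

The server-side counterpart to this client policy is `require_secure_transport=ON`, which makes the server reject non-TLS (and non-socket) connections regardless of what the client asks for; without it, a server that advertises CLIENT_SSL still happily talks plaintext to any client that never sends the SSL request packet.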
repeated
repeated

One of the things I've been advocating for years - and where I want to raise my voice even louder - is the importance of owning your data.

Over the past few days, I’ve come across two examples of how misinformation is causing immense damage, leading people to believe that there's no alternative but to hand over their data to big corporations, putting themselves entirely in their hands.

- A well-known lawyer, just before a meeting, warned about using Teams and its new "virtual assistant," which joins conferences before anyone else and transcribes everything. When I pointed out that it would be wise to use alternative tools (like Jitsi, for example, but there are others), he abruptly ended the conversation, saying, "We've lost this war. There's no alternative anymore."
That wasn’t the right moment for a detailed discussion, so I just noted that alternatives do exist - but if no one starts using them, and if we passively accept certain behaviors from certain companies, things will never improve for us.

- Just now, I received another one of those emails that hurt more in the heart than in the wallet: "Our e-commerce is taking off, so we’re moving it to Shopify to better manage our growth."
I replied, trying to explain that handing over a growing e-commerce business to a third-party company (right now, they have full access to their own server - meaning all their databases, data, etc., are under their control) means losing ownership of it. Prices could change at any moment, contract terms could shift negatively, and, worst case scenario, if Shopify itself faced issues (which seems impossible today, but think of giants like Kodak), they could lose everything. Of course, they’ll do what they think is best, but I feel obligated to warn them.

Luckily, others are making the opposite choice. But I keep wondering: since these big platforms aren’t exactly cheap, rather than "selling themselves" to them just for (potentially) fewer headaches, wouldn’t it be worth paying someone (not me, of course, but someone working exclusively for them) to handle these things - ensuring they retain full ownership of their business and their data?

A fun thing with vulnerability writeups is to watch the (cloud-based) issue trackers of affected companies come in as referers :)
repeated

Me to MSRC: Words clearly describing a vulnerability, with supporting screenshots of the commands I typed and the response that Windows gives.

MSRC: Can you please provide a video showing the behavior you are seeing?

Me: ...

I get that people doing grunt work have mostly-fixed workflows that they go through with common next steps.
But to request a video that now captures (beyond my already-submitted screenshots) the act of me typing, and the Windows response being painted on the screen adds what of value now?

repeated

I should have done this a long time ago, but people keep asking. I have assembled all of the clips of HNNCast on YouTube into one playlist. If you want to relive ~14-year-old news items, then this list is for you.

https://www.youtube.com/watch?v=UdKyDqU1p-4&list=PL-DjMTsCaYUwR3dZKdSb-fFMwLFBOvENb

repeated
repeated

Here's the second installment of my Paramilitary Leaks series. How you can set up your computer to read through the leaked militia chats yourself https://micahflee.com/step-by-step-guide-to-reading-the-leaked-militia-chats-yourself/

repeated
repeated

If you're fuzzing C/C++ code and need more customizability, our new Testing Handbook chapter shows you exactly how to set up and use LibAFL - both as a libFuzzer drop-in and as a Rust library.
https://appsec.guide/docs/fuzzing/c-cpp/libafl/

repeated

Reminder to submit your proposals!
The CFP will close on the 2nd of April.

repeated

Robert C. Seacord (@rcs@hachyderm.io)

There is a new official C language website maintained by the C Standards Committee https://www.c-language.org/

repeated
Edited 9 months ago

Update: it wasn't the ECB blocking gnome-calculator, it was an HTTP library regression breaking the connection to the ECB. Text in [] is incorrect, retained due to RTs etc.

[The ECB have remotely bricked gnome-calculator]

In the latest episode of "Why the 21st Century is impossibly stupid", GNOME calculator contacts the ECB on startup to get currency rates. It just hangs on startup if this fails: the whole calculator, not just the currency stuff. [The ECB has blocked GNOME calculator].

To fix this, you can do "dconf write /org/gnome/calculator/refresh-interval 0", whatever tf dconf is, because when I tried it told me dbus-launch is missing, wtf that is, because it doesn't have a package. Turns out it's in "dbus-x11". I dunno why X11, because I use wayland, but I'm past caring at this point. I installed it and it worked.

Now I can calculate how much postage I need to pay for this parcel.

[A bloody OS-shipped desktop calculator, DDoSing a central bank, and blocking on connection failure].

[oss-security] Below: World Writable Directory in /var/log/below Allows Local Privilege Escalation (CVE-2025-27591)

https://seclists.org/oss-sec/2025/q1/201

Below: "A time traveling resource monitor for modern Linux systems" <- this sounds pretty cool!

https://github.com/facebookincubator/below
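The advisory title above names a whole class of local privilege escalation: a directory a privileged process writes into that any local user can also write to, without the sticky bit that would stop one user from renaming or deleting another user's entries (and from planting symlinks for the privileged process to follow). As an added example, not part of the oss-security post or of the below project, here is a small audit that walks a tree and reports exactly those directories; the demo builds a constructed temp tree with the three relevant cases rather than scanning a live /var/log.

```python
import os
import stat
import tempfile


def unsafe_world_writable_dirs(root):
    """Return paths (relative to root) of directories that are world-writable (o+w)
    and lack the sticky bit. A root-owned daemon creating files in such a directory
    can be redirected by an unprivileged user who pre-creates or symlinks the name."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):   # followlinks=False by default
        mode = os.lstat(dirpath).st_mode                 # lstat: never judge a symlink by its target
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def demo():
    """Constructed tree: a world-writable log dir without sticky bit (the bad case),
    a /tmp-style 1777 directory (acceptable), and a normal 0755 directory."""
    root = tempfile.mkdtemp()
    layout = {"below": 0o777, "tmp": 0o1777, "safe": 0o755}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)                             # chmod ignores the umask, mkdir does not
    return unsafe_world_writable_dirs(root)


if __name__ == "__main__":
    print(demo())   # only "below" should be reported
```

On a real host the equivalent one-liner is `find /var/log -type d -perm -0002 ! -perm -1000`. Note that the sticky bit only mitigates rename/unlink races; the actual fix for a log directory written by a privileged service is a root-owned directory with mode 0755 (or a dedicated service group with 0775), so that unprivileged users cannot create entries in it at all.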