https://scottarc.blog/2024/06/04/attacking-nist-sp-800-108/

#NIST #crypto #cryptography #kdf #prf #secuity #infosec

Boost Security Audit - Shielder https://www.shielder.com/blog/2024/05/boost-security-audit/

[RSS] Hungary's ruling party skips parliamentary session on disputed Russian cyberattack

https://therecord.media/hungary-party-skips-russian-cyberattack-session

[RSS] Almost Zero Value in “Zero Progress on Zero-Days”; a Rebuttal

https://jericho.blog/2024/06/03/almost-zero-value-in-zero-progress-on-zero-days-a-rebuttal/

NEW: Fox Spy (3.3 GB)

Eight years of data from the Brazilian surveillance company Fox Spy, also known as Celular 007.

The spyware allows users to monitor phone calls along with SMS, WhatsApp and Facebook messages. The company's surveillance software also allows users to remotely activate the microphone and camera on a phone, as well as to monitor the device's screen

Due to widespread presence of PII, the data is only being made available to journalists and researchers

https://ddosecrets.com/wiki/Fox_Spy

Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder. https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html. This was inspired by a specific toot from @detective :)

Many, many years ago, a new specification called "XML" emerged. After a bit, people realized it was kinda useful for some stuff.

Then, something happened.

MANAGERS!

I imagine many conversations between managers / developers somewhat like this:

M: "So, what is the nice thing with #XML

D: "oh, it is a specification that simplifies stuff, since tools have a clean format to work with."

M: "So, what kinda specifications?"

D: "Oh, it can be more or less anything."

M: *starry eyed!* "an.. an... anything?"

I was teaching computer courses for companies at that point. Suddenly, my calendar was just packed with XML courses.

It is like very limited what you can teach, it is not really complex, so you talk surrounding technologies. But not...

"Our boss wants us to replace the SQL db with XML?"

"what?"

"We gonna use XML instead of MS SQL"

"... what?"

"He said XML can be used for anything..."

If you think companies with #AI plans have actual plans, with a strategy make sense, please think of this story.

Wheeeeeeeeeeeeeeee. Bye bye NTLM.

[RSS] Windows Internals: Dissecting Secure Image Objects - Part 1

https://connormcgarr.github.io/secure-images/

A Wireshark Lua Dissector for Fixed Field Length Protocols https://i5c.us/d30976

PSA: feel free to shitpost as much as you want on Mastodon, there’s a fair chance it will get scraped and used to train AIs.

*A new fuzzing target just dropped*

https://www.kaspersky.com/blog/kvrt-for-linux/51375/

[RSS] To Infinity and Beyond!

https://posts.specterops.io/to-infinity-and-beyond-feab2d8ff93c?source=rss----f05f8696e3cc---4

Increasing our understanding of EDR capabilities in the face of impossible odds.

I’m making a new religion that turns libraries into religious institutions and our most holy practice is going to the library and reading books. On the weekend we all get together and read silently together at the library. Our holy leaders are our librarians as they are guides to knowledge.

This way it makes it significantly harder to defund libraries. 😈

Introduction to XDP, eBPF and AF_XDP has been released on media.ccc.de https://media.ccc.de/v/osmodevcon2024-204-introduction-to-xdp-ebpf-and-afxdp

Issue #4 is out - enjoy!
https://pagedout.institute/?page=issues.php

Please share and tell your friends!

A Bug Hunter’s Reflections on Fuzzing by @a13xp0p0v

https://a13xp0p0v.github.io/img/Alexander_Popov-Reflections_on_Fuzzing.pdf

#Fuzzing

Crazy story about cursed tech from the other site:

"True Apple lightning devices are more expensive to make. So instead of conforming to the Apple standard, these companies have made headphones that receive audio via bluetooth — avoiding the Apple specification — while powering the bluetooth chip via a wired cable, thereby avoiding any need for a battery."

https://x.com/joshwhiton/status/1796222090216886682

I'm probably in the Ticketmaster leak, and as a security person my concern about this is approaching 0.

Have I lost my senses, or are these breaches generally a bit overblown (esp. in our circles)?