"I'm interested in all kinds of astronomy."
repeated

Picard management tip: Empower others to command when you are unfit. You never know when your mind will be taken over by an alien.

repeated

It’s been a while since we had a good 512-bit RSA key controlling anything important, and I’m here for it. https://arstechnica.com/security/2024/08/home-energy-system-gives-researcher-control-of-virtual-power-plant

repeated

All vendors will keep producing garbage as long as they have no long term liability and maintenance obligations to all the garbage they produce. And somehow we want secure products... Rust everything, yeah LOL

Incentives, how do they work?

repeated

I bet this guy has quite the LinkedIn profile: Feds arrest a 38 y/o Nashville man who allegedly provided a US network presence for a bunch of fake North Korean IT workers trying to raise money for the DPRK's nuclear weapons program:

"According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023. The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023."

"The overseas IT workers associated with Knoot’s cell were each paid over $250,000 for their work between approximately July 2022 and August 2023, much of which was falsely reported to the Internal Revenue Service and the Social Security Administration in the name of the actual U.S. person, Andrew M., whose identity was stolen. Knoot and his conspirators’ actions also caused the victim companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, Di, and others conspired to commit money laundering by conducting financial transactions to receive payments from the victim companies, transfer those funds to Knoot and to accounts outside of the United States, in an attempt both to promote their unlawful activity and to hide that transferred funds were the proceeds of it. The non-U.S. accounts include accounts associated with North Korean and Chinese actors."

https://www.justice.gov/opa/pr/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and

repeated

Happy birthday @openstreetmap !

You are simply the best, not only for providing a reliable map at home, or for guiding me when 10,000 km from to , but also for all the fun , completing and correcting details on the map! hearts

repeated

Is for part of the program?

Asking for a fried.

repeated

hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈

W00t! @hdm / @runZeroInc made sshamble public (took forever for BH/DC to get here).

https://github.com/runZeroInc/sshamble

SSHamble is a research tool for SSH implementations that includes:

— Interesting attacks against authentication
— Post-session authentication attacks
— Pre-authentication state transitions
— Authentication timing analysis
— Post-session enumeration

Gorgeous website for it too: https://www.runzero.com/sshamble/

repeated

FTX settles complaint from the CFTC with $12.7 billion payout

August 8, 2024
https://www.web3isgoinggreat.com/?id=ftx-cftc-settlement

repeated

"Question regarding you hacking my webserver?"

It is time again.

https://bagder.github.io/emails/2024/2024-08-07.html

repeated

Thrilled to announce that, after roughly 4 years of dedicated collaboration between Mozilla and Google's WebDriver automation teams, Firefox is now officially supported in Puppeteer, thanks to the new WebDriver BiDi protocol!

This significant milestone allows seamless testing of websites in Firefox, using tools that were previously exclusive to Chrome.

Please share your thoughts and feedback, let us know what works and what features you'd like to see!

https://fosstodon.org/@planetmozilla/112921805158708461

repeated

Protip: You can also make a phone call by holding it up to your ear and speaking into it directly at a low volume.

repeated

Thanks to @jmc for setting it up, there's a new mailing list for those interested in all aspects of illumos on SPARC

https://illumos.topicbox.com/groups/sparc

Nothing there yet, but I thought I would give those interested a chance to join before starting up some conversations

repeated

💫DID YOU KNOW💫
that if you move a mouse cursor fast enough, you can get persistence of vision and, say...
*run a game of Pong inside your mouse's firmware*
🕹️🕹️🕹️🕹️🕹️🕹️🕹️🕹️🕹️

repeated

ClownStrike.lol now says has falsely blocked the domain as "phishing" and is giving them the runaround about appealing it. This domain is demonstrating all of the cybersecurity industry's problems. https://clownstrike.lol/crowdmad/

repeated

CPU bugs reached a level of yikes that speculation side channels can only dream of

https://ghostwriteattack.com/riscvuzz.pdf

repeated

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here ->
https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work

repeated

Ivanti and Fortinet have unpatched vulnerabilities in their VPN products!
Akamai, in their blog post Living off the VPN — Exploring VPN Post-Exploitation Techniques, talk about techniques that can be used by threat actors after compromising a VPN server to further escalate their intrusion. The key takeaway is that the vulnerability disclosure was published 133 days after initial notification to Ivanti and Fortinet:

  • CVE-2024-37374 (unknown CVSS score) Ivanti hard-coded key issue?
  • CVE-2024-37375 (unknown CVSS score) Ivanti MDM cleartext passwords issue?
  • Fortinet custom encryption key bypass issue (no CVE ID assigned)

Fortinet informed us that after additional consideration, they decided to not fix the custom encryption key bypass as it “does not cross a security boundary”

If the original Ivanti Connect Secure exploited zero-day fiasco hasn't scared you off of their products, this is your wakeup call. As @cadey would say: "No way to prevent this" say users of only VPN where this regularly happens

cc: @campuscodi (who else wants to be notified of issues like this?)

repeated

“Variant analysis is the lowest effort, highest reward activity for preventing 0days” @natashenka

repeated

Another year, another Microsoft Most Valuable Researcher for me. This year, it has a bittersweet taste though.

Let’s kick off with the sweet part.

I’m quite happy with my consistency and findings. My record for 2024:
- 10x Exchange
- 2x SharePoint
- 1x .NET/VS

Multiple RCEs included.

I have also already reported several vulns for 2025, and I’m happy with the technical level of the findings. Not necessarily with the impact, but you don’t always get RCE;). I’m especially happy with the fact that I’m doing some risky deep dives, and sometimes it pays off.

I’m also happy with some recent research. I’ve been abusing unknown attack surfaces and I had some success with that (even though I was not familiar with the target). At least some of them are unknown according to my knowledge, so even if they are known, it does not count, right? :)

Now the bitter part.

Over the entire year, I had an impression that the MSRC leaderboard is missing points for the majority of my submissions. I was signaling this issue a couple of times, but with no effect. I was not even on the initial MVR list.

After my small tweet, some of my missing points were found and I eventually made it to the list (thx MSRC for this intervention). The truth is – the list is not so important to me. I like to think about vuln disclosure as some mutually respected process.

I’m not collecting bounties (reporting as ZDI) and the only thing I want in return for my submissions is a proper acknowledgment. I think that this process failed in 2024, but I hope it will eventually get better. I have the impression that I should have way more points, but whatever.

Another part – several of my submissions were rejected as an expected behavior. Not a nice feeling, but it’s a part of the game. I can see a lot of tweets about dropped submissions and this part concerns everybody. From my perspective, reporting of .NET vulns is hardest.

I have a small perception that if you cannot exploit something that you consider a .NET vuln in Exchange or SharePoint, it’s probably going to be ignored (based on my experience only). Well guess what, there are different products/apps based on .NET too :D

To sum up, quite a good year. Hoping to have an even better 2025, although my Exchange run from 2023/2024 will be hard to repeat.

I hope to deliver some nice research and to see you next year during conferences or wherever. Cheers
