More video highlights from #PwnOwn Ireland Day 2, the InfoSect (@infosectcbr) group exploits the Sonos. https://youtube.com/shorts/UGp-HVRP5mU?feature=share

More video highlights from #Pwn2Own Ireland Day 2. This one has Corentin Bayet (@OnlyTheDuck) going from the QNAP QHora-322 to the QNAP TS-464 in a SOHO Smashup. https://youtube.com/shorts/LhHk03l4vm8?feature=share

Compass Security (@compasssecurity) ran into a collision in their attempt against the Ubiquiti AI bullet. Their exploit still wins them $3,750 and 1.5 Master of Pwn points. #Pwn2Own #P2OIreland

Critical 0-day Vulnerability in Fortinet FortiManager (CERT-EU Security Advisory 2024-113)

On October 23, 2024, Fortinet released a security advisory addressing a critical 0-day vulnerability in its FortiManager product. If exploited, a remote unauthenticated attacker could execute arbitrary code or commands on the affected device.
It is strongly recommended to apply the update. When not possible, it is recommended to apply the workarounds. In all cases, it is recommended to search for evidence of a potential compromise.

https://www.cert.europa.eu/publications/security-advisories/2024-113/

In another video highlight from Day 2 of #Pwn2Own, team Viettel takes on the Sonos speaker: https://youtube.com/shorts/DUWfgz1Mm6w?feature=share

Using Nix to Fuzz Test a PDF Parser https://mtlynch.io/nix-fuzz-testing-1/

Around 100 new games were added to the program reconstruction section of the Decompilation Wiki:
https://decompilation.wiki/applications/program-reconstruction/

On that note, the Wiki is always looking for more writers who want to contribute tutorials, explanations, or categorizations of any topic in the Wiki :).

Unfortunately, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) could not get his exploit of the TrueNAS Mini X working within the time allotted.

Sadly, the Neodyme (@neodyme) team could not get their exploit of the Lexmark CX331adwe printer working within the time allotted.

We have another collision. The DEVCORE Research Team (@d3vc0r3) successfully exploited the Lorex 2K camera, but they used a bug previously seen in the contest. They still earn $3,750 and 1.5 Master of Pwn points. #Pwn2Own #P2OIreland

I thought I understood the extent to which the broad availability of mobile location data has exacerbated countless privacy and security challenges. That is, until I was invited along with four other publications to be a virtual observer in a 2-weeek test run of Babel Street, a service that lets users draw a digital polygon around nearly any location on a map of the world, and view a time-lapse history of the mobile devices seen coming in and out of the area.

The issue isn't that there's some dodgy company offering this as a poorly-vetted service: It's that *anyone* willing to spend a little money can now build this capability themselves.

I'll be updating this story with links to reporting from other publications also invited, including 404 Media, Haaretz, NOTUS, and The New York Times. All of these stories will make clear that mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.

https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

Yes- I’m looking at you!