I haven't even had my first cup of coffee and we have another ../ CVE. This time it's Synology: https://nvd.nist.gov/vuln/detail/CVE-2024-11398
Exactly 11 (!) years ago we released an advisory for an rsync 0-day.
Two days earlier the Gentoo Linux mirror I was hosting and maintaining was compromised with it.
What a ride.
https://forums.gentoo.org/viewtopic.php?t=111779
https://lists.samba.org/archive/rsync-announce/2003/000011.html
Maybe fun to know - using #MS365 means that the US government has bulk access to your data, which matters if you are a government yourself. Supporters of Microsoft will tell you that you can easily use "double key encryption" to protect your MS365 data against US government snooping. This is how easily you can do that. Hint: it involves GitHub and compiling code: https://learn.microsoft.com/en-us/purview/double-key-encryption-setup
My VirusBulletin presentation: A web of surveillance was uploaded to YouTube: https://www.youtube.com/watch?v=iERGg1dUVNE
New whitepaper and exploit code from @stephenfewer on 5 new vulnerabilities he chained to achieve unauthenticated RCE on Lorex 2K Indoor Wi-Fi security cameras. The exploit works in two phases and comprises an auth bypass, a stack-based buffer overflow, an out-of-bounds heap read, and a null pointer dereference — and that's just to start (because it was, like, Tuesday for Stephen or whatever) 📈
Interestingly enough, MS disabled the "Use my Windows user account" checkbox when connecting to Wi-Fi on the lock screen to address CVE-2024-38143 in the August Patch Tuesday.
This change completely remediates the "Airstrike" attack as well. 🤯
DNA Lounge Update, Wherein we negotiate with the mob
https://www.dnalounge.com/backstage/log/2024/12/03.html
The Advent of Code for V has started, uncovering a new challenge every day! Check them out!
Unused functions are now skipped by default. This reduces the generated C dramatically. Give it a try! If you have issues, use v -no-skip-unused ... and report them.
After making this option the default, CI times went down significantly:
I've noticed a concerning trend of "slop security reports" being sent to open source projects. Here are thoughts about what platforms, reporters, and maintainers can do to push back:
https://sethmlarson.dev/slop-security-reports?utm_campaign=mastodon
Fucking PaloAltoNetworks...
Two major CVEs come out, guidance says version X is fine and unaffected. I upgrade everything to that version.
PaloAlto then changes the CVE details to say "LOL version Y is good, X sucks."
I don't want to have to keep checking CVE pages for changes....