Exploiting the Nespresso smart cards for fun and profit coffee

https://pollevanhoof.be/nuggets/smart_cards/nespresso

"Here, take a Lua ruler! It starts with 1!" #mch2022

Very good thread from @inthehands, LLMs cement the patterns of today and actual engineering and long-term problem solving require slow careful iteration and improvement.

https://hachyderm.io/@inthehands/114373816449701933

WHY2025 is calling for art. Neon. Space. Synthwave. Light. Interactive magic. Show us what you’ve got. 🌌
→ https://why2025.org/post/318
#WHY2025 #ArtCall #HackersMakeArt

Attackers can use MCP servers to hack your system before tools are invoked.

We call this attack vector "line jumping." This is a critical vulnerability in which tool descriptions become prompt injection vectors during the initial tools/list request. This technique bypasses invocation controls, breaking connection isolation and rendering security checkpoints ineffective.

Even "human approval" fails: AI-enabled IDEs permit automatic execution, and users rarely recognize disguised malicious commands.

Read the blog: https://blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/

There is quite a bit of buzz related to CVE-2025-24054 which covers attackers causing victims to leak NTLM hashes if they open certain files or view certain directories. In short, this forces victims running Windows to make a connection to an attacker controlled SMB share.

If you prevent SMB traffic from leaving your networks then you don't have to worry about this unless the attacker has already setup shop in your network. Like, patch anyway but, IMO, it would be a better use of your time to ensure that outbound SMB is blocked first. Don't forget to account for mobile devices that are off-network.

#Security #Windows

Fact checking my exploit against the Erlang SSH bug and the blog I'm reading uses git to checkout OTP... then proceeds to ask ChatGPT to write a tool to diff the files between the versions... in git. What's worse is that the CVE reference that they link to has always had the exact commit of the fix.

🌐 Tor Browser 14.5 is here! Major improvements include:
• Connection Assist now on Android
• Added Belarusian, Bulgarian & Portuguese
• Improved log readability
• Better performance when quitting the app
Update today! #PrivacyMatters
https://blog.torproject.org/new-release-tor-browser-145/

Reverse engineering the obfuscated TikTok VM

https://github.com/LukasOgunfeitimi/TikTok-ReverseEngineering

#HackerNews #ReverseEngineering #TikTok #VM #Obfuscation #CyberSecurity #TechInsights

Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app called MACE.

https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/

I’m a bit tired of all of the ‘look, the USA did these terrible things in the past, this isn’t new’ posts.

The past was pretty awful, for most people. This wasn’t unique to the USA. Russia didn’t abolish serfdom until 1861, until the peasants were owned by the land (and this by the landowners). The UK didn’t allow all people over the age of 18 to vote until 1969.

The fact the past was terrible is not a surprise to anyone who has paid attention to any period in history in any country.

The important thing was the direction. The kind of racism and homophobia that were normal in the 1970s had at least become things that people would criticise by the late 1990s, even if they weren’t eliminated. Jim Crow laws, sodomy laws, and so on had long shadows but were at least being removed from the statute books.

Progress was a lot slower than many of us would have liked, but it was at least moving in the right direction. Not everyone was able to enjoy all of the freedoms that a modern society should convey, but more people were every year. Even bigots had smaller sets of people that they considered not to count as people each year.

The change that people are complaining about is reversing the direction of travel. The fact that things were bad in the past doesn’t contradict this. The thing we’re upset about is not that the current state is new, it’s the exact opposite: that we are returning to a state that we should have moved on from.

The Rise of Slopsquatting: How AI Hallucinations Are Fueling a New Class of Supply Chain Attacks

https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks?utm_medium=feed

> Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize.

This was an excellent article covering an area that definitely has not gotten enough attention, especially coupled with Vibe Coding.

SlopSquatting... What an excellent name!

#Socket #SlopSquatting #Cybesecurity

[oss-security] CVE-2025-29953: Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass

https://www.openwall.com/lists/oss-security/2025/04/18/3

"servers could abuse the unbounded deserialization *in the client* to provide malicious responses that may eventually cause arbitrary code execution on the client"

"The project is considering to [...] drop this part of the NMS API altogether."

Proper root cause analysis of the Erlang/OTP SSH bug (CVE-2025-32433):

https://www.openwall.com/lists/oss-security/2025/04/18/2

I spent all morning trying to decode the Apple Positional Audio Codec (APAC)’s GlobalConfig from its MPEG4 Sample Description Box (stsd).

If you want to follow along:

• the codec is in /System/Library/Frameworks/AudioToolbox.framework/AudioCodecs
• See apac::GlobalConfig::Serialize and apac::GlobalConfig::Deserialize
• If you need a sample file: afconvert -o sound.m4a -d apac -f mp4f sound.wav
• Or grab a sample file from https://trac.ffmpeg.org/ticket/11480
• Pull the stsd from the m4a with mp4extract --payload-only moov/trak[0]/mdia/minf/stbl/stsd/apac sound.m4a sound_config.bin
• The config starts after dapa then 4 0x00 bytes
• First two bytes of the apac bitstream are 0x08 0x00 (see IsAPACBitstreamVersionValid / ACAPACBaseEncoder::GetMagicCookie)
• followed by the GlobalConfig

If you know, you know...

Released new Pwndbg: 2025.04.18

It adds display of breakpoints in the disasm view, new libcinfo command, improves attachp & hexdump commands, UI, TUI and more. Also, command names use "-" istead of "_" now for consistency.

Read more and download it on https://github.com/pwndbg/pwndbg/releases/tag/2025.04.18 !

#pwndbg #gdb #binaryexploitation #ctf #security #tools

Oof. Reportedly, if you got a certificate from SSL.com by putting “example[@]gmail.com” at _validation-contactemail.example.com, they would add gmail.com (!!!) to your verified domains.

A good reminder to use the CAA record, and to sign up for CT monitoring (e.g. Cert Spotter).

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

TIC80 jam just kicked off, with a DJ set from Commander Homer!

https://streaming.media.ccc.de/revision2025/revision

#Revision2025