
wdormann

@wdormann@infosec.exchange

I play with vulnerabilities and exploits.
This account mostly exists for testing.
https://twitter.com/wdormann
Once Twitter implodes, you might find me here, on BlueSky as @wdormann.bsky.social or maybe outside somewhere.


bontchev , to random

This article is absolute nonsense:

"Google: Stop Burning Counterterrorism Operations":

https://poppopret.org/2024/06/24/google-stop-burning-counterterrorism-operations/

My arguments:

  • The job of the security researchers is to find security flaws, attackers exploiting them, etc.

  • The job of the spies is to spy.

  • The job of those doing counter-terrorism is to fight terrorists.

Do your job and stop complaining about the other people who are doing their job.

wdormann ,

@bontchev
It also conveys: "I'm definitely the only person in the universe who knows about this bug now, and until the end of time."


wdormann , to random

Elon Musk Begs Advertisers to Return as Twitter's Revenue Plunges
https://futurism.com/elon-musk-begs-advertisers-return-twitter-revenue
🤔


wdormann , to random

Anybody who ever has the need to desolder things, do yourself a favor and get one of these. You also get an excellent iron with temp control that heats up instantly.

Unless you don't value your time. In that case you can play around with copper braid and spring-loaded plungers to your heart's content.

wdormann , to random

Dear Microsoft,
You "forgot" the third option of "Don't remind me again".
@deceptivepatterns

wdormann , to random

This Microsoft Recall thing...

While it does actually omit things that it knows are sensitive (e.g. incognito mode in recognized browsers) from the screenshots it saves, things that it does not know about are all fair game.

DuckDuckGo browser? Never heard of it. Let's hoover up all the data we can get.
Signal? 🤷‍♂️ I'll just default to saving everything I see there.
You get the picture...

wdormann OP ,

Chrome-based browser windows in incognito (or whatever they call it) mode are actually omitted from the saved screenshots. Which is sort of neat.

However, Windows is apparently unaware that Firefox Private Browsing is a thing. So all that stuff gets saved.

Microsoft Recall saves Firefox Private Browsing data.

wdormann OP ,

@erickolb
Anything you do in a non-incognito (or other recognized equivalent) is fair game.
If you see something on the screen, Recall sees and indexes it.

wdormann OP ,

@erickolb
TBH, I'm not sure what it takes for an app to be excluded from Recall snapshots.
Specifically if it's something the app needs to do explicitly, or if it's up to Microsoft to provide a list of things not to capture.
For example, the KeePassXC app isn't included, but the 1password session in a browser is.


wdormann OP ,

@erickolb
I mean, it's better than nothing.
But at the same time, the 1password stand-alone app is NOT exempt from Recall indexing.
Is this 1password's fault for not exempting itself from Recall, or is this Microsoft's fault for not recognizing that 1password should be exempt?


wdormann OP ,

@erickolb
You can manually exclude apps and websites.
But both of these lists are empty, at least from the GUI perspective.
So how Recall knows to ignore the KeePassXC app, but doesn't know to ignore 1password is beyond me...

wdormann , to random

HT @bontchev

Somebody figured out the secret technique that 3rd-party AV uses to disable Microsoft Defender so that they themselves can run without interference.

This tool uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.
https://github.com/es3n1n/no-defender


wdormann , to random

Reminder:
It's never been safe to run a program out of a directory that contains other untrusted files.
https://insights.sei.cmu.edu/blog/carpet-bombing-and-directory-poisoning/

https://twitter.com/WithinRafael/status/1782213111296229776

wdormann , to random

Just a backdoor in XZ.
Nothing important.
https://www.openwall.com/lists/oss-security/2024/03/29/4

wdormann OP ,

Interesting how this backdoor can lead to an sshd compromise.

"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."
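A small triage helper for the chain quoted above, added here as an example and not taken from the post or from the oss-security advisory. It answers the two questions a responder actually asks: is the installed xz/liblzma one of the backdoored releases (5.6.0 and 5.6.1, per the advisory), and does the sshd binary load liblzma at all, directly or via libsystemd, which is the only way the backdoor reaches it. Both parsers work on text you already have (`xz --version` and `ldd $(which sshd)`); the sample ldd output below is constructed and abridged.

```python
"""XZ backdoor triage (added example, not part of the original post).

Two checks:
  1. version of xz / liblzma, flagged if 5.6.0 or 5.6.1 (the backdoored
     releases named in the advisory);
  2. whether sshd links liblzma, directly or through libsystemd, since
     that is the path by which the backdoor reaches sshd.
"""
import re
import shutil
import subprocess

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed, abridged sample of `ldd /usr/sbin/sshd` on a distro that
# patches OpenSSH for systemd notification.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x...)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x...)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x...)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
\t/lib64/ld-linux-x86-64.so.2 (0x...)
"""

# Constructed sample of `xz --version` on an affected box.
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"


def versions_in(version_output: str) -> set[str]:
    """Collect every x.y.z version string in `xz --version` output
    (the tool and the library are reported on separate lines)."""
    return set(re.findall(r"\b(\d+\.\d+\.\d+)\b", version_output))


def is_backdoored_version(version_output: str) -> bool:
    return bool(versions_in(version_output) & BACKDOORED_VERSIONS)


def linked_libraries(ldd_output: str) -> dict[str, str]:
    """Parse ldd lines of the form 'libfoo.so.N => /path/libfoo.so.N (0x..)'
    into {soname: path}. ldd lists the whole resolved dependency tree, so
    transitive libraries (liblzma via libsystemd) appear here too."""
    libs = {}
    for line in ldd_output.splitlines():
        m = re.match(r"\s*(\S+)\s*=>\s*(\S+)", line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def sshd_exposure(ldd_output: str) -> dict[str, bool]:
    """Does this sshd pull in liblzma, and is libsystemd the likely reason?"""
    names = linked_libraries(ldd_output)
    return {
        "liblzma": any(n.startswith("liblzma.so") for n in names),
        "libsystemd": any(n.startswith("libsystemd.so") for n in names),
    }


def live_check() -> dict:
    """Run the two checks against the current host, if the tools exist."""
    result = {}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        result["xz_versions"] = sorted(versions_in(out))
        result["xz_backdoored"] = is_backdoored_version(out)
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    if shutil.which("ldd") and shutil.which(sshd):
        out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
        result["sshd"] = sshd_exposure(out)
    return result


if __name__ == "__main__":
    print("sample xz version backdoored:", is_backdoored_version(SAMPLE_XZ_VERSION))
    print("sample sshd exposure:", sshd_exposure(SAMPLE_LDD))
    print("this host:", live_check())
```

A version match without liblzma in sshd's link map still means the host carries a malicious library and should be downgraded or rebuilt; it just is not exposed through sshd by this particular path.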

wdormann OP ,

Presumably somebody is going back through all of this actor's commits back to 2021 to check for shenanigans?
On the other hand, that seems like a lot of work.
It's probably all good. 😬

wdormann OP ,

More about this actor:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
"libarchive should also be considered compromised until proven otherwise."

Good times...

wdormann , to random

So yes, Facebook intercepting Snapchat messages is completely inexcusable.
But at the same time, Snapchat explicitly designed their app to allow message text to be intercepted. (Pictures are end-to-end encrypted)
What was the rationale for this decision, I wonder?

wdormann OP ,

Though as I look closer, it appears that Snapchat has been doing cert pinning since 2015 at the latest.
So, if Facebook was intercepting Snapchat traffic in 2016... what exactly were they successfully seeing?
https://github.com/magicguru/SnapchatCertPinning

wdormann , to random

Two things would have made macOS CVE-2023-42931 a nothingburger even before Apple patched it.

  1. Don't run old OS versions.
  2. Don't log in to your computer as an admin.

If you aren't already following these guidelines, you really should.
https://securityonline.info/cve-2023-42931-macos-flaw-exposed-systems-to-easy-privilege-escalation-patch-now/