Privatnost i sigurnost podataka i korisnika

[tomek@vz]

Citiraj:

Meta's latest whistleblower, Sarah Wynn-Williams, got a warm reception on Capitol Hill Wednesday, as the Careless People author who the company has fought to silence described the company's chief executive as someone willing to shapeshift into whatever gets him closest to power. The message was one that lawmakers on the Senate Judiciary subcommittee on crime and counterterrorism were very open to. Their responses underscore that amid CEO Mark Zuckerberg's latest pivot in cozying up to the right, his perception in Washington has not yet totally changed, even as he reportedly lobbies President Donald Trump to drop the government's antitrust case against the company.

"He's recently tried a reinvention in which he is now a great advocate of free speech, after being an advocate of censorship in China and in this country for years," subcommittee Chair Josh Hawley (R-MO) said, pointing to longtime conservative allegations that Meta has suppressed things like vaccine skepticism and the Hunter Biden laptop story. "Now that's all wiped away. Now he's on Joe Rogan and says that he is Mr. Free Speech, he is Mr. MAGA, he's a whole new man, and his company, they're a whole new company. Do you buy this latest reinvention of Mark Zuckerberg?"

"If he is such a fan of freedom of speech, why is he trying to silence me?" Wynn-Williams asked in response. Meta convinced an arbitrator to order her to stop making disparaging statements and halt further publishing and promotion of the book, which details Meta's alleged dealings with the Chinese government and claims of sexual harassment from a top executive.

> Verge

[tomek@vz]

Citiraj:

The CVE and CWE programs are at risk of shutdown as MITRE's DHS contract expires on April 16, 2025, with no confirmed renewal. Without continued funding, the ability to standardize, track, and respond to software vulnerabilities could collapse, leaving the cybersecurity community scrambling in a fragmented and dangerously opaque environment. Forbes reports: "Failure to renew MITRE's contract for the CVE program, seemingly set to expire on April 16, 2025, risks significant disruption," said Jason Soroko, Senior Fellow at Sectigo. "A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained."

MITRE has indicated that historical CVE records will remain accessible via GitHub, but without continued funding, the operational side of the program -- including assignment of new CVEs -- will effectively go dark. That's not a minor inconvenience. It could upend how the global cybersecurity community identifies, communicates, and responds to new threats. [...] MITRE has said that discussions with the U.S. government are active and that it remains committed to the CVE mission. But with the expiration date looming, time is running short -- and the consequences of even a temporary gap are severe.

> Slashdot

[tomek@vz]

Citiraj:

Reversing blurred pixels to reveal censored content in videos is easier than you think

Citiraj:

EU provides burner phones to officials traveling to US amid espionage concern. Washington isn't Beijing, but you can never be too careful

[tomek@vz]

Update CVE teme:

Citiraj:

CISA says the U.S. government has extended MITRE’s funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
[…] The announcement follows a warning from MITRE Vice President Yosry Barsoum that government funding for the CVE and CWE programs was set to expire today, April 16, potentially leading to widespread disruption across the cybersecurity industry.
↫ Sergiu Gatlan at BleepingComputer

Kaj drugo reci osim:

Citiraj:

Elect clowns, live in a circus.

[tomek@vz]

Nekaj iz susjedstva:

Citiraj:

Amnesty International reports that a Cellebrite zero-day exploit was used to unlock a Serbian activist’s Android phone.

> securityaffairs


Za one koji neznaju sto je Cellebrite: 1 2 3

[tomek@vz]

Dečki i cure (kolko znam ima bar jedna), heads up!

Citiraj:

Here we go again. Google has confirmed another attack on Gmail users that combines inherent vulnerabilities in the platform with devious social engineering. The net result is a flurry of headlines and viral social media posts followed by an urgent platform update. Google’s security warning is clear. Users should stop using their passwords.
This latest attack has been bubbling on X and in a number of crypto outlets given the victim was an Ethereum developer. Nick Johnson says he was “targeted by an extremely sophisticated phishing attack,” one which “exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more.”
The attack started with an email from a legitimate Google address warning Johnson that it has been served with a subpoena for his Google account. “This is a valid, signed email,” Johnson says, “sent from no-reply@google.com. It passes the DKIM signature check, and Gmail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts.”

> Forbes

[tomek@vz]

Citiraj:

Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities.
The packages in question are listed below -

• node-telegram-utils (132 downloads)
• node-telegram-bots-api (82 downloads)
• node-telegram-util (73 downloads)

According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api, a popular Node.js Telegram Bot API with over 100,000 weekly downloads. The three libraries are still available for download.

> HackerNews

[medo]

To sa supply chain napadima je živo s*anje. Za neupućene, to je kada haker ne napadne vas koji imate jaku obranu nego napadne vašeg poslovnog partnera koji ima puno slabiji security pa uđe vama u sustav jer je kompromitirani poslovni partner na svim vašim white listama.

Sad ti objasni upravi i nadzornom odboru da njegov kum/rođo iz partnerske firme mora imati 2FA i certove za sve (VPN npr), DMARC/DKIM/SPF prolaz, Zero Trust…

[tomek@vz]

Yep...i onda dodaš Slopsquatting....


https://socket.dev/blog/slopsquattin...-chain-attacks

[tomek@vz]

Još malo o Slopsquatting temi:

Citiraj:

Researchers have uncovered a new supply chain attack called Slopsquatting, where threat actors exploit hallucinated, non-existent package names generated by AI coding tools like GPT-4 and CodeLlama. These believable yet fake packages, representing almost 20% of the samples tested, can be registered by attackers to distribute malicious code. CSO Online reports: Slopsquatting, as researchers are calling it, is a term first coined by Seth Larson, a security developer-in-residence at Python Software Foundation (PSF), for its resemblance to the typosquatting technique. Instead of relying on a user's mistake, as in typosquats, threat actors rely on an AI model's mistake. A significant number of packages, amounting to 19.7% (205,000 packages), recommended in test samples were found to be fakes. Open-source models -- like DeepSeek and WizardCoder -- hallucinated more frequently, at 21.7% on average, compared to the commercial ones (5.2%) like GPT 4. Researchers found CodeLlama ( hallucinating over a third of the outputs) to be the worst offender, and GPT-4 Turbo ( just 3.59% hallucinations) to be the best performer.

These package hallucinations are particularly dangerous as they were found to be persistent, repetitive, and believable. When researchers reran 500 prompts that had previously produced hallucinated packages, 43% of hallucinations reappeared every time in 10 successive re-runs, with 58% of them appearing in more than one run. The study concluded that this persistence indicates "that the majority of hallucinations are not just random noise, but repeatable artifacts of how the models respond to certain prompts." This increases their value to attackers, it added. Additionally, these hallucinated package names were observed to be "semantically convincing." Thirty-eight percent of them had moderate string similarity to real packages, suggesting a similar naming structure. "Only 13% of hallucinations were simple off-by-one typos," Socket added. The research can found be in a paper on arXiv.org (PDF).

[Jerry Drake]

NIsma našao posebnu temu, a možda je zgodno to i ovdje ubaciti.

Ima li netko od vas iskustva iz prve ruke s NIS2?


Naime, firma u kojoj trenutno radim dobila je neke naznake da će biti uključena u NIS2 priču pa bismo se htjeli pripremiti za isto.


Znam ono što se da zguglati o inicijatiivi i ono što se traži. Međutim je zapravo vrlo malo konrketnog napisano o tome.


Ono što mene zanima su neki konkretni tehnički setup detalji.
Što točno treba biti implementirano? IDP sistem? EDR? IDS? SIEM? Sve to?


Mi recimo u firmi imamo već Fortigate firewall s pretplatom za cloud sigurnosne servise, i tu već ima svašta unutra, da li je to dovoljno?
Mailovi su nam u 365 officu, s enkripcijom, imamo i enkripciju od windowsa na hardovima.

[tomek@vz]

Citiraj:

Autor Jerry Drake

NIsma našao posebnu temu, a možda je zgodno to i ovdje ubaciti.

Ima li netko od vas iskustva iz prve ruke s NIS2?


Naime, firma u kojoj trenutno radim dobila je neke naznake da će biti uključena u NIS2 priču pa bismo se htjeli pripremiti za isto.


Znam ono što se da zguglati o inicijatiivi i ono što se traži. Međutim je zapravo vrlo malo konrketnog napisano o tome.


Ono što mene zanima su neki konkretni tehnički setup detalji.
Što točno treba biti implementirano? IDP sistem? EDR? IDS? SIEM? Sve to?


Mi recimo u firmi imamo već Fortigate firewall s pretplatom za cloud sigurnosne servise, i tu već ima svašta unutra, da li je to dovoljno?
Mailovi su nam u 365 officu, s enkripcijom, imamo i enkripciju od windowsa na hardovima.

https://nis2direktiva.hr/


Nazalost nekaj pametnijeg nemam u rukavu osim ako netko od kolega ima dublje iskustvo.

[tomek@vz]

Heads up...

Citiraj:

“This evasion technique has been available since io_uring was added to the Linux kernel, but until now, no one had developed a fully functional rootkit that demonstrated its true potential,” said Ben Hirschberg, CTO and co-founder at ARMO.
“Leading cybersecurity vendors are still treating Linux as a second-class citizen. This is a huge gap, especially with the widespread cloud-native adoption, which is mostly Linux based. This is a wake-up call for the entire cybersecurity industry that cloud-native security is a discipline in its own right.”

> Techzine

Citiraj:

You are probably going to see a lot of news about the new Curing vulnerability which can take advantage of the io_uring system call interface which is enabled in many Linux kernels. At a glance it seems terrifying, a way to infect a machine that is essentially invisible to current antivirus software is not a good thing, but in order to make use of it you already have to have root privileges. If an attacker already has root, then the game is finished. Then again, a way to leverage this Curing rootkit without having root privileges then you can rightfully panic.
What is interesting about Curing is what it reveals about how security software functions, and that they all definitely have a blind spot. Current protections monitor system calls, which are certainly things which need to be closely watched, but Curing reveals that they need to do more. The article is light on details, likely on purpose to ensure bad actors can’t immediately leverage this possible vulnerability, but apparently Curing can be used to make network connections or tamper with files without your antivirus programs detecting it.

> PcPer

[tomek@vz]

Citiraj:

The majority of the traffic on the web is from bots. For the most part, these bots are used to discover new content. These are RSS Feed readers, search engines crawling your content, or nowadays AI bots crawling content to power LLMs. But then there are the malicious bots. These are from spammers, content scrapers or hackers. At my old employer, a bot discovered a wordpress vulnerability and inserted a malicious script into our server. It then turned the machine into a botnet used for DDOS. One of my first websites was yanked off of Google search entirely due to bots generating spam. At some point, I had to find a way to protect myself from these bots. That’s when I started using zip bombs.

↫ Ibrahim Diallo

[mkey]

> These are RSS Feed readers, search engines crawling your content, or nowadays AI bots crawling content to power LLMs. But then there are the malicious bots. These are from spammers, content scrapers or hackers.


Ma nemoj me. Search engines/AI bots <> content scrapers?

[tomek@vz]

Citiraj:

Apple sent notifications this week to several people who the company believes were targeted with government spyware, according to two of the alleged targets. In the past, Apple has sent similar notifications to targets and victims of spyware, and directed them to contact a nonprofit that specializes in investigating such cyberattacks. Other tech companies, like Google and WhatsApp, have in recent years also periodically sent such notifications to their users. As of Wednesday, only two people appear to have come forward to reveal they were among those who received the notifications from Apple this week.

One is Ciro Pellegrino, an Italian journalist who works for online news outlet Fanpage. Pellegrino wrote in an article that he received an email and a text message from Apple on Tuesday notifying him that he was targeted with spyware. The message, according to Pellegrino, also said he wasn't the only person targeted. "Today's notification is being sent to affected users in 100 countries," the message read, according to Pellegrino's article. "Did this really happen? Yes, it is not a joke," Pellegrino wrote.

The second person to receive an Apple notification is Eva Vlaardingerbroek, a Dutch right-wing activist, who posted on X on Wednesday. "Apple detected a targeted mercenary spyware attack against your iPhone," the Apple alert said, according to a screenshot shown in a video that Vlaardingerbroek posted on X. "This attack is likely targeting you specifically because of who you are or what you do. Although it's never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning -- please take it seriously." Reacting to the notification, Vlaardingerbroek said that this was an "attempt to intimidate me, an attempt to silence me, obviously."

Citiraj:

Wired reports that a vulnerability in Apple's software development kit (SDK) means that tens of millions of those devices could be compromised by an attacker: "On Tuesday, researchers from the cybersecurity firm Oligo revealed what they're calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple's proprietary radio-based protocol for local wireless communication. Bugs in Apple's AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they're on the same Wi-Fi network as the hacker's machine [...]

Oligo's chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions. 'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch -- or they will never be patched,' Elbaz says. 'And it's all because of vulnerabilities in one piece of software that affects everything.'"

For consumers, an attacker would first need to gain access to your home Wi-Fi network. The risk of this depends on the security of your router: millions of wireless routers also have serious security flaws, but access would be limited to the range of your Wi-Fi. AirPlay devices on public networks, like those used everywhere from coffee shops to airports, would allow direct access. The researchers say the worst-case scenario would be an attacker gaining access to the microphones in an AirPlay device, such as those in smart speakers. However, they have not demonstrated this capability, meaning it remains theoretical for now.

[tomek@vz]

Prijateljski podsjetnik...



> HiveSystems

[kopija]

Ovo FTW!

[Libertus]

Tako je! Moje glavne koje trebam pamtiti su takve godinama. Mislim da sam to vidio kod Snowdena na twitteru kad je savjetovao kako imati sigurnu lozinku, a da možeš zapamtiti.

Tipa:
gledam pce svaki dan

Onda staviš malo velikih slova

gledamPCEsvakiDAN

Onda dodaš neki broj i znak

gledamPCEsvaki1DAN!

I eto gadne lozinke za pogoditi a relativno lake za zapamtiti.

[Bubba]

Citiraj:

Autor tomek@vz

Prijateljski podsjetnik...

Ovo je vec godinama jedna od glupljih tablica koja kola internetima i poslovicno pali... sve koji vole infografike bez konteksta i minimuma pozadinskog znanja.

Bonjour tristesse, niti itko normalan vise ne koristi hashiranje bez salta vec... desetcima godina kao industrijski standard. Mozda sam malo i rekao.

Uz to sto vise nitko ne bruteforcea passworde isto tako svih tih... desetak godina, nego ih ukrades kako je Bog i zamislio - na izvoru!

[tomek@vz]

No eto čovjek nešto nauči svaki dan

[medo]

Ima nas koji smo koristili smart kartice prije 23 godine jer je firma passworde smatrala nesigurnima. Zbog toga smo žurili s migracijom na XP

[mkey]

Htio sam ovo komentirati, ali onda sam ponovno pročitao i vidio da piše "nitko normalan". Tako da teza ipak drži vodu

[tomek@vz]

Citiraj:

If you use Microsoft’s Authenticator app on your mobile phone as a password manager, here’s some bad news: Microsoft is discontinuing the “autofill” password management functionality in Authenticator. According to the announcement post (spotted by BleepingComputer), the transition will take place in three stages over this summer.

> Pcworld

[The Exiled]

Citiraj:

Unofficial Signal app used by Trump officials investigates hack

Citiraj:

Izvor: BleepingComputer i The Verge

StručLJaci za Trumpova državna pitanja uspješno koriste (nešto kao, a moglo bi biti nalik, dosta je slično, pa valjda i sigurno kao) Signal koliko i Severina PEZ bonbone za kontracepciju.

[OuttaControl]

Citiraj:

Autor Bubba

Bonjour tristesse, niti itko normalan vise ne koristi hashiranje bez salta vec... desetcima godina kao industrijski standard. Mozda sam malo i rekao.

Uz to sto vise nitko ne bruteforcea passworde isto tako svih tih... desetak godina, nego ih ukrades kako je Bog i zamislio - na izvoru!

Ima nazalost puno nenormalnih i dalje

A svak normalan ce throttleat loginove nakon faila, i onemogucit login nakon x,

A opet kako si rekao niko nece vise brute forcat nego ce ko normalni svit, ukrast od onih istih nenormalnih koji ne da nisu hashali password nego ga enkriptirali, sa keyem iz baze, koja je dostupna sql injectionom. Pa ce dekriptirati i najsigurniji password od 487541 random znakova il rijeci, i ako isti koristis na gmailu sa svim accountovima.... well..... a cak te i 2fa nasamare, nasamarili su Troy Hunta, pa mogu i nekog tipicnog advanced usera....

[spiderhr]

Jel ovo tema da priupitam jel koristi tko Yubikey ili nešto slično?

Razmišljam da nabavim možda jedan ili dva (drugi za backup).

[medo]

Citiraj:

Autor spiderhr

Jel ovo tema da priupitam jel koristi tko Yubikey ili nešto slično?

Razmišljam da nabavim možda jedan ili dva (drugi za backup).

Pazi koju verziju softwarea imaju. Prošle godine je otkriven vulnerability koji te ne bi trebao pretjerano zabrinjavati ali kad već uzimaš novo… iz sigurnosnih razloga Yubikey ima zapečen firmware - nema updatea.

Meni je osobno Yubikey a must have.

Onaj s fingerprint readerom mi slabo očitava prste. Imam suhi kožu pa je možda do toga. Moram stisnuti prst a onda savijam USB-C port… a ako tri puta ne očita prst ili fula PIN onda pobriše (sve) sa sebe.

Citiraj:

Autor OuttaControl

Ima nazalost puno nenormalnih i dalje

A svak normalan ce throttleat loginove nakon faila, i onemogucit login nakon x,

Lupam bezveze neke passworde iz bilo kojeg kraja svijeta i zalokam ti account. Samo trebam znati tvoj username.

Super scenarij za tebe ako radiš od doma

[xlr]

2 komada je neki standardni slucaj, ne bi uzimao samo jedan kljuc osim za inicijalnu probu da se uvjeris treba li ti to i da vidis kako radi.

Ovdje smo pisali dosta o kljucevima:
http://forum.pcekspert.com/showthread.php?t=216268

Osobno imam Token2 kljuceve jer su visestruko jeftiniji od jubija, a podrzavaju sve sto mi REALNO treba (passkey, TOTP, CLI/GUI appovi za pristup kljucu ako ikad zatreba).

Osobno kljuc koristim za ulazak u password manager i par drugih accounta. Neke usluge imam slozene na nacin da im mogu pristupiti s kljucem i sa passkeyem spremljenim u password manageru - u slucaju da nemam komp ili lak pristup password manageru na ovaj ga nacin mogu zaobici samo koristenjem kljuca - pod uvjetom da me taj servis u praksi NE pita password nego da mu je dosta samo passkey... Jbga, jedini pass koji znam napamet je taj od password managera. Sve ostalo mi je 20+ random znakova i ovisim o manageru.

Kakogod, passkey spika je dosta sarena i nisam odusevljen kako to sve radi. Zato fokus stavljam na otkljucavanje password managera pa dalje sve vadim iz njega, passworde, passkeyeve, sve.

[mkey]

Imam dvije pričice za ne povjerovati

Citiraj:

Autor OuttaControl

sa keyem iz baze, koja je dostupna sql injectionom.

Dakle, na svoje sam oči vidio kako su majstori u produkcijskom okruženju koristili user/pass za pristup db serveru u plain text formatu u sklopu konfiguracijskog JSONa i to vidljivog u aplikacijskim postavkama, kojima (makar read only) pristup imaju svi korisnici sajta Istina je da su korisnici glup k'o k*rac i ne umiju čitati JSON, ali svejedno.

Lijeno programiranje na 15tu, liku se jednostavno nije dalo to napraviti kako treba, zadovoljio je KPI, pripremili su skripte, deployali u produkciju (dakle, više ljudi je sudjelovalo u tom procesu) i onda je to stajalo tako tko zna koliko dugo dok ja na to nisam naletio. Užas.

Citiraj:

Autor medo

Lupam bezveze neke passworde iz bilo kojeg kraja svijeta i zalokam ti account. Samo trebam znati tvoj username.

Netko isto tako pametan kao ovaj iz gornjeg primjera u produkcijskom okruženju podesio da se neki vanjski servis logira u web aplikaciju koristeći administratorski account. Kako je bila konfigurirana kriva (stara) lozinka, nakon 5 pokušaja account bi se zaključao na 5 minuta. Servis se pokušavao spojiti više puta svaku sekundu tako da je account bio konstantno zaključan.

Govorim kolegama šta se dešava, i kažem kako je taj account stalno zaključan već duže vrijeme. Ma kakvi, nema šanse Prvotno sam napravio drugi account (tako da sam administratorski privremeno preimenovao kroz bazu da mogu ući unutra) da mogu odraditi što treba.

Onda kada mi je dopizdilo (6 mjeseci kasnije) išao sam tražiti po konfiguracijskim fajlovima i naravno našao konfiguraciju za taj servis. Naučio sam da nije dovoljno ukazati na problem nego treba i prstom uprti u rješenje, staviti pokoji uskličnik, podcrtati, uokviriti, poslati pokoji nadrkani mail i tako ukrug. Također užas.