Notes


CVE-2021-30861, CVE-2021-30975 - Hacking the Apple Webcam (again)

It’s been over a year since my last Apple camera hacking project, so I decided to give it another go.

My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.

This research resulted in 4 0day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty.

Hacking the Apple Webcam (again)

CVE-2021-4034 - Local Privilege Escalation Vulnerability

→ in reply to @note#1643185199

Today is polkit-patching day. Keep in mind that this vulnerability is not remotely exploitable, you need a local user on the machine. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).

Easy fix if you don’t have patches for your OS yet: remove the SUID bit from the binary.

# chmod 0755 /usr/bin/pkexec

CVE-2021-4034 - Local Privilege Escalation Vulnerability

The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
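An added shell audit (my example, not code from the Qualys advisory or the polkit project) that reports whether a pkexec binary is still setuid and applies the chmod stop-gap from the note above only when the bit is actually set; PKEXEC_PATH is an assumed environment variable, and by default the demo runs against a constructed temp file rather than the real binary.

```shell
#!/bin/sh
# Added example: audit the setuid bit on pkexec (CVE-2021-4034 stop-gap).
# PKEXEC_PATH is an assumption; most distributions ship /usr/bin/pkexec.

# suid_status PATH -> exit 0 if setuid, 1 if not setuid, 2 if missing.
suid_status() {
  [ -e "$1" ] || return 2
  [ -u "$1" ]
}

# report PATH -> prints one audit line; exit status as suid_status.
report() {
  suid_status "$1"
  rc=$?
  case $rc in
    0) echo "CHECK-PATCH-LEVEL $1 is setuid: $(ls -l "$1")" ;;
    1) echo "OK $1 has no setuid bit" ;;
    2) echo "MISSING $1 is not installed" ;;
  esac
  return $rc
}

# mitigate PATH -> drops the setuid bit only when it is currently set.
# Returns 0 when the file ends up non-setuid, 2 if it does not exist.
mitigate() {
  suid_status "$1"
  case $? in
    1) return 0 ;;                  # already non-setuid, nothing to do
    2) return 2 ;;                  # not installed
  esac
  chmod 0755 "$1" && echo "mitigated: setuid removed from $1"
  ! suid_status "$1"                # success only if the bit is really gone
}

# Demo on a constructed temp file so this runs without root and without
# touching the real binary; export PKEXEC_PATH=/usr/bin/pkexec to audit a host.
demo_target=$(mktemp) && chmod 4755 "$demo_target"
target=${PKEXEC_PATH:-$demo_target}
report "$target"
mitigate "$target" && report "$target"
rm -f "$demo_target"
```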

PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)

Bob Dylan Sells All Recorded Rights to Sony Music

“And now you’re gonna have to get used to it
You say you never compromise
With the mystery tramp, but now you realize
He’s not selling any alibis
As you stare into the vacuum of his eyes
And say do you want to make a deal?

How does it feel, how does it feel?”

Bob Dylan Sells All Recorded Rights to Sony Music

How BRATA is monitoring your bank account

In our previous article “Mobile banking fraud: BRATA strikes again” we’ve described how threat actors (TAs) leverage the Android banking trojan BRATA to perpetrate fraud via unauthorized wire transfers.

In this article, we are presenting further insights on how BRATA is evolving in terms of both new targets and new features, such as:

  • Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt.
  • GPS tracking capability
  • Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection.
  • Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques.

How BRATA is monitoring your bank account

Caitlin Johnstone spitting the truth

Everyone who’d support going to war with Russia or China over Ukraine or Taiwan should be regarded with the same revulsion and social rejection as child molesters. - Caitlin Johnstone

That is the truth.

Why Mozilla should go and die in a ditch

→ in reply to @note#1641369131

If you wondered why I said Mozilla should go and die in a ditch, this is what the Mozilla CEO, Mitchell Baker, has to say:

We need more than deplatforming

Now, let’s read that again. And again. And again.

Mozilla Corporation gets the vast majority of its revenue (which totaled around $450 million in each of 2018, 2019 and 2020) from search engines who pay to be the default search option in Firefox in different parts of the world, including Google, Yandex, and Baidu.

Mozilla, the maker of Firefox, began cutting about 25% (250 people) of its global workforce in 2020, saying that the coronavirus pandemic’s impact on economies “significantly impacted our revenue.”

“Senior executives have also done very well for themselves. Mitchell Baker, Mozilla’s top executive, was paid $2.4m in 2018, a sum I personally think of as instant inter-generational wealth. Payments to Baker have more than doubled in the last five years.” - source

Yeah.

Think of the children

Child sex abusers use social media platforms to exploit children and share images and videos of children being abused with other offenders.

Right now, some social media companies can detect child sexual abuse material being shared on their platforms and report it to law enforcement. This plays an important part in stopping child sex abusers, and these companies deserve to be praised for this.

But some are planning to introduce end-to-end encryption, which scrambles messages so that only the sender and receiver can see what is being shared.

This means they will no longer be able to detect child sexual abuse on their platforms and therefore won’t be able to report it. - source

Junk, junk, junk, junk. This campaign has nothing to do with protecting children - especially given the UK establishment’s veritable tradition of both organizing and covering up industrial scale sexual abuse (hint, what is lowercase-prince Andrew doing?) - and it is nothing more than hate speech designed to isolate technologists as part of a broader political effort. Fuck the UK.

GPD Pocket 3

GPD Pocket 3

  • 8 Inches / 1920×1200 Screen Resolution
  • Intel Core i7-1195G7 / Intel Pentium Silver N6000
  • 16GB LPDDR4x 3733 / 8GB LPDDR4x 2933
  • 1TB / 512GB PCIe M.2 NVMe SSD

More info

Some Fediverse ranting

In theory, the Fediverse is an excellent idea. The issue we have right now is with little fiefdoms, where the lord of those fiefdoms isn’t just setting rules on their fief but also preventing all their peasants from going to look at other fiefs or talk to peasants from those fiefs that the lord doesn’t like!

That sure doesn’t sound ok, right?

The protocol does nothing to secure the right of choice for individual users and leaves them at the mercy of service owners. Sure, if service owners just acted right, then the problem would be fixed, but asking for good intentions never fixes anything. The only fix with the current protocol is for every individual to become their own service owner but of course that’s not doable.

People like to make their own decisions, perhaps we should just let them?

The Western Internet nowadays is just fraud

Adaptive state sharding

The optimal approach to blockchain sharding needs to take into consideration advantages from all three sharding types: State, Transactions & Network. Elrond’s approach to increased throughput, called “Adaptive State Sharding”, combines all three sharding types into a solution that improves communication inside the shards and dramatically increases performance through parallel processing. - source

The Western Internet nowadays is just fraud, sponsored by Husky Musky, Biff Jizzos and Sexie Smokemypipe. Nothing else.

Today I deleted my GitHub account

You probably are familiar with Marak Squires and his faker.js project. GitHub (actually Microsoft, there is no GitHub anymore) suspended his account and prevented him from accessing his own code, of course, serving the interests of the corporations and not the developers. Regardless of who Marak might be and what he might have done, GitHub is not the police nor the government and they should not have done what they did. It was Marak’s own corner of the Internet for him to publish his own personal projects.

Of course some miserable “people” stepped in to fork his project and of course they are not in any way linked to AirBnb, Ycombinator, OpenCollective, Democracy Earth Foundation and the likes. No sir, nope.

Today I deleted my GitHub account. It was inactive anyway so there isn’t much of a change. Remember what Microsoft really is.

CVE-2021-4122 - Decryption through LUKS2 reencryption crash recovery

LUKS2 is an on-disk format for disk-encryption configuration with cryptsetup as the tool for configuration on Linux systems.

LUKS2 online reencryption is an optional extension to allow a user to change the data reencryption key while the data device is available for use during the whole reencryption process.

CVE-2021-4122 describes a possible attack against data confidentiality through LUKS2 online reencryption extension crash recovery.

An attacker can modify on-disk metadata to simulate decryption in progress with a crashed (unfinished) reencryption step and persistently decrypt part of the LUKS device.

This attack requires repeated physical access to the LUKS device but no knowledge of user passphrases.

CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption crash recovery

Existence is entropy

Existence is entropy, I guess they don’t teach that in 5th grade anymore. Of course, humans may be random but they hardly ever change.

Doxbin.com website data leaked

In January 2022, the Doxbin (doxbin.com) ‘doxxing’ website was compromised. The data was subsequently leaked online on various hacking forums and included over 370,000 unique email addresses in user accounts. The personal information disclosed on the website and in documents was often extensive, including names, physical addresses, phone numbers, and more.

If you are one of the less than 2,500 users that logged into Doxbin from 9th November 2021 - January 4th 2022, your Doxbin password was logged in plaintext. If you used the same password on other platforms, we suggest changing them. - source

What is doxxing?
The goal of doxxing is to obtain any and all information pertaining to the target; valuable information in so-called “name and shame” campaigns includes the target’s full name, address, phone number, employer, family and friends’ names, and compromising pictures. The priority information for doxxers is dissimilar to that for hacktivists, who typically attempt to gain additional personally identifiable information, such as date of birth, Social Security Number, and financial information.

GitHub Takes Down 'Widevine Dump' Forks

The Motion Picture Association has asked GitHub to remove a collection of scripts that allow people to rip content from popular streaming services such as Netflix, Disney+, and Amazon Prime. The tools in question bypass the Widevine copy protection, violating the DMCA, the group argues. Hundreds of forks of the ‘Widevine Dump’ code were also targeted and removed by GitHub.

GitHub Takes Down ‘Widevine Dump’ Forks Following MPA Complaint

CVE-2021-42278 - From User to Domain Admin in (less than) 60 seconds

On Patch Tuesday of last November, Microsoft released advisories to address several vulnerabilities in Active Directory. Analysis of these vulnerabilities showed that by combining CVE-2021-42278 and CVE-2021-42287 it is possible, under default conditions, for a regular user to easily impersonate a domain admin. This means that any domain user can effectively become a domain administrator, which makes these vulnerabilities extremely severe. Moreover, there are already several GitHub repositories with free-to-use PoC code that facilitates the exploitation of these vulnerabilities.

From User to Domain Admin in (less than) 60 seconds

Get info for an Instagram account via its followers

A SOCMINT tool to get information for an Instagram account via its followers; allows you to analyse someone’s followers, following and mutuals, with these functions:

  • A probability function to determine the close social circle of your target,
  • Export of the followers / following lists (with their details) to excel and csv,
  • More information here.
  • Check the WIKI for the detailed Usage.

S T E R R A

Dopamine is a hell of a drug

Dopamine is a hell of a drug. It feels good to be wanted and people substitute the virtual for the real, but it’s a hollow shell. The top aspiring profession nowadays is to be an influencer - a puppet - because the puppets pull the strings of the sheep.

But who is pulling the strings of the puppets?